Install CFSSL
Install directly from the prebuilt binary packages
mkdir ~/bin
curl -s -L -o ~/bin/cfssl https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
curl -s -L -o ~/bin/cfssljson https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
chmod +x ~/bin/{cfssl,cfssljson}
export PATH=$PATH:~/bin
Create the default configuration files
cfssl print-defaults config > ca-config.json
cfssl print-defaults csr > ca-csr.json
Certificate types
- Client certificates are used by the server to verify the client's identity
- Server certificates are used by the client to verify the server's identity
- Peer certificates are used by etcd cluster members and serve both client authentication and server authentication
Configure the CA
Edit ca-config.json
{
  "signing": {
    "default": {
      "expiry": "99999h"
    },
    "profiles": {
      "server": {
        "expiry": "99999h",
        "usages": [
          "signing",
          "key encipherment",
          "server auth"
        ]
      },
      "client": {
        "expiry": "99999h",
        "usages": [
          "signing",
          "key encipherment",
          "client auth"
        ]
      },
      "peer": {
        "expiry": "99999h",
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ]
      }
    }
  }
}
Configure the certificate signing request
Edit ca-csr.json; adjust the fields to suit your own needs
{
  "CN": "My own CA",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "BeiJing",
      "O": "work",
      "ST": "BeiJing"
    }
  ]
}
Generate the CA certificate
Run the following command to generate the CA certificate
cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
The following files are generated
ca-key.pem
ca.csr
ca.pem
- ca-key.pem is the CA's private key; keep it safe
- The .csr file is the certificate signing request and can be deleted
Generate the server certificate
cfssl print-defaults csr > server.json
Edit the CN and hosts fields in server.json; adjust the names field as needed
{
  "CN": "etcd",
  "hosts": [
    "127.0.0.1",
    "0.0.0.0",
    "10.0.0.0/8"
  ],
  "key": {
    "algo": "ecdsa",
    "size": 256
  },
  "names": [
    {
      "C": "CN",
      "L": "BeiJing",
      "ST": "BeiJing"
    }
  ]
}
Create the server certificate and private key
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=server server.json | cfssljson -bare server
The following files are generated
server-key.pem
server.csr
server.pem
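As an added check that is not part of the original post: a small stdlib-only Python script that validates the ca-config.json profiles and the server.json hosts shown above before cfssl gencert is run, so a profile that does not grant the extended key usage its role needs, or a hosts entry that cannot become a usable SAN, is caught early. The JSON inputs are constructed copies of the page's files, and profile_issues, host_issues, expiry_years and REQUIRED_EKU are names of my own; the checks are general and also apply to client.json and to the peer profile.

```python
import ipaddress
import json
import re

# Constructed copies of the page's ca-config.json and server.json (embedded so the check runs offline).
CA_CONFIG = json.loads("""{"signing": {"default": {"expiry": "99999h"}, "profiles": {
  "server": {"expiry": "99999h", "usages": ["signing", "key encipherment", "server auth"]},
  "client": {"expiry": "99999h", "usages": ["signing", "key encipherment", "client auth"]},
  "peer": {"expiry": "99999h", "usages": ["signing", "key encipherment", "server auth", "client auth"]}
}}}""")
SERVER_CSR = json.loads('{"CN": "etcd", "hosts": ["127.0.0.1", "0.0.0.0", "10.0.0.0/8"]}')

# Extended key usage each profile must grant for the role the page assigns it.
REQUIRED_EKU = {"server": {"server auth"}, "client": {"client auth"}, "peer": {"server auth", "client auth"}}
# One DNS label: 1-63 letters, digits or hyphens, not starting or ending with a hyphen.
DNS_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

def expiry_years(expiry: str) -> float:
    """Convert a cfssl expiry such as '99999h' into years, rounded to one decimal."""
    return round(int(expiry.rstrip("h")) / 24 / 365, 1)

def profile_issues(config: dict) -> list:
    """List role profiles that are missing or do not grant the EKU their role needs."""
    issues = []
    profiles = config.get("signing", {}).get("profiles", {})
    for name, required in REQUIRED_EKU.items():
        missing = required - set(profiles.get(name, {}).get("usages", []))
        if missing:
            issues.append(f"profile {name!r} lacks {sorted(missing)}")
    return issues

def host_issues(hosts: list) -> list:
    """List hosts entries that would not become a usable SAN: the unspecified address
    0.0.0.0, and anything that is neither an IP literal nor a syntactically valid DNS
    name (a CIDR such as 10.0.0.0/8 is one). Empty entries, as in client.json, are skipped."""
    bad = []
    for host in filter(None, hosts):
        try:
            if ipaddress.ip_address(host).is_unspecified:
                bad.append(host)
            continue
        except ValueError:
            pass  # not an IP literal; check it as a DNS name below
        if not all(DNS_LABEL.match(label) for label in host.split(".")):
            bad.append(host)
    return bad

if __name__ == "__main__":
    print(profile_issues(CA_CONFIG), host_issues(SERVER_CSR["hosts"]), expiry_years("99999h"))
```

Run it against the real files with json.load before signing; on the page's server.json it reports 0.0.0.0 and 10.0.0.0/8, and the 99999h expiry works out to roughly 11.4 years.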
Generate the client certificate
cfssl print-defaults csr > client.json
Edit client.json: a client certificate does not need the hosts field; only the CN field needs to be set to client
{
  "CN": "client",
  "hosts": [
    ""
  ],
  "key": {
    "algo": "ecdsa",
    "size": 256
  },
  "names": [
    {
      "C": "CN",
      "L": "BeiJing",
      "ST": "BeiJing"
    }
  ]
}
The following files are generated
client-key.p