[k8s]通过openssl生成证书

证书认证原理:
http://www.cnblogs.com/iiiiher/p/7873737.html

[root@m1 ssl]# cat master_ssl.cnf 
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = kubernetes
DNS.2 = kubernetes.default
DNS.3 = kubernetes.default.svc
DNS.4 = kubernetes.default.svc.cluster.local
DNS.5 = m1.ma.com
IP.1 = 10.254.0.1


- 根据配置文件无交互生成证书
openssl genrsa -out ca.key 2048
openssl req -x509 -new -nodes -key ca.key -subj "/CN=m1.ma.com" -days 5000 -out ca.crt

openssl genrsa -out server.key 2048
openssl req -new -key server.key -subj "/CN=m1.ma.com" -config master_ssl.cnf -out server.csr
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 5000 -extensions v3_req -extfile master_ssl.cnf -out server.crt

- 开始-运行打开证书管理器
certmgr.msc

- 无交互生成证书
openssl genrsa -out ca.key 2048
openssl req -x509 -new -nodes -key ca.key -subj "/CN=myca.com" -days 5000 -out ca.crt

openssl genrsa -out server.key 2048
openssl req -new -key server.key -subj "/O=My Server /CN=n1.ma.com" -out server.csr
openssl x509 -req -CA ca.crt -CAkey ca.key -CAcreateserial -in server.csr -out server.crt

- 查看证书的内容
openssl x509 -in /etc/pki/CA/cacert.pem -noout -text|egrep -i "issuer|subject|serial|dates"
openssl x509  -noout -text -in  kubernetes.pem
cfssl-certinfo -cert kubernetes.pem
posted @ 2017-11-24 17:36  _毛台  阅读(2899)  评论(0编辑  收藏  举报