Generating 100-year CA certificates for K3s
Check the OpenSSL version
openssl version
Note: the certificate-generation commands only need to be run on the first server that runs the K3s service.
If the version is 1.1.1 or later
# k3s CA certificates
mkdir -p /var/lib/rancher/k3s/server/tls
cd /var/lib/rancher/k3s/server/tls
openssl genrsa -out client-ca.key 2048
openssl genrsa -out server-ca.key 2048
openssl genrsa -out request-header-ca.key 2048
openssl req -x509 -new -nodes -key client-ca.key -sha256 -days 36500 -out client-ca.crt -addext keyUsage=critical,digitalSignature,keyEncipherment,keyCertSign -subj '/CN=k3s-client-ca'
openssl req -x509 -new -nodes -key server-ca.key -sha256 -days 36500 -out server-ca.crt -addext keyUsage=critical,digitalSignature,keyEncipherment,keyCertSign -subj '/CN=k3s-server-ca'
openssl req -x509 -new -nodes -key request-header-ca.key -sha256 -days 36500 -out request-header-ca.crt -addext keyUsage=critical,digitalSignature,keyEncipherment,keyCertSign -subj '/CN=k3s-request-header-ca'
# etcd CA certificates
mkdir -p /var/lib/rancher/k3s/server/tls/etcd
cd /var/lib/rancher/k3s/server/tls/etcd
openssl genrsa -out peer-ca.key 2048
openssl genrsa -out server-ca.key 2048
openssl req -x509 -new -nodes -key peer-ca.key -sha256 -days 36500 -out peer-ca.crt -addext keyUsage=critical,digitalSignature,keyEncipherment,keyCertSign -subj '/CN=k3s-peer-ca'
openssl req -x509 -new -nodes -key server-ca.key -sha256 -days 36500 -out server-ca.crt -addext keyUsage=critical,digitalSignature,keyEncipherment,keyCertSign -subj '/CN=k3s-server-ca'
If the version is older than 1.1.1
# k3s CA certificates
mkdir -p /var/lib/rancher/k3s/server/tls
cd /var/lib/rancher/k3s/server/tls
openssl genrsa -out client-ca.key 2048
openssl genrsa -out server-ca.key 2048
openssl genrsa -out request-header-ca.key 2048
openssl req -x509 -new -nodes -key client-ca.key -sha256 -days 36500 -out client-ca.crt -subj '/CN=k3s-client-ca' -extensions key -config <(echo '[req]'; echo 'distinguished_name=req'; echo '[key]'; echo 'keyUsage=critical,digitalSignature,keyEncipherment,keyCertSign'; echo 'basicConstraints=critical,CA:TRUE';)
openssl req -x509 -new -nodes -key server-ca.key -sha256 -days 36500 -out server-ca.crt -subj '/CN=k3s-server-ca' -extensions key -config <(echo '[req]'; echo 'distinguished_name=req'; echo '[key]'; echo 'keyUsage=critical,digitalSignature,keyEncipherment,keyCertSign'; echo 'basicConstraints=critical,CA:TRUE';)
openssl req -x509 -new -nodes -key request-header-ca.key -sha256 -days 36500 -out request-header-ca.crt -subj '/CN=k3s-request-header-ca' -extensions key -config <(echo '[req]'; echo 'distinguished_name=req'; echo '[key]'; echo 'keyUsage=critical,digitalSignature,keyEncipherment,keyCertSign'; echo 'basicConstraints=critical,CA:TRUE';)
# etcd CA certificates
mkdir -p /var/lib/rancher/k3s/server/tls/etcd
cd /var/lib/rancher/k3s/server/tls/etcd
openssl genrsa -out peer-ca.key 2048
openssl genrsa -out server-ca.key 2048
openssl req -x509 -new -nodes -key peer-ca.key -sha256 -days 36500 -out peer-ca.crt -subj '/CN=k3s-peer-ca' -extensions key -config <(echo '[req]'; echo 'distinguished_name=req'; echo '[key]'; echo 'keyUsage=critical,digitalSignature,keyEncipherment,keyCertSign'; echo 'basicConstraints=critical,CA:TRUE';)
openssl req -x509 -new -nodes -key server-ca.key -sha256 -days 36500 -out server-ca.crt -subj '/CN=k3s-server-ca' -extensions key -config <(echo '[req]'; echo 'distinguished_name=req'; echo '[key]'; echo 'keyUsage=critical,digitalSignature,keyEncipherment,keyCertSign'; echo 'basicConstraints=critical,CA:TRUE';)
Then continue with "Generating 100-year non-CA certificates for K3s".
FAQ
Inspecting a generated certificate
openssl x509 -in xxx.crt -noout -text
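The two OpenSSL code paths above and the inspection command from this FAQ, folded into one script. This is an added example, not code from the original post or from the k3s project; the function names `openssl_ge_111`, `gen_ca` and `check_ca`, the `sed`-based banner parsing and the 50-year `-checkend` window are this example's own choices. It picks the `-addext` form only when `openssl version` reports 1.1.1 or newer, writes the extension config to a temporary file instead of bash's `<(...)` so it also runs under plain `sh`, and then verifies that what came out is really a CA certificate (CA:TRUE, keyCertSign) with the long validity, which the 1.1.1+ commands in the post leave to the system openssl.cnf to supply.

```shell
#!/bin/sh
# Added example (not from the original post or k3s): version-aware CA
# generation plus a post-generation check. Names are this example's own.

# Return 0 if the `openssl version` banner in $1 is OpenSSL >= 1.1.1 (so
# `-addext` exists), 1 if it is older, 2 if the banner is not recognised
# (LibreSSL prints a different one; callers then fall back to the config-file
# path, which works on any openssl).
openssl_ge_111() {
    ver=$(printf '%s\n' "$1" |
        sed -n 's/^OpenSSL \([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2 \3/p')
    [ -n "$ver" ] || return 2
    set -- $ver
    major=$1; minor=$2; patch=$3
    [ "$major" -gt 1 ] && return 0
    [ "$major" -lt 1 ] && return 1
    [ "$minor" -gt 1 ] && return 0
    [ "$minor" -lt 1 ] && return 1
    [ "$patch" -ge 1 ] && return 0
    return 1
}

# Generate a self-signed CA: $1 = file basename, $2 = CN, $3 = validity in days.
# Same extensions as the post: keyUsage via -addext on >= 1.1.1 (CA:TRUE then
# comes from openssl's default x509_extensions), keyUsage + basicConstraints
# via a temporary config file otherwise.
gen_ca() {
    name=$1; cn=$2; days=$3
    ku='keyUsage=critical,digitalSignature,keyEncipherment,keyCertSign'
    bc='basicConstraints=critical,CA:TRUE'
    openssl genrsa -out "$name.key" 2048 >/dev/null 2>&1 || return 1
    if openssl_ge_111 "$(openssl version)"; then
        openssl req -x509 -new -nodes -key "$name.key" -sha256 -days "$days" \
            -out "$name.crt" -subj "/CN=$cn" -addext "$ku"
    else
        conf=$(mktemp) || return 1
        printf '[req]\ndistinguished_name=req\n[key]\n%s\n%s\n' "$ku" "$bc" >"$conf"
        openssl req -x509 -new -nodes -key "$name.key" -sha256 -days "$days" \
            -out "$name.crt" -subj "/CN=$cn" -extensions key -config "$conf"
        rc=$?
        rm -f "$conf"
        return $rc
    fi
}

# Verify that $1 is a CA certificate k3s can actually use: basicConstraints
# CA:TRUE, keyUsage including keyCertSign, and not expiring within 50 years.
# (-checkend takes seconds; 50 years still fits the 32-bit int that older
# openssl releases parse it into.)
check_ca() {
    crt=$1
    text=$(openssl x509 -in "$crt" -noout -text) || return 1
    printf '%s\n' "$text" | grep -q 'CA:TRUE' ||
        { echo "$crt: missing basicConstraints CA:TRUE" >&2; return 1; }
    printf '%s\n' "$text" | grep -q 'Certificate Sign' ||
        { echo "$crt: keyUsage lacks keyCertSign" >&2; return 1; }
    openssl x509 -in "$crt" -noout -checkend $((50 * 365 * 24 * 60 * 60)) >/dev/null ||
        { echo "$crt: expires within 50 years" >&2; return 1; }
    return 0
}

# Usage on the first k3s server, as root, before k3s is started (paths from the post):
#   mkdir -p /var/lib/rancher/k3s/server/tls && cd /var/lib/rancher/k3s/server/tls
#   gen_ca client-ca k3s-client-ca 36500 && check_ca client-ca.crt
```

Two points worth noting. The post's commands for older OpenSSL use process substitution (`<(...)`), which is a bash feature; pasted into `sh` or `dash` they fail with a syntax error, which is why the example writes the config to a file instead. And a CA that never expires removes expiry as a failure mode but also as a rotation trigger, so the `.key` files under `/var/lib/rancher/k3s/server/tls` deserve the same access control as any root CA key.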
References
Breaking the 10-year validity limit of K3s CA certificates - KSD Blog (kingsd.top)
Original link: https://www.cnblogs.com/KSPT/p/16688400.html