Linux使用CFSSL自签TLS证书

⒈安装CFSSL

wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64

  ①生成证书

  ②利用Json生成证书

  ③查看证书信息的工具

⒉修改权限

chmod +x cfssl_linux-amd64 cfssljson_linux-amd64 cfssl-certinfo_linux-amd64

⒊移动文件

mv cfssl_linux-amd64 /usr/local/bin/cfssl
mv cfssljson_linux-amd64 /usr/local/bin/cfssljson
mv cfssl-certinfo_linux-amd64 /usr/local/bin/cfssl-certinfo

⒋验证指令

cfssl --help

  ①print-defaults  输出生成证书的模板

*生成一个配置模板

cfssl print-defaults config > config.json

  默认生成的模板文件如下:

 1 {
 2     "signing": {  //签名
 3         "default": {
 4             "expiry": "168h"  //默认过期时间
 5         },
 6         "profiles": {
 7             "www": {
 8                 "expiry": "8760h",
 9                 "usages": [
10                     "signing",
11                     "key encipherment",
12                     "server auth"
13                 ]
14             },
15             "client": {
16                 "expiry": "8760h",
17                 "usages": [
18                     "signing",
19                     "key encipherment",
20                     "client auth"
21                 ]
22             }
23         }
24     }
25 }

*生成证书信息文件

cfssl print-defaults csr > csr.json

默认生成的模板文件如下:

 1 {
 2     "CN": "example.net",  //标识具体的域
 3     "hosts": [  //使用该证书的域名
 4         "example.net",
 5         "www.example.net"
 6     ],
 7     "key": {  //加密方式,一般RSA 2048
 8         "algo": "ecdsa",
 9         "size": 256
10     },
11     "names": [  //证书包含的信息,例如国家、地区等
12         {
13             "C": "US",
14             "L": "CA",
15             "ST": "San Francisco"
16         }
17     ]
18 }

 ⒌生成配置模板及证书信息

 1 cat > ca-config.json <<EOF
 2 {
 3     "signing":{
 4         "default":{
 5             "expiry":"87600h"
 6         },
 7         "profiles":{
 8             "kubernetes":{
 9                 "expiry":"87600h",
10                 "usages":[
11                     "signing",
12                     "key encipherment",
13                     "server auth",
14                     "client auth"
15                 ]
16             }
17         }
18     }
19 }
20 EOF
21 
22 cat > ca-csr.json <<EOF
23 {
24     "CN":"kubernetes",
25     "key":{
26         "algo":"rsa",
27         "size":2048
28     },
29     "names":[
30         {
31             "C":"CN",
32             "L":"Hebei",
33             "ST":"Zhangjiakou",
34             "O":"k8s",
35             "OU":"System"
36         }
37     ]
38 }
39 EOF

⒍使用证书信息文件生成证书

1 cfssl gencert -initca ca-csr.json | cfssljson -bare ca -

 ⒎生成服务端的配置模板及证书信息

 1 cat > server-csr.json << EOF
 2 {
 3     "CN":"kubernetes",
 4     "hosts":[
 5         "127.0.0.1",
 6         "192.168.0.211",
 7         "192.168.0.212",
 8         "192.168.0.213",
 9         "10.10.10.1",
10         "kubernetes",
11         "kubernetes.default",
12         "kubernetes.default.svc",
13         "kubernetes.default.svc.cluster",
14         "kubernetes.default.svc.cluste.local"
15     ],
16     "key":{
17         "algo":"rsa",
18         "size":2048
19     },
20     "names":[
21         {
22             "C":"CN",
23             "L":"Hebei",
24             "ST":"Zhangjiakou",
25             "O":"k8s",
26             "OU":"System"
27         }
28     ]
29 }
30 EOF

 

 ⒏使用证书信息生成证书

1 cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes server-csr.json | cfssljson -bare server

 ⒐集群管理员通过该证书访问集群

 1 cat > admin-csr.json <<EOF
 2 {
 3     "CN":"admin",
 4     "hosts":[],
 5     "key":{
 6         "algo":"rsa",
 7         "size":2048
 8     },
 9     "names":[
10         {
11             "C":"CN",
12             "L":"Hebei",
13             "ST":"Zhangjiakou",
14             "O":"system:masters",
15             "OU":"System"
16         }
17     ]
18 }
19 EOF

 ⒑生成证书

1 cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes admin-csr.json | cfssljson -bare admin

 ⒒

 1 cat > kube-proxy-csr.json <<EOF
 2 {
 3     "CN":"system:kube-proxy",
 4     "hosts":[],
 5     "key":{
 6         "algo":"rsa",
 7         "size":2048
 8     },
 9     "names":[
10         {
11             "C":"CN",
12             "L":"Hebei",
13             "ST":"Zhangjiakou",
14             "O":"k8s",
15             "OU":"System"
16         }
17     ]
18 }
19 EOF

⒓生成证书

1 cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kube-proxy-csr.json | cfssljson -bare kube-proxy

 ⒔只保留证书文件,删除多余的文件

1 ls |grep -v pem |xargs -i rm {}

 

posted @ 2019-04-24 21:20  SpringCore  阅读(6726)  评论(0编辑  收藏  举报