Creating certificates
Generating a self-signed certificate and a self-signed CA certificate with the Java keytool utility
https://www.jianshu.com/p/8e065153f315
View certificate details:
keytool -list -v \
-keystore C:/Users/lt32806/test.jks \
-storepass changeit
Print the certificate in RFC (PEM) format:
keytool -list -rfc \
-alias x.nam.nsroot.net \
-keystore C:/Users/lt32806/test.jks \
-storepass pD86LbNeH1
Export a .cer certificate file from the keystore:
keytool -export -alias x.nam.nsroot.net \
-keystore C:/Users/lt32806/test.jks \
-file C:/Users/lt32806/tm-api.cer \
-storepass pD86LbNeH1
Import a certificate file into a keystore:
keytool -import -trustcacerts \
-keystore www.mydomain.com_keystore.jks \
-storepass mypassword \
-alias www.mydomain.com \
-file www.mydomain.com_cert.cer
Generate a key pair and self-signed certificate in a keystore:
keytool -genkey -alias x.nam.nsroot.net \
-keyalg RSA \
-sigalg SHA256withRSA \
-storepass changeit \
-keystore C:/Users/lt32806/test.jks \
-storetype jks \
-validity 365 \
-dname "CN=x.nam.nsroot.net, OU=Network Center, O=SHU, L=ZB, ST=SH, C=CN"
Convert the JKS keystore to a PFX (PKCS#12) file, then to PEM:
keytool -v -importkeystore \
-srckeystore C:/Users/lt32806/test.jks \
-srcstoretype jks -srcstorepass pD86LbNeH1 \
-destkeystore C:/Users/lt32806/server.pfx -deststoretype pkcs12 -deststorepass changeit -destkeypass changeit \
-alias x.nam.nsroot.net
openssl pkcs12 -in C:/Users/lt32806/server.pfx -out C:/Users/lt32806/server.pem -passin pass:changeit -passout pass:changeit
Open the PEM file in Notepad, copy the private key out of the PEM certificate chain and save it as privateKey.key (this is only an intermediate file; the final key is produced by the command below):
openssl rsa -in C:/Users/lt32806/privateKey.key -check
------------------------------------------- Certificate issued under the root CA, with DNS SANs
...
Certificate chain length: 3
Certificate[1]: third-level (leaf) certificate, signed by the second-level certificate
Owner: CN=...
...
#10: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
DNSName: x
DNSName: x.nam.nsroot.net
DNSName: a
DNSName: a.nam.nsroot.net
]
...
Certificate[2]: ... second-level certificate, signed by the root certificate
Certificate[3]: ... root certificate
------------------------------------------ Creating certificates with cfssl
2.3.1. Install cfssl
wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 -O /usr/bin/cfssl
wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 -O /usr/bin/cfssl-json
wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64 -O /usr/bin/cfssl-certinfo
chmod +x /usr/bin/cfssl*
2.3.2. Create the JSON config for the CA certificate signing request (CSR)
mkdir /opt/certs
vi /opt/certs/ca-csr.json
{
    "CN": "OldboyEdu",
    "hosts": [
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "ST": "beijing",
            "L": "beijing",
            "O": "od",
            "OU": "ops"
        }
    ],
    "ca": {
        "expiry": "175200h"
    }
}
2.3.3. Generate the CA certificate files
cd /opt/certs
cfssl gencert -initca ca-csr.json | cfssl-json -bare ca
ll
ca.csr
ca-csr.json
ca-key.pem
ca.pem
etcd certificates
Create the signing config (ca-config.json) based on the root CA
On hdss7-200:
[root@hdss7-200 ~]# vi /opt/certs/ca-config.json
{
    "signing": {
        "default": {
            "expiry": "175200h"
        },
        "profiles": {
            "server": {
                "expiry": "175200h",
                "usages": [
                    "signing",
                    "key encipherment",
                    "server auth"
                ]
            },
            "client": {
                "expiry": "175200h",
                "usages": [
                    "signing",
                    "key encipherment",
                    "client auth"
                ]
            },
            "peer": {
                "expiry": "175200h",
                "usages": [
                    "signing",
                    "key encipherment",
                    "server auth",
                    "client auth"
                ]
            }
        }
    }
}
3.1.3. Create the JSON config for the CSR of the certificate to be issued by our CA
[root@hdss7-200 ~]# vi /opt/certs/etcd-peer-csr.json
{
    "CN": "k8s-etcd",
    "hosts": [
        "10.4.7.11",
        "10.4.7.12",
        "10.4.7.21",
        "10.4.7.22"
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "ST": "beijing",
            "L": "beijing",
            "O": "od",
            "OU": "ops"
        }
    ]
}
3.1.4. Generate the etcd certificate files
[root@hdss7-200 ~]# cd /opt/certs/
[root@hdss7-200 certs]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=peer etcd-peer-csr.json | cfssl-json -bare etcd-peer
3.1.5. Check the generated certificate files
[root@hdss7-200 certs]# ll
etcd-peer.csr
etcd-peer-csr.json
etcd-peer-key.pem
etcd-peer.pem
Inspect a certificate
cfssl-certinfo -cert api-server.pem
cfssl-certinfo -domain www.baidu.com
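As an added example (not from this page and not cfssl's own code), here is a standard-library Go check that a certificate issued with the "peer" profile really fits that profile: it must chain to the CA, match one of the CSR "hosts" through its SAN, and carry both the server auth and client auth EKUs, so a certificate cut with the "server" profile is rejected. VerifyPeerCert, issue and peerUsages are names chosen here; issue mints a throwaway CA and leaf as constructed test data in place of ca.pem and etcd-peer.pem.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)
// peerUsages mirrors the cfssl "peer" profile above: server auth AND client auth.
var peerUsages = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
// VerifyPeerCert checks that cert chains to roots, matches host (an IP or DNS name from the CSR "hosts") and carries every EKU the peer profile requires.
func VerifyPeerCert(cert *x509.Certificate, roots *x509.CertPool, host string) error {
	// cert.Verify accepts a chain if ANY listed EKU fits, so each usage is checked on its own.
	for _, u := range peerUsages {
		opts := x509.VerifyOptions{Roots: roots, DNSName: host, KeyUsages: []x509.ExtKeyUsage{u}}
		if _, err := cert.Verify(opts); err != nil {
			return fmt.Errorf("EKU %d for host %q: %w", u, host, err)
		}
	}
	return nil
}
// issue mints a throwaway CA plus a leaf for hosts with the given EKUs (constructed test data, not the page's ca.pem), so a caller can drop a usage and watch the check fail.
func issue(hosts []string, ekus []x509.ExtKeyUsage) (*x509.Certificate, *x509.CertPool, error) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	leafPub, _, _ := ed25519.GenerateKey(rand.Reader)
	caTpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "OldboyEdu"}, IsCA: true,
		NotBefore: time.Now(), NotAfter: time.Now().Add(175200 * time.Hour), BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTpl, caTpl, caPub, caKey)
	ca, err := x509.ParseCertificate(caDER) // also fails if CreateCertificate failed
	if err != nil {
		return nil, nil, err
	}
	leaf := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "k8s-etcd"}, ExtKeyUsage: ekus,
		NotBefore: time.Now(), NotAfter: time.Now().Add(175200 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment}
	for _, h := range hosts { // IPs go to the SAN IPAddresses list, names to DNSNames
		if ip := net.ParseIP(h); ip != nil {
			leaf.IPAddresses = append(leaf.IPAddresses, ip)
		} else {
			leaf.DNSNames = append(leaf.DNSNames, h)
		}
	}
	leafDER, _ := x509.CreateCertificate(rand.Reader, leaf, ca, leafPub, caKey)
	cert, err := x509.ParseCertificate(leafDER)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	return cert, roots, err
}
```

To check the real files, parse etcd-peer.pem and ca.pem with encoding/pem and x509.ParseCertificate and pass them to VerifyPeerCert in the same way.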