②.cfssl 签发etcd peer证书

用CA证书为k8s-etcd用户签发一个证书及私钥

vi /opt/certs/etcd-peer-csr.json
{
    "CN": "k8s-etcd",
    "hosts": [
        "192.168.1.201",
        "192.168.1.202",
        "192.168.1.203",
        "192.168.1.204",
        "192.168.1.205"
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "ST": "beijing",
            "L": "beijing",
            "O": "od",
            "OU": "ops"
        }
    ]
}

hosts字段包含etcd服务运行主机的ip地址 填写ip段无效
生成etcd-peer.pem 及etcd-peer-key.pem证书

cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=peer etcd-peer-csr.json |cfssl-json -bare etcd-peer

检验etcd-peer.pem信息

[root@rstx-53 certs]# ls etcd-peer*
etcd-peer.csr  etcd-peer-csr.json  etcd-peer-key.pem  etcd-peer.pem


cfssl-certinfo -cert etcd-peer.pem
posted @ 2021-07-16 11:13  老夫聊发少年狂88  阅读(270)  评论(0编辑  收藏  举报