Self-signed certificates for etcd
Posted xw115428
Preparation
Two sets of certificates are needed: one for Kubernetes component communication and one for etcd's internal (peer/client) communication.
Download the certificate generation tools
[root@k8s-master01 k8s]# curl -L https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 -o /usr/local/bin/cfssl
[root@k8s-master01 k8s]# curl -L https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 -o /usr/local/bin/cfssljson
[root@k8s-master01 k8s]# curl -L https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64 -o /usr/local/bin/cfssl-certinfo
[root@k8s-master01 k8s]# chmod +x /usr/local/bin/cfssl*
Self-signed certificates for etcd
1. Create the self-signed CA for etcd
Create the CA configuration JSON files
[root@k8s-master01 etcd]# cat ca-csr.json
{
    "CN": "etcd CA",
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "Heibei",
            "ST": "WuHan"
        }
    ]
}
[root@k8s-master01 etcd]# cat ca-config.json
{
    "signing": {
        "default": {
            "expiry": "876000h"
        },
        "profiles": {
            "www": {
                "expiry": "876000h",
                "usages": [
                    "signing",
                    "key encipherment",
                    "server auth",
                    "client auth"
                ]
            }
        }
    }
}
2. Build the CA
[root@k8s-master01 etcd]# cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
2019/11/01 17:35:11 [INFO] generating a new CA key and certificate from CSR
2019/11/01 17:35:11 [INFO] generate received request
2019/11/01 17:35:11 [INFO] received CSR
2019/11/01 17:35:11 [INFO] generating key: rsa-2048
2019/11/01 17:35:11 [INFO] encoded CSR
2019/11/01 17:35:11 [INFO] signed certificate with serial number 92590521640563530821402907840883867551598481151
[root@k8s-master01 etcd]# ls *.pem
ca-key.pem  ca.pem
ca.pem is the CA's certificate
ca-key.pem is the CA's private key
3. Create the configuration file for the etcd certificate
[root@k8s-master01 etcd]# cat server-csr.json
{
    "CN": "etcd",
    "hosts": [
        "10.16.8.161",
        "10.16.8.162",
        "10.16.8.163"
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "HuBei",
            "ST": "WuHan"
        }
    ]
}
4. Generate the etcd server certificate
[root@k8s-master01 etcd]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=www server-csr.json | cfssljson -bare server
2019/11/01 17:43:28 [INFO] generate received request
2019/11/01 17:43:28 [INFO] received CSR
2019/11/01 17:43:28 [INFO] generating key: rsa-2048
2019/11/01 17:43:29 [INFO] encoded CSR
2019/11/01 17:43:29 [INFO] signed certificate with serial number 54870045087631859810761264273552824049503170814
2019/11/01 17:43:29 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").

[root@k8s-master01 etcd]# ls server*.pem
server-key.pem  server.pem
5. The certificates that will be used
[root@k8s-master01 etcd]# ll *.pem
-rw------- 1 root root 1679 11月  1 17:35 ca-key.pem
-rw-r--r-- 1 root root 1257 11月  1 17:35 ca.pem
-rw------- 1 root root 1679 11月  1 17:43 server-key.pem
-rw-r--r-- 1 root root 1330 11月  1 17:43 server.pem
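Before handing these files to etcd it is worth checking that server.pem really chains to ca.pem, carries the three node IPs from server-csr.json as SANs, and has both the server-auth and client-auth usages the "www" profile asked for. The script below is an added example, not part of the original post; it assumes only openssl is installed, and the make_fixture helper is a constructed stand-in for the cfssl output on a machine without cfssl.

```bash
#!/usr/bin/env bash
# Added example, not part of the original post. Checks the files produced
# above before they are handed to etcd. Assumes only openssl is installed.
set -eu

# Pass: cert chains to ca, lists $ip as an IP SAN, carries both the
# server-auth and client-auth EKUs the "www" profile requested, and does
# not expire within 30 days. Prints "ok" and returns 0, else names the
# failed check and returns 1.
check_etcd_cert() {
  local ca="$1" cert="$2" ip="$3" text
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || { echo "chain: FAIL"; return 1; }
  text=$(openssl x509 -in "$cert" -noout -text)
  echo "$text" | grep -qE "IP Address:$ip(,|\$)" || { echo "SAN $ip: FAIL"; return 1; }
  echo "$text" | grep -q "TLS Web Server Authentication" || { echo "serverAuth: FAIL"; return 1; }
  echo "$text" | grep -q "TLS Web Client Authentication" || { echo "clientAuth: FAIL"; return 1; }
  openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null || { echo "expiry: FAIL"; return 1; }
  echo "ok"
}

# Constructed fixture for machines without cfssl: mint a throwaway CA and
# server cert with openssl that mirror ca-csr.json and server-csr.json.
make_fixture() {
  local dir="$1"
  mkdir -p "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -days 36500 -subj "/CN=etcd CA" \
    -keyout "$dir/ca-key.pem" -out "$dir/ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=etcd" \
    -keyout "$dir/server-key.pem" -out "$dir/server.csr" 2>/dev/null
  printf '%s\n' 'subjectAltName=IP:10.16.8.161,IP:10.16.8.162,IP:10.16.8.163' \
    'extendedKeyUsage=serverAuth,clientAuth' \
    'keyUsage=digitalSignature,keyEncipherment' > "$dir/ext.cnf"
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca-key.pem" \
    -CAcreateserial -days 36500 -extfile "$dir/ext.cnf" -out "$dir/server.pem" 2>/dev/null
}

# Stand-alone demo against the constructed fixture; with real cfssl output,
# call check_etcd_cert ca.pem server.pem <node-ip> directly instead.
if [ "${1:-}" = "--demo" ]; then
  work=$(mktemp -d)
  make_fixture "$work"
  check_etcd_cert "$work/ca.pem" "$work/server.pem" 10.16.8.161
  check_etcd_cert "$work/ca.pem" "$work/server.pem" 10.16.8.164 || true
fi
```

Run it once per node IP listed in server-csr.json; a FAIL on the SAN check is the usual cause of etcd peers rejecting each other's TLS handshake.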