Creating a CA certificate, server certificate and client certificate with the CFSSL tool

Published by 3K on 2020-12-04

Background

When deploying components on a local network, you may want certificates to authenticate the parties and secure the communication. The cfssl tool can be used to create the CA certificate, the server certificate and the client certificate.

Installing the cfssl tools

Download the cfssl, cfssljson and cfssl-certinfo binaries and upload them to the server:

[root@nccztsjb-node-17 data]# ls -ltr
total 35936
-rw-r--r-- 1 root root 15108368 Nov 27 14:07 cfssl_1.5.0_linux_amd64
-rw-r--r-- 1 root root  9663504 Nov 27 14:21 cfssljson_1.5.0_linux_amd64
-rw-r--r-- 1 root root 12021008 Nov 30 11:22 cfssl-certinfo_1.5.0_linux_amd64

Make the binaries executable and copy them into a directory on PATH:

[root@nccztsjb-node-17 data]# chmod +x cfssl*
[root@nccztsjb-node-17 data]# cp cfssl_1.5.0_linux_amd64 /usr/local/bin/cfssl
[root@nccztsjb-node-17 data]# cp cfssljson_1.5.0_linux_amd64 /usr/local/bin/cfssljson
[root@nccztsjb-node-17 data]# cp cfssl-certinfo_1.5.0_linux_amd64 /usr/local/bin/cfssl-certinfo
[root@nccztsjb-node-17 data]# cfssl version
Version: 1.5.0
Runtime: go1.12.12

Note: at this point the cfssl tools are installed.

Creating the CA root certificate

The CA root certificate is used mainly to sign the other certificates.

Create the CA configuration file

cat >ca-config.json <<EOF
{
  "signing": {
    "default": {
      "expiry": "262800h"
    },
    "profiles": {
      "kubernetes": {
        "usages": [
            "signing",
            "key encipherment",
            "server auth",
            "client auth"
        ],
        "expiry": "262800h"
      }
    }
  }
}
EOF

Note: the default validity period of the certificates signed with this CA is set here, and several profiles can be defined for different purposes.
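The signing config above is plain JSON that cfssl reads, so it can be checked before any certificate is issued. The following is an added example, not code from the original post or from cfssl: it parses the Go-style "expiry" durations cfssl accepts (for instance "262800h", which works out to 30 years), and checks that a profile carries the key usages a server or client certificate needs. The two-year threshold in check_profile is an assumption chosen for illustration, not a cfssl default, and the embedded config is a constructed copy of the page's ca-config.json.

```python
"""Lint a cfssl signing config (ca-config.json) before using it to issue certificates."""
import json
import re

# Go duration syntax as cfssl accepts it: a run of <number><unit> pairs,
# e.g. "8760h", "720h30m", "1.5h". Only h/m/s matter for certificate expiry.
_UNIT_SECONDS = {"h": 3600, "m": 60, "s": 1}
_DURATION_RE = re.compile(r"(\d+(?:\.\d+)?)([hms])")
HOURS_PER_YEAR = 8760  # 365 days; precise enough for reporting


def parse_go_duration(text: str) -> float:
    """Return the number of seconds in a Go duration string; reject anything else."""
    parts = _DURATION_RE.findall(text)
    if not parts or "".join(n + u for n, u in parts) != text:
        raise ValueError(f"not a valid Go duration: {text!r}")
    return sum(float(n) * _UNIT_SECONDS[u] for n, u in parts)


def expiry_years(text: str) -> float:
    """Convert a cfssl expiry such as '262800h' into years."""
    return parse_go_duration(text) / 3600 / HOURS_PER_YEAR


# Usages each role needs: "signing" and "key encipherment" are the basic key
# usages; the extended usages are what a TLS peer checks for the role.
REQUIRED_USAGES = {
    "server": {"signing", "key encipherment", "server auth"},
    "client": {"signing", "key encipherment", "client auth"},
}


def check_profile(config: dict, profile: str, role: str, max_years: float = 2.0) -> list:
    """Return a list of findings; an empty list means the profile suits the role."""
    findings = []
    signing = config.get("signing", {})
    prof = signing.get("profiles", {}).get(profile)
    if prof is None:
        return [f"profile {profile!r} is not defined"]
    missing = REQUIRED_USAGES[role] - set(prof.get("usages", []))
    if missing:
        findings.append(f"profile {profile!r} lacks usages for {role}: {sorted(missing)}")
    # A profile without its own expiry falls back to signing.default.expiry.
    expiry = prof.get("expiry") or signing.get("default", {}).get("expiry")
    if expiry is None:
        findings.append(f"profile {profile!r} has no expiry and no default expiry")
    else:
        years = expiry_years(expiry)
        if years > max_years:  # max_years is an illustrative threshold, not a cfssl rule
            findings.append(f"profile {profile!r} expiry {expiry} is {years:.1f} years (> {max_years})")
    return findings


# Constructed copy of the page's ca-config.json so the example runs offline.
CA_CONFIG = json.loads("""
{
  "signing": {
    "default": {"expiry": "262800h"},
    "profiles": {
      "kubernetes": {
        "usages": ["signing", "key encipherment", "server auth", "client auth"],
        "expiry": "262800h"
      }
    }
  }
}
""")

if __name__ == "__main__":
    for role in ("server", "client"):
        print(role, check_profile(CA_CONFIG, "kubernetes", role) or "OK")
```

Run against the page's config, the only finding for either role is the 30-year expiry; the usages are complete for both server and client certificates. Raise max_years if a long-lived certificate is intentional for your deployment.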

Create the CA CSR file

cat > ca-csr.json <<EOF
{
  "CN": "kubernetes",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "Beijing",
      "L": "Beijing",
      "O": "DC",
      "OU": "System"
    }
  ],
  "ca": {
    "expiry": "262800h"
  }
}
EOF

Create the CA certificate and private key

[root@nccztsjb-node-17 data]# cfssl gencert -initca ca-csr.json | cfssljson -bare ca
2020/12/04 14:20:39 [INFO] generating a new CA key and certificate from CSR
2020/12/04 14:20:39 [INFO] generate received request
2020/12/04 14:20:39 [INFO] received CSR
2020/12/04 14:20:39 [INFO] generating key: rsa-2048
2020/12/04 14:20:39 [INFO] encoded CSR
2020/12/04 14:20:39 [INFO] signed certificate with serial number 497233672920328375338343228164630446467151606126

[root@nccztsjb-node-17 data]# ls -l ca*
-rw-r--r-- 1 root root  294 Dec  4 14:13 ca-config.json
-rw-r--r-- 1 root root 1045 Dec  4 14:20 ca.csr
-rw-r--r-- 1 root root  246 Dec  4 14:19 ca-csr.json
-rw------- 1 root root 1675 Dec  4 14:20 ca-key.pem
-rw-r--r-- 1 root root 1310 Dec  4 14:20 ca.pem

ca.pem is the CA certificate and ca-key.pem is the CA private key.

Creating the etcd server certificate

Create the etcd CSR file

cat >etcd-csr.json <<EOF
{
  "CN": "etcd",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "Beijing",
      "L": "Beijing",
      "O": "DC",
      "OU": "System"
    }
  ]
}
EOF

Sign the etcd certificate and private key with the CA

cfssl gencert \
  -ca=ca.pem \
  -ca-key=ca-key.pem \
  -config=ca-config.json \
  -profile=kubernetes etcd-csr.json | cfssljson -bare etcd

2020/12/04 14:33:00 [INFO] generate received request
2020/12/04 14:33:00 [INFO] received CSR
2020/12/04 14:33:00 [INFO] generating key: rsa-2048
2020/12/04 14:33:00 [INFO] encoded CSR
2020/12/04 14:33:00 [INFO] signed certificate with serial number 86899219278041222746661164070003623992607015229
2020/12/04 14:33:00 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").

[root@nccztsjb-node-17 data]# ls -l etcd*
-rw-r--r-- 1 root root  993 Dec  4 14:33 etcd.csr
-rw-r--r-- 1 root root  201 Dec  4 14:30 etcd-csr.json
-rw------- 1 root root 1679 Dec  4 14:33 etcd-key.pem
-rw-r--r-- 1 root root 1383 Dec  4 14:33 etcd.pem

etcd.csr is the etcd certificate signing request, etcd-key.pem is the etcd private key and etcd.pem is the etcd certificate. The etcd certificate has now been issued and can be used as etcd's server certificate.
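The warning printed by cfssl gencert above is worth acting on for a server certificate: without a "hosts" field the certificate has no Subject Alternative Names, so a TLS client that checks the peer's name against the certificate will reject it. The following is an added example, not code from the original post or from cfssl: it writes an etcd CSR JSON that includes "hosts", runs the same cfssl gencert | cfssljson -bare pipeline the page uses when both tools are on PATH, and confirms through cfssl-certinfo that the issued certificate carries the expected SANs. The host names and IP addresses are constructed placeholders to be replaced with the etcd member's real names; ca.pem, ca-key.pem, ca-config.json and the kubernetes profile are the files created earlier on the page and are assumed to be in the working directory.

```python
"""Issue an etcd server certificate with SANs using the page's cfssl pipeline."""
import json
import shutil
import subprocess
from pathlib import Path


def build_server_csr(cn: str, hosts: list, org: str = "DC", ou: str = "System") -> dict:
    """Return the cfssl CSR document for a server certificate.

    "hosts" becomes the certificate's Subject Alternative Names. A TLS client
    verifies the server against this list, so every DNS name and IP address the
    server is reached by must appear; 127.0.0.1 lets local health checks verify too.
    """
    if not hosts:
        raise ValueError("a server certificate needs at least one host (SAN)")
    return {
        "CN": cn,
        "hosts": list(hosts),
        "key": {"algo": "rsa", "size": 2048},
        "names": [{"C": "CN", "ST": "Beijing", "L": "Beijing", "O": org, "OU": ou}],
    }


def sign_with_ca(csr_path: str, bare_name: str, ca: str = "ca.pem", ca_key: str = "ca-key.pem",
                 config: str = "ca-config.json", profile: str = "kubernetes", cwd: str = ".") -> bool:
    """Run cfssl gencert ... | cfssljson -bare NAME exactly as on the page.

    Returns True when cfssl did not print its "lacks a hosts field" warning.
    """
    gencert = subprocess.run(
        ["cfssl", "gencert", f"-ca={ca}", f"-ca-key={ca_key}",
         f"-config={config}", f"-profile={profile}", csr_path],
        cwd=cwd, capture_output=True, text=True, check=True)
    # cfssljson reads the JSON bundle on stdin and writes NAME.pem, NAME-key.pem, NAME.csr.
    subprocess.run(["cfssljson", "-bare", bare_name],
                   input=gencert.stdout, cwd=cwd, text=True, check=True)
    return 'lacks a "hosts" field' not in gencert.stderr


def missing_sans(cert_sans: list, expected_hosts: list) -> list:
    """Return the expected hosts that are absent from the certificate's SAN list."""
    present = set(cert_sans)
    return [h for h in expected_hosts if h not in present]


def certificate_sans(cert_path: str, cwd: str = ".") -> list:
    """Read the SAN list from a certificate via cfssl-certinfo's JSON output ("sans" key)."""
    info = subprocess.run(["cfssl-certinfo", "-cert", cert_path],
                          cwd=cwd, capture_output=True, text=True, check=True)
    return json.loads(info.stdout).get("sans", [])


if __name__ == "__main__":
    ETCD_HOSTS = ["etcd-1.example.internal", "10.0.0.11", "127.0.0.1"]  # constructed placeholders
    Path("etcd-csr.json").write_text(json.dumps(build_server_csr("etcd", ETCD_HOSTS), indent=2) + "\n")
    if all(shutil.which(t) for t in ("cfssl", "cfssljson", "cfssl-certinfo")):
        quiet = sign_with_ca("etcd-csr.json", "etcd")
        gap = missing_sans(certificate_sans("etcd.pem"), ETCD_HOSTS)
        print("hosts warning absent:", quiet, "| missing SANs:", gap or "none")
    else:
        print("cfssl tools not on PATH; wrote etcd-csr.json only")
```

With "hosts" present the gencert step no longer prints the warning, and the SAN check fails loudly if the certificate does not cover a name the clients will use. The same build_server_csr shape, with "server auth" swapped for "client auth" in the profile, is what a client certificate would use; hosts can then be omitted.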
