• cfssl self-signed certificates


    Install cfssl

    7-200 ~]# curl -s -L -o /usr/bin/cfssl https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 
    7-200 ~]# curl -s -L -o /usr/bin/cfssljson https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 
    7-200 ~]# curl -s -L -o /usr/bin/cfssl-certinfo https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64 
    7-200 ~]# chmod +x /usr/bin/cfssl*
    
    R1.2 is an old release, and the three binaries above are fetched with no integrity check. Current cfssl builds are published on the cloudflare/cfssl GitHub releases page; whichever source you use, compare the downloads against the published checksums before marking them executable, because every key and certificate generated below is only as trustworthy as these binaries.

    2.2 Configuration

    Create the signing policy, ca-config.json. This file is not used when the CA itself is created; it is passed to cfssl gencert -config once the CA starts issuing certificates, and each profile in it fixes the validity period and key usages of one kind of leaf certificate

    7-200 ~]# mkdir /opt/certs
    7-200 ~]# vim /opt/certs/ca-config.json
    {
        "signing": {
            "default": {
                "expiry": "175200h"
            },
            "profiles": {
                "server": {
                    "expiry": "175200h",
                    "usages": [
                        "signing",
                        "key encipherment",
                        "server auth"
                    ]
                },
                "client": {
                    "expiry": "175200h",
                    "usages": [
                        "signing",
                        "key encipherment",
                        "client auth"
                    ]
                },
                "peer": {
                    "expiry": "175200h",
                    "usages": [
                        "signing",
                        "key encipherment",
                        "server auth",
                        "client auth"
                    ]
                }
            }
        }
    }
    

    Every profile above, and the default, uses "expiry": "175200h", which is 20 years. A leaf certificate that lives that long can only be revoked, never aged out, so for anything reachable over the network prefer a much shorter expiry (8760h is one year) and re-issue on a schedule.

    Certificate types
    client certificate: used by a client so the server can authenticate it, e.g. etcdctl, etcd proxy, fleetctl, the docker client
    server certificate: used by a server so clients can verify its identity, e.g. the docker daemon, kube-apiserver
    peer certificate: server auth and client auth in one certificate, used for communication between etcd cluster members

    Create the JSON file describing the CA's certificate signing request (CSR). The hosts array stays empty because a CA certificate is never presented by a TLS server; it only signs other certificates

    /opt/certs/ca-csr.json
    {
        "CN": "kubernetes-ca",
        "hosts": [
        ],
        "key": {
            "algo": "rsa",
            "size": 2048
        },
        "names": [
            {
                "C": "CN",
                "ST": "shanghai",
                "L": "shanghai",
                "O": "phc-dow",
                "OU": "kjdow"
            }
        ],
        "ca": {
            "expiry": "175200h"
        }
    }
    

    CN: Common Name. Historically the name a browser compared against the site's hostname. Modern TLS clients, browsers and Go programs such as kube-apiserver and etcd alike, match hostnames against the Subject Alternative Name extension instead, which cfssl fills from the "hosts" array, so CN alone does not make a server certificate valid for a name. It still matters: for client certificates presented to kube-apiserver, CN is the user name.
    C: Country
    ST: State or province
    L: Locality, the city
    O: Organization Name, the company name (kube-apiserver reads it as the group name for client certificates)
    OU: Organization Unit Name, the department

    Generate the CA certificate and private key

    7-200 ~]# cd /opt/certs
    7-200 certs]# cfssl gencert -initca ca-csr.json | cfssljson -bare ca  
    2019/01/18 09:31:19 [INFO] generating a new CA key and certificate from CSR
    2019/01/18 09:31:19 [INFO] generate received request
    2019/01/18 09:31:19 [INFO] received CSR
    2019/01/18 09:31:19 [INFO] generating key: rsa-2048
    2019/01/18 09:31:19 [INFO] encoded CSR
    2019/01/18 09:31:19 [INFO] signed certificate with serial number 345276964513449660162382535043012874724976422200
    
    7-200 certs]# ls -l
    -rw-r--r-- 1 root root  836 Jan 16 11:04 ca-config.json
    -rw-r--r-- 1 root root  332 Jan 16 11:10 ca-csr.json
    -rw------- 1 root root 1675 Jan 16 11:17 ca-key.pem
    -rw-r--r-- 1 root root 1001 Jan 16 11:17 ca.csr
    -rw-r--r-- 1 root root 1354 Jan 16 11:17 ca.pem
    

    This produces ca.pem (the CA certificate, to be distributed to every node that must trust this CA), ca.csr (the signing request, not needed afterwards) and ca-key.pem (the CA private key, created with mode 0600 as the listing shows). Anything that holds ca-key.pem can mint certificates the whole cluster trusts, so keep it off the worker nodes and back it up offline.
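    The post stops at creating the CA; the next step is using the profiles. The script below is an added example, not the post's own commands: it writes a leaf CSR with the names in "hosts", issues it from this CA with the server profile, and then checks with openssl that the chain validates and that the Extended Key Usage and SAN the profile and hosts should have produced are really in the certificate, plus that the CA itself is marked CA:TRUE and its key is still 0600. It assumes ca.pem, ca-key.pem and ca-config.json are in /opt/certs (override with CERT_DIR), that cfssl, cfssljson and openssl are on PATH, and that kube-apiserver, kubernetes, 10.4.7.10 and 127.0.0.1 are placeholder names and addresses for the API server.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post. Issues a leaf certificate from
# the CA built above and verifies the result. Assumes ca.pem, ca-key.pem and
# ca-config.json live in $CERT_DIR and that cfssl, cfssljson and openssl are
# on PATH. All hostnames and IPs below are placeholders.
set -u

CERT_DIR="${CERT_DIR:-/opt/certs}"

# Write a CSR JSON for a leaf certificate. Every name a client will connect to
# goes in "hosts": cfssl copies them into the SAN extension, which is what
# TLS clients actually match against (CN is not used for hostname checks).
write_csr_json() {
    local out="$1" cn="$2"; shift 2
    local hosts="" h
    for h in "$@"; do
        hosts="${hosts:+$hosts,}\"$h\""
    done
    cat > "$out" <<EOF
{
    "CN": "$cn",
    "hosts": [$hosts],
    "key": { "algo": "rsa", "size": 2048 },
    "names": [ { "C": "CN", "ST": "shanghai", "L": "shanghai", "O": "phc-dow", "OU": "kjdow" } ]
}
EOF
}

# Sign a CSR JSON with the CA using one of the profiles from ca-config.json
# (server, client or peer). Produces $name.pem, $name-key.pem and $name.csr.
issue_cert() {
    local profile="$1" csr_json="$2" name="$3"
    ( cd "$CERT_DIR" && cfssl gencert \
        -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json \
        -profile="$profile" "$csr_json" | cfssljson -bare "$name" )
}

# Verify a leaf: it must chain to ca.pem, and its text dump must show the
# expected Extended Key Usage (from the profile) and SAN entry (from hosts).
verify_cert() {
    local name="$1" expect_eku="$2" expect_san="$3"
    local pem="$CERT_DIR/$name.pem" dump
    openssl verify -CAfile "$CERT_DIR/ca.pem" "$pem" >/dev/null || return 1
    dump=$(openssl x509 -in "$pem" -noout -text) || return 1
    printf '%s\n' "$dump" | grep -q "$expect_eku" || return 1
    printf '%s\n' "$dump" | grep -q "$expect_san" || return 1
}

# Sanity-check the CA itself: it must carry basicConstraints CA:TRUE, and the
# private key must still be readable by its owner only (mode 0600).
check_ca() {
    local pem="$CERT_DIR/ca.pem" key="$CERT_DIR/ca-key.pem"
    openssl x509 -in "$pem" -noout -text | grep -q 'CA:TRUE' || return 1
    [ -n "$(find "$key" -perm 0600 2>/dev/null)" ] || return 1
}

# Only run the issuance when the CA and the tools are present; the functions
# above can still be sourced and used on their own.
if [ -f "$CERT_DIR/ca.pem" ] && command -v cfssl >/dev/null 2>&1 \
   && command -v cfssljson >/dev/null 2>&1 && command -v openssl >/dev/null 2>&1; then
    write_csr_json "$CERT_DIR/apiserver-csr.json" kube-apiserver \
        kubernetes 10.4.7.10 127.0.0.1
    issue_cert server apiserver-csr.json apiserver
    verify_cert apiserver "TLS Web Server Authentication" "IP Address:10.4.7.10" \
        && echo "apiserver.pem: chain, EKU and SAN OK"
    check_ca && echo "ca.pem: CA:TRUE and ca-key.pem mode 0600 OK"
else
    echo "skipping issuance: need $CERT_DIR/ca.pem plus cfssl, cfssljson and openssl on PATH" >&2
fi
```

    A peer certificate for an etcd member is the same call with -profile=peer and the member's own hostname and IP in hosts; verify_cert then expects both "TLS Web Server Authentication" and "TLS Web Client Authentication" in the dump. If verify_cert fails on the SAN line, the usual cause is a name that was never put in hosts, which no CN value will fix.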

  • Original article: https://www.cnblogs.com/dinghc/p/13092363.html
Copyright © 2020-2023  润新知