k8s–证书签发

大家好，又见面了，我是你们的朋友全栈君。

1.准备签发证书环境

运维主机 hdss-1-200.host.com上：

2.安装CFSSL

证书签发工具CFSSL:R1.2

cfssl下载地址  https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 

cfssl-json下载地址 https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64

cfssl-certinfo下载地址  https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64

3. 下载到指定目录

[root@hdss-1-200 ~]# wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 -O /usr/bin/cfssl
[root@hdss-1-200 ~]# wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 -O /usr/bin/cfssl-json
[root@hdss-1-200 ~]# wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64 -O /usr/bin/cfssl-certinfo

4.查看文件并赋执行权限

[root@hdss-1-200 bin]# ls -lrt cf*
-rw-r--r-- 1 root root  2277873 Feb  8 12:01 cfssl-json
-rw-r--r-- 1 root root  6595195 Feb  8 12:01 cfssl-certinfo
-rw-r--r-- 1 root root 10376657 Feb  8 12:01 cfssl
[root@hdss-1-200 bin]# chmod +x /usr/bin/cfssl*
[root@hdss-1-200 bin]# ls -lrt cf*
-rwxr-xr-x 1 root root  2277873 Feb  8 12:01 cfssl-json
-rwxr-xr-x 1 root root  6595195 Feb  8 12:01 cfssl-certinfo
-rwxr-xr-x 1 root root 10376657 Feb  8 12:01 cfssl
[root@hdss-1-200 bin]# which cfssl-certinfo
/usr/bin/cfssl-certinfo
[root@hdss-1-200 bin]# which cfssl
/usr/bin/cfssl
[root@hdss-1-200 bin]# which cfssl-json
/usr/bin/cfssl-json

5.签发证书，创建指定的目录

[root@hdss-1-200 opt]# mkdir certs
[root@hdss-1-200 opt]# cd certs/
[root@hdss-1-200 certs]# 

6.创建生成CA证书签名请求（csr）的JSON配置文件

[root@hdss-1-200 certs]# vi /opt/certs/ca-csr.json
{
    "CN": "OldboyEdu",		# 机构名称，浏览器使用该字段验证网站是否合法，一般写的是域名，非常重要，浏览器使用该字段验证网站是否合法
    "hosts": [	
    ],
    "key": {			
        "algo": "rsa",		# 算法
        "size": 2048		# 长度
    },
    "names": [
        {
            "C": "CN",		# C，国家
            "ST": "beijing",	# ST 州，省
            "L": "beijing",	# L 地区 城市
            "O": "od",		# O 组织名称，公司名称
            "OU": "ops"		# OU 组织单位名称，公司部门
        }
    ],
    "ca": {
        "expiry": "175200h"	# expiry 过期时间，任何证书都有过期时间.20年
    }
}

 7.签发证书

[root@hdss-1-200 certs]# cfssl gencert -initca ca-csr.json 
2021/02/08 12:13:54 [INFO] generating a new CA key and certificate from CSR
2021/02/08 12:13:54 [INFO] generate received request
2021/02/08 12:13:54 [INFO] received CSR
2021/02/08 12:13:54 [INFO] generating key: rsa-2048
2021/02/08 12:13:54 [INFO] encoded CSR
2021/02/08 12:13:54 [INFO] signed certificate with serial number 240189431803521968703357144322271086616848173037
{"cert":"-----BEGIN CERTIFICATE-----\nMIIDtDCCApygAwIBAgIUKhJ3dIfX4mYealjZtJhdi99hB+0wDQYJKoZIhvcNAQEL\nBQAwYDELMAkGA1UEBhMCQ04xEDAOBgNVBAgTB2JlaWppbmcxEDAOBgNVBAcTB2Jl\naWppbmcxCzAJBgNVBAoTAm9kMQwwCgYDVQQLEwNvcHMxEjAQBgNVBAMTCU9sZGJv\neUVkdTAeFw0yMTAyMDgxNzA5MDBaFw00MTAyMDMxNzA5MDBaMGAxCzAJBgNVBAYT\nAkNOMRAwDgYDVQQIEwdiZWlqaW5nMRAwDgYDVQQHEwdiZWlqaW5nMQswCQYDVQQK\nEwJvZDEMMAoGA1UECxMDb3BzMRIwEAYDVQQDEwlPbGRib3lFZHUwggEiMA0GCSqG\nSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC/H+E5rO6Y3Z+RjTdyTY3JerrDignTHN3v\nyOsGFM9REVD2qLFtRZ4Koj92KxuTivJm20GOgTr5UC504AhtS1L5TK9oXMR6YPtK\n36tlJ6LjJABM3nEKOr/TSQedFz6bGZ8DIJgEDIUI4QpRs71ZSsvalHfeD4WZg8Iu\n46PLZC1ObovOqyBhB3lds7QKF3hnKcGoInA7P8ZcEdLhEfD8N4u9HIYHnyHyoQYi\nStjpAAGc9rr5yGCAm8wE+e2YkMbMbL47nIf7kZdHhBR2DfmItkJLvgeIBJVn5DmQ\nnPeWgCJg7QOa+KbxAgitBwuw8xWIjvKLdnx9vEVDjb9H3ae97uJHAgMBAAGjZjBk\nMA4GA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgECMB0GA1UdDgQWBBTm\n1AYuIz1AxW8jSdiNe9L1oOGY0TAfBgNVHSMEGDAWgBTm1AYuIz1AxW8jSdiNe9L1\noOGY0TANBgkqhkiG9w0BAQsFAAOCAQEAA6YdDer2KKc5iAQciZxAZWXOdpnFCnzi\nj+tOclgajoJzsX3EBEHszUY7RqXRDXIF5ZSEYESHd5HqxdwtZBdG0mvVNm07YoCv\n6eVFoICqTtoodyRJIrqtiE40Gx21/RMsgvrFFC5QhkWKGbWDtz+3uowRyd1aYfGJ\nvaCatl2dcDMc2gI0x++Bu5m7C3nftfeO1uVZPgq3aH2nMC+zrYCzubE6bFSBSQbT\nhz88p8TeZOZcBdTVhMG7LXApfSOCO5Fbw1EXnn1nGMAAm6WmRzsIDRdknzDpcQe3\nkKSlNeFtY8kY1BKhMnU4fHThcubNCK8CWzoObejwAsHQmH+8fMN/Qg==\n-----END CERTIFICATE-----\n","csr":"-----BEGIN CERTIFICATE REQUEST-----\nMIICpTCCAY0CAQAwYDELMAkGA1UEBhMCQ04xEDAOBgNVBAgTB2JlaWppbmcxEDAO\nBgNVBAcTB2JlaWppbmcxCzAJBgNVBAoTAm9kMQwwCgYDVQQLEwNvcHMxEjAQBgNV\nBAMTCU9sZGJveUVkdTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL8f\n4Tms7pjdn5GNN3JNjcl6usOKCdMc3e/I6wYUz1ERUPaosW1FngqiP3YrG5OK8mbb\nQY6BOvlQLnTgCG1LUvlMr2hcxHpg+0rfq2UnouMkAEzecQo6v9NJB50XPpsZnwMg\nmAQMhQjhClGzvVlKy9qUd94PhZmDwi7jo8tkLU5ui86rIGEHeV2ztAoXeGcpwagi\ncDs/xlwR0uER8Pw3i70chgefIfKhBiJK2OkAAZz2uvnIYICbzAT57ZiQxsxsvjuc\nh/uRl0eEFHYN+Yi2Qku+B4gElWfkOZCc95aAImDtA5r4pvECCK0HC7DzFYiO8ot2\nfH28RUONv0fdp73u4kcCAwEAAaAAMA0GCSqGSIb3DQEBCwUAA4IBAQCh11nDWCUF\ne3qtBymlC38h02yOtXUmf7sUou2POQ6r12GiIdrY57qtjVIh5LqPMpjpJjUk+A3v\nbOGjipCIemGj5iKsKOt1AaA1/EhabJjEg+LxwWhIZ/jGsu4KIMBxZ7ZWFTRJDG9B\nDeREV//vcaaYZ6zdXTu1H8Ns5zC+0cx/7Yyq/pg8wfgEw1pV+5jIj3ryjmRYj5ow\nA/U7WYFKQ139jREpKOQAKECBByf7CNw0iHAbdyo4PNXz72YmArOronbcw4B9djeK\n/dGv1tVELUp/ZkXwBvtZFJSdyOD7xz76IIpguea8fLvUU2m5RrDfLrZwDB6nN3Io\nBSKLD/3tHUJk\n-----END CERTIFICATE REQUEST-----\n","key":"-----BEGIN RSA PRIVATE KEY-----\nMIIEpAIBAAKCAQEAvx/hOazumN2fkY03ck2NyXq6w4oJ0xzd78jrBhTPURFQ9qix\nbUWeCqI/disbk4ryZttBjoE6+VAudOAIbUtS+UyvaFzEemD7St+rZSei4yQATN5x\nCjq/00kHnRc+mxmfAyCYBAyFCOEKUbO9WUrL2pR33g+FmYPCLuOjy2QtTm6Lzqsg\nYQd5XbO0Chd4ZynBqCJwOz/GXBHS4RHw/DeLvRyGB58h8qEGIkrY6QABnPa6+chg\ngJvMBPntmJDGzGy+O5yH+5GXR4QUdg35iLZCS74HiASVZ+Q5kJz3loAiYO0Dmvim\n8QIIrQcLsPMViI7yi3Z8fbxFQ42/R92nve7iRwIDAQABAoIBACV943ik68kg8IRk\n51OM0xuK78gb9AFt0DuRdkkjG+gTNYatYODGn1IGsdxEaIxw3UxABoQl5aOyjupu\naDjIZeZxnJckW4aGL8VoSv7034cfMM/jctlG3QpdcRjnzmguhnrekfN5YT90pcmR\nMLuraIHgTgNJmDOdHSKFlUP4yspvnWtn8BcbtI9joE3FOv4aciC0yP52cpOO1XL5\nFVPabEypnQDNs6C50oP6Va1Do3YtKdbAPZV/h35pgtPfUI3tLobfgT6tj9ZFLrg+\nM5eULW6RsDXBh7aqgSo5YPu94b3LZzC8sOarN855JLd+XSIGaoFuGCUzQiwLfydM\nuxteuQECgYEA/mPTnbaD7eZWOuj6IMcxV8h5SGxFrShxq/7YILdbXAz0ZTaNf5W/\ndXgXUU7ETtsVbjhIsrkUSWXkQAfRxcp62qdgfW2toVhtMurlQ48gUex16lWKsC9G\nxu/H6USRVUKRG41cHI7TuXRMs5Nt6/9aaI0+eaOYEn2UJXBNCASrmJcCgYEAwFWM\nP+/k9xfwW0/W6kbPyWSKiRP3Xp4r1zI5pfSTioJRrFFpzMTMJ2jKW1L/oGa/DKNZ\nXBobFbL6QNBD7w+wpTX3YReNVFMIIDNxwSuch6fIN8/VOfdqeWJVtXx9RK6VyyMK\nRIq4nWfc2XTqi9F1SQAeVPykcyVI3sO76AuWCdECgYBrfmlUUmRrKZK0b/AJ28H4\n8wh01vOWWOm3oQdYw8ICIqM/BY9DI1b031sTC3KeU6s5mOT3SIfPABQ0DlnQ9190\nd5epSKg+7muuQV3Bb4BbvcyRybXB/ygsNfRGmKfE3E0O1Gvg0WWcDw2+MAUZ3Rwp\n481LfxpqbdAlBdA3HCoaXwKBgQCrzX7rOfHP2n1kQ2wZd0lyfzHUgpZL2YQVxRKD\nsHX+mqwz/cFBHWWzqkJf00LuV/k+Y8eVougguPAb5y1XpS9IVG12OCCRe13dzbZG\nNButfW02lZrFHcHpTbJ73AjVyhGaE+G/Gh8Q088OHAbLAD4BCG8PwWFwTZTLEBKQ\nk5DhkQKBgQDkXHYPgFI95olQiSnpsW2VGSjuFRR1vtrgT+o/8OuySrJDiJSTajVp\ndjPhFRMklLWwjngi2Ah9I803zBPD2IkVvyeM++8yIoCrwrt289DBiUdC4Gqae/eX\n3Sbgz4N6kF8gnGRZhCp0NUA94d84mxOO8SiapWz0IhfKjI9JNeSvoA==\n-----END RSA PRIVATE KEY-----\n"}

8.做成承载式证书

[root@hdss-1-200 certs]# ls
ca-csr.json
[root@hdss-1-200 certs]# cfssl gencert -initca ca-csr.json | cfssl-json -bare ca
2021/02/09 15:30:09 [INFO] generating a new CA key and certificate from CSR
2021/02/09 15:30:09 [INFO] generate received request
2021/02/09 15:30:09 [INFO] received CSR
2021/02/09 15:30:09 [INFO] generating key: rsa-2048
2021/02/09 15:30:10 [INFO] encoded CSR
2021/02/09 15:30:10 [INFO] signed certificate with serial number 80946315882407051316915181916096221469731026792
[root@hdss-1-200 certs]# ll
total 16
-rw-r--r-- 1 root root  993 Feb  9 15:30 ca.csr
-rw-r--r-- 1 root root  346 Feb  9 15:29 ca-csr.json
-rw------- 1 root root 1675 Feb  9 15:30 ca-key.pem
-rw-r--r-- 1 root root 1346 Feb  9 15:30 ca.pem
[root@hdss-1-200 certs]# 

 9.查看证书

[root@hdss-1-200 certs]# cat ca.csr 
-----BEGIN CERTIFICATE REQUEST-----
MIICpTCCAY0CAQAwYDELMAkGA1UEBhMCQ04xEDAOBgNVBAgTB2JlaWppbmcxEDAO
BgNVBAcTB2JlaWppbmcxCzAJBgNVBAoTAm9kMQwwCgYDVQQLEwNvcHMxEjAQBgNV
BAMTCU9sZGJveUVkdTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMly
Swes0sjLmU7KGG3ZDiOjggopHFawF5MRbNjjpbBBIr+uscPr5TNHls6S9lYOnUF9
RCFukDxZvf7xXJDeCWovCuiowVxA/N0nt0n8ESlh3OOS/eVnoeO6k2jG7LZxFjmB
9lQHVR1Lluc6yDd+36wvCVw/xjhcrAkAAFcwbRZm7PDzuzeXbWWbxhD1hg1vC7s8
qRd24mWIPoEUV4ZxAZWtpcZRa0etstVBjrF2LR/vpFCp6AYwe7Bykx0Sz1iIz05x
xEkkIp+aKw/pwau4lKa4UzN9OcHw2y41wUQ7pWSsYTByWTJW+NEQrC5azB1YCI6M
zwyz3A8MxGLl1AG2LhsCAwEAAaAAMA0GCSqGSIb3DQEBCwUAA4IBAQA25mT5mJHR
+BDs8jq12qQjRljuVHJwDSIrLDHMOGGhIUzOBIe94Nj/tSXJ8Y7gQ+VeJIR+Yhjg
eW/8dpqOz0wqv8npXsUfmwrMWtYJu5YyuA7GLs03AwWyQIfycqAHfT1zp20YMr2j
bZkTCPiggk9Nb3k5fqyQyu7kdpvxQfS+d5Ygp5PHsU/pHzvxPhHbbIRwMGFgrrIr
6wMekRl2ruUnB2zt/RcPNcUYUnePIJLT8BakmPHyKsVouOEsqO/c470QN/KJvk3C
oxMF84qkPF1zBhS1ElMTpzXCbMQtyO0yMINvvAyPlM6NJ/4w+FO9AQG9X4f0tmrq
pPvaYwOqTV6w
-----END CERTIFICATE REQUEST-----
[root@hdss-1-200 certs]#