Overview

The officially recommended way is to let kubeadm generate the certificates; if you want to make them by hand, the official documentation recommends cfssl as the simpler and more convenient tool.

This article instead uses openssl to create etcd's root CA certificate and server certificate, purely to explore another way of doing it. The goal is to reproduce the same extension profile that kubeadm puts into its ca.crt and server.crt.

Creating the etcd CA root certificate

Inspecting the CA root certificate that kubeadm generates for etcd

# openssl x509 -in ca.crt -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=etcd-ca
        Validity
            Not Before: Jun 18 02:25:38 2020 GMT
            Not After : Jun 16 02:25:38 2030 GMT
        Subject: CN=etcd-ca
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:e8:68:49:8d:70:76:65:94:39:c1:a5:2e:a9:94:
                    53:83:cd:a1:da:3c:6e:80:d1:9a:95:eb:96:98:5a:
                    c1:7d:04:53:41:b3:81:dd:5d:bf:72:06:cc:1b:9e:
                    d7:20:1f:6d:bf:ba:cb:77:50:c2:e2:34:3f:69:64:
                    81:26:7b:05:90:fb:5e:39:97:2d:7f:af:71:32:b3:
                    63:bf:b6:83:25:17:49:89:c4:b8:1f:fe:11:a6:d6:
                    84:cd:7a:92:16:bb:84:9f:48:2d:96:e2:c8:15:da:
                    9b:e0:76:fd:7a:95:1d:1e:0c:66:ea:ed:75:61:85:
                    fe:05:5b:41:7a:02:72:e6:03:81:e0:8c:ab:81:28:
                    75:83:9c:75:25:01:3c:e1:b4:90:a9:a8:06:6c:f4:
                    a1:79:41:60:53:62:58:b7:ac:b9:a7:3d:df:ed:db:
                    85:ab:d0:cb:b1:b5:df:98:08:b3:00:6d:41:5b:e4:
                    65:4a:4b:55:80:19:08:78:db:c3:c9:51:8e:82:12:
                    f2:51:ed:ef:18:26:97:9a:1c:9f:26:01:de:9e:71:
                    76:c0:4c:bc:ee:c2:4c:4a:2a:5c:d9:23:8b:32:01:
                    b5:25:c1:ac:cb:f6:b0:9c:b7:e6:0f:10:16:57:ff:
                    04:9c:a8:38:f3:b0:24:11:e2:c8:25:ee:5f:74:bc:
                    da:2b
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Certificate Sign
            X509v3 Basic Constraints: critical
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
         19:bc:f4:f0:3b:66:6f:90:1c:a9:c5:a4:e4:f4:e7:e2:ea:06:
         22:e0:02:f3:e9:ac:40:67:86:95:d6:4b:04:ed:10:70:31:9d:
         e2:b9:08:18:a5:70:5b:db:b5:8d:e9:34:8e:fe:b3:60:7c:2c:
         ab:6c:70:b1:b2:e1:7d:e3:a2:eb:19:20:5a:f7:97:bc:8d:89:
         8e:b1:c5:25:61:9b:f0:7f:44:a3:4d:b9:02:e4:45:9a:8d:7f:
         42:4f:cb:8e:17:15:47:50:f9:ed:27:a3:4d:0d:4d:fc:75:9e:
         61:a6:c9:b3:f7:9c:85:64:34:ee:27:52:5c:7c:1a:3c:b8:f9:
         3c:9f:e4:67:93:cd:05:da:23:e7:ff:38:ec:e2:9a:14:a4:32:
         3c:86:52:51:92:e7:67:1b:f9:8b:05:1c:da:02:64:1c:ee:32:
         94:20:04:5e:81:44:4a:55:c3:f7:02:ad:c0:95:a9:f6:2c:c3:
         74:ac:14:b8:00:a6:d8:ae:e1:0b:36:2d:e0:a9:9d:b3:43:79:
         73:1a:e8:77:c7:cd:15:74:b9:b9:20:42:1c:30:ad:cb:c0:5f:
         6a:9d:7e:ee:23:46:e8:a4:72:b4:d3:b8:74:be:12:d7:a8:a1:
         31:cf:51:1a:95:ae:2f:e2:cd:c4:4d:2d:a2:da:76:5e:9e:d4:
         2e:c1:02:c8

Create the root CA private key

(umask 077;openssl genrsa -out ca.key 2048)

Generate the signing request (CSR)

Write the openssl config file


cat<<EOF>openssl-ca.conf
[ req ]
default_bits            = 2048
default_md              = sha256
distinguished_name      = req_distinguished_name
attributes              = req_attributes
req_extensions          = v3_req
[ req_distinguished_name ]
[ req_attributes ]
[ v3_req ]
# same profile as kubeadm's ca.crt above: a critical CA:TRUE constraint and
# the Digital Signature, Key Encipherment and Certificate Sign key-usage bits
basicConstraints = critical,CA:true
keyUsage = critical,Digital Signature, Key Encipherment, Certificate Sign
EOF
#generate the signing request from the private key and the config file; the CN is the name of the issuing authority
openssl req -new -key ca.key -out ca.csr -subj "/CN=etcd-ca" -config openssl-ca.conf -reqexts v3_req
#check that the CSR carries the extensions
openssl req -noout -text -in ca.csr

Generate the root CA certificate

#self-sign the CSR with the CA key; the extensions are supplied again via -extfile, because x509 -req does not copy them out of the CSR
openssl x509 -req -in ca.csr -out ca.crt -signkey ca.key -days 3650 -extfile openssl-ca.conf -extensions v3_req

openssl x509 -in ca.crt -noout -text

Creating the etcd server certificate

Inspecting the server certificate that kubeadm generates for etcd

# openssl x509 -in server.crt -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 401045847498090572 (0x590cd12cec4e84c)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=etcd-ca
        Validity
            Not Before: Jun 18 02:25:38 2020 GMT
            Not After : Jun 18 02:25:39 2021 GMT
        Subject: CN=192.168.145.10
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:cb:a2:8d:47:c4:51:5d:19:e5:48:42:ed:62:42:
                    b0:b7:34:b3:e7:58:af:f1:66:82:da:b0:ca:66:3a:
                    df:3a:6d:5b:c7:db:b5:2c:0e:54:dd:b6:0d:a0:6d:
                    56:fa:d8:c7:16:4c:58:08:b1:4c:ca:46:e8:94:66:
                    23:c8:83:cf:e5:bd:c9:71:b2:d9:20:24:36:06:78:
                    34:a1:3c:23:2a:ab:f9:92:38:41:7e:0b:8b:16:f6:
                    07:90:0d:3d:5d:6d:ea:16:27:cf:a2:f9:62:ea:06:
                    55:97:04:92:02:eb:13:6a:49:43:7c:84:72:9a:ec:
                    f0:05:9a:88:42:f0:25:61:99:b9:9a:25:96:18:d0:
                    34:82:89:e0:53:6e:fd:bc:97:67:67:96:4b:5e:8b:
                    1a:2b:87:67:e4:26:e9:06:0d:45:bf:50:cc:a9:a5:
                    8a:ba:e4:57:ef:a5:bd:58:0a:41:8e:96:2f:f4:b0:
                    f1:8a:f5:d9:ba:94:c5:e8:a3:d7:f7:36:01:96:80:
                    e7:42:9e:43:f2:70:40:ed:b0:92:2b:b5:11:33:c4:
                    62:fd:b3:92:ba:89:da:26:6b:0f:16:ad:9f:b0:1c:
                    03:81:41:9f:27:54:25:19:0e:de:cc:e6:d8:70:7f:
                    ac:7b:80:f4:28:ae:db:f8:6e:1e:0a:c0:bd:fb:a3:
                    1b:77
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Subject Alternative Name: 
                DNS:192.168.145.10, DNS:localhost, IP Address:192.168.145.10, IP Address:127.0.0.1, IP Address:0:0:0:0:0:0:0:1
    Signature Algorithm: sha256WithRSAEncryption
         9e:45:73:72:3e:3c:2f:9f:d3:be:0d:80:ba:c1:a1:43:a3:e3:
         d6:1a:20:a0:5d:5f:99:cf:0e:d7:2c:c5:e0:f6:69:2c:b9:99:
         58:69:c3:75:f4:b5:b9:1a:b0:94:84:b4:ef:6f:a4:1a:76:75:
         70:32:2f:d2:b2:b7:41:91:47:a6:be:30:da:7e:2e:0f:77:8b:
         07:31:1f:98:44:a5:5e:02:c6:02:e1:ec:f3:ae:5c:33:b9:ed:
         1d:9b:92:4f:a6:bd:13:09:5b:82:c7:3d:44:56:11:5a:78:da:
         92:77:54:18:fa:0f:4c:b5:b2:81:5f:97:29:74:30:15:7b:6c:
         b9:83:eb:d8:8f:fd:28:f0:57:2e:19:b5:dc:d1:3a:81:76:b9:
         09:47:47:fb:90:96:48:23:72:d1:70:2c:d2:a9:6f:e2:79:cb:
         66:10:1e:dd:3d:0e:80:01:b1:5f:8c:2c:7e:95:3d:fb:e6:56:
         f6:27:de:fe:cb:ba:bf:81:03:9f:54:e3:bb:83:8d:36:27:c1:
         eb:a0:c0:1a:f2:b7:9d:68:c6:83:96:3c:ab:c3:dc:65:34:5e:
         48:a2:da:ca:ce:28:84:23:d4:ed:9c:45:c3:ca:2e:82:0f:78:
         a5:85:f4:3f:5d:eb:c4:d7:1b:b0:02:44:03:ac:3b:7f:66:83:
         4a:1a:e7:0c

Create the server private key

(umask 077;openssl genrsa -out server.key 2048)

Generate the signing request (CSR)

Write the openssl config file


cat<<EOF>openssl-server.conf
[ req ]
default_bits            = 2048
default_md              = sha256
distinguished_name      = req_distinguished_name
attributes              = req_attributes
req_extensions          = v3_req
[ req_distinguished_name ]
[ req_attributes ]
[ v3_req ]
# a server certificate must not be a CA: kubeadm's server.crt above carries
# neither CA:TRUE nor the Certificate Sign bit, only Digital Signature and Key Encipherment
basicConstraints = critical,CA:FALSE
keyUsage = critical,Digital Signature, Key Encipherment
extendedKeyUsage = TLS Web Server Authentication, TLS Web Client Authentication
subjectAltName = @alt_names

[alt_names]
DNS.1 = 192.168.145.11
DNS.2 = localhost
IP.1 = 192.168.145.11
IP.2 = 127.0.0.1
IP.3 = ::1
EOF
#generate the signing request from the private key and the config file; as in kubeadm's server.crt, the CN is the node's own address, not the CA name
openssl req -new -key server.key -out server.csr -subj "/CN=192.168.145.11" -config openssl-server.conf -reqexts v3_req
#check that the CSR carries the extensions (in particular the SAN list)
openssl req -noout -text -in server.csr

Sign the server certificate with the CA

#sign with the CA key; the -extfile must be the server config, not openssl-ca.conf, otherwise server.crt comes out as a CA certificate with no SAN
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 365 -extfile openssl-server.conf -extensions v3_req

openssl x509 -in server.crt -noout -text
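As an added, stand-alone check that is not part of the original article nor of kubeadm: the script below repeats both procedures (CA and server certificate) in a scratch directory with the same extension profile that kubeadm's ca.crt and server.crt show above, verifies the result with openssl verify, and then deliberately signs the server CSR with the CA's extension section (the wrong -extfile) to show why an explicit "is this really a leaf certificate" check on the issued file is worth having. It assumes openssl 1.1.1 or newer on PATH; the directory layout, config section names and the node address 192.168.145.11 are choices of this example.

```shell
#!/bin/sh
# Added example, not from the article or from kubeadm. Assumes openssl 1.1.1+;
# file names, section names and the address 192.168.145.11 are this example's choices.
set -eu

# make_etcd_certs DIR ADDR: a CA (CN=etcd-ca, CA:TRUE, keyCertSign) and a server
# certificate for node ADDR with the extensions kubeadm gives its etcd server.crt
make_etcd_certs() {
  dir=$1; addr=$2
  mkdir -p "$dir"
  cat >"$dir/ca.conf" <<EOF
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,digitalSignature,keyEncipherment,keyCertSign
EOF
  cat >"$dir/server.conf" <<EOF
[ req ]
distinguished_name = dn
[ dn ]
[ v3_server ]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth,clientAuth
subjectAltName = DNS:$addr,DNS:localhost,IP:$addr,IP:127.0.0.1,IP:::1
EOF
  # private keys are written under a restrictive umask, as in the article
  ( umask 077
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null )
  openssl req -new -key "$dir/ca.key" -subj "/CN=etcd-ca" \
    -config "$dir/ca.conf" -out "$dir/ca.csr"
  # extensions are given at signing time: x509 -req does not copy them from the CSR
  openssl x509 -req -in "$dir/ca.csr" -signkey "$dir/ca.key" -days 3650 \
    -extfile "$dir/ca.conf" -extensions v3_ca -out "$dir/ca.crt" 2>/dev/null
  openssl req -new -key "$dir/server.key" -subj "/CN=$addr" \
    -config "$dir/server.conf" -out "$dir/server.csr"
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 365 -extfile "$dir/server.conf" -extensions v3_server \
    -out "$dir/server.crt" 2>/dev/null
}

# verify_chain DIR ADDR: server.crt must chain to ca.crt, be usable as a TLS
# server and list ADDR in its SAN (the address etcd peers and clients connect to)
verify_chain() {
  openssl verify -CAfile "$1/ca.crt" -purpose sslserver -verify_ip "$2" \
    "$1/server.crt" >/dev/null 2>&1
}

# is_leaf CERT: succeed only if CERT cannot itself issue certificates that chain
# to the CA, i.e. it has neither CA:TRUE nor the Certificate Sign key-usage bit
is_leaf() {
  txt=$(openssl x509 -in "$1" -noout -text)
  case $txt in
    *"CA:TRUE"*|*"Certificate Sign"*) return 1 ;;
  esac
  return 0
}

# has_san CERT ENTRY: succeed if CERT's text lists ENTRY, e.g. "IP Address:127.0.0.1"
has_san() {
  openssl x509 -in "$1" -noout -text | grep -q -- "$2"
}

# sign_with_ca_section DIR: sign the server CSR with the CA's extension section
# (the wrong -extfile); the result has CA:TRUE, keyCertSign and no SAN at all
sign_with_ca_section() {
  openssl x509 -req -in "$1/server.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -days 365 -extfile "$1/ca.conf" -extensions v3_ca \
    -out "$1/bad.crt" 2>/dev/null
}

# stand-alone run: build the files in a scratch directory, report, clean up
demo() {
  d=$(mktemp -d)
  make_etcd_certs "$d" 192.168.145.11
  verify_chain "$d" 192.168.145.11 && echo "server.crt: chain, purpose and SAN OK"
  is_leaf "$d/server.crt" && echo "server.crt: not a CA, as it should be"
  sign_with_ca_section "$d"
  is_leaf "$d/bad.crt" || echo "bad.crt: signed with the CA section, is a CA, reject it"
  rm -rf "$d"
}
demo
```

The check that matters operationally is is_leaf: a certificate signed by etcd-ca that carries CA:TRUE or the Certificate Sign bit can issue further certificates that every etcd member and client trusting ca.crt will accept, and openssl verify alone does not flag it.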