1、部署主機
- YN101-100.host.com(運維主機)
2、安裝證書簽發工具CFSSL:R1.2
#CFSSL
wget "https://pkg.cfssl.org/R1.2/cfssl_linux-amd64" -O /usr/bin/cfssl
#CFSSL-json
wget "https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64" -O /usr/bin/cfssl-json
#CFSSL-certinfo
wget "https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64" -O /usr/bin/cfssl-certinfo
#給執行權限
chmod +x /usr/bin/cfssl*
#查看路徑
which cfssl,cfssl-json,cfssl-certinfo
3、創建生成CA證書簽名請求(csr)的json配置文件
在/opt/目錄下,創建certs目錄和ca-csr.json文件
mkdir -p /opt/certs
vi ca-csr.json
json文件配置內容如下:
{
"CN": "KevinEdu",
"hosts": [ ],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "YN",
"L": "KM",
"O": "kevin",
"OU": "edu"
}
],
"ca": {
"expiry": "175200h"
}
}
執行生成證書命令,查看目錄下已經生成根證書ca.pem和根證書的私鑰ca-key.pem
[root@yn101-100 certs]# cfssl gencert -initca ca-csr.json | cfssl-json -bare ca
[root@yn-100 certs]# ls
ca.csr ca-csr.json ca-key.pem ca.pem