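CFSSL is an open-source PKI/TLS toolkit from CloudFlare. It consists of a command-line tool and an HTTP API service for signing, verifying and bundling TLS certificates, and is written in Go.
github: https://github.com/cloudflare/cfssl
Download: https://pkg.cfssl.org/
When working with components such as etcd and Kubernetes you constantly deal with generating and using certificates. This article explains in detail how to create the certificates for etcd.
Installation
wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
chmod +x cfssl*
# Install under the names used by the commands below (needs write access to /usr/local/bin)
mv cfssl_linux-amd64 /usr/local/bin/cfssl
mv cfssljson_linux-amd64 /usr/local/bin/cfssljson
mv cfssl-certinfo_linux-amd64 /usr/local/bin/cfssl-certinfo
Getting the default configuration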
cfssl print-defaults config > ca-config.json
cfssl print-defaults csr > ca-csr.json
The contents of ca-config.json are as follows:
{
    "signing": {
        "default": {
            "expiry": "168h"
        },
        "profiles": {
            "www": {
                "expiry": "8760h",
                "usages": [
                    "signing",
                    "key encipherment",
                    "server auth"
                ]
            },
            "client": {
                "expiry": "8760h",
                "usages": [
                    "signing",
                    "key encipherment",
                    "client auth"
                ]
            }
        }
    }
}
The contents of ca-csr.json are as follows:
{
    "CN": "example.net",
    "hosts": [
        "example.net",
        "www.example.net"
    ],
    "key": {
        "algo": "ecdsa",
        "size": 256
    },
    "names": [
        {
            "C": "US",
            "L": "CA",
            "ST": "San Francisco"
        }
    ]
}
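Generating the CA certificate
Change the contents of ca-config.json to the following (an expiry of 876000h is roughly 100 years):
{
    "signing": {
        "default": {
            "expiry": "876000h"
        },
        "profiles": {
            "etcd": {
                "usages": [
                    "signing",
                    "key encipherment",
                    "server auth",
                    "client auth"
                ],
                "expiry": "876000h"
            }
        }
    }
}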
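Change the contents of ca-csr.json to:
{
    "CN": "CA",
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "ST": "shenzhen",
            "L": "shenzhen",
            "O": "etcd",
            "OU": "System"
        }
    ]
}
"CN": Common Name. etcd extracts this field from the certificate as the user name (User Name) of the request; browsers use this field to verify that a website is legitimate.
"O": Organization. etcd extracts this field from the certificate as the group (Group) that the requesting user belongs to.
Note for k8s: these two fields are important later when Kubernetes is run in RBAC mode, because role permissions for kubelet, admin and so on have to be set up, so they must be configured correctly when the certificates are created. The details are covered later, when deploying Kubernetes.
With the configuration files modified, the CA certificate can now be generated: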
$ cfssl gencert -initca ca-csr.json | cfssljson -bare ca
2019/04/25 15:02:45 [INFO] generating a new CA key and certificate from CSR
2019/04/25 15:02:45 [INFO] generate received request
2019/04/25 15:02:45 [INFO] received CSR
2019/04/25 15:02:45 [INFO] generating key: rsa-2048
2019/04/25 15:02:46 [INFO] encoded CSR
2019/04/25 15:02:46 [INFO] signed certificate with serial number 391082240034344424489077238735720834723237930875
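Three new files now appear in the directory:
$ tree
├── ca-config.json #the JSON edited above
├── ca.csr
├── ca-csr.json #also the certificate-request JSON edited above
├── ca-key.pem
├── ca.pem
We have now generated:
Root certificate file: ca.pem
Root certificate private key: ca-key.pem
Root certificate signing request file: ca.csr (CSR stands for Certificate Signing Request)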
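Issuing the certificate
Create etcd-csr.json with the following contents. The "hosts" list holds the etcd addresses, and more than one may be listed:
{
    "CN": "etcd",
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "hosts": [
        "example.net",
        "www.example.net"
    ],
    "names": [
        {
            "C": "CN",
            "ST": "shenzhen",
            "L": "shenzhen",
            "O": "etcd",
            "OU": "System"
        }
    ]
}
Use the CA certificate created above to issue the etcd certificate: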
$ cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=etcd etcd-csr.json | cfssljson -bare etcd
2019/04/25 15:29:57 [INFO] generate received request
2019/04/25 15:29:57 [INFO] received CSR
2019/04/25 15:29:57 [INFO] generating key: rsa-2048
2019/04/25 15:29:57 [INFO] encoded CSR
2019/04/25 15:29:57 [INFO] signed certificate with serial number 298100304200846379445095267906256802955283756560
2019/04/25 15:29:57 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").
A few more files now appear in the directory:
$ tree -L 1
├── etcd.csr
├── etcd-csr.json
├── etcd-key.pem
├── etcd.pem
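The etcd certificates have now been generated.
Starting etcd
# The listen/advertise URLs use https:// so that the certificate flags take effect;
# with http:// URLs etcd ignores the key/cert files and serves plaintext.
# The etcd1 entry in --initial-cluster must match --initial-advertise-peer-urls, and
# every address used here must be listed in "hosts" in etcd-csr.json.
# Add --client-cert-auth and --peer-client-cert-auth to require certificates signed by ca.pem.
./etcd \
--name etcd1 \
--cert-file=/etcd.pem \
--key-file=/etcd-key.pem \
--peer-cert-file=/etcd.pem \
--peer-key-file=/etcd-key.pem \
--trusted-ca-file=/ca.pem \
--peer-trusted-ca-file=/ca.pem \
--initial-advertise-peer-urls https://172.16.5.81:2380 \
--listen-peer-urls https://172.16.5.81:2380 \
--listen-client-urls https://127.0.0.1:2379 \
--advertise-client-urls https://127.0.0.1:2379 \
--initial-cluster-token etcd-cluster-token \
--initial-cluster etcd1=https://172.16.5.81:2380,infra2=https://172.16.5.86:2380,infra3=https://172.16.5.87:2380 \
--initial-cluster-state new \
--data-dir=/etcd-data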
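
The following pre-flight check is an added example, not code from the original post or from the cfssl or etcd projects. It parses a CSR JSON such as etcd-csr.json and reports every etcd URL that is not https or whose host is missing from the CSR "hosts" list, which are the mismatches that stop the certificates above from being used or verified. The function name preflight and the sample CSR are assumptions constructed for illustration; host matching is exact, with no wildcard handling.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
)

// Constructed sample: the page's etcd-csr.json with node addresses in "hosts".
const sampleCSR = `{"CN": "etcd", "hosts": ["127.0.0.1", "172.16.5.81"], "key": {"algo": "rsa", "size": 2048}}`

// preflight (hypothetical helper, not part of cfssl or etcd) reports each URL in
// the given etcd flag values that is not https or whose host is not in the CSR hosts.
func preflight(csrJSON string, flagValues ...string) ([]string, error) {
	var csr struct {
		Hosts []string `json:"hosts"`
	}
	// encoding/json rejects # comments placed inside the JSON.
	if err := json.Unmarshal([]byte(csrJSON), &csr); err != nil {
		return nil, fmt.Errorf("CSR is not valid JSON: %w", err)
	}
	sans := map[string]bool{}
	for _, h := range csr.Hosts {
		sans[strings.ToLower(h)] = true
	}
	var problems []string
	for _, v := range flagValues {
		for _, raw := range strings.Split(v, ",") {
			// --initial-cluster entries are name=URL; Index is -1 for a bare URL.
			raw = strings.TrimSpace(raw[strings.Index(raw, "=")+1:])
			u, err := url.Parse(raw)
			if err != nil {
				return nil, err
			}
			if u.Scheme != "https" {
				problems = append(problems, raw+": not https, so TLS is not used")
			} else if !sans[strings.ToLower(u.Hostname())] {
				problems = append(problems, raw+": host not in CSR hosts")
			}
		}
	}
	return problems, nil
}

func main() {
	fmt.Println(preflight(sampleCSR, "https://172.16.5.81:2380",
		"etcd1=https://172.16.5.81:2380,infra2=https://172.16.5.86:2380,infra3=https://172.16.5.87:2380"))
}
```

With the sample CSR, the infra2 and infra3 addresses are reported: a certificate shared by all members needs every member's address in "hosts" before it is signed.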