- 安装
cfssl
wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
chmod +x cfssl_linux-amd64
mv cfssl_linux-amd64 /usr/local/bin/cfssl
wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
chmod +x cfssljson_linux-amd64
mv cfssljson_linux-amd64 /usr/local/bin/cfssljson
wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
chmod +x cfssl-certinfo_linux-amd64
mv cfssl-certinfo_linux-amd64 /usr/local/bin/cfssl-certinfo
export PATH=/usr/local/bin:$PATH
-
找到 kubernetes 的根证书
ca.pem,ca-key.pem,ca-config.json -
生成证书请求配置文件, 可以替换
usage为其他名字, 替换usage.common.name为服务器域名
cat > usage.json <<EOF
{
"CN": "usage.common.name",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "BeiJing",
"L": "BeiJing",
"O": "k8s",
"OU": "System"
}
],
"ca": {
"expiry": "87600h"
}
}
EOF
- 用
cfssl工具签名服务端证书
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes usage.json | cfssljson -bare usage
$ ls usage*
usage.csr usage.json usage-key.pem usage.pem
- 使用
openssl签名客户端证书
openssl -in usage.pem -out usage.client.pem
- 使用
usage.pemusage-key.pemusage.client.pem愉快的玩耍
参考资料: