cfssl
下载安装 cfssl 和 cfssljson（两者都需要：cfssl 负责生成密钥和签发证书，cfssljson 负责把它输出的 JSON 拆成 .pem / .csr 文件）
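# Install the cfssl and cfssljson binaries into /usr/bin (run as root).
# -f: fail with a non-zero exit on an HTTP error instead of saving the error
#     page as the binary (the original "-s -L" form would then chmod +x it).
# -S: still print the error even though -s silences progress output.
# The second download only runs if the first succeeded.
# The downloads are not integrity-checked here: before running anything as
# root, compare `sha256sum /usr/bin/cfssl /usr/bin/cfssljson` against the
# checksums published for the release. R1.2 is an old pinned release; check
# the cfssl releases page for a current version before using this in
# production.
curl -fsSL -o /usr/bin/cfssl https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 \
  && curl -fsSL -o /usr/bin/cfssljson https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64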
chmod +x /usr/bin/{cfssl,cfssljson}
生成证书
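# Working directory for the CA and every key/cert issued below. ca-key.pem
# ends up in here, so make the directory private to this user (0700) rather
# than whatever the umask allows; -p lets the step be re-run safely.
mkdir -p -m 700 ~/cfssl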
cd ~/cfssl
生成 CA 配置文件
# Write cfssl's default signing config as a starting point. It is replaced
# wholesale by the profiles given below, so nothing from the template needs
# to be kept.
cfssl print-defaults config > ca-config.json
cfssl print-defaults csr > ca-csr.json
将 ca-config.json 内容修改成如下。注意：示例中 `#` 后面的文字只是说明，JSON 本身不支持注释，实际写入文件时必须把 `#` 及其后的内容全部删掉，否则 cfssl 读取配置时会解析失败。另外，expiry 为 87600h（10 年）对签发出的服务器/客户端证书而言偏长，生产环境建议按自己的证书轮换周期缩短。
{
"signing": {
"default": {
"expiry": "87600h"
},
"profiles": {
"server": { # 服务器证书由服务器使用,并由客户端验证服务器身份。例如docker服务器或kube-apiserver
"expiry": "87600h",
"usages": [
"signing",
"key encipherment",
"server auth"
]
},
"client": { # 客户端证书用于按服务器对客户端进行身份验证。例如etcdctl,etcd proxy或者docker客户端。
"expiry": "87600h",
"usages": [
"signing",
"key encipherment",
"client auth"
]
},
"peer": { # 对等证书由etcd集群成员使用,因为它们以两种方式相互通信。
"expiry": "87600h",
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
]
}
}
}
}
修改 ca-csr.json 内容为如下。两点注意：
1. 这里没有为 CA 指定 "ca": {"expiry": "..."}，cfssl 会使用它自己的 CA 默认有效期（约 5 年，即 43800h，请以实际版本为准），而 ca-config.json 里签发出的证书有效期是 87600h（10 年）。被签发的证书不应比 CA 活得更久——CA 一过期，整条证书链都无法通过校验。建议在 ca-csr.json 中加入 "ca": {"expiry": "87600h"}（或更长），或者把 ca-config.json 中的 expiry 缩短到 CA 有效期之内。
2. CA 证书不需要 hosts（SAN）字段，CA 本身不以某个主机名对外提供服务，下面的 hosts 列表可以去掉；CN 也建议改成能表明用途的名字（如 "etcd CA"），避免与服务器证书的 CN 混淆。
{
"CN": "etcd server",
"hosts": [
"localhost",
"127.0.0.1",
"172.23.210.22",
"172.23.210.23",
"172.23.210.24",
"test-01",
"test-02",
"test-03"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "HB",
"ST": "Wu Han"
}
]
}
生成 CA 证书
cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
会得到以下文件:
ca-key.pem
ca.csr
ca.pem
其中 ca-key.pem 是整个集群的信任根：任何拿到它的人都能签发出被所有节点信任的证书。请只在签发证书的机器上保留它（文件权限 0600），不要复制到 etcd 节点或提交到代码仓库，并做好离线备份。ca.pem 则需要分发到每个节点和客户端用于校验对方证书。
生成服务器证书
cfssl print-defaults csr > server.json
服务器证书最重要的字段是公用名（CN）和 hosts（即证书的 SAN 列表，必须包含客户端用来连接的所有主机名和 IP）。我们必须替换它们，内容如下：
server.json内容
{
"CN": "etcd",
"hosts": [
"localhost",
"127.0.0.1",
"172.23.210.22",
"172.23.210.23",
"172.23.210.24"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [{
"C": "CN",
"L": "HB",
"ST": "Wu Han"
}]
}
开始生成服务器证书。按本文的部署方式，etcd 集群用的是后面的对等证书，这一段可以跳过；但如果 etcd 面向客户端的监听使用单独的证书（与对等证书分开配置），那就需要这里生成的服务器证书，请按实际部署决定。
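# Issue the server certificate. -profile selects the "server" profile from
# ca-config.json (server auth only).
# NOTE: -hostname REPLACES the "hosts" list in server.json rather than adding
# to it, so the original -hostname="172.23.210.22,..." silently dropped
# localhost and 127.0.0.1 from the certificate's SANs. Every name/IP a client
# may connect to must be listed here, or omit -hostname entirely and let
# server.json's hosts be used.
cfssl gencert \
  -ca=ca.pem -ca-key=ca-key.pem \
  -config=ca-config.json -profile=server \
  -hostname="localhost,127.0.0.1,172.23.210.22,172.23.210.23,172.23.210.24" \
  server.json | cfssljson -bare server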
# 说明：-hostname 会整体覆盖 server.json 里的 hosts 列表，而不是追加。要么把所有地址（含 localhost、127.0.0.1）都写进 -hostname，要么去掉该参数直接使用 server.json 的 hosts。下面这条 WARNING 只在证书最终没有任何 hosts/SAN 时出现；它只是警告，证书照样会生成，并不是 cfssl 1.2 的 bug：
[WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for websites. For more information see the Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org); specifically, section 10.2.3 ("Information Requirements").
或者没有 csr.json 文件时，可以直接用下面的命令（其中 -hostname 里的 IP 和域名只是示例值，需要换成自己的地址）:
echo '{"CN":"coreos1","hosts":[""],"key":{"algo":"rsa","size":2048}}' | cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=server -hostname="192.168.122.68,ext.example.com,coreos1.local,coreos1" - | cfssljson -bare server
生成对等证书
etcd 成员之间的 TLS 就用这个证书：peer profile 同时包含 server auth 和 client auth，因为每个成员既要作为客户端发起连接，也要作为服务端接受连接。
cfssl print-defaults csr > peer.json
peer.json 内容如下:
{
"CN": "etcd",
"hosts": [
"localhost",
"127.0.0.1",
"172.23.210.22",
"172.23.210.23",
"172.23.210.24"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [{
"C": "CN",
"L": "HB",
"ST": "Wu Han"
}]
}
执行生成命令
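# Issue the peer certificate with the "peer" profile from ca-config.json
# (server auth + client auth) using peer.json. The original command passed
# server.json here, so the peer.json edited above was never actually used.
# NOTE: -hostname REPLACES peer.json's hosts list rather than adding to it,
# so localhost and 127.0.0.1 must be repeated here if peers are ever reached
# that way (or omit -hostname and rely on peer.json's hosts).
cfssl gencert \
  -ca=ca.pem -ca-key=ca-key.pem \
  -config=ca-config.json -profile=peer \
  -hostname="localhost,127.0.0.1,172.23.210.22,172.23.210.23,172.23.210.24" \
  peer.json | cfssljson -bare peer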
# 说明：请确认上面的命令传入的是 peer.json（而不是 server.json），否则前面编辑的 peer.json 并没有被用到。-hostname 会整体覆盖 peer.json 里的 hosts 列表，而不是追加，需要的地址都要写全。下面这条 WARNING 只在证书最终没有任何 hosts/SAN 时出现；它只是警告，证书照样会生成，并不是 cfssl 1.2 的 bug：
[WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for websites. For more information see the Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org); specifically, section 10.2.3 ("Information Requirements").
或者没有 csr.json 文件时，可以直接用下面的命令（其中 -hostname 里的 IP 和域名只是示例值，需要换成自己的地址）:
echo '{"CN":"member1","hosts":[""],"key":{"algo":"rsa","size":2048}}' | cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=peer -hostname="192.168.122.101,ext.example.com,member1.local,member1" - | cfssljson -bare member1
生成客户端证书，etcd tls 环境暂时也用不到这个
cfssl print-defaults csr > client.json
对于客户端证书，可以忽略 hosts 字段（客户端不会被按主机名校验），只需把公用名（CN）设置为标识该客户端的名字：
client.json内容
{
"CN": "client",
"hosts": [
""
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "HB",
"ST": "Wu Han"
}
]
}
执行生成命令
# Issue the client certificate with the "client" profile (client auth only).
# No -hostname is passed on purpose: a client certificate is not matched
# against a hostname, so an empty SAN list is the expected result here.
cfssl gencert -profile=client -config=ca-config.json \
  -ca=ca.pem -ca-key=ca-key.pem client.json | cfssljson -bare client
# 说明：客户端证书不需要 -hostname，也不会按主机名校验；下面这条 WARNING 对这类证书是预期输出，只是警告而非报错，证书正常生成，并不是 cfssl 1.2 的 bug。另外，etcd 默认只校验客户端证书是否由 ca.pem 签发；如果后续启用基于证书的用户认证，CN 会被当作用户名使用，请按需命名（以所用 etcd 版本的文档为准）：
[WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for websites. For more information see the Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org); specifically, section 10.2.3 ("Information Requirements").
或者没有 csr.json 文件时，可以直接用下面的命令:
echo '{"CN":"client","hosts":[""],"key":{"algo":"rsa","size":2048}}' | cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=client - | cfssljson -bare client
最后更新于