With the commands OpenSSL provides, the certificates needed to stand up a Kubernetes cluster are easy to generate. Following the method in the official example, together with the OpenSSL usage introduced in the earlier articles, shows that openssl is quite convenient and simple to use for this.
```
[root@liumiaocn k8s]# openssl version
OpenSSL 1.1.1d  10 Sep 2019
[root@liumiaocn k8s]#
```

Step 1: Generate the CA private key

Command: openssl genrsa -out ca.key 2048

```
[root@liumiaocn k8s]# ls
[root@liumiaocn k8s]# openssl genrsa -out ca.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
........................................+++++
...............................................................................+++++
e is 65537 (0x010001)
[root@liumiaocn k8s]# ls
ca.key
[root@liumiaocn k8s]#
[root@liumiaocn k8s]# cat ca.key
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAryNEmfVyzO/C8husAn/crU7CekP2WpepK2bVfhJZbpBtNS/p
plQcgj8WZBDqb9b2ryLmFSaJ1GQ44ThcoQLTHV4EVcJGACcaUzZy/pzEvgNEoAzi
t9Ny/7i4AO2LoPbFgU35d3ckwAEx7DTPKdzgX7UeSG0FZ8FSWaqTSBk+K6IvW+bS
ZerqHOMuzumE/5Babll95CFOc7pBQklpkOEuwrX/1k2tgkVqzCC2z+RWXmKuPOeg
UepG/bBxQUhd7zbTSCvITE3dDoqb1DP9xbI0+q9jxiZyK4Z5hJZs9C4ma+8U4wC7
2Zo7m1w2M2WxgJxweNr7K5BEtM3MXVhT0bwVpQIDAQABAoIBAQCM+BdM0TrxZ/+D
PvDKJj7rJJz3KuMNckuRirlHO9/OVeQBTqqD3eoAkGUmcFMzaFSxDaci2R1R3sXF
yscMNqjVV4qnuLL9hnvzBL204VyfESRYq2aFzmYfHYDGBm5ARsEc3jVxim4DOjMD
zFH/gTD8+F0CsPYL2Ji/YcQg4WigVxsBkoaTB45OCBEgkUsuwu+uvyLkx/62w5iU
1J9kxWOX/5q/iqgmQOLiaagmPVRCg0jxwbSAnrl64WRFBueOJhT3NRewzcoA/klB
4ho2om2RTXtgb/70E0ELjXLTEc+PxcIhogIpH95Kwu6fYLzezkAw4Y2PgkW2Pu16
HVygtMnBAoGBAN4tMzqIe3Q2qFdRJ3LIaVpV9E9ZcF5PH5wttWzv2GA1knCpUSFE
lLlzyTotqpYxwyK9T0Jafd9rxhk7pW4SpXfDt9zBRsm99gh7zdOaSAzJIoHbk4kb
KYgs01nYOh+iG+EQ3nfG2J5t1Q0mLoyTeHS3m/V2Ggjjid9PLaIX33IVAoGBAMnM
1+IWuC0VDfXm3yz9NkGKFQ0OeX/92Lt4UhAQN6kiBdTDE+leyZQFmbt2AzXa7iMI
ZJbaBd//sgsoic9qDHotWx8vKcBAh7bENhmqdTxDEIQ5kuiUCcbIdefLM4ZZ6J+9
XMUKcWgXwaHUz+3/YKQUg9cjplcbrszDar7HvUlRAoGAEroUm1ZtsXn57oI0pQQn
fSnJkfaj9g8NRwjDRg9hWZqqYTykTf2N26PazkCTJF3FaOQ0Dg+6lF5tMCtK4mBH
+jRRBxZzdQXB+y0USEW01P8PHYr4gJH9ijDdD7GeFJSBbRMS7V2hXJk9YAJb4hV8
Dbp8NtBhmWY0dNIjson4l5ECgYAckyT+nrj1qUWQzGBNvo0wOp1AfAw4U3mdEiyM
mb9H88lflz/6i7F/hEuAf/V0asvNqiKUOcsbLNnJOrRI6ntZ0ZJVmBgRYRHWj3IZ
sElpfxWXo49p34yC2V/Ysq1ZGOIXvHimbhQg6TxB7iCDUuYcVctVa3biXskhtYon
+aCUAQKBgGnJ84m37oGuljoZuKSHDQAD16Bgtx9RkAprfUdI0QYIs48lnrOkM++p
EtrAtTr1Bxnfh9XUpBdsMuTDM6SkwlBnaxqY6m0xhX+aQ20f26dgYQbjUUfhYS/b
SLf3Ijv4mO796fhpx3jTthKZj3hniifeu9Qenx/PRnUNtuGVUjWs
-----END RSA PRIVATE KEY-----
[root@liumiaocn k8s]#
```

The key is printed here only because this is a throwaway demo environment. ca.key is the trust anchor of the whole cluster: whoever holds it can mint certificates that every component accepts, so it must never be published or copied off the CA host. `openssl genrsa` writes the file with the current umask (typically 0644), so tighten it with `chmod 600 ca.key` or run the generation under `umask 077`.
Extract the public key from the private key:

```
[root@liumiaocn k8s]# openssl rsa -in ca.key -pubout
writing RSA key
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAryNEmfVyzO/C8husAn/c
rU7CekP2WpepK2bVfhJZbpBtNS/pplQcgj8WZBDqb9b2ryLmFSaJ1GQ44ThcoQLT
HV4EVcJGACcaUzZy/pzEvgNEoAzit9Ny/7i4AO2LoPbFgU35d3ckwAEx7DTPKdzg
X7UeSG0FZ8FSWaqTSBk+K6IvW+bSZerqHOMuzumE/5Babll95CFOc7pBQklpkOEu
wrX/1k2tgkVqzCC2z+RWXmKuPOegUepG/bBxQUhd7zbTSCvITE3dDoqb1DP9xbI0
+q9jxiZyK4Z5hJZs9C4ma+8U4wC72Zo7m1w2M2WxgJxweNr7K5BEtM3MXVhT0bwV
pQIDAQAB
-----END PUBLIC KEY-----
[root@liumiaocn k8s]#
```

Step 2: Generate the CA certificate
Command: openssl req -x509 -new -nodes -key ca.key -subj "/CN=${MASTER_IP}" -days 10000 -out ca.crt

```
[root@liumiaocn k8s]# MASTER_IP=192.168.163.121
[root@liumiaocn k8s]# openssl req -x509 -new -nodes -key ca.key -subj "/CN=${MASTER_IP}" -days 10000 -out ca.crt
[root@liumiaocn k8s]# ls
ca.crt  ca.key
[root@liumiaocn k8s]#
```

As the output below shows, this is simply a self-signed certificate: issuer and subject are identical. `-x509` makes `req` emit a certificate instead of a CSR, `-nodes` leaves the key unencrypted so the API server can load it without a passphrase, and because no `-config` is given, the CA extensions (basicConstraints CA:TRUE) come from the `v3_ca` section of the system openssl.cnf. Note that `-days 10000` is a validity of more than 27 years: the CA's lifetime is then bounded only by key compromise, so rotating it becomes an operational decision you have to plan rather than something expiry forces.

```
[root@liumiaocn k8s]# openssl x509 -in ca.crt -noout -issuer -subject -dates
issuer=CN = 192.168.163.121
subject=CN = 192.168.163.121
notBefore=Dec 15 06:14:00 2019 GMT
notAfter=May  2 06:14:00 2047 GMT
[root@liumiaocn k8s]#
```

Step 3: Generate the server private key
Command: openssl genrsa -out server.key 2048

```
[root@liumiaocn k8s]# ls
ca.crt  ca.key
[root@liumiaocn k8s]# openssl genrsa -out server.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
..............+++++
..............................................................+++++
e is 65537 (0x010001)
[root@liumiaocn k8s]# ls
ca.crt  ca.key  server.key
[root@liumiaocn k8s]# file server.key
server.key: PEM RSA private key
[root@liumiaocn k8s]#
```

Step 4: Write the configuration file for the certificate signing request (CSR)
```
[root@liumiaocn k8s]# cat csr.conf
[ req ]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn

[ dn ]
C = CN
ST = LiaoNing
L = DaLian
O = kubernetes
OU = kubernetes
CN = 192.168.163.121

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = kubernetes
DNS.2 = kubernetes.default
DNS.3 = kubernetes.default.svc
DNS.4 = kubernetes.default.svc.cluster
DNS.5 = kubernetes.default.svc.cluster.local
IP.1 = 192.168.163.121
IP.2 = 10.254.0.1

[ v3_ext ]
authorityKeyIdentifier=keyid,issuer:always
basicConstraints=CA:FALSE
keyUsage=keyEncipherment,dataEncipherment
extendedKeyUsage=serverAuth,clientAuth
subjectAltName=@alt_names
[root@liumiaocn k8s]#
```

The subjectAltName list is what actually matters for TLS: clients reach the API server as `kubernetes.default.svc.cluster.local` from inside the cluster, as the service IP 10.254.0.1, or as the node IP, and every one of those names must appear in the SAN (the CN is ignored once a SAN is present). The `[ v3_ext ]` section is not read by `openssl req`; it is applied in step 6 by `openssl x509 -req -extensions v3_ext -extfile csr.conf`, which is why the SAN is listed in both sections. Two things to check against your own environment: IP.2 must be the first address of your service CIDR (10.254.0.1 here), and a keyUsage of keyEncipherment,dataEncipherment only covers RSA key transport; TLS 1.3, and ECDHE suites in TLS 1.2, authenticate the server with a signature, so a client that enforces keyUsage will expect digitalSignature as well.

Step 5: Generate the server CSR
Command: openssl req -new -key server.key -out server.csr -config csr.conf

```
[root@liumiaocn k8s]# ls
ca.crt  ca.key  csr.conf  server.key
[root@liumiaocn k8s]# openssl req -new -key server.key -out server.csr -config csr.conf
[root@liumiaocn k8s]# ls
ca.crt  ca.key  csr.conf  server.csr  server.key
[root@liumiaocn k8s]# file server.csr
server.csr: PEM certificate request
[root@liumiaocn k8s]#
```

Step 6: Generate the server certificate

Command: openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 10000 -extensions v3_ext -extfile csr.conf

```
[root@liumiaocn k8s]# ls
ca.crt  ca.key  csr.conf  server.csr  server.key
[root@liumiaocn k8s]# openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 10000 -extensions v3_ext -extfile csr.conf
Signature ok
subject=C = CN, ST = LiaoNing, L = DaLian, O = kubernetes, OU = kubernetes, CN = 192.168.163.121
Getting CA Private Key
[root@liumiaocn k8s]# ls
ca.crt  ca.key  ca.srl  csr.conf  server.crt  server.csr  server.key
[root@liumiaocn k8s]# file server.crt
server.crt: PEM certificate
[root@liumiaocn k8s]#
```

`-CAcreateserial` creates ca.srl with a random serial and increments it on later signings; keep that file with the CA so no two certificates it issues share a serial. `-extensions v3_ext -extfile csr.conf` is what puts the SAN and key usage into the certificate: `openssl x509 -req` in this version does not copy extensions from the CSR, so without those two options the result has no SAN at all and modern clients will reject it.

Step 7: Check the server certificate
Command: openssl x509 -noout -text -in ./server.crt

```
[root@liumiaocn k8s]# openssl x509 -noout -text -in ./server.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            54:e9:0e:67:55:c5:fb:b2:30:5d:9e:36:33:72:42:a2:74:32:ee:ac
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = 192.168.163.121
        Validity
            Not Before: Dec 15 06:27:11 2019 GMT
            Not After : May  2 06:27:11 2047 GMT
        Subject: C = CN, ST = LiaoNing, L = DaLian, O = kubernetes, OU = kubernetes, CN = 192.168.163.121
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:b0:90:e9:74:1b:2f:94:8e:7d:d4:eb:12:ba:e2:
                    54:97:eb:bc:4e:05:00:20:6e:34:5b:1c:fb:bd:6e:
                    76:95:3e:e1:bf:c8:78:c6:c8:69:30:3e:40:a4:30:
                    f3:77:cc:ea:bc:0d:b6:2f:44:4f:a2:31:10:df:1a:
                    15:fe:78:79:76:96:1e:c5:21:cd:c4:95:10:d1:fd:
                    95:ed:87:26:5f:1d:e2:2f:d0:de:8f:65:8d:d2:d8:
                    e6:0f:f7:d1:e9:4a:1c:d6:e4:d0:bf:bc:33:ec:ea:
                    43:9c:08:2f:9a:9b:1a:9b:9f:de:80:69:a8:f2:cb:
                    21:eb:cc:bf:5f:bc:0d:64:da:a3:96:fd:2a:4e:8e:
                    60:59:c8:8c:f2:8b:ab:7c:28:1b:74:67:a6:0f:2c:
                    b1:4c:2e:8c:27:ce:8b:94:fa:66:3b:c6:9a:a7:1c:
                    1f:31:ae:47:24:70:06:43:d4:d1:4b:85:e9:58:fe:
                    b9:d7:6a:c2:bf:2b:53:53:ca:bb:47:97:b2:12:5e:
                    6a:e7:61:77:aa:e5:a5:db:fd:88:99:fa:d4:07:52:
                    55:42:de:f0:96:1e:da:51:f6:06:6c:a1:f4:d8:e6:
                    b1:fb:a3:f2:2c:d7:49:d1:45:c5:19:0e:81:4f:a9:
                    2f:78:60:0d:3d:e7:18:03:df:67:83:97:a2:38:48:
                    94:75
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                keyid:AF:FE:C3:A4:D6:FD:F0:4D:44:D3:B2:A0:AB:BA:60:AE:B9:DC:F6:58
                DirName:/CN=192.168.163.121
                serial:08:79:A5:DC:0A:28:3E:9A:5D:E8:97:E5:D6:D1:AE:52:DD:82:DD:DB

            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Key Encipherment, Data Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Subject Alternative Name:
                DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster, DNS:kubernetes.default.svc.cluster.local, IP Address:192.168.163.121, IP Address:10.254.0.1
    Signature Algorithm: sha256WithRSAEncryption
         57:77:b3:9d:00:e5:d5:10:45:20:ef:8b:7d:dc:9a:26:e2:29:
         c9:be:fd:99:84:99:cd:df:58:36:b8:4a:98:92:46:49:7f:10:
         99:a3:9b:49:6d:7f:9d:28:2e:c3:8b:12:2b:0c:50:f2:60:1a:
         4b:d6:80:73:ec:bd:d7:82:fe:c4:b1:17:4b:2c:00:c3:ee:f1:
         8a:61:fb:c8:f6:77:11:f7:2f:37:8e:fc:35:1c:2a:53:1f:2b:
         2d:8a:71:d9:6d:fb:23:23:c1:8d:c0:fe:52:d6:d2:03:b8:46:
         58:48:fe:98:75:0f:f7:b3:35:90:c7:5a:39:83:6c:46:d3:4e:
         cd:4c:f9:5f:93:27:ae:a6:a4:68:e1:4e:cc:6f:b4:08:45:23:
         1e:f5:bb:71:5a:ae:59:50:56:e0:80:1b:4b:35:5a:71:ac:de:
         c5:98:f3:51:1f:ab:ea:74:f7:e4:64:78:7a:ea:67:e1:bd:00:
         b4:e9:6c:15:d7:b1:3f:6e:b4:e7:a3:bd:39:92:b3:da:0c:7f:
         24:ba:28:9d:dd:10:11:df:bd:4d:9b:0e:1e:93:bd:8e:9a:7e:
         98:c8:e4:b5:21:78:74:f9:a4:c4:88:e5:aa:0c:e9:a8:97:b4:
         53:5d:da:f0:66:d3:c0:b6:bc:bb:92:f5:35:c5:20:d0:bb:cf:
         61:7a:19:7a
[root@liumiaocn k8s]#
```

The extensions block is the part worth reading: CA:FALSE, both extended key usages, and the complete SAN list must all be present. If the SAN is missing, `-extensions v3_ext -extfile csr.conf` was left off in step 6.
The issuer of this certificate is indeed the CA:

```
[root@liumiaocn k8s]# openssl x509 -noout -in ./server.crt -issuer -subject -dates
issuer=CN = 192.168.163.121
subject=C = CN, ST = LiaoNing, L = DaLian, O = kubernetes, OU = kubernetes, CN = 192.168.163.121
notBefore=Dec 15 06:27:11 2019 GMT
notAfter=May  2 06:27:11 2047 GMT
[root@liumiaocn k8s]#
```

A matching issuer string only shows that the certificate claims this issuer; `openssl verify -CAfile ca.crt server.crt` checks the signature itself against ca.crt and should report `server.crt: OK`.
In addition, the public key embedded in the server certificate matches the server.key private key:

```
[root@liumiaocn k8s]# openssl x509 -noout -in ./server.crt -pubkey
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsJDpdBsvlI591OsSuuJU
l+u8TgUAIG40Wxz7vW52lT7hv8h4xshpMD5ApDDzd8zqvA22L0RPojEQ3xoV/nh5
dpYexSHNxJUQ0f2V7YcmXx3iL9Dej2WN0tjmD/fR6Uoc1uTQv7wz7OpDnAgvmpsa
m5/egGmo8ssh68y/X7wNZNqjlv0qTo5gWciM8ourfCgbdGemDyyxTC6MJ86LlPpm
O8aapxwfMa5HJHAGQ9TRS4XpWP6512rCvytTU8q7R5eyEl5q52F3quWl2/2ImfrU
B1JVQt7wlh7aUfYGbKH02Oax+6PyLNdJ0UXFGQ6BT6kveGANPecYA99ng5eiOEiU
dQIDAQAB
-----END PUBLIC KEY-----
[root@liumiaocn k8s]#
[root@liumiaocn k8s]# openssl rsa -in server.key -pubout
writing RSA key
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsJDpdBsvlI591OsSuuJU
l+u8TgUAIG40Wxz7vW52lT7hv8h4xshpMD5ApDDzd8zqvA22L0RPojEQ3xoV/nh5
dpYexSHNxJUQ0f2V7YcmXx3iL9Dej2WN0tjmD/fR6Uoc1uTQv7wz7OpDnAgvmpsa
m5/egGmo8ssh68y/X7wNZNqjlv0qTo5gWciM8ourfCgbdGemDyyxTC6MJ86LlPpm
O8aapxwfMa5HJHAGQ9TRS4XpWP6512rCvytTU8q7R5eyEl5q52F3quWl2/2ImfrU
B1JVQt7wlh7aUfYGbKH02Oax+6PyLNdJ0UXFGQ6BT6kveGANPecYA99ng5eiOEiU
dQIDAQAB
-----END PUBLIC KEY-----
[root@liumiaocn k8s]#
```

A mismatch here means the API server will fail to start with a key/certificate mismatch error, so this is worth checking whenever certificates are regenerated.

References
https://kubernetes.io/docs/concepts/cluster-administration/certificates/
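The seven steps above, collected into one re-runnable script with the checks a practitioner would run instead of comparing PEM blobs by eye. This is an added example, not code from the original post or from the Kubernetes documentation. Its assumptions, none of which come from the page: the output directory, MASTER_IP and service IP are parameters; validity is shortened to 365 days; the CA gets its own CN (`kubernetes-ca`) instead of the master IP so issuer and leaf subject are visibly different; the CA extensions are written out explicitly rather than taken from the system openssl.cnf; keys are created 0600; and the leaf keyUsage adds digitalSignature for TLS 1.3 and ECDHE. The verification function uses `openssl verify` for the chain and SAN checks, compares public-key fingerprints for the key binding, and the demo shows that a second, unrelated CA rejects the first cluster's server certificate even though both leaf certificates carry the identical subject CN.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: the page's seven openssl steps as one script,
# plus real checks. Assumptions (not from the page): dir/MASTER_IP/service IP are parameters,
# 365-day validity, CA CN "kubernetes-ca", explicit CA extensions, leaf keyUsage + digitalSignature.
set -eu
# gen_k8s_certs DIR MASTER_IP SERVICE_IP -> ca.key ca.crt server.key server.csr server.crt in DIR
gen_k8s_certs() {
  local dir="$1" master_ip="$2" svc_ip="$3"
  mkdir -p "$dir"
  (
    cd "$dir"
    umask 077   # keys are created 0600; the default umask would leave ca.key world-readable
    # Self-signed CA with explicit CA extensions (the page relied on the system openssl.cnf).
    cat > ca.conf <<EOF
[ req ]
prompt = no
distinguished_name = ca_dn
x509_extensions = ca_ext
[ ca_dn ]
CN = kubernetes-ca
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    # API server CSR config: the page's DN and SANs; digitalSignature added for TLS 1.3/ECDHE.
    cat > csr.conf <<EOF
[ req ]
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn
[ dn ]
C = CN
ST = LiaoNing
L = DaLian
O = kubernetes
OU = kubernetes
CN = ${master_ip}
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = kubernetes
DNS.2 = kubernetes.default
DNS.3 = kubernetes.default.svc
DNS.4 = kubernetes.default.svc.cluster
DNS.5 = kubernetes.default.svc.cluster.local
IP.1 = ${master_ip}
IP.2 = ${svc_ip}
[ v3_ext ]
authorityKeyIdentifier = keyid,issuer:always
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth,clientAuth
subjectAltName = @alt_names
EOF
    openssl genrsa -out ca.key 2048 2>/dev/null                                       # step 1
    openssl req -x509 -new -nodes -key ca.key -days 365 -config ca.conf -out ca.crt   # step 2
    openssl genrsa -out server.key 2048 2>/dev/null                                   # step 3
    openssl req -new -key server.key -config csr.conf -out server.csr                 # steps 4-5
    openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
      -days 365 -extensions v3_ext -extfile csr.conf -out server.crt 2>/dev/null      # step 6
    chmod 644 ca.crt server.crt   # certificates are public; only the keys stay 0600
  )
}
# pubkey_sha256 FILE -> SHA-256 of the DER SubjectPublicKeyInfo, taken from a .crt or a .key
pubkey_sha256() {
  case "$1" in
    *.crt) openssl x509 -in "$1" -noout -pubkey ;;
    *)     openssl pkey -in "$1" -pubout ;;
  esac | openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}
# verify_k8s_certs DIR MASTER_IP -> 0 only if everything step 7 checked by eye really holds
verify_k8s_certs() {
  local dir="$1" master_ip="$2" ca="$1/ca.crt" crt="$1/server.crt"
  openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 || return 1                     # signed by this CA
  openssl verify -CAfile "$ca" -verify_ip "$master_ip" "$crt" >/dev/null 2>&1 || return 1         # SAN IP
  openssl verify -CAfile "$ca" -verify_hostname kubernetes.default.svc.cluster.local \
    "$crt" >/dev/null 2>&1 || return 1                                                 # SAN DNS
  [ "$(pubkey_sha256 "$crt")" = "$(pubkey_sha256 "$dir/server.key")" ] || return 1    # cert/key binding
  openssl x509 -in "$crt" -noout -text | grep -A1 'Basic Constraints' | grep -q 'CA:FALSE' || return 1
  [ -z "$(find "$dir" -name '*.key' ! -perm 600)" ] || return 1                        # no exposed keys
}
# Stand-alone demo with constructed addresses: clusterB's CA must reject clusterA's server cert.
demo() {
  local work; work=$(mktemp -d)
  gen_k8s_certs "$work/clusterA" 192.168.163.121 10.254.0.1
  verify_k8s_certs "$work/clusterA" 192.168.163.121 || { echo "clusterA: FAILED"; return 1; }
  echo "clusterA: chain, SAN, key binding and key permissions OK"
  gen_k8s_certs "$work/clusterB" 192.168.163.121 10.254.0.1
  if openssl verify -CAfile "$work/clusterB/ca.crt" "$work/clusterA/server.crt" >/dev/null 2>&1; then
    echo "BUG: a foreign CA was accepted"; return 1
  fi
  echo "clusterB CA correctly rejects clusterA/server.crt: same CN, different issuer key"
  rm -rf "$work"
}
demo
```

Run it as `bash gen-k8s-certs.sh`; the `gen_k8s_certs` and `verify_k8s_certs` functions can also be sourced into other scripts. The design point is that every check `verify_k8s_certs` performs is one that step 7 of the page did by reading output: `openssl verify` proves the signature rather than the issuer string, `-verify_ip` and `-verify_hostname` exercise the SAN the way a TLS client does, and the fingerprint comparison replaces visually matching two PEM blocks.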