|
概述
官方最佳实践是用kubeadm构建证书,而如果要手动制作证书,官方推荐cfssl工具更加简明、方便。
此文是oepnssl来制作etcd的根CA证书和server证书,只是为了尝试更多的可能。
制作etcd的CA根证书
解析kubeadm制作etcd的CA根证书
# openssl x509 -in ca.crt -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 0 (0x0)
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=etcd-ca
Validity
Not Before: Jun 18 02:25:38 2020 GMT
Not After : Jun 16 02:25:38 2030 GMT
Subject: CN=etcd-ca
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:e8:68:49:8d:70:76:65:94:39:c1:a5:2e:a9:94:
53:83:cd:a1:da:3c:6e:80:d1:9a:95:eb:96:98:5a:
c1:7d:04:53:41:b3:81:dd:5d:bf:72:06:cc:1b:9e:
d7:20:1f:6d:bf:ba:cb:77:50:c2:e2:34:3f:69:64:
81:26:7b:05:90:fb:5e:39:97:2d:7f:af:71:32:b3:
63:bf:b6:83:25:17:49:89:c4:b8:1f:fe:11:a6:d6:
84:cd:7a:92:16:bb:84:9f:48:2d:96:e2:c8:15:da:
9b:e0:76:fd:7a:95:1d:1e:0c:66:ea:ed:75:61:85:
fe:05:5b:41:7a:02:72:e6:03:81:e0:8c:ab:81:28:
75:83:9c:75:25:01:3c:e1:b4:90:a9:a8:06:6c:f4:
a1:79:41:60:53:62:58:b7:ac:b9:a7:3d:df:ed:db:
85:ab:d0:cb:b1:b5:df:98:08:b3:00:6d:41:5b:e4:
65:4a:4b:55:80:19:08:78:db:c3:c9:51:8e:82:12:
f2:51:ed:ef:18:26:97:9a:1c:9f:26:01:de:9e:71:
76:c0:4c:bc:ee:c2:4c:4a:2a:5c:d9:23:8b:32:01:
b5:25:c1:ac:cb:f6:b0:9c:b7:e6:0f:10:16:57:ff:
04:9c:a8:38:f3:b0:24:11:e2:c8:25:ee:5f:74:bc:
da:2b
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment, Certificate Sign
X509v3 Basic Constraints: critical
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
19:bc:f4:f0:3b:66:6f:90:1c:a9:c5:a4:e4:f4:e7:e2:ea:06:
22:e0:02:f3:e9:ac:40:67:86:95:d6:4b:04:ed:10:70:31:9d:
e2:b9:08:18:a5:70:5b:db:b5:8d:e9:34:8e:fe:b3:60:7c:2c:
ab:6c:70:b1:b2:e1:7d:e3:a2:eb:19:20:5a:f7:97:bc:8d:89:
8e:b1:c5:25:61:9b:f0:7f:44:a3:4d:b9:02:e4:45:9a:8d:7f:
42:4f:cb:8e:17:15:47:50:f9:ed:27:a3:4d:0d:4d:fc:75:9e:
61:a6:c9:b3:f7:9c:85:64:34:ee:27:52:5c:7c:1a:3c:b8:f9:
3c:9f:e4:67:93:cd:05:da:23:e7:ff:38:ec:e2:9a:14:a4:32:
3c:86:52:51:92:e7:67:1b:f9:8b:05:1c:da:02:64:1c:ee:32:
94:20:04:5e:81:44:4a:55:c3:f7:02:ad:c0:95:a9:f6:2c:c3:
74:ac:14:b8:00:a6:d8:ae:e1:0b:36:2d:e0:a9:9d:b3:43:79:
73:1a:e8:77:c7:cd:15:74:b9:b9:20:42:1c:30:ad:cb:c0:5f:
6a:9d:7e:ee:23:46:e8:a4:72:b4:d3:b8:74:be:12:d7:a8:a1:
31:cf:51:1a:95:ae:2f:e2:cd:c4:4d:2d:a2:da:76:5e:9e:d4:
2e:c1:02:c8
制作根证书私钥
(umask 077;openssl genrsa -out ca.key 2048)
生成签署请求
配置openssl文件
cat |