1 安装

# Install cfssl via Homebrew (macOS). The steps below also rely on
# `cfssljson`, which is expected to arrive with the same package;
# check with `command -v cfssl cfssljson` before continuing.
brew install cfssl

2 创建证书

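# 2.1 Initialise the cfssl working directory.
#
# These steps are written to be pasted into an interactive shell, so
# there is no `set -e` here. If you save them as a script, start it with
# `set -euo pipefail` so a failed cfssl call (which is piped into
# cfssljson below) cannot go unnoticed.
#
# The directory will hold the CA private key (ca-key.pem); restrict it
# to this user instead of leaving the default 0755.
mkdir -p ~/cfssl/cert && chmod 700 ~/cfssl/cert
cd ~/cfssl/cert

# Starter templates, if you want to see every supported config/CSR field:
#cfssl print-defaults config > config.json
#cfssl print-defaults csr > csr.json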

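# 2.2 Signing policy used when issuing leaf certificates from the CA.
#
# Leaf lifetime is 8760h (1 year) instead of the 100-year value
# (876000h) that was here: a server certificate that never expires and
# has no revocation path is a standing credential if its key ever
# leaks. Renew by re-running step 2.6 before expiry. The "csprofile"
# name is kept unchanged because step 2.6 selects it with -profile.
#
# NOTE(review): the profile carries both "server auth" and "client
# auth", so a certificate issued with it is also a valid *client*
# certificate to anything that trusts this CA (Kubernetes maps the
# subject CN to a username and O to groups). Prefer a "server" profile
# with only "server auth" for the API server and a separate "client"
# profile for users and components.
#
# The quoted delimiter keeps the shell from expanding anything inside
# the JSON body.
tee ca-config.json <<'EOF'
{
  "signing": {
    "default": {
      "expiry": "8760h"
    },
    "profiles": {
      "csprofile": {
        "expiry": "8760h",
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ]
      }
    }
  }
}
EOF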

# 2.3 CSR definition for the CA certificate itself.
#
# The "CA" block sets the CA certificate's own lifetime (876000h, about
# 100 years); the key is 2048-bit RSA; the subject fields below are
# informational only.
#
# NOTE(review): 100 years is far longer than common practice for a
# cluster CA (10 years, 87600h, is a typical choice). A CA this
# long-lived needs a rotation/revocation plan — confirm against your
# policy before using it outside a lab.
#
# The quoted delimiter makes the heredoc literal, so the JSON is written
# to ca-csr.json exactly as shown (and echoed to the terminal by tee).
tee ca-csr.json <<'EOF'
{
  "CA":{"expiry":"876000h"},
  "CN": "cacert",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names":[{
    "C": "CN",
    "ST": "Jangsu",
    "L": "Nanjing",
    "O": "Examplesoftware",
    "OU": "IT department"
  }]
}
EOF

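# 2.4 Generate the CA private key (ca-key.pem) and self-signed CA
# certificate (ca.pem).
#
# cfssljson is expected to write the key with mode 0600 already; the
# chmod is a belt-and-braces guard so the key is never left readable by
# other users even if the tool version or umask behaves differently.
# The `&&` chain stops before the chmod if generation fails.
cfssl gencert -initca ca-csr.json | cfssljson -bare ca - && chmod 0600 ca-key.pem

# ca-key.pem can mint certificates that every component trusting ca.pem
# will accept. Once ca.pem has been distributed, move ca-key.pem off this
# machine (offline storage or an HSM/KMS) and keep only ca.pem here.

# Show the validity window (not_before / not_after) of the new CA cert.
cfssl certinfo -cert ca.pem | grep 'not'
# openssl req -noout -text -in ./ca.csr
# openssl x509 -noout -text -in ./ca.pem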


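# 2.5 CSR definition for the API server key and certificate.
#
# cfssl places only the "hosts" entries into the certificate's SAN
# extension; the CN is not copied there, and TLS clients (Go >= 1.15,
# modern browsers) match the server name against SANs only. The CN
# "k8s.vip.io" is therefore listed in "hosts" as well, otherwise
# connections to that name would fail certificate verification.
#
# NOTE(review): pods reach the API server through the in-cluster
# "kubernetes" service, whose ClusterIP is the first address of the
# service CIDR (10.96.0.1 with the common default range). Add that IP
# here if in-cluster clients should verify the server — confirm the
# value against your cluster's --service-cluster-ip-range.
#
# The quoted delimiter keeps the shell from expanding anything inside
# the JSON body.
tee server-csr.json <<'EOF'
{
  "CN": "k8s.vip.io",
  "hosts": [
    "k8s.vip.io",
    "127.0.0.1",
    "192.168.100.101",
    "192.168.100.100",
    "kubernetes",
    "kubernetes.default",
    "kubernetes.default.svc",
    "kubernetes.default.svc.cluster",
    "kubernetes.default.svc.cluster.local"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [{
    "C": "CN",
    "ST": "Jangsu",
    "L": "Nanjing",
    "O": "Examplesoftware",
    "OU": "IT department"
  }]
}
EOF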

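# 2.6 Issue the API server key and certificate, signed by the CA with
# the "csprofile" policy from ca-config.json. cfssljson writes them as
# server-key.pem and server.pem.
#
# The chmod is a belt-and-braces guard so the private key is never left
# readable by other users; the `&&` chain skips it if signing fails.
#
# NOTE(review): with the "csprofile" usages the resulting certificate is
# also a valid client certificate for anything trusting ca.pem (it would
# authenticate as user "k8s.vip.io", group "Examplesoftware" to a
# Kubernetes API server using this CA). Use a server-only profile if
# that is not intended.
cfssl gencert \
  -ca ca.pem \
  -ca-key ca-key.pem \
  -config ca-config.json \
  -profile csprofile \
  server-csr.json | cfssljson -bare server && chmod 0600 server-key.pem

# Show the validity window (not_before / not_after); confirm the SANs
# with the openssl x509 line below if in doubt.
cfssl certinfo -cert server.pem | grep 'not'
# openssl req -noout -text -in ./server.csr
# openssl x509 -noout -text -in ./server.pem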