PKI (Public Key Infrastructure) and CA Certification Principles: Using the CFSSL Certificate Generation Tool
CFSSL is an open-source PKI/TLS toolkit from CloudFlare, written in Go. It consists of a command-line tool and an HTTP API server for signing, verifying and bundling TLS certificates.
Project page: https://github.com/cloudflare/cfssl
Downloads: https://pkg.cfssl.org/
Reference: https://blog.cloudflare.com/how-to-build-your-own-public-key-infrastructure/
cfssl usage reference: https://coreos.com/os/docs/latest/generate-self-signed-certificates.html
1. What CFSSL includes:
A set of tools for building a custom TLS PKI:
cfssl: the CFSSL command-line tool
cfssljson: takes the JSON output of cfssl and multirootca and writes the certificate, key, CSR and bundle to disk
multirootca: a certificate authority server that can use multiple signing keys
mkbundle: builds certificate pool bundles
2. Installing cfssl (binary release)
Here we only need the cfssl tool, cfssljson, and the inspection tool cfssl-certinfo:
wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
chmod +x cfssl_linux-amd64 cfssljson_linux-amd64 cfssl-certinfo_linux-amd64
mv cfssl_linux-amd64 /usr/local/bin/cfssl
mv cfssljson_linux-amd64 /usr/local/bin/cfssljson
mv cfssl-certinfo_linux-amd64 /usr/local/bin/cfssl-certinfo
3. cfssl commands
bundle: creates a certificate bundle containing the client certificate
genkey: generates a key (private key) and a CSR (certificate signing request)
scan: scans hosts for problems
revoke: revokes a certificate
certinfo: prints the certificate information of a given certificate; same function as the cfssl-certinfo tool
gencrl: generates a new certificate revocation list
selfsign: generates a new self-signed key and signed certificate
print-defaults: prints the default configuration, which can be used as a template
config: generates a CA configuration template file
csr: generates a certificate request template file
serve: starts an HTTP API server
gencert: generates a new key and signed certificate
  -initca: initializes a new CA
  -ca: specifies the CA certificate
  -ca-key: specifies the CA private key file
  -config: specifies the JSON file for the certificate request (csr)
  -profile: corresponds to a profile in -config; the certificate is generated according to that profile section of the config
ocspdump
ocspsign
info: gets information about a remote signer
sign: signs a client certificate with the given CA, CA key and hostname
ocsprefresh
ocspserve
4. Creating certificates with cfssl
4.1 Creating the certificate authority (CA)
Running a CA requires a CA certificate and a CA private key (root certificate and private key); in practice this means creating a self-signed certificate.
Print the csr template
# cfssl print-defaults csr > ca-csr.json
# cat ca-csr.json
{
    "CN": "example.net",
    "hosts": [
        "example.net",
        "www.example.net"
    ],
    "key": {
        "algo": "ecdsa",
        "size": 256
    },
    "names": [
        {
            "C": "US",
            "L": "CA",
            "ST": "San Francisco"
        }
    ]
}
Modify the template as follows
# vim ca-csr.json
{
    "CA": {
        "expiry": "87600h",
        "pathlen": 0
    },
    "CN": "dzcx root ca",
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "ST": "ShangHai",
            "L": "ShangHai",
            "O": "k8s",
            "OU": "System"
        }
    ]
}
CA: by default the CA certificate is valid for only 5 years; here it is changed to 10 years (this is an added parameter that the template does not contain)
CN: Common Name, a name of your choosing; usually a domain name
key: the algorithm used to generate the certificate key
hosts: which hostnames (domain names) or IPs may use the certificate requested with this csr; empty or "" means any may use it (the CA does not set a hosts field)
names: other attributes
C: Country
ST: State or province
L: Locality Name, the region or city
O: Organization Name, the organization or company name (in k8s this is commonly used to specify the Group for RBAC binding)
OU: Organization Unit Name, the organizational unit or company department
Create the CA certificate
This command generates the files needed to run the CA, ca-key.pem (private key) and ca.pem (certificate), and also ca.csr (certificate signing request), which is used for cross-signing or re-signing.
[root@tmp cfssl]# cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
2020/05/20 13:57:38 [INFO] generating a new CA key and certificate from CSR
2020/05/20 13:57:38 [INFO] generate received request
2020/05/20 13:57:38 [INFO] received CSR
2020/05/20 13:57:38 [INFO] generating key: rsa-2048
2020/05/20 13:57:38 [INFO] encoded CSR
2020/05/20 13:57:38 [INFO] signed certificate with serial number 378591317186040818700586804688980599461480903089
You get the following files
[root@tmp cfssl]# ll
total 20
-rw-r--r--. 1 root root 1005 May 20 13:57 ca.csr
-rw-------. 1 root root 1679 May 20 13:57 ca-key.pem
-rw-r--r--. 1 root root 1371 May 20 13:57 ca.pem
Keep ca-key.pem safe. With this key, any kind of certificate can be created under your CA.
*.csr: for a top-level CA this file is not used.
View the contents of the ca.pem certificate
X509v3 extensions: CA:TRUE
[root@tmp ca]# openssl x509 -in ca.pem -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            68:9f:21:f4:e0:69:dd:9f:c1:26:38:b8:23:f9:a9:d9:8c:b3:a3:9a
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=ShangHai, L=ShangHai, O=DZCX, OU=LAOJIA, CN=dzcx laojia local ca
        Validity
            Not Before: May 21 02:02:00 2020 GMT
            Not After : Apr 27 02:02:00 2120 GMT
        Subject: C=CN, ST=ShangHai, L=ShangHai, O=DZCX, OU=LAOJIA, CN=dzcx laojia local ca
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:a3:39:29:f2:f2:7f:ec:3c:cf:1c:c8:3a:27:d9:
                    e3:20:12:b8:61:8b:9b:2d:5c:c2:8b:14:9d:8e:18:
                    f2:a1:a3:4c:a0:14:ac:66:a8:8f:1a:91:77:08:aa:
                    2b:92:bd:78:a8:2a:9d:c2:1e:fd:d3:c3:a6:b9:6b:
                    4e:d8:85:de:57:7f:bb:e0:8c:3b:93:b3:64:78:99:
                    30:51:c2:d3:60:01:06:43:b1:4a:e7:b5:3a:83:24:
                    e9:c0:88:65:5b:44:92:20:af:0f:77:75:9d:a6:f9:
                    b3:17:b8:b8:e5:d0:16:da:85:12:f6:eb:5e:1e:c2:
                    4f:02:9f:5e:7f:94:b2:ca:a1:73:39:bf:7f:69:9f:
                    bc:47:13:50:bd:b9:6d:f6:78:1a:bb:57:74:e5:cf:
                    1c:5e:26:c8:19:95:2f:d5:ca:da:fe:e2:5e:08:19:
                    cf:c3:15:1b:f8:d8:ad:e7:1d:c3:b8:af:9c:ec:17:
                    06:49:c5:6f:cb:27:2b:cd:25:66:1a:96:71:ed:c5:
                    e6:19:db:16:06:4f:7a:26:95:80:bd:98:4a:ae:9e:
                    6f:69:30:af:1c:b2:00:88:89:95:ba:e8:4d:51:2f:
                    48:76:54:c2:5e:a4:3e:97:87:9a:58:00:c5:aa:47:
                    ca:ed:69:91:fb:bf:9b:7e:60:ec:ca:59:1e:17:db:
                    c2:d1
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:2
            X509v3 Subject Key Identifier:
                5F:A3:94:0B:4C:DC:45:FA:5E:37:06:F5:6F:B0:0C:51:5E:45:63:C6
            X509v3 Authority Key Identifier:
                keyid:5F:A3:94:0B:4C:DC:45:FA:5E:37:06:F5:6F:B0:0C:51:5E:45:63:C6
    Signature Algorithm: sha256WithRSAEncryption
         06:22:37:ca:e9:e2:b6:85:d2:7b:6d:eb:68:eb:36:b2:57:a9:
         f0:41:3c:0e:a2:ff:9f:5e:be:7f:60:64:2a:56:a9:07:6e:48:
         e6:2a:59:ab:07:95:82:a6:28:64:02:f9:d6:4c:09:25:9a:6a:
         bb:48:75:da:b5:a8:8f:a4:54:c6:cc:cc:2d:38:fa:60:26:87:
         a1:49:e0:da:19:4d:e2:29:88:87:5c:c9:3a:99:9e:81:dd:61:
         42:0b:be:f8:77:a3:f1:68:39:56:fc:26:42:e4:c2:04:56:fb:
         00:2a:8b:3a:ac:27:40:27:fb:96:d1:5a:e9:4c:f2:86:b7:dc:
         e4:6c:8f:b8:e4:53:13:f0:fb:19:bd:9d:9b:b2:5e:0f:16:8c:
         5f:d8:85:9c:5c:de:fc:88:46:c4:0b:19:80:4b:0b:0c:c2:e8:
         bf:ec:1e:92:2d:db:15:29:a1:89:bd:d2:c6:c3:22:78:26:51:
         c4:bc:32:fc:b7:78:48:9b:fd:97:f7:77:70:3e:23:c3:b4:5b:
         56:60:6a:69:85:c5:c4:e3:cb:8e:8d:1e:ca:08:d2:11:6d:c2:
         a6:ea:44:b7:5a:d4:13:28:62:e7:28:9a:76:95:1c:c5:b8:15:
         8d:4b:7f:ae:d7:40:77:b7:6b:05:4c:a8:5c:66:01:56:42:ee:
         61:83:89:f6
4.2 Configuring the signing options
Print the config template
[root@tmp cfssl]# cfssl print-defaults config > ca-config.json
[root@tmp cfssl]# cat ca-config.json
{
    "signing": {
        "default": {
            "expiry": "168h"
        },
        "profiles": {
            "www": {
                "expiry": "8760h",
                "usages": [
                    "signing",
                    "key encipherment",
                    "server auth"
                ]
            },
            "client": {
                "expiry": "8760h",
                "usages": [
                    "signing",
                    "key encipherment",
                    "client auth"
                ]
            }
        }
    }
}
By default it generates the www and client profiles, used for TLS web server and client authentication (X.509 v3 certificates).
Modify the template
{
    "signing": {
        "default": {
            "expiry": "87600h"
        },
        "profiles": {
            "server": {
                "expiry": "87600h",
                "usages": [
                    "signing",
                    "key encipherment",
                    "server auth"
                ]
            },
            "client": {
                "expiry": "87600h",
                "usages": [
                    "signing",
                    "key encipherment",
                    "client auth"
                ]
            },
            "peer": {
                "expiry": "87600h",
                "usages": [
                    "signing",
                    "key encipherment",
                    "server auth",
                    "client auth"
                ]
            }
        }
    }
}
default: the default policy; it specifies the default certificate validity of one year (8760h)
server/client/peer: the purpose of each profile
signing: the certificate can be used to sign other certificates; the generated ca.pem certificate has CA=TRUE
server auth: the generated certificate is used by a server, and clients use it to verify the server's identity, e.g. docker and kube-apiserver
client auth: the server authenticates the client, e.g. etcdctl, etcd proxy, docker client
expiry: the expiry time; if omitted, the value in default applies. Here it is changed to 87600h (10 years)
The peer profile has both server auth and client auth, meaning the two ends of the connection verify each other.
For more on the difference between server auth and client auth, see: X509 V3 certificate format description
4.3 Generating the server certificate
Generate the csr for the server certificate
For a server certificate the most important settings are CN and hosts
# cfssl print-defaults csr > server.json
# cat server.json
{
    "CN": "coreos1",
    "hosts": [
        "192.168.122.68",
        "ext.example.com",
        "coreos1.local",
        "coreos1"
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "ST": "ShangHai",
            "L": "ShangHai",
            "O": "dzcx",
            "OU": "yunwei"
        }
    ]
}
Generate the server certificate and private key
-profile=server selects the server profile
server.json is the server csr template configured above
server-cert is the filename prefix of the generated certificate
[root@tmp cfssl]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=server server.json | cfssljson -bare server-cert
2020/05/20 14:45:53 [INFO] generate received request
2020/05/20 14:45:53 [INFO] received CSR
2020/05/20 14:45:53 [INFO] generating key: rsa-2048
2020/05/20 14:45:53 [INFO] encoded CSR
2020/05/20 14:45:53 [INFO] signed certificate with serial number 195518660804980521202440009503382212314971696118
2020/05/20 14:45:53 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for websites. For more information see the Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org); specifically, section 10.2.3 ("Information Requirements").
View the generated files
[root@tmp cfssl]# ll
total 36
-rw-r--r--. 1 root root 1102 May 20 14:45 server-cert.csr
-rw-------. 1 root root 1679 May 20 14:45 server-cert-key.pem
-rw-r--r--. 1 root root 1464 May 20 14:45 server-cert.pem
Certificate contents
X509v3 Extended Key Usage: TLS Web Server Authentication
CA:FALSE
X509v3 Subject Alternative Name: DNS:kube-node1
[root@tmp ca]# openssl x509 -in server-diff.pem -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            28:ba:fa:d0:35:bb:2e:bd:04:32:48:8b:79:62:02:23:95:aa:e5:e5
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=ShangHai, L=ShangHai, O=DZCX, OU=LAOJIA, CN=dzcx laojia local ca
        Validity
            Not Before: May 22 05:49:00 2020 GMT
            Not After : May 20 05:49:00 2030 GMT
        Subject: C=CN, ST=ShangHai, L=ShangHai, O=dzcx, OU=etcd, CN=kube-node1
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:b8:f2:5a:f4:f3:2c:aa:25:51:86:11:84:24:c9:
                    b7:7b:56:02:c8:62:66:c0:8e:d9:20:94:4b:6b:ba:
                    66:8b:31:ab:8a:b9:4c:8c:78:e5:a5:97:4f:61:76:
                    4d:04:58:9c:a8:1b:f9:90:37:cc:55:14:d4:ef:c0:
                    ed:0b:2e:66:dd:37:51:b5:06:ab:8a:5e:87:01:eb:
                    f4:36:7c:82:e4:bb:a9:e0:17:08:89:6c:df:81:54:
                    41:48:e5:05:25:bc:d6:53:fa:d2:65:14:b1:80:bd:
                    54:c7:1a:17:db:51:fa:4b:a0:e1:79:88:b6:c8:88:
                    d2:02:9e:a9:79:71:25:61:62:72:06:04:b9:81:72:
                    20:0b:d4:9a:c4:0d:74:c1:f3:be:5c:1b:76:77:64:
                    c2:8f:f9:d5:1f:11:6f:cb:83:fa:b5:8b:58:2e:1c:
                    d6:6b:10:3a:04:a3:f1:3c:68:30:16:1a:d1:5d:83:
                    de:5f:b9:58:96:af:23:c1:9f:0c:cb:83:ee:63:37:
                    01:29:87:79:01:7e:3f:58:04:5d:b1:98:a2:1e:12:
                    44:27:34:f8:de:d6:9c:5c:90:21:e4:3a:18:bf:70:
                    18:b8:d0:c1:3e:50:a2:df:38:eb:3b:74:aa:63:a4:
                    3d:7f:b8:8c:d1:00:5c:57:40:d4:c0:79:af:2c:17:
                    d5:95
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                8F:2E:B5:27:C4:90:93:FD:EA:8C:DA:C8:2E:EF:31:48:82:07:06:0B
            X509v3 Authority Key Identifier:
                keyid:5F:A3:94:0B:4C:DC:45:FA:5E:37:06:F5:6F:B0:0C:51:5E:45:63:C6
            X509v3 Subject Alternative Name:
                DNS:kube-node1
    Signature Algorithm: sha256WithRSAEncryption
         2a:62:6a:95:da:b5:6a:bf:d5:bd:d0:01:7e:02:7e:b8:75:86:
         a2:5d:e2:ce:72:97:02:65:c7:7a:c3:db:47:e6:fe:d4:77:87:
         5e:56:c9:8c:a4:d1:15:a6:5a:4c:1f:8a:7e:42:ce:84:df:ee:
         a8:ac:2c:08:66:0d:d4:ef:20:5f:e7:8e:3f:15:6f:bd:1c:55:
         5e:d4:c5:e7:c0:09:f4:71:24:ef:5b:b9:55:3e:f7:6f:d5:a6:
         7b:03:96:e0:33:54:99:81:11:49:b1:81:97:70:3c:ac:b8:a5:
         45:88:01:c5:7c:21:5c:33:03:90:41:88:e1:cf:1a:51:88:be:
         c1:f9:f2:33:07:af:36:8e:af:a9:08:ba:92:7e:d1:01:4b:8a:
         65:f7:23:7a:26:1f:28:00:c0:13:78:4b:76:ed:41:ea:5a:f7:
         cf:0a:a5:19:b9:7d:3f:e1:57:c4:a1:ad:c9:87:dd:91:fa:25:
         2b:f4:93:f1:f4:0d:89:1e:27:13:7e:e6:dd:15:73:ec:33:14:
         a8:0a:d7:ee:d5:34:af:54:8d:1c:f0:69:cb:fa:b0:c5:0f:db:
         b1:c5:17:2a:1d:16:ed:8c:c0:12:0d:bd:f5:7b:5f:f9:7c:f7:
         74:d0:56:41:f3:e6:53:25:ac:ab:19:87:c5:c8:f0:b9:64:e8:
         b7:58:de:35
4.4 Generating the client certificate (website)
Generate the csr for the client certificate
For a client certificate we can ignore the host values and set CN to the client's value:
# cfssl print-defaults csr > client.json
# cat client.json
{
    "CN": "www.xieow.net",
    "hosts": [""],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "ST": "ShangHai",
            "L": "ShangHai",
            "O": "dzcx",
            "OU": "yunwei"
        }
    ]
}
Generate the client certificate and private key
[root@tmp cfssl]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=client client.json | cfssljson -bare client
2020/05/20 14:55:40 [INFO] generate received request
2020/05/20 14:55:40 [INFO] received CSR
2020/05/20 14:55:40 [INFO] generating key: rsa-2048
2020/05/20 14:55:40 [INFO] encoded CSR
2020/05/20 14:55:40 [INFO] signed certificate with serial number 545852657215626295217446445695888814018746963305
2020/05/20 14:55:40 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for websites. For more information see the Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org); specifically, section 10.2.3 ("Information Requirements").
View the generated files
[root@tmp cfssl]# ll
total 52
-rw-r--r--. 1 root root 1050 May 20 14:55 client.csr
-rw-------. 1 root root 1679 May 20 14:55 client-key.pem
-rw-r--r--. 1 root root 1411 May 20 14:55 client.pem
Certificate contents
X509v3 Extended Key Usage: TLS Web Client Authentication
CA:FALSE
X509v3 Subject Alternative Name: DNS:
[root@tmp ca]# openssl x509 -in client-diff.pem -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            31:16:a5:bf:68:c8:f5:67:33:ff:25:3c:58:7f:ce:e2:6e:77:de:ff
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=ShangHai, L=ShangHai, O=DZCX, OU=LAOJIA, CN=dzcx laojia local ca
        Validity
            Not Before: May 22 05:48:00 2020 GMT
            Not After : May 20 05:48:00 2030 GMT
        Subject: C=CN, ST=ShangHai, L=ShangHai, O=dzcx, OU=etcd, CN=kube-node1
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:a9:a3:f4:26:31:09:fe:0f:3f:9c:f2:ba:c8:11:
                    f4:0b:f2:24:b5:ff:98:45:e7:ba:8e:0f:33:ff:cc:
                    7b:64:d9:33:8e:45:ac:59:93:58:7f:ba:c6:cd:d9:
                    ee:c6:55:eb:29:59:4c:de:9a:e6:dd:64:af:4c:0d:
                    30:4b:9e:7a:85:81:8a:8d:43:0c:6b:8e:04:49:3e:
                    9e:f5:6b:ba:d0:51:df:d1:06:45:c1:d1:ce:40:f7:
                    5b:ff:83:ec:62:bb:9f:ea:2b:7e:c0:77:f9:b5:7c:
                    66:05:d9:92:e4:f6:13:1b:90:9f:22:73:1d:7d:c9:
                    5a:17:02:19:d8:02:ae:cc:9b:ac:18:18:ce:8f:54:
                    1c:bd:79:0d:ee:55:31:ba:fb:8d:e3:0a:be:6b:9f:
                    73:53:57:b5:f6:95:8b:1f:40:e8:8b:e3:62:df:e9:
                    bd:5f:06:44:af:a8:2a:85:30:da:69:58:f9:1e:8f:
                    3f:d5:1d:aa:a1:8c:86:79:10:de:a5:4c:f4:27:46:
                    ce:fc:3a:b8:ce:ba:ec:70:5b:a5:25:c5:51:ec:e4:
                    6c:37:b4:af:40:f8:da:98:d5:8f:51:d2:ef:45:29:
                    65:66:04:34:90:26:a0:9c:30:19:9f:b2:19:90:ec:
                    5c:93:05:26:21:6c:e6:3f:8b:c0:0f:7e:f3:8d:1c:
                    c1:b3
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                55:4B:55:8F:87:43:32:AC:03:76:65:9F:81:35:46:50:25:57:D6:2B
            X509v3 Authority Key Identifier:
                keyid:5F:A3:94:0B:4C:DC:45:FA:5E:37:06:F5:6F:B0:0C:51:5E:45:63:C6
            X509v3 Subject Alternative Name:
                DNS:
    Signature Algorithm: sha256WithRSAEncryption
         6d:63:79:2f:b0:e5:19:8f:6a:50:84:3c:e1:96:4a:ac:59:04:
         d7:f7:0c:10:13:24:3a:5f:72:dd:c1:55:d4:bc:10:45:e7:a8:
         46:7a:74:69:49:42:47:fe:d7:c6:83:bc:e7:67:5b:e7:80:1e:
         e7:51:a7:55:e9:58:1e:34:9c:18:44:4a:12:74:f5:54:3d:60:
         45:f1:83:5a:b9:95:38:d1:f3:dc:fe:4e:f3:a5:1f:60:10:53:
         59:31:f6:ab:9a:a7:1c:cf:7a:5d:d0:45:4e:e7:28:c8:2b:d1:
         52:3d:f7:74:da:fc:a8:d9:ab:5c:e4:23:78:3e:f4:9e:7b:00:
         d2:b4:16:41:7e:e7:6d:ef:33:da:1f:b7:08:48:0d:75:51:a8:
         0b:0f:ed:d9:cd:d3:da:0d:28:18:f2:60:72:13:d2:79:7b:1e:
         8e:0c:f4:f1:23:fe:dd:87:79:bd:cf:19:94:0b:0c:c7:91:3e:
         ce:41:d6:9a:6a:4f:5a:01:9d:34:4b:ec:7b:78:5e:ef:b8:17:
         5d:87:5f:76:40:70:6e:29:cf:a9:88:64:c5:64:b7:b9:52:85:
         25:5f:2f:cf:41:f7:55:03:bf:99:37:e5:e4:9f:9c:98:96:99:
         ab:fb:5c:3d:08:54:a3:0d:d7:cc:ed:a2:59:d6:ae:7a:98:d6:
         0d:87:c3:60
4.5 Generating the peer certificate
Generate the csr for the peer certificate; replace CN and hosts
# cfssl print-defaults csr > member1.json
# cat member1.json
{
    "CN": "member1",
    "hosts": [
        "192.168.122.101",
        "ext.example.com",
        "member1.local",
        "member1"
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "ST": "ShangHai",
            "L": "ShangHai",
            "O": "dzcx",
            "OU": "yunwei"
        }
    ]
}
Generate the peer certificate and private key
[root@tmp cfssl]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=peer member1.json | cfssljson -bare member1
2020/05/20 15:01:26 [INFO] generate received request
2020/05/20 15:01:26 [INFO] received CSR
2020/05/20 15:01:26 [INFO] generating key: rsa-2048
2020/05/20 15:01:26 [INFO] encoded CSR
2020/05/20 15:01:26 [INFO] signed certificate with serial number 93063574151482303566808578105258759235399113076
2020/05/20 15:01:26 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for websites. For more information see the Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org); specifically, section 10.2.3 ("Information Requirements").
View the generated files
[root@tmp cfssl]# ll
total 68
-rw-r--r--. 1 root root 1102 May 20 15:01 member1.csr
-rw-------. 1 root root 1679 May 20 15:01 member1-key.pem
-rw-r--r--. 1 root root 1480 May 20 15:01 member1.pem
View the certificate
X509v3 Extended Key Usage: TLS Web Client Authentication, TLS Web Server Authentication
CA:FALSE
X509v3 Subject Alternative Name: DNS:kube-node1, DNS:kube-node2, ...
[root@tmp ca]# openssl x509 -in peer-diff.pem -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            30:91:60:62:42:34:83:55:38:c3:9b:05:33:8a:f1:5c:d1:5a:57:18
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=ShangHai, L=ShangHai, O=DZCX, OU=LAOJIA, CN=dzcx laojia local ca
        Validity
            Not Before: May 22 05:49:00 2020 GMT
            Not After : May 20 05:49:00 2030 GMT
        Subject: C=CN, ST=ShangHai, L=ShangHai, O=dzcx, OU=etcd, CN=kube-node1
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:bf:ed:91:3e:a5:0d:ec:2e:17:b6:28:a8:0c:ad:
                    2a:a4:d3:55:01:ee:18:f3:5d:9b:a0:15:1b:07:78:
                    5f:12:a8:e1:9b:62:45:9c:41:35:18:1e:ce:83:f4:
                    e1:49:b0:f2:dd:de:df:64:37:fd:40:97:a5:31:be:
                    10:e2:6c:79:9b:eb:8d:9c:74:07:8d:15:2e:4a:b8:
                    2a:ce:fb:bc:81:25:a7:c4:e7:3b:2f:6c:2b:b1:14:
                    04:a6:61:6b:e4:d7:bf:87:cd:1e:a3:01:de:83:b8:
                    3a:95:42:aa:62:47:71:3f:cf:66:f3:9f:96:0f:c7:
                    6f:fb:ad:7c:68:b8:0b:78:ba:36:37:76:e3:04:82:
                    e8:b9:95:ed:e6:21:a3:38:dc:ac:ca:83:f9:3c:8f:
                    92:d1:6c:70:51:d8:a5:7b:0c:47:d6:b2:29:f0:24:
                    69:63:5a:c9:ab:7b:ff:93:85:d0:ba:79:95:f6:79:
                    a2:dc:c3:5f:6d:55:2c:69:9d:22:fb:d3:91:49:8f:
                    a7:4d:8b:44:f4:7a:b6:6a:44:e1:2f:25:00:b0:c1:
                    a0:81:7d:48:83:c8:6c:72:0b:85:f5:fb:b4:25:fd:
                    24:30:40:8d:53:85:44:aa:4a:81:d4:8b:db:ca:8f:
                    32:7a:0a:9b:b2:ee:26:7e:86:cc:ea:94:29:4c:5b:
                    b2:27
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                3F:A9:A4:8E:5D:4C:5C:98:C4:26:45:3D:B1:DA:65:70:2D:56:57:BF
            X509v3 Authority Key Identifier:
                keyid:5F:A3:94:0B:4C:DC:45:FA:5E:37:06:F5:6F:B0:0C:51:5E:45:63:C6
            X509v3 Subject Alternative Name:
                DNS:kube-node1, DNS:kube-node2, DNS:kube-node3, IP Address:192.168.16.32, IP Address:192.168.16.33, IP Address:192.168.16.35
    Signature Algorithm: sha256WithRSAEncryption
         39:ff:ad:11:fd:d4:a0:99:aa:1d:b4:a8:88:65:cf:5c:40:ce:
         e4:e3:cd:0c:1e:b8:e9:38:cf:6e:39:5a:a2:e5:63:23:8c:69:
         d8:df:d0:1a:f6:46:83:3e:c9:87:a5:13:8e:95:11:d1:d5:7f:
         46:41:9b:c0:84:14:90:39:45:5f:f5:cb:56:d3:f8:98:73:ee:
         f7:ea:e8:80:7b:e8:83:9e:78:6e:46:d8:27:7f:c3:0d:42:2c:
         26:d2:9f:20:ef:53:b4:8c:b5:7c:8c:5e:52:55:2b:f9:15:8a:
         4e:cb:2a:42:be:b8:ca:4a:2a:8b:cd:1f:29:e8:2d:c3:70:58:
         4c:c6:b5:2c:ea:7e:ce:54:50:75:3b:75:bc:f4:8e:4d:da:cd:
         ff:e3:e8:8c:40:31:d4:25:36:37:7c:e9:b1:4a:d2:fb:2e:f5:
         e2:ae:44:7e:8f:e6:12:f5:d2:ed:4a:2b:b1:5b:1c:83:2f:88:
         f9:2c:24:e0:74:ad:61:4d:5d:66:16:9f:8a:46:e1:2e:65:da:
         58:e3:08:32:ff:1a:d1:bd:9c:f7:f7:34:a0:24:d5:2a:38:cf:
         84:77:28:0e:32:97:a9:09:02:b8:51:5a:fc:2a:10:86:0f:53:
         01:c9:fb:a8:ef:32:56:7d:95:65:b6:d7:83:31:b3:9f:2e:37:
         48:25:e7:09
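The steps in 4.1 to 4.5 (root CA with pathlen 0 and 87600h validity, the server/client/peer profiles of ca-config.json, and the csr "hosts" field becoming DNS and IP SANs) reproduced with Go's standard crypto/x509 library, as an added example; this is not cfssl's own code and not from the original post. The function names NewRootCA, Issue and VerifyFor and the Profiles map are assumptions; VerifyFor shows what the profile's extended key usage and the SAN list actually decide when a TLS peer checks the certificate.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// Profiles map the "usages" of each ca-config.json profile onto X.509 extended key usages (assumed names).
var Profiles = map[string][]x509.ExtKeyUsage{
	"server": {x509.ExtKeyUsageServerAuth}, "client": {x509.ExtKeyUsageClientAuth},
	"peer": {x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
}
// sign issues tmpl under parent; parent == tmpl yields the self-signed root (same as cfssl gencert -initca).
func sign(tmpl, parent *x509.Certificate, pub *rsa.PublicKey, signer *rsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
// NewRootCA mirrors ca-csr.json: RSA-2048, 87600h validity, CA:TRUE with pathlen 0 (may only sign end-entity certs).
func NewRootCA() (*x509.Certificate, *rsa.PrivateKey, error) {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "dzcx root ca", Country: []string{"CN"}, Organization: []string{"k8s"}},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(87600 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, MaxPathLenZero: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	ca, err := sign(tmpl, tmpl, &key.PublicKey, key)
	return ca, key, err
}
// Issue signs a leaf for cn under profile; like cfssl, each "hosts" entry becomes a DNS or IP SAN ("" is skipped).
func Issue(ca *x509.Certificate, caKey *rsa.PrivateKey, profile, cn string, hosts []string) (*x509.Certificate, error) {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn, Organization: []string{"dzcx"}},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(87600 * time.Hour),
		// "signing", "key encipherment" plus the profile's EKUs; IsCA stays false, so the leaf carries CA:FALSE
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment, ExtKeyUsage: Profiles[profile], BasicConstraintsValid: true,
	}
	for _, h := range hosts {
		if ip := net.ParseIP(h); ip != nil {
			tmpl.IPAddresses = append(tmpl.IPAddresses, ip)
		} else if h != "" {
			tmpl.DNSNames = append(tmpl.DNSNames, h)
		}
	}
	return sign(tmpl, ca, &key.PublicKey, caKey)
}
// VerifyFor is the check a TLS peer performs: chain to ca, usage allowed by the EKU, name (if given) among the SANs.
func VerifyFor(cert, ca *x509.Certificate, usage x509.ExtKeyUsage, name string) bool {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: name, KeyUsages: []x509.ExtKeyUsage{usage}})
	return err == nil
}
```

A certificate issued with the client profile therefore fails VerifyFor with x509.ExtKeyUsageServerAuth, and a server certificate fails for any name that is not in its hosts list, which is the behaviour the profiles in 4.2 are meant to enforce.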
5. Viewing certificate and certificate signing request information
# View the certificate (cert) information:
# cfssl certinfo -cert ca.pem
# View the CSR (certificate signing request) information:
# cfssl certinfo -csr ca.csr
6. Other notes
After signing, append the contents of the CA public certificate ca.pem after the issued certificate, e.g. client.pem; otherwise the browser cannot find the issuing authority.