openssl+cfssl证书签名认证
一、 openssl 生成证书
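# Section 1: build a private CA with OpenSSL and issue one server certificate.
# Requires bash: process substitution `<( )` is used for the extension file below.
# If you see "-bash: openssl: command not found", install it: yum -y install openssl
set -euo pipefail
# Every key written below is a private key; make sure the files are not created
# world-readable (0600 for files, 0700 for directories).
umask 077

# Generate an RSA private key of the given length: ca.key
# NOTE: the CA key is written unencrypted. Keep it away from the hosts that use
# the server certificate; add `-aes256` here if an interactive passphrase is
# acceptable for the signing step.
openssl genrsa -out ca.key 2048

# Self-signed CA certificate derived from the RSA key: ca.crt
# CN: the domain name you intend to use
# -utf8: allows non-ASCII (e.g. Chinese) subject fields
# openssl req -new -x509 -days 36500 -key ca.key -subj "/C=CN/ST=北京/L=昌平/O=同创/OU=研发体系/CN=gitlab.xincan.com/emailAddress=jiangxincan@hatech.com.cn" -out ca.crt -utf8
openssl req -new -x509 -days 36500 -key ca.key -subj "/C=CN/ST=北京/L=昌平/O=同创/OU=研发体系/CN=gitlab.xincan.com/emailAddress=jiangxincan@hatech.com.cn" -out ca.crt -utf8

# Server CSR and private key: gitlab.xincan.com.csr, gitlab.xincan.com.key
# (the summary text below refers to these as server.csr / server.key)
# -nodes: leave the server key unencrypted so the service can start unattended;
#         the umask above is what keeps it private on disk
# CN: the domain name you intend to use
# -utf8: allows non-ASCII (e.g. Chinese) subject fields
# openssl req -newkey rsa:2048 -nodes -keyout gitlab.xincan.com.key -subj "/C=CN/ST=山东/L=青岛/O=徐晓伟工作室/CN=192.168.80.14" -out gitlab.xincan.com.csr -utf8
openssl req -newkey rsa:2048 -nodes -keyout gitlab.xincan.com.key -subj "/C=CN/ST=北京/L=昌平/O=同创/OU=研发体系/CN=gitlab.xincan.com" -out gitlab.xincan.com.csr -utf8

# Sign the CSR with the CA: produces ca.srl and gitlab.xincan.com.crt
# subjectAltName: the DNS names / IPs the certificate is valid for (modern TLS
#   clients match on SAN only and ignore CN)
# basicConstraints=CA:FALSE: marks this as a leaf so it can never be used to
#   issue further certificates
# extendedKeyUsage=serverAuth: restricts the certificate to TLS server use
# -days 36500 (100 years) is far beyond what public CAs and browsers accept for
#   leaf certificates; it only works because this is an internal CA you control.
# openssl x509 -req -extfile <(printf "subjectAltName=IP:192.168.80.14") -days 36500 -in gitlab.xincan.com.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out gitlab.xincan.com.crt
openssl x509 -req -extfile <(printf "subjectAltName=DNS:gitlab.xincan.com,DNS:minio.xincan.com,DNS:kas.xincan.com,DNS:registry.xincan.com,DNS:*.xincan.com\nbasicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n") -days 36500 -in gitlab.xincan.com.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out gitlab.xincan.com.crt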
最终生成了:ca.crt、ca.key、ca.srl、gitlab.xincan.com.crt、gitlab.xincan.com.csr、gitlab.xincan.com.key(即上面注释中所说的 server.crt、server.csr、server.key),其中 gitlab.xincan.com.crt 和 gitlab.xincan.com.key 就是服务端使用的证书和私钥;ca.key 是根私钥,只用于签发,不要随证书一起分发到服务器上。
二、cfssl 生成证书
- 创建文件夹
[root@master140 cert]# tree
.
├── ca
├── client
├── peer
└── server
4 directories, 3 files
[root@master140 cert]#
- 生成ca根证书:创建生成 ca config 配置(注意:下文查看和使用的文件名是 ca/ca-config.json,这里的输出文件名应与之保持一致)
[root@master140 cert]# cfssl print-defaults config > ca/cert-config.json
- 创建生成 ca csr 配置(同样,下文使用的文件名是 ca/ca-csr.json)
[root@master140 cert]# cfssl print-defaults csr > ca/cert-csr.json
- 查看ca目录
[root@master140 cert]# tree
.
├── ca
│ ├── ca-config.json
│ └── ca-csr.json
├── client
├── peer
└── server
- 查看并修改配置 ca-config,如下:
- signing, 表示ca.pem证书可用于签名其它证书
- profile中的peer配置的client auth 和 server auth
- profile中的client配置的client auth
- profile中的server配置的server auth
- server auth:表示 客户端client 可以用 CA证书 对 服务端server的证书进行签名验证。
- client auth:表示 服务端server 可以用 CA证书 对 客户端client 提供的证书进行签名验证。
- server auth和client auth都存在时,说明客户端和服务端双向验证。
- 证书的失效日期是100年(876000h;注意下面 client profile 写的是 87600h,即 10 年,所以后文 client 证书的 not_after 是 2033 年)
[root@master140 cert]# cat ca/ca-config.json
{
"signing": {
"default": {
"expiry": "876000h"
},
"profiles": {
"server": {
"expiry": "876000h",
"usages": [
"signing",
"key encipherment",
"server auth"
]
},
"client": {
"expiry": "87600h",
"usages": [
"signing",
"key encipherment",
"client auth"
]
},
"peer": {
"expiry": "876000h",
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
]
}
}
}
}
- 查看并修改配置 ca-csr
- CN: Common Name,表示业务的名称或者对外的域名。
- C: Country,表示国家
- L: Locality,表示地区或城市
- O: Organization Name,表示组织名称或公司名称
- OU: Organizational Unit,表示组织单元名称
- ST: State,表示州、省
- OU: Organization Unit Name,组织单位名称或者部门
- ca.expiry 表示证书的有效期,此处是100年
- key.algo 表示密钥算法,此处使用 rsa;key.size 表示密钥长度,此处是 2048
- hosts 表示要签名的域名,此处是根证书,所以空着,用于签名其他的证书。
-
[root@master140 cert]# cat ca/ca-csr.json
{
"CN": "xincan.com",
"ca": {
"expiry": "876000h"
},
"hosts": [],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "BJ",
"L": "BJ",
"OU": "HATECH",
"O": "DEV"
}
]
}
- 生成ca根证书, 生成ca.csr ca-key.pem ca.pem
[root@master140 cert]# cfssl gencert -initca ca/ca-csr.json | cfssljson -bare ca/ca -
2023/04/03 14:37:39 [INFO] generating a new CA key and certificate from CSR
2023/04/03 14:37:39 [INFO] generate received request
2023/04/03 14:37:39 [INFO] received CSR
2023/04/03 14:37:39 [INFO] generating key: rsa-2048
2023/04/03 14:37:39 [INFO] encoded CSR
2023/04/03 14:37:39 [INFO] signed certificate with serial number 697391719967130139590478233799697587612905566397
# 查看目录结构
# 生成ca.csr ca-key.pem ca.pem
[root@master140 cert]# tree
.
├── ca
│ ├── ca-config.json
│ ├── ca.csr
│ ├── ca-csr.json
│ ├── ca-key.pem
│ └── ca.pem
├── client
├── peer
└── server
└── server-csr.json
4 directories, 6 files
[root@master140 cert]#
- 查看ca证书内容
[root@master140 cert]# cfssl-certinfo -cert ca/ca.pem
{
"subject": {
"common_name": "xincan.com",
"country": "CN",
"organization": "DEV",
"organizational_unit": "HATECH",
"locality": "BJ",
"province": "BJ",
"names": [
"CN",
"BJ",
"BJ",
"DEV",
"HATECH",
"xincan.com"
]
},
"issuer": {
"common_name": "xincan.com",
"country": "CN",
"organization": "DEV",
"organizational_unit": "HATECH",
"locality": "BJ",
"province": "BJ",
"names": [
"CN",
"BJ",
"BJ",
"DEV",
"HATECH",
"xincan.com"
]
},
"serial_number": "697391719967130139590478233799697587612905566397",
"not_before": "2023-04-03T06:33:00Z",
"not_after": "2123-03-10T06:33:00Z",
"sigalg": "SHA256WithRSA",
"authority_key_id": "",
"subject_key_id": "5D:7C:0D:F3:F1:BA:20:9A:4D:17:10:1C:13:82:44:03:12:95:C6:20",
"pem": "-----BEGIN CERTIFICATE-----\nMIIDiDCCAnCgAwIBAgIUeiggU9Q5XvR3y8JIZEP0Ugmu8L0wDQYJKoZIhvcNAQEL\nBQAwWzELMAkGA1UEBhMCQ04xCzAJBgNVBAgTAkJKMQswCQYDVQQHEwJCSjEMMAoG\nA1UEChMDREVWMQ8wDQYDVQQLEwZIQVRFQ0gxEzARBgNVBAMTCnhpbmNhbi5jb20w\nIBcNMjMwNDAzMDYzMzAwWhgPMjEyMzAzMTAwNjMzMDBaMFsxCzAJBgNVBAYTAkNO\nMQswCQYDVQQIEwJCSjELMAkGA1UEBxMCQkoxDDAKBgNVBAoTA0RFVjEPMA0GA1UE\nCxMGSEFURUNIMRMwEQYDVQQDEwp4aW5jYW4uY29tMIIBIjANBgkqhkiG9w0BAQEF\nAAOCAQ8AMIIBCgKCAQEA07HdbeSiDc2VzFuaNDmGsHDPNfBVEdxZ7EtHdtg+cv9b\nqdP/vXm5/z5P/WqK5PSVeDIE+KK0wQ4Yr5yrGGBHBYWcscMtAGSdm8NfGv85d1qr\nM/dI5vIJbWXOTKFynEaCCMjbyhMb6MVrZWw539GImC0xAtX1VrtV/l1vCPxkS+Q/\nBllUyX9RjNClq6Hxrqy1Qpr2J1eDCITJbjO6qizlS6gSB4RMuU3aFxGTRS3FmMx/\nk7bBq+KXnH1R7sbD4cN+XDz/sLz6Uqi+ZibtW29oMsdrOrw4CybfiMuvU1JCz7Km\ny+WRZhi+hmX7zctR2I5KG+FiETmkfP7u6t8W+piT8QIDAQABo0IwQDAOBgNVHQ8B\nAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUXXwN8/G6IJpNFxAc\nE4JEAxKVxiAwDQYJKoZIhvcNAQELBQADggEBAIQK0bVsEUjBby5Jn+X/EwNQgQFZ\ngIEtTEOTPm2lJwH2lKINk5nKBUVsP6GEfojxRln7p29RpGeLx+G2TZglr0Eu0xIC\n0bVlroIq9LJe4l2O62rulFLpb5391r9HAPjXraAauFPM+qj+3xq1WwGyWUZ9SCOH\n7AGIfbqIqh41s73Bv15xlQyoBYPVuFa9TTbivDrcEvZrviycJGgPTryMsr03tQS0\nVMslNMcvTGClcu9lpVKYmi898ZY8q15Fu/vVF66MqzdMElrs7yN9PNurqWc/xz2b\nFF8gZ4RlAl906A6+aT5Z1ZgNDM1yIYjcCwgyJMNn10T+kp2R7eCsiJVp/XE=\n-----END CERTIFICATE-----\n"
}
[root@master140 cert]#
- 生成server端证书:创建server csr 配置文件
[root@master140 cert]# cfssl print-defaults csr > server/server-csr.json
[root@master140 cert]# tree
.
├── ca
│ ├── ca-config.json
│ ├── ca.csr
│ ├── ca-csr.json
│ ├── ca-key.pem
│ └── ca.pem
├── client
├── peer
└── server
└── server-csr.json
4 directories, 6 files
[root@master140 cert]#
- 编辑 server csr 配置文件
[root@master140 cert]# cat server/server-csr.json
{
"CN": "xincan.com",
"hosts": [
"*.xincan.com",
"gitlab.xincan.com",
"kas.xincan.com",
"minio.xincan.com",
"registry.xincan.com"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "BJ",
"L": "BJ",
"OU": "HATECH",
"O": "DEV"
}
]
}
[root@master140 cert]#
- ca证书签发,生成 server 证书
[root@master140 cert]# cfssl gencert -ca=ca/ca.pem -ca-key=ca/ca-key.pem -config=ca/ca-config.json -profile=server server/server-csr.json | cfssljson -bare server/server
2023/04/03 14:46:33 [INFO] generate received request
2023/04/03 14:46:33 [INFO] received CSR
2023/04/03 14:46:33 [INFO] generating key: rsa-2048
2023/04/03 14:46:34 [INFO] encoded CSR
2023/04/03 14:46:34 [INFO] signed certificate with serial number 442737742437017287357493659096492885026776647093
[root@master140 cert]# tree
.
├── ca
│ ├── ca-config.json
│ ├── ca.csr
│ ├── ca-csr.json
│ ├── ca-key.pem
│ └── ca.pem
├── client
├── peer
└── server
├── server.csr
├── server-csr.json
├── server-key.pem
└── server.pem
4 directories, 9 files
[root@master140 cert]#
- 查看server端证书内容
[root@master140 cert]# cfssl-certinfo -cert server/server.pem
{
"subject": {
"common_name": "xincan.com",
"country": "CN",
"organization": "DEV",
"organizational_unit": "HATECH",
"locality": "BJ",
"province": "BJ",
"names": [
"CN",
"BJ",
"BJ",
"DEV",
"HATECH",
"xincan.com"
]
},
"issuer": {
"common_name": "xincan.com",
"country": "CN",
"organization": "DEV",
"organizational_unit": "HATECH",
"locality": "BJ",
"province": "BJ",
"names": [
"CN",
"BJ",
"BJ",
"DEV",
"HATECH",
"xincan.com"
]
},
"serial_number": "442737742437017287357493659096492885026776647093",
"sans": [
"*.xincan.com",
"gitlab.xincan.com",
"kas.xincan.com",
"minio.xincan.com",
"registry.xincan.com"
],
"not_before": "2023-04-03T06:42:00Z",
"not_after": "2123-03-10T06:42:00Z",
"sigalg": "SHA256WithRSA",
"authority_key_id": "",
"subject_key_id": "42:8E:7B:91:26:B1:88:15:A4:44:04:76:7A:AC:EA:3A:67:C8:E7:BA",
"pem": "-----BEGIN CERTIFICATE-----\nMIID/zCCAuegAwIBAgIUTY0MB9OJgWldx78oXhgNMziBhbUwDQYJKoZIhvcNAQEL\nBQAwWzELMAkGA1UEBhMCQ04xCzAJBgNVBAgTAkJKMQswCQYDVQQHEwJCSjEMMAoG\nA1UEChMDREVWMQ8wDQYDVQQLEwZIQVRFQ0gxEzARBgNVBAMTCnhpbmNhbi5jb20w\nIBcNMjMwNDAzMDY0MjAwWhgPMjEyMzAzMTAwNjQyMDBaMFsxCzAJBgNVBAYTAkNO\nMQswCQYDVQQIEwJCSjELMAkGA1UEBxMCQkoxDDAKBgNVBAoTA0RFVjEPMA0GA1UE\nCxMGSEFURUNIMRMwEQYDVQQDEwp4aW5jYW4uY29tMIIBIjANBgkqhkiG9w0BAQEF\nAAOCAQ8AMIIBCgKCAQEA6QAMTbYL1cMBbRiililj4Z1Z52wkl0glm40niAYgpluZ\nZHERaACdabdmDmmXssKIiva7MA5pCJjsB9u2nIGSp8DDjZgnsxASzNd+M4hyq8GL\nqwWO5yg8Wx4HDFCOzY23K/OgxS27a9QHFGjzTrpIOhCZN/Cg79VCYOOlUSx6WwLK\nnx6T9DsiMzKO2bfHydI8kXEk0WPDcip0YL33Tk4bHnvbJGCB6RK8DwGegwbJRsEo\nQS/1KF6ctbA6Jh3SMQeuyLJS8ARqWbwiAZgl8UqG7REJM282xmCoVc0wOGKvIkJU\n7p0bxca3NqxJFrWkxZxPbgHySmYDHiKoh9kh6OodOwIDAQABo4G4MIG1MA4GA1Ud\nDwEB/wQEAwIFoDATBgNVHSUEDDAKBggrBgEFBQcDATAMBgNVHRMBAf8EAjAAMB0G\nA1UdDgQWBBRCjnuRJrGIFaREBHZ6rOo6Z8jnujBhBgNVHREEWjBYggwqLnhpbmNh\nbi5jb22CEWdpdGxhYi54aW5jYW4uY29tgg5rYXMueGluY2FuLmNvbYIQbWluaW8u\neGluY2FuLmNvbYITcmVnaXN0cnkueGluY2FuLmNvbTANBgkqhkiG9w0BAQsFAAOC\nAQEApHzi4bZONwmtBsoeJp0ERNTbpDEHP9L+yeRMgej7fScPjx9ip6p0834mpNAi\nbo7fxyWM5Lyeo8sGUkaFjk+pClOS0vswn5CfB7B+HiH6hFoi3vZH7hgAjgiOxp61\nksFaPQG9cxF4rwMmxOaFLGWdvVnIQFIO2u4R9dkFbMMOz5hxYFYYd87dEMOisye7\nooZD3TsTrqDDGPp+AwrReOm3ErII184ZjdRghrBQt6kUhlWT5gOfymwPXnkeLpSy\ne3uoQ21vtwT8Pg5apUx/l+35Z5EEveSBH25LgdD87JkwL13GTtJroBb/1tg8pE4F\n2/2s1R8Abog/RAoFVwB09w6stg==\n-----END CERTIFICATE-----\n"
}
[root@master140 cert]#
- 生成client端证书,创建生成client csr 配置
[root@master140 cert]# cfssl print-defaults csr > client/client-csr.json
[root@master140 cert]# tree
.
├── ca
│ ├── ca-config.json
│ ├── ca.csr
│ ├── ca-csr.json
│ ├── ca-key.pem
│ └── ca.pem
├── client
│ └── client-csr.json
├── peer
└── server
├── server.csr
├── server-csr.json
├── server-key.pem
└── server.pem
4 directories, 10 files
[root@master140 cert]#
- 编辑 client csr 配置文件
[root@master140 cert]# cat client/client-csr.json
{
"CN": "xincan.com",
"hosts": [
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "BJ",
"L": "BJ",
"OU": "HATECH",
"O": "DEV"
}
]
}
[root@master140 cert]#
- ca证书签发,生成 client 证书
[root@master140 cert]# cfssl gencert -ca=ca/ca.pem -ca-key=ca/ca-key.pem -config=ca/ca-config.json -profile=client client/client-csr.json | cfssljson -bare client/client
2023/04/03 15:06:53 [INFO] generate received request
2023/04/03 15:06:53 [INFO] received CSR
2023/04/03 15:06:53 [INFO] generating key: rsa-2048
2023/04/03 15:06:53 [INFO] encoded CSR
2023/04/03 15:06:53 [INFO] signed certificate with serial number 120187828283756310134089339261770832983323917924
2023/04/03 15:06:53 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").
[root@master140 cert]# tree
.
├── ca
│ ├── ca-config.json
│ ├── ca.csr
│ ├── ca-csr.json
│ ├── ca-key.pem
│ └── ca.pem
├── client
│ ├── client.csr
│ ├── client-csr.json
│ ├── client-key.pem
│ └── client.pem
├── peer
└── server
├── server.csr
├── server-csr.json
├── server-key.pem
└── server.pem
4 directories, 13 files
[root@master140 cert]#
- 验证 client 端证书
[root@master140 cert]# cfssl-certinfo -cert client/client.pem
{
"subject": {
"common_name": "xincan.com",
"country": "CN",
"organization": "DEV",
"organizational_unit": "HATECH",
"locality": "BJ",
"province": "BJ",
"names": [
"CN",
"BJ",
"BJ",
"DEV",
"HATECH",
"xincan.com"
]
},
"issuer": {
"common_name": "xincan.com",
"country": "CN",
"organization": "DEV",
"organizational_unit": "HATECH",
"locality": "BJ",
"province": "BJ",
"names": [
"CN",
"BJ",
"BJ",
"DEV",
"HATECH",
"xincan.com"
]
},
"serial_number": "120187828283756310134089339261770832983323917924",
"not_before": "2023-04-03T07:02:00Z",
"not_after": "2033-03-31T07:02:00Z",
"sigalg": "SHA256WithRSA",
"authority_key_id": "",
"subject_key_id": "C5:62:6F:AB:93:EB:A1:02:F4:47:14:07:ED:44:B4:F1:C9:5D:37:1E",
"pem": "-----BEGIN CERTIFICATE-----\nMIIDmDCCAoCgAwIBAgIUFQ1omvZ/voh4M7RCUkBpEwgBPmQwDQYJKoZIhvcNAQEL\nBQAwWzELMAkGA1UEBhMCQ04xCzAJBgNVBAgTAkJKMQswCQYDVQQHEwJCSjEMMAoG\nA1UEChMDREVWMQ8wDQYDVQQLEwZIQVRFQ0gxEzARBgNVBAMTCnhpbmNhbi5jb20w\nHhcNMjMwNDAzMDcwMjAwWhcNMzMwMzMxMDcwMjAwWjBbMQswCQYDVQQGEwJDTjEL\nMAkGA1UECBMCQkoxCzAJBgNVBAcTAkJKMQwwCgYDVQQKEwNERVYxDzANBgNVBAsT\nBkhBVEVDSDETMBEGA1UEAxMKeGluY2FuLmNvbTCCASIwDQYJKoZIhvcNAQEBBQAD\nggEPADCCAQoCggEBAPRhzpeNPIPwlWRDwQZVxU36SGriqRdqIHwfUUr/C/BeS/9d\n4jbDkhUL7da503JDbZQDaGaE6+F2Pm9CQyEUkIRNYlGOvEecbSLQrdD3UyGVLkTW\nGJ1TP0z+Dla0k065mRDegci/+mZjv0h7OAkCMMaEbAu6kO9L9eku03p8PAPsCcwn\n/KPpnuTRAejli2efRLXxRYBe1Rtidp3YGCnbojzzeaIGuJaXDNYsdIFTVSK/3Pfb\nFpQo+05bgJVm8yZB04cRlv3W/tsSYZPrhGtCeXrP1Wu+au/iDVZsE3zYOePOsOhp\ndrWx0QPLGCXi5pymKKOeg7kWX89jap6sATy546ECAwEAAaNUMFIwDgYDVR0PAQH/\nBAQDAgWgMBMGA1UdJQQMMAoGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwHQYDVR0O\nBBYEFMVib6uT66EC9EcUB+1EtPHJXTceMA0GCSqGSIb3DQEBCwUAA4IBAQACzcOJ\nzSOKaoYi7t4Xbb8RNwmCsFlVAVmxXuSyZ+9mJ8UPmD9GB7Y253J6FkpDAj+Jb5CN\n5RaLQJDL13Hk48uSZYpQfJ6mNyVshA1GBg6YL3MNFNUU5Y0bK+9sLYtMeE5PFIiQ\nPkmCPrWCEwWFEjY+97slVeJy9HDARbHCygGVi5TAxfZZKwTk24PTEdRHUyvofKMx\nu3Ne6f/KSBEYoSnu1Mcc99GqZUcENtMxa+7HDFlGpfxzdymlWTnwtDlxONLD03Hu\nhHYzOiLTRnS9Dl1V4xOCLsb6oUjaUwP8NIPyTY5em6VH5tHa4Fp7FDmDgfk7Dlu3\nppmpPeR9SpL7HqOa\n-----END CERTIFICATE-----\n"
}
[root@master140 cert]#
- 生成 peer 双向验证证书,创建生成 peer csr 配置
[root@master140 cert]# cfssl print-defaults csr > peer/peer-csr.json
[root@master140 cert]# tree
.
├── ca
│ ├── ca-config.json
│ ├── ca.csr
│ ├── ca-csr.json
│ ├── ca-key.pem
│ └── ca.pem
├── client
│ ├── client.csr
│ ├── client-csr.json
│ ├── client-key.pem
│ └── client.pem
├── peer
│ └── peer-csr.json
└── server
├── server.csr
├── server-csr.json
├── server-key.pem
└── server.pem
4 directories, 14 files
[root@master140 cert]#
- 编辑 peer csr 配置文件
[root@master140 cert]# cat peer/peer-csr.json
{
"CN": "xincan.com",
"hosts": [
"*.xincan.com",
"gitlab.xincan.com",
"kas.xincan.com",
"minio.xincan.com",
"registry.xincan.com",
"localhost",
"10.1.90.139",
"10.1.90.140",
"10.1.90.141",
"10.1.90.142",
"10.1.90.143",
"10.1.90.144",
"10.1.90.145",
"172.16.17.122"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "BJ",
"L": "BJ",
"OU": "HATECH",
"O": "DEV"
}
]
}
[root@master140 cert]#
- ca证书签发,生成 peer 证书
[root@master140 cert]# cfssl gencert -ca=ca/ca.pem -ca-key=ca/ca-key.pem -config=ca/ca-config.json -profile=peer peer/peer-csr.json | cfssljson -bare peer/peer
2023/04/03 15:17:21 [INFO] generate received request
2023/04/03 15:17:21 [INFO] received CSR
2023/04/03 15:17:21 [INFO] generating key: rsa-2048
2023/04/03 15:17:22 [INFO] encoded CSR
2023/04/03 15:17:22 [INFO] signed certificate with serial number 163486644097371029598312313422157147044268955922
[root@master140 cert]# tree
.
├── ca
│ ├── ca-config.json
│ ├── ca.csr
│ ├── ca-csr.json
│ ├── ca-key.pem
│ └── ca.pem
├── client
│ ├── client.csr
│ ├── client-csr.json
│ ├── client-key.pem
│ └── client.pem
├── peer
│ ├── peer.csr
│ ├── peer-csr.json
│ ├── peer-key.pem
│ └── peer.pem
└── server
├── server.csr
├── server-csr.json
├── server-key.pem
└── server.pem
4 directories, 17 files
[root@master140 cert]#
- 验证 peer 证书
[root@master140 cert]# cfssl-certinfo -cert peer/peer.pem
{
"subject": {
"common_name": "xincan.com",
"country": "CN",
"organization": "DEV",
"organizational_unit": "HATECH",
"locality": "BJ",
"province": "BJ",
"names": [
"CN",
"BJ",
"BJ",
"DEV",
"HATECH",
"xincan.com"
]
},
"issuer": {
"common_name": "xincan.com",
"country": "CN",
"organization": "DEV",
"organizational_unit": "HATECH",
"locality": "BJ",
"province": "BJ",
"names": [
"CN",
"BJ",
"BJ",
"DEV",
"HATECH",
"xincan.com"
]
},
"serial_number": "163486644097371029598312313422157147044268955922",
"sans": [
"*.xincan.com",
"gitlab.xincan.com",
"kas.xincan.com",
"minio.xincan.com",
"registry.xincan.com",
"localhost",
"10.1.90.139",
"10.1.90.140",
"10.1.90.141",
"10.1.90.142",
"10.1.90.143",
"10.1.90.144",
"10.1.90.145",
"172.16.17.122"
],
"not_before": "2023-04-03T07:12:00Z",
"not_after": "2123-03-10T07:12:00Z",
"sigalg": "SHA256WithRSA",
"authority_key_id": "",
"subject_key_id": "5C:DB:5E:55:D5:31:BB:3A:97:BA:16:BA:16:20:BD:02:90:CA:CA:05",
"pem": "-----BEGIN CERTIFICATE-----\nMIIESDCCAzCgAwIBAgIUHKL+om2qj45wHLTQKAO5c/+fWRIwDQYJKoZIhvcNAQEL\nBQAwWzELMAkGA1UEBhMCQ04xCzAJBgNVBAgTAkJKMQswCQYDVQQHEwJCSjEMMAoG\nA1UEChMDREVWMQ8wDQYDVQQLEwZIQVRFQ0gxEzARBgNVBAMTCnhpbmNhbi5jb20w\nIBcNMjMwNDAzMDcxMjAwWhgPMjEyMzAzMTAwNzEyMDBaMFsxCzAJBgNVBAYTAkNO\nMQswCQYDVQQIEwJCSjELMAkGA1UEBxMCQkoxDDAKBgNVBAoTA0RFVjEPMA0GA1UE\nCxMGSEFURUNIMRMwEQYDVQQDEwp4aW5jYW4uY29tMIIBIjANBgkqhkiG9w0BAQEF\nAAOCAQ8AMIIBCgKCAQEAzA8U/CCOXt1hoxKGJrMTUDmwRLSya8+7Wy0xJr7PKi1m\ni3XWaV64uzb5vpQACcB+EV0Cn0mrrBeI5zHlxaSJQNoYKcbVu+jiGHKfDLaHz/V6\n1zkGEY77lvkdDI/QzB2Ms1sYEpLxJMjyRZTMolt5o8C5CjlRnldfJ1sG/36TOo5b\nxuFQmbNkWa8fI+smqa+VK2L9KMa3EWTDo1JJg81UXnv7DuGQzhEFkrOwYT7b5mTS\nIcpsKZikemiwyAmJU8+NX5+DvB3O8ZZ0nUAyB+EQS2j6H1r1LOc2HahB2vheCjr3\ndM1BcsLVS25B9vTP1/DPK8PyeB4bF2kvLx9SuBMu/QIDAQABo4IBADCB/TAOBgNV\nHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwGA1Ud\nEwEB/wQCMAAwHQYDVR0OBBYEFFzbXlXVMbs6l7oWuhYgvQKQysoFMIGeBgNVHREE\ngZYwgZOCDCoueGluY2FuLmNvbYIRZ2l0bGFiLnhpbmNhbi5jb22CDmthcy54aW5j\nYW4uY29tghBtaW5pby54aW5jYW4uY29tghNyZWdpc3RyeS54aW5jYW4uY29tggls\nb2NhbGhvc3SHBAoBWouHBAoBWoyHBAoBWo2HBAoBWo6HBAoBWo+HBAoBWpCHBAoB\nWpGHBKwQEXowDQYJKoZIhvcNAQELBQADggEBAI2aXtGSUwYBhHp7mu1DFy0XEO/Z\ncomH5nMqpXYIjze+sqjsVq4PFTPfSeU3ucMBcx5lPWQGUdHWFSXWNvxHpCH3lJ3n\nctJrX/flFo61KwTN4Yp/1yJtoDxgkBFBb7flWBYY4VyTqyAWwY7TOmq/vEv+OOQc\nrLY/aIJz9Xln+VqyEFJ2okn3RQ1uz+2bWJ9RnNdz5PJ2AsYw3+r5W12m0fIavw41\nCLY65xGbxOZtBsk0ud7t5X/2zDqkcmZQPkuIoZ2Gq1htqldGlIare87wNFtE5aVR\nTOIC8iY9hEy+v3FohhvB8/kzYZSpVlCI7qifQRAqxjv7u5iFeZXEVz4WJCc=\n-----END CERTIFICATE-----\n"
}
[root@master140 cert]#
- 如果需要 crt 格式请执行(这里的 crt 与 pem 内容完全相同,只是复制改名)
[root@master140 cert]# cp ca/ca.pem ca/ca.crt
[root@master140 cert]# cp server/server.pem server/server.crt
[root@master140 cert]# cp client/client.pem client/client.crt
[root@master140 cert]# cp peer/peer.pem peer/peer.crt
[root@master140 cert]# tree
.
├── ca
│ ├── ca-config.json
│ ├── ca.crt
│ ├── ca.csr
│ ├── ca-csr.json
│ ├── ca-key.pem
│ └── ca.pem
├── client
│ ├── client.crt
│ ├── client.csr
│ ├── client-csr.json
│ ├── client-key.pem
│ └── client.pem
├── peer
│ ├── peer.crt
│ ├── peer.csr
│ ├── peer-csr.json
│ ├── peer-key.pem
│ └── peer.pem
└── server
├── server.crt
├── server.csr
├── server-csr.json
├── server-key.pem
└── server.pem
4 directories, 21 files
[root@master140 cert]#
三、证书使用
- 在 kubernetes 中创建 tls 类型的 secret(--cert 用 server.crt,--key 用 server-key.pem)
[root@master140 cert]# kubectl -n gitlab create secret tls gitlab.xincan.com --cert=/xincan/secrets/cert/server/server.crt --key=/xincan/secrets/cert/server/server-key.pem
secret/gitlab.xincan.com created
NAME TYPE DATA AGE
default-token-zkpdw kubernetes.io/service-account-token 3 19d
gitlab.xincan.com kubernetes.io/tls 2 142m
[root@master140 cert]#
- 在 kubernetes 中创建 generic 类型的 secret(下面只放入了证书和 csr,不包含任何私钥)
# kubectl -n gitlab create secret generic gitlab.xincan.com \
--from-file=ca.crt=/xincan/secrets/cert/ca/ca.crt \
--from-file=ca.csr=/xincan/secrets/cert/ca/ca.csr \
--from-file=ca.pem=/xincan/secrets/cert/ca/ca.pem \
--from-file=gitlab.xincan.com.crt=/xincan/secrets/cert/server/server.crt \
--from-file=gitlab.xincan.com.csr=/xincan/secrets/cert/server/server.csr \
--from-file=gitlab.xincan.com.pem=/xincan/secrets/cert/server/server.pem