  • [k8s] Generating certificates with openssl

    How certificate authentication works:
    http://www.cnblogs.com/iiiiher/p/7873737.html

    [root@m1 ssl]# cat master_ssl.cnf 
    [req]
    req_extensions = v3_req
    distinguished_name = req_distinguished_name
    [ req_distinguished_name ]
    [ v3_req ]
    basicConstraints = CA:FALSE
    keyUsage = nonRepudiation, digitalSignature, keyEncipherment
    subjectAltName = @alt_names
    [alt_names]
    DNS.1 = kubernetes
    DNS.2 = kubernetes.default
    DNS.3 = kubernetes.default.svc
    DNS.4 = kubernetes.default.svc.cluster.local
    DNS.5 = m1.ma.com
    IP.1 = 10.254.0.1
    
    
    - Generate certificates non-interactively from the config file
    # CA key and self-signed CA certificate
    openssl genrsa -out ca.key 2048
    openssl req -x509 -new -nodes -key ca.key -subj "/CN=m1.ma.com" -days 5000 -out ca.crt
    
    # Server key, CSR, and a certificate signed by the CA with the v3_req extensions (including the SANs)
    openssl genrsa -out server.key 2048
    openssl req -new -key server.key -subj "/CN=m1.ma.com" -config master_ssl.cnf -out server.csr
    openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 5000 -extensions v3_req -extfile master_ssl.cnf -out server.crt
    
    - Open the certificate manager from Start > Run
    certmgr.msc
    
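    - Generate certificates non-interactively
    # CA key and self-signed CA certificate
    openssl genrsa -out ca.key 2048
    openssl req -x509 -new -nodes -key ca.key -subj "/CN=myca.com" -days 5000 -out ca.crt
    
    # Server key, CSR, and a certificate signed by the CA
    # (no -extfile, so no subjectAltName is added; no -days, so the default validity of 30 days applies)
    openssl genrsa -out server.key 2048
    openssl req -new -key server.key -subj "/O=My Server /CN=n1.ma.com" -out server.csr
    openssl x509 -req -CA ca.crt -CAkey ca.key -CAcreateserial -in server.csr -out server.crt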
    
    - View the certificate contents
    openssl x509 -in /etc/pki/CA/cacert.pem -noout -text|egrep -i "issuer|subject|serial|dates"
    openssl x509  -noout -text -in  kubernetes.pem
    cfssl-certinfo -cert kubernetes.pem
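
A check for the certificates generated above, as an added example that is not part of the original post: it verifies that the server certificate chains to the CA, that the private key belongs to it, and that the expected subjectAltName entries are present (the second procedure passes no -extfile, so its certificate has none). The script name check_cert.sh and the function names are assumptions; the file names follow the commands above.

```bash
#!/usr/bin/env bash
# Added example (not from the original post). Assumed inputs: the ca.crt,
# server.crt and server.key files produced by the openssl steps above.

# Print the certificate's subjectAltName entries one per line,
# normalised to the config-file spelling (DNS:name / IP:addr).
cert_sans() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'X509v3 Subject Alternative Name' | tail -n 1 \
    | tr ',' '\n' | sed -e 's/^ *//' -e 's/^IP Address:/IP:/'
}

# Return 0 only if every expected entry ($2...) is a SAN of cert $1.
check_sans() {
  local cert="$1" sans want missing=0
  shift
  sans=$(cert_sans "$cert")
  for want in "$@"; do
    if ! printf '%s\n' "$sans" | grep -qxF -- "$want"; then
      echo "missing SAN: $want" >&2
      missing=1
    fi
  done
  return "$missing"
}

# Return 0 only if private key $2 belongs to certificate $1
# (compares the two PEM-encoded public keys; empty output never matches).
key_matches_cert() {
  local cert_pub key_pub
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Full check: chain to the CA, key/cert pairing, then the SAN list.
check_server_cert() {
  local ca="$1" cert="$2" key="$3"
  shift 3
  openssl verify -CAfile "$ca" "$cert" >/dev/null || return 1
  key_matches_cert "$cert" "$key" || return 1
  check_sans "$cert" "$@"
}

# Usage: ./check_cert.sh ca.crt server.crt server.key DNS:kubernetes IP:10.254.0.1
if [ "$#" -ge 3 ]; then
  check_server_cert "$@"
fi
```
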
    
  • Original article: https://www.cnblogs.com/iiiiher/p/7891669.html