cfgssl

实战：利用cfgssl自签证书-2023.1.5(测试成功)

目录

[toc]

实验环境

linux机器

实验软件

链接：https:-rw-r--r--1rootroot5.6MNov252019cfssl.tar.gz-rw-r--r--1rootroot1005Mar262021certs.sh[root@k8s-master1 ~]#tar tvf cfssl.tar.gz -rwxr-xr-xroot/root103766572019-11-2506:36cfssl-rwxr-xr-xroot/root65951952019-11-2506:36cfssl-certinfo-rwxr-xr-xroot/root22778732019-11-2506:36cfssljson[root@k8s-master1 ~]#tar xf cfssl.tar.gz -C /usr/bin/

• 验证：

[root@k8s-master1 ~]#cfssl --helpUsage:Availablecommands:bundlecertinfoocspsignselfsignscanprint-defaultssigngencertocspdumpversiongenkeygencrlocsprefreshinfoserveocspserverevokeTop-levelflags:-allow_verification_with_non_compliant_keysAllowaSignatureVerifiertousekeyswhicharetechnicallynon-compliantwithRFC6962.-loglevelintLoglevel(0 =DEBUG,5=FATAL) (default1)

2、生成证书

• 创建测试目录：

[root@k8s-master1 ~]#mkdir https[root@k8s-master1 ~]#cd https/

• 将证书生成脚本移动到刚才创建的目录

[root@k8s-master1 ~]#mv certs.sh https/[root@k8s-master1 ~]#ls https/certs.sh[root@k8s-master1 ~]#cd https/[root@k8s-master1 https]#cat certs.sh cat>ca-config.json<<EOF{"signing":{"default":{"expiry":"87600h"},"profiles":{"kubernetes":{"expiry":"87600h","usages":["signing","key encipherment","server auth","client auth"]}}}}EOFcat>ca-csr.json<<EOF{"CN":"kubernetes","key":{"algo":"rsa","size":2048},"names":[{"C":"CN","L":"Beijing","ST":"Beijing"}]}EOFcfsslgencert-initcaca-csr.json|cfssljson-bareca-cat>web.aliangedu.cn-csr.json<<EOF{"CN":"web.aliangedu.cn","hosts":[],"key":{"algo":"rsa","size":2048},"names":[{"C":"CN","L":"BeiJing","ST":"BeiJing"}]}EOFcfsslgencert-ca=ca.pem-ca-key=ca-key.pem-config=ca-config.json-profile=kubernetesweb.aliangedu.cn-csr.json|cfssljson-bareweb.aliangedu.cn

备注：

• 执行脚本，生成证书：

[root@k8s-master1 https]#sh certs.sh 2022/11/2709:38:30[INFO] generating a new CA key and certificate from CSR2022/11/2709:38:30[INFO] generate received request2022/11/2709:38:30[INFO] received CSR2022/11/2709:38:30[INFO] generating key:rsa-20482022/11/2709:38:30[INFO] encoded CSR2022/11/2709:38:30[INFO] signed certificate with serial number 429205721976735100251217293813103954947758866892022/11/2709:38:30[INFO] generate received request2022/11/2709:38:30[INFO] received CSR2022/11/2709:38:30[INFO] generating key:rsa-20482022/11/2709:38:30[INFO] encoded CSR2022/11/2709:38:30[INFO] signed certificate with serial number 2656501574463098711105240218991557072159400247322022/11/2709:38:30[WARNING] This certificate lacks a "hosts"field. This makes it unsuitable forwebsites.FormoreinformationseetheBaselineRequirementsfortheIssuanceandManagementofPublicly-TrustedCertificates,v.1.1.6,fromtheCA/BrowserForum(https:specifically,section10.2.3("Information Requirements").[root@k8s-master1 https]#ll *-rw-r--r--1rootroot294Nov2709:38ca-config.json-rw-r--r--1rootroot960Nov2709:38ca.csr-rw-r--r--1rootroot212Nov2709:38ca-csr.json-rw-------1rootroot1675Nov2709:38ca-key.pem-rw-r--r--1rootroot1273Nov2709:38ca.pem-rw-r--r--1rootroot1005Mar262021certs.sh-rw-r--r--1rootroot968Nov2709:38web.aliangedu.cn.csr-rw-r--r--1rootroot189Nov2709:38web.aliangedu.cn-csr.json-rw-------1rootroot1679Nov2709:38web.aliangedu.cn-key.pem#数字证书私钥-rw-r--r--1rootroot1318Nov2709:38web.aliangedu.cn.pem#数字证书[root@k8s-master1 https]#

• 注意：这个后缀不一样，.crt，.key。

参考文章

参考1：

此处为语雀内容卡片，点击链接查看：https:实战2：只能访问某个namespace的普通用户-2023.2.6(测试成功)（cfgssl）