【运维】K8S集群部署系列之ETCD集群搭建(二)
TLS Certificate Generation
Introduction
Transport Layer Security (TLS) provides confidentiality and data integrity between two communicating applications.
Certificates can be generated with the open-source OpenSSL toolchain on Linux or with the CFSSL tool; this article uses the latter.
Tool download
- Reference links
GitHub: https://github.com/cloudflare/cfssl
Downloads: https://pkg.cfssl.org/
- Download and install
```bash
wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
chmod +x cfssl*
# rename on install so that the command names used below (cfssl, cfssljson, cfssl-certinfo) resolve
mv cfssl_linux-amd64 /usr/local/bin/cfssl
mv cfssljson_linux-amd64 /usr/local/bin/cfssljson
mv cfssl-certinfo_linux-amd64 /usr/local/bin/cfssl-certinfo
```
Create the CA
CA certificate signing request file
- Generate the CA CSR file
```bash
# generate a CSR template file, then overwrite it with our own values
cfssl print-defaults csr > ca-csr.json
cat > ca-csr.json << EOF
{
  "CN": "CA",
  "key": {
    "algo": "ecdsa",
    "size": 256
  },
  "names": [
    {
      "C": "CN",
      "L": "ChengDu",
      "ST": "SiChuan"
    }
  ]
}
EOF
```
- Terminology
  - CN, Common Name; kube-apiserver extracts it as the requesting user's name, and browsers use it to verify that a site is legitimate;
  - algo, the key algorithm;
  - size, the key size (bit length);
  - hosts, host list; if non-empty, it is the list of IP addresses or domain names authorized to use the certificate, and it must include the server's local hostname, `127.0.0.1`, and the host's private IP address;
  - C, country;
  - L, locality (city);
  - O, organization; kube-apiserver extracts this field as the group (Group) the requesting user belongs to;
  - OU, organizational unit (department);
  - ST, state or province.
Generate the CA certificate and private key
- Reference links
Public Key Infrastructure (PKI) / using the CFSSL certificate generation tool: https://blog.51cto.com/liuzhengwei521/2120535?utm_source=oschina-app
- Certificate generation
```bash
cfssl gencert --initca ca-csr.json | cfssljson -bare ca
```
- View the files
```
[root@master ssl]# ls ca*
ca.csr ca-csr.json ca-key.pem ca.pem
```
- File descriptions
  - ca-csr.json, the certificate signing request configuration
  - ca.csr, the certificate signing request, used for cross-signing or re-signing
  - ca-key.pem, the private key
  - ca.pem, the certificate
Configure the certificate signing policy
- Generate the policy file
```bash
cfssl print-defaults config > ca-config.json # generate a policy template file, then overwrite it
cat > ca-config.json << EOF
{
  "signing": {
    "default": {
      "expiry": "8760h"
    },
    "profiles": {
      "server": {
        "expiry": "8760h",
        "usages": [
          "signing",
          "key encipherment",
          "server auth"
        ]
      },
      "client": {
        "expiry": "8760h",
        "usages": [
          "signing",
          "key encipherment",
          "client auth"
        ]
      },
      "peer": {
        "expiry": "8760h",
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ]
      }
    }
  }
}
EOF
```
- Terminology
  - default, the default policy; it sets the certificate validity to one year (8760h);
  - expiry, the certificate validity period;
  - signing, the certificate may be used to sign other certificates; the generated ca.pem has CA=TRUE;
  - server auth, a client may use this CA to verify the certificate presented by a server;
  - client auth, a server may use this CA to verify the certificate presented by a client;
  - profiles, the concrete signing policies; the names are arbitrary but should reflect the purpose, and a profile is selected at issuance time with `--profile=<name>`;
  - server certificates, the profile's usages include "server auth";
  - client certificates, the profile's usages include "client auth";
  - peer (mutual) certificates, the profile's usages include both "server auth" and "client auth".
Certificate verification
View certificates
```
[root@master ssl]# cat ca.pem
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
[root@master ssl]# cat ca.csr
-----BEGIN CERTIFICATE REQUEST-----
MIH6MIGgAgEAMD4xCzAJBgNVBAYTAkNOMRAwDgYDVQQIEwdTaUNodWFuMRAwDgYD
VQQHEwdDaGVuZ0R1MQswCQYDVQQDEwJDQTBZMBMGByqGSM49AgEGCCqGSM49AwEH
A0IABIWqo3mO/KpH+9aiBeSvA6SKUNB0rbFoc+AMPGItVDUehrpdfmDYJ8R6e5zT
VOofkVfU8fRYUYnWOs7SmMU2JTigADAKBggqhkjOPQQDAgNJADBGAiEA/IB2yWKJ
iaTDra/lTNJhrIxWyBFXppSnW5c/+6zzej8CIQD8bHr12WgCi6+5yFYsfmW0lqnw
SF2hBGnGNV6H+QqItQ==
-----END CERTIFICATE REQUEST-----
```
Verify certificates
- Verification tools
  - the `x509` command of the openssl tool
  - the cfssl-certinfo tool
  - the `certinfo` command of the cfssl tool
- Certificate file verification
```
[root@master ssl]# cfssl certinfo --cert=ca.pem
{
  "subject": {
    "common_name": "CA",
    "country": "CN",
    "locality": "ChengDu",
    "province": "SiChuan",
    "names": [
      "CN",
      "SiChuan",
      "ChengDu",
      "CA"
    ]
  },
  "issuer": {
    "common_name": "CA",
    "country": "CN",
    "locality": "ChengDu",
    "province": "SiChuan",
    "names": [
      "CN",
      "SiChuan",
      "ChengDu",
      "CA"
    ]
  },
  "serial_number": "279999443431677648568861906718192795627229850363",
  "not_before": "2019-08-08T02:45:00Z",
  "not_after": "2024-08-06T02:45:00Z",
  "sigalg": "ECDSAWithSHA256",
  "authority_key_id": "9A:C4:D5:3C:8E:3D:EE:52:AD:73:B9:E5:C8:EC:2:B2:F9:6F:49:6E",
  "subject_key_id": "9A:C4:D5:3C:8E:3D:EE:52:AD:73:B9:E5:C8:EC:2:B2:F9:6F:49:6E",
  "pem": "-----BEGIN CERTIFICATE-----\nMIIB5DCCAYqgAwIBAgIUMQub+ffiyuBoHVU0UdSw7JUAqvswCgYIKoZIzj0EAwIw\nPjELMAkGA1UEBhMCQ04xEDAOBgNVBAgTB1NpQ2h1YW4xEDAOBgNVBAcTB0NoZW5n\nRHUxCzAJBgNVBAMTAkNBMB4XDTE5MDgwODAyNDUwMFoXDTI0MDgwNjAyNDUwMFow\nPjELMAkGA1UEBhMCQ04xEDAOBgNVBAgTB1NpQ2h1YW4xEDAOBgNVBAcTB0NoZW5n\nRHUxCzAJBgNVBAMTAkNBMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEhaqjeY78\nqkf71qIF5K8DpIpQ0HStsWhz4Aw8Yi1UNR6Gul1+YNgnxHp7nNNU6h+RV9Tx9FhR\nidY6ztKYxTYlOKNmMGQwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8C\nAQIwHQYDVR0OBBYEFJrE1TyOPe5SrXO55cjsArL5b0luMB8GA1UdIwQYMBaAFJrE\n1TyOPe5SrXO55cjsArL5b0luMAoGCCqGSM49BAMCA0gAMEUCIH/K8Cy2PAvtdnUw\nJhvLql+uzKoqfMgHNr6uE93VMtP0AiEA/Fl1ae+gkRSWy8585ZwhHqtoFr9qyKyz\nHQ6JuhyBnGc=\n-----END CERTIFICATE-----\n"
}
```
- Signing request verification
```
[root@master ssl]# cfssl certinfo --csr=ca.csr
{
  "Raw": "MIH6MIGgAgEAMD4xCzAJBgNVBAYTAkNOMRAwDgYDVQQIEwdTaUNodWFuMRAwDgYDVQQHEwdDaGVuZ0R1MQswCQYDVQQDEwJDQTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABIWqo3mO/KpH+9aiBeSvA6SKUNB0rbFoc+AMPGItVDUehrpdfmDYJ8R6e5zTVOofkVfU8fRYUYnWOs7SmMU2JTigADAKBggqhkjOPQQDAgNJADBGAiEA/IB2yWKJiaTDra/lTNJhrIxWyBFXppSnW5c/+6zzej8CIQD8bHr12WgCi6+5yFYsfmW0lqnwSF2hBGnGNV6H+QqItQ==",
  "RawTBSCertificateRequest": "MIGgAgEAMD4xCzAJBgNVBAYTAkNOMRAwDgYDVQQIEwdTaUNodWFuMRAwDgYDVQQHEwdDaGVuZ0R1MQswCQYDVQQDEwJDQTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABIWqo3mO/KpH+9aiBeSvA6SKUNB0rbFoc+AMPGItVDUehrpdfmDYJ8R6e5zTVOofkVfU8fRYUYnWOs7SmMU2JTigAA==",
  "RawSubjectPublicKeyInfo": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEhaqjeY78qkf71qIF5K8DpIpQ0HStsWhz4Aw8Yi1UNR6Gul1+YNgnxHp7nNNU6h+RV9Tx9FhRidY6ztKYxTYlOA==",
  "RawSubject": "MD4xCzAJBgNVBAYTAkNOMRAwDgYDVQQIEwdTaUNodWFuMRAwDgYDVQQHEwdDaGVuZ0R1MQswCQYDVQQDEwJDQQ==",
  "Version": 0,
  "Signature": "MEYCIQD8gHbJYomJpMOtr+VM0mGsjFbIEVemlKdblz/7rPN6PwIhAPxsevXZaAKLr7nIVix+ZbSWqfBIXaEEacY1Xof5Coi1",
  "SignatureAlgorithm": 10,
  "PublicKeyAlgorithm": 3,
  "PublicKey": {
    "Curve": {
      "P": 115792089210356248762697446949407573530086143415290314195533631308867097853951,
      "N": 115792089210356248762697446949407573529996955224135760342422259061068512044369,
      "B": 41058363725152142129326129780047268409114441015993725554835256314039467401291,
      "Gx": 48439561293906451759052585252797914202762949526041747995844080717082404635286,
      "Gy": 36134250956749795798585127919587881956611106672985015071877198253568414405109,
      "BitSize": 256,
      "Name": "P-256"
    },
    "X": 60459101124453114412169204472882317150580566743432206744033219809896960374046,
    "Y": 60939200533768908260916548677280659025495043715626863501784250257417707070776
  },
  "Subject": {
    "Country": [ "CN" ],
    "Organization": null,
    "OrganizationalUnit": null,
    "Locality": [ "ChengDu" ],
    "Province": [ "SiChuan" ],
    "StreetAddress": null,
    "PostalCode": null,
    "SerialNumber": "",
    "CommonName": "CA",
    "Names": [
      { "Type": [ 2, 5, 4, 6 ], "Value": "CN" },
      { "Type": [ 2, 5, 4, 8 ], "Value": "SiChuan" },
      { "Type": [ 2, 5, 4, 7 ], "Value": "ChengDu" },
      { "Type": [ 2, 5, 4, 3 ], "Value": "CA" }
    ],
    "ExtraNames": null
  },
  "Attributes": null,
  "Extensions": null,
  "ExtraExtensions": null,
  "DNSNames": null,
  "EmailAddresses": null,
  "IPAddresses": null
}
```
Generate TLS certificates for the ETCD cluster
Server certificate (etcd)
etcd certificate signing request file
```bash
# every hosts entry is a JSON string and must be quoted, or cfssl rejects the file
cat > etcd-csr.json << EOF
{
  "CN": "etcd",
  "hosts": [
    "192.168.159.3",
    "192.168.159.4",
    "192.168.159.5",
    "127.0.0.1",
    "localhost",
    "localhost.localdomain"
  ],
  "key": {
    "algo": "ecdsa",
    "size": 256
  },
  "names": [
    {
      "C": "CN",
      "L": "ChengDu",
      "O": "JSQ",
      "OU": "devops",
      "ST": "SiChuan"
    }
  ]
}
EOF
```
Use the CA certificate and private key to generate the etcd server certificate and private key
```bash
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=server etcd-csr.json | cfssljson -bare etcd
ls etcd*
>> etcd.csr etcd-csr.json etcd-key.pem etcd.pem
```
Client certificate (etcdctl)
etcdctl certificate signing request file
The client certificate is used on every node of the cluster, so no hosts list is specified.
```bash
cat > etcdctl-csr.json << EOF
{
  "CN": "etcdctl",
  "key": {
    "algo": "ecdsa",
    "size": 256
  },
  "names": [
    {
      "C": "CN",
      "L": "ChengDu",
      "O": "JSQ",
      "OU": "devops",
      "ST": "SiChuan"
    }
  ]
}
EOF
```
Use the CA certificate and private key to generate the etcd client certificate and private key
```bash
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=client etcdctl-csr.json | cfssljson -bare etcdctl
ls etcdctl*
>> etcdctl.csr etcdctl-csr.json etcdctl-key.pem etcdctl.pem
```
Peer certificate (peer)
peer certificate signing request file
```bash
# every hosts entry is a JSON string and must be quoted, or cfssl rejects the file
cat > peer-csr.json << EOF
{
  "CN": "peer",
  "hosts": [
    "192.168.159.3",
    "192.168.159.4",
    "192.168.159.5",
    "127.0.0.1",
    "localhost",
    "localhost.localdomain"
  ],
  "key": {
    "algo": "ecdsa",
    "size": 256
  },
  "names": [
    {
      "C": "CN",
      "L": "ChengDu",
      "O": "JSQ",
      "OU": "devops",
      "ST": "SiChuan"
    }
  ]
}
EOF
```
Use the CA certificate and private key to generate the etcd peer certificate and private key
```bash
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=peer peer-csr.json | cfssljson -bare peer
ls peer*
>> peer.csr peer-csr.json peer-key.pem peer.pem
```
Certificate verification
Using peer as the example, here is a brief check that the certificate is correct.
Verify the certificate with the cfssl-certinfo tool
```
[root@master ssl]# cfssl-certinfo -cert peer.pem
{
  "subject": {
    "common_name": "etcd",
    "country": "CN",
    "organization": "JSQ",
    "organizational_unit": "k8s",
    "locality": "ChengDu",
    "province": "SiChuan",
    "names": [
      "CN",
      "SiChuan",
      "ChengDu",
      "JSQ",
      "k8s",
      "etcd"
    ]
  },
  "issuer": {
    "common_name": "CA",
    "country": "CN",
    "locality": "ChengDu",
    "province": "SiChuan",
    "names": [
      "CN",
      "SiChuan",
      "ChengDu",
      "CA"
    ]
  },
  "serial_number": "141913582593314658055513454690348515362961414838",
  "sans": [
    "localhost",
    "localhost.localdomain",
    "192.168.159.3",
    "192.168.159.4",
    "192.168.159.5",
    "127.0.0.1"
  ],
  "not_before": "2019-08-08T02:46:00Z",
  "not_after": "2020-08-07T02:46:00Z",
  "sigalg": "ECDSAWithSHA256",
  "authority_key_id": "9A:C4:D5:3C:8E:3D:EE:52:AD:73:B9:E5:C8:EC:2:B2:F9:6F:49:6E",
  "subject_key_id": "FD:37:AA:5:1E:3E:B3:A1:C0:D9:4B:FE:6:6C:84:2B:4D:B4:A3:85",
  "pem": "-----BEGIN CERTIFICATE-----\nMIICYzCCAgigAwIBAgIUGNugCJvFlxNG/sWpRcyMtDxc2rYwCgYIKoZIzj0EAwIw\nPjELMAkGA1UEBhMCQ04xEDAOBgNVBAgTB1NpQ2h1YW4xEDAOBgNVBAcTB0NoZW5n\nRHUxCzAJBgNVBAMTAkNBMB4XDTE5MDgwODAyNDYwMFoXDTIwMDgwNzAyNDYwMFow\nXDELMAkGA1UEBhMCQ04xEDAOBgNVBAgTB1NpQ2h1YW4xEDAOBgNVBAcTB0NoZW5n\nRHUxDDAKBgNVBAoTA0pTUTEMMAoGA1UECxMDazhzMQ0wCwYDVQQDEwRldGNkMFkw\nEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEmNW9REC/yBTRsznrDNG/o3WA5Q8wuX5X\nl4ub6fnvshopjThy/FGVxxp461/wyZ80nlAzHm3rK9vBsy73QnHch6OBxTCBwjAO\nBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwG\nA1UdEwEB/wQCMAAwHQYDVR0OBBYEFP03qgUePrOhwNlL/gZshCtNtKOFMB8GA1Ud\nIwQYMBaAFJrE1TyOPe5SrXO55cjsArL5b0luMEMGA1UdEQQ8MDqCCWxvY2FsaG9z\ndIIVbG9jYWxob3N0LmxvY2FsZG9tYWluhwTAqJ8DhwTAqJ8EhwTAqJ8FhwR/AAAB\nMAoGCCqGSM49BAMCA0kAMEYCIQCf2xTp36KKm8nFlIiT1yaTn6AMvX6k1exEDF6w\nNPJk4wIhAP7rKyOEgHvxWQVmqQyvZOndTMV1jItox5//MucSFG/x\n-----END CERTIFICATE-----\n"
}
```
- Field descriptions
  - issuer, matches the contents of the CA CSR file;
  - subject, matches the contents of the peer CSR file;
  - pem, the certificate body, identical to the output of `cat peer.pem`;
  - sans, matches the hosts list of the peer CSR file.
Verify the certificate with the openssl x509 command
```
[root@master ssl]# openssl x509 -text -in peer.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            18:db:a0:08:9b:c5:97:13:46:fe:c5:a9:45:cc:8c:b4:3c:5c:da:b6
    Signature Algorithm: ecdsa-with-SHA256
        Issuer: C=CN, ST=SiChuan, L=ChengDu, CN=CA
        Validity
            Not Before: Aug 8 02:46:00 2019 GMT
            Not After : Aug 7 02:46:00 2020 GMT
        Subject: C=CN, ST=SiChuan, L=ChengDu, O=JSQ, OU=k8s, CN=etcd
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:98:d5:bd:44:40:bf:c8:14:d1:b3:39:eb:0c:d1:
                    bf:a3:75:80:e5:0f:30:b9:7e:57:97:8b:9b:e9:f9:
                    ef:b2:1a:29:8d:38:72:fc:51:95:c7:1a:78:eb:5f:
                    f0:c9:9f:34:9e:50:33:1e:6d:eb:2b:db:c1:b3:2e:
                    f7:42:71:dc:87
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                FD:37:AA:05:1E:3E:B3:A1:C0:D9:4B:FE:06:6C:84:2B:4D:B4:A3:85
            X509v3 Authority Key Identifier:
                keyid:9A:C4:D5:3C:8E:3D:EE:52:AD:73:B9:E5:C8:EC:02:B2:F9:6F:49:6E
            X509v3 Subject Alternative Name:
                DNS:localhost, DNS:localhost.localdomain, IP Address:192.168.159.3, IP Address:192.168.159.4, IP Address:192.168.159.5, IP Address:127.0.0.1
    Signature Algorithm: ecdsa-with-SHA256
         30:46:02:21:00:9f:db:14:e9:df:a2:8a:9b:c9:c5:94:88:93:
         d7:26:93:9f:a0:0c:bd:7e:a4:d5:ec:44:0c:5e:b0:34:f2:64:
         e3:02:21:00:fe:eb:2b:23:84:80:7b:f1:59:05:66:a9:0c:af:
         64:e9:dd:4c:c5:75:8c:8b:68:c7:9f:ff:32:e7:12:14:6f:f1
-----BEGIN CERTIFICATE-----
MIICYzCCAgigAwIBAgIUGNugCJvFlxNG/sWpRcyMtDxc2rYwCgYIKoZIzj0EAwIw
PjELMAkGA1UEBhMCQ04xEDAOBgNVBAgTB1NpQ2h1YW4xEDAOBgNVBAcTB0NoZW5n
RHUxCzAJBgNVBAMTAkNBMB4XDTE5MDgwODAyNDYwMFoXDTIwMDgwNzAyNDYwMFow
XDELMAkGA1UEBhMCQ04xEDAOBgNVBAgTB1NpQ2h1YW4xEDAOBgNVBAcTB0NoZW5n
RHUxDDAKBgNVBAoTA0pTUTEMMAoGA1UECxMDazhzMQ0wCwYDVQQDEwRldGNkMFkw
EwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEmNW9REC/yBTRsznrDNG/o3WA5Q8wuX5X
l4ub6fnvshopjThy/FGVxxp461/wyZ80nlAzHm3rK9vBsy73QnHch6OBxTCBwjAO
BgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwG
A1UdEwEB/wQCMAAwHQYDVR0OBBYEFP03qgUePrOhwNlL/gZshCtNtKOFMB8GA1Ud
IwQYMBaAFJrE1TyOPe5SrXO55cjsArL5b0luMEMGA1UdEQQ8MDqCCWxvY2FsaG9z
dIIVbG9jYWxob3N0LmxvY2FsZG9tYWluhwTAqJ8DhwTAqJ8EhwTAqJ8FhwR/AAAB
MAoGCCqGSM49BAMCA0kAMEYCIQCf2xTp36KKm8nFlIiT1yaTn6AMvX6k1exEDF6w
NPJk4wIhAP7rKyOEgHvxWQVmqQyvZOndTMV1jItox5//MucSFG/x
-----END CERTIFICATE-----
```
- Field descriptions
  - Issuer, matches the contents of the CA CSR file;
  - Subject, matches the contents of the peer CSR file;
  - DNS, matches the hosts list of the peer CSR file;
  - X509v3 extensions, the certificate's usages and related information, matching the policy selected with `--profile`;
  - the final block, the certificate body, identical to the output of `cat peer.pem`.
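The two inspections above are done by eye. As an added example that is not part of the original article, the following Go program (Go is also what cfssl is written in) uses only the standard library to perform the same checks mechanically: the leaf certificate must chain to ca.pem, must carry every usage its ca-config.json profile promises, and every entry of the CSR hosts list must pass the hostname verification an etcd client or peer performs on connect. The file names, the profile-to-usage map and the hosts list come from this article; the function and variable names are my own, and the `at` parameter lets you check validity at a chosen point in time.

```go
package main

import (
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"os"
	"time"
)
// Extended key usages granted by each profile of the page's ca-config.json.
var profileUsages = map[string][]x509.ExtKeyUsage{
	"server": {x509.ExtKeyUsageServerAuth}, "client": {x509.ExtKeyUsageClientAuth},
	"peer":   {x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
}
// CheckCert does by code what the article checks by eye: chain to the CA, profile usages, and every CSR host.
func CheckCert(caPEM, leafPEM []byte, profile string, hosts []string, at time.Time) error {
	if _, ok := profileUsages[profile]; !ok {
		return fmt.Errorf("unknown profile %q", profile)
	}
	var certs [2]*x509.Certificate // [0] = CA, [1] = leaf
	for i, data := range [][]byte{caPEM, leafPEM} {
		block, _ := pem.Decode(data)
		if block == nil || block.Type != "CERTIFICATE" {
			return fmt.Errorf("input %d: no PEM CERTIFICATE block found", i)
		}
		var err error
		if certs[i], err = x509.ParseCertificate(block.Bytes); err != nil {
			return fmt.Errorf("input %d: %w", i, err)
		}
	}
	roots := x509.NewCertPool()
	roots.AddCert(certs[0])
	// Verify accepts a chain valid for ANY listed usage, so check one usage per call: "peer" must pass both.
	for _, eku := range profileUsages[profile] {
		if _, err := certs[1].Verify(x509.VerifyOptions{Roots: roots, CurrentTime: at, KeyUsages: []x509.ExtKeyUsage{eku}}); err != nil {
			return fmt.Errorf("profile %s: %w", profile, err)
		}
	}
	for _, h := range hosts { // the same check an etcd client or peer performs when it connects to h
		if err := certs[1].VerifyHostname(h); err != nil {
			return err
		}
	}
	return nil
}
func main() { // reads the files written by the cfssl commands above from the current directory
	caPEM, _ := os.ReadFile("ca.pem")
	leafPEM, _ := os.ReadFile("peer.pem")
	fmt.Println("peer.pem:", CheckCert(caPEM, leafPEM, "peer", []string{"192.168.159.3", "192.168.159.4", "192.168.159.5", "127.0.0.1"}, time.Now())) // <nil> means every check passed
}
```

Run it in the ssl directory after issuing the certificates; passing a future date instead of time.Now() reports certificates that will have expired by then.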
At this point the TLS certificates for a secure ETCD cluster are complete; the next article will describe how, in a production environment, to upgrade an ordinary cluster to a secure cluster encrypted with TLS certificates.