TLS Certificate Generation

Introduction

Transport Layer Security (TLS) provides confidentiality and data integrity between two communicating applications.
Certificates can be generated with the open source OpenSSL toolchain on Linux or with the CFSSL tool; this article uses the latter.

Tool download

  • Reference links
    GitHub: https://github.com/cloudflare/cfssl
    Downloads: https://pkg.cfssl.org/

  • Download and install

    wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
    wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
    wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
    chmod +x cfssl*
    mv cfssl* /usr/local/bin
    

Creating the CA

CA certificate signing request file

  • Generate the CA CSR file
    # generate a CSR template file, then overwrite it with our own values
    cfssl print-defaults csr > ca-csr.json 
    cat > ca-csr.json << EOF
    {
        "CN": "CA",
        "key": {
            "algo": "ecdsa",
            "size": 256
        },
        "names": [
            {
                "C": "CN",
                "L": "ChengDu",
                "ST": "SiChuan"
            }
        ]
    }
    EOF
    
  • Field descriptions
    CN, Common Name; kube-apiserver extracts it as the requesting user's name, and browsers use it to check that a website is legitimate;
    algo, key algorithm;
    size, key size;
    hosts, host list; if non-empty, the IPs or domain names authorized to use the certificate, which must include the server's local hostname, `127.0.0.1`, and the host's private IP address;
    C, country;
    L, city (locality);
    O, organization; kube-apiserver extracts this field as the group the requesting user belongs to (Group);
    OU, organizational unit;
    ST, state or province.
    

Generating the CA certificate and private key

  • Reference link
    Public Key Infrastructure (PKI) / using the CFSSL certificate generation tool: https://blog.51cto.com/liuzhengwei521/2120535?utm_source=oschina-app

  • Generate the certificate

    cfssl gencert --initca ca-csr.json | cfssljson -bare ca
    
  • List the files

    [root@master ssl]# ls ca*
    ca.csr  ca-csr.json  ca-key.pem  ca.pem
    
  • File descriptions

      ca-csr.json, the certificate signing request file
      ca.csr, the certificate signing request, used for cross-signing or re-signing
      ca-key.pem, the private key
      ca.pem, the certificate
    

Configuring the certificate signing policy

  • Generate the policy file
    cfssl print-defaults config > ca-config.json # generate a policy template file, then overwrite it
    cat > ca-config.json << EOF
    {
        "signing": {
            "default": {
                "expiry": "8760h"
            },
            "profiles": {
                "server": {
                    "expiry": "8760h",
                    "usages": [
                        "signing",
                        "key encipherment",
                        "server auth"
                    ]
                },
                "client": {
                    "expiry": "8760h",
                    "usages": [
                        "signing",
                        "key encipherment",
                        "client auth"
                    ]
                },
                "peer": {
                    "expiry": "8760h",
                    "usages": [
                        "signing",
                        "key encipherment",
                        "server auth",
                        "client auth"
                    ]
                }
            }
        }
    }
    EOF
    
  • Field descriptions
        default, the default policy; here it sets the certificate validity to one year (8760h);
        expiry, the certificate validity period;
        signing, the certificate can be used to sign other certificates; the generated ca.pem has CA=TRUE;
        server auth, a client can use this CA to verify the certificate presented by a server;
        client auth, a server can use this CA to verify the certificate presented by a client;
        profiles, the concrete signing policies; names are free-form but should reflect the intended use, and a profile is selected with '--profile=<name>' when generating a certificate;
        server certificates: the profile's usages include "server auth";
        client certificates: the profile's usages include "client auth";
        peer (mutual) certificates: the profile's usages include both "server auth" and "client auth".
    

Certificate verification

Viewing the certificates
[root@master ssl]# cat ca.pem 
[root@master ssl]# cat ca.csr 
Verifying the certificates
  • Verification tools

    • the cfssl-certinfo tool
    • the certinfo subcommand of cfssl
  • Verify the certificate file

    [root@master ssl]# cfssl certinfo --cert=ca.pem
    {
      "subject": {
        "common_name": "CA",
        "country": "CN",
        "locality": "ChengDu",
        "province": "SiChuan",
        "names": [
          "CN",
          "SiChuan",
          "ChengDu",
          "CA"
        ]
      },
      "issuer": {
        "common_name": "CA",
        "country": "CN",
        "locality": "ChengDu",
        "province": "SiChuan",
        "names": [
          "CN",
          "SiChuan",
          "ChengDu",
          "CA"
        ]
      },
      "serial_number": "279999443431677648568861906718192795627229850363",
      "not_before": "2019-08-08T02:45:00Z",
      "not_after": "2024-08-06T02:45:00Z",
      "sigalg": "ECDSAWithSHA256",
      "authority_key_id": "9A:C4:D5:3C:8E:3D:EE:52:AD:73:B9:E5:C8:EC:2:B2:F9:6F:49:6E",
      "subject_key_id": "9A:C4:D5:3C:8E:3D:EE:52:AD:73:B9:E5:C8:EC:2:B2:F9:6F:49:6E",
      "pem": "-----BEGIN CERTIFICATE-----\nMIIB5DCCAYqgAwIBAgIUMQub+ffiyuBoHVU0UdSw7JUAqvswCgYIKoZIzj0EAwIw\nPjELMAkGA1UEBhMCQ04xEDAOBgNVBAgTB1NpQ2h1YW4xEDAOBgNVBAcTB0NoZW5n\nRHUxCzAJBgNVBAMTAkNBMB4XDTE5MDgwODAyNDUwMFoXDTI0MDgwNjAyNDUwMFow\nPjELMAkGA1UEBhMCQ04xEDAOBgNVBAgTB1NpQ2h1YW4xEDAOBgNVBAcTB0NoZW5n\nRHUxCzAJBgNVBAMTAkNBMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEhaqjeY78\nqkf71qIF5K8DpIpQ0HStsWhz4Aw8Yi1UNR6Gul1+YNgnxHp7nNNU6h+RV9Tx9FhR\nidY6ztKYxTYlOKNmMGQwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8C\nAQIwHQYDVR0OBBYEFJrE1TyOPe5SrXO55cjsArL5b0luMB8GA1UdIwQYMBaAFJrE\n1TyOPe5SrXO55cjsArL5b0luMAoGCCqGSM49BAMCA0gAMEUCIH/K8Cy2PAvtdnUw\nJhvLql+uzKoqfMgHNr6uE93VMtP0AiEA/Fl1ae+gkRSWy8585ZwhHqtoFr9qyKyz\nHQ6JuhyBnGc=\n-----END CERTIFICATE-----\n"
    }
    
  • Verify the signing request

    [root@master ssl]# cfssl certinfo --csr=ca.csr 
    {
      "Raw": "MIH6MIGgAgEAMD4xCzAJBgNVBAYTAkNOMRAwDgYDVQQIEwdTaUNodWFuMRAwDgYDVQQHEwdDaGVuZ0R1MQswCQYDVQQDEwJDQTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABIWqo3mO/KpH+9aiBeSvA6SKUNB0rbFoc+AMPGItVDUehrpdfmDYJ8R6e5zTVOofkVfU8fRYUYnWOs7SmMU2JTigADAKBggqhkjOPQQDAgNJADBGAiEA/IB2yWKJiaTDra/lTNJhrIxWyBFXppSnW5c/+6zzej8CIQD8bHr12WgCi6+5yFYsfmW0lqnwSF2hBGnGNV6H+QqItQ==",
      "RawTBSCertificateRequest": "MIGgAgEAMD4xCzAJBgNVBAYTAkNOMRAwDgYDVQQIEwdTaUNodWFuMRAwDgYDVQQHEwdDaGVuZ0R1MQswCQYDVQQDEwJDQTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABIWqo3mO/KpH+9aiBeSvA6SKUNB0rbFoc+AMPGItVDUehrpdfmDYJ8R6e5zTVOofkVfU8fRYUYnWOs7SmMU2JTigAA==",
      "RawSubjectPublicKeyInfo": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEhaqjeY78qkf71qIF5K8DpIpQ0HStsWhz4Aw8Yi1UNR6Gul1+YNgnxHp7nNNU6h+RV9Tx9FhRidY6ztKYxTYlOA==",
      "RawSubject": "MD4xCzAJBgNVBAYTAkNOMRAwDgYDVQQIEwdTaUNodWFuMRAwDgYDVQQHEwdDaGVuZ0R1MQswCQYDVQQDEwJDQQ==",
      "Version": 0,
      "Signature": "MEYCIQD8gHbJYomJpMOtr+VM0mGsjFbIEVemlKdblz/7rPN6PwIhAPxsevXZaAKLr7nIVix+ZbSWqfBIXaEEacY1Xof5Coi1",
      "SignatureAlgorithm": 10,
      "PublicKeyAlgorithm": 3,
      "PublicKey": {
        "Curve": {
          "P": 115792089210356248762697446949407573530086143415290314195533631308867097853951,
          "N": 115792089210356248762697446949407573529996955224135760342422259061068512044369,
          "B": 41058363725152142129326129780047268409114441015993725554835256314039467401291,
          "Gx": 48439561293906451759052585252797914202762949526041747995844080717082404635286,
          "Gy": 36134250956749795798585127919587881956611106672985015071877198253568414405109,
          "BitSize": 256,
          "Name": "P-256"
        },
        "X": 60459101124453114412169204472882317150580566743432206744033219809896960374046,
        "Y": 60939200533768908260916548677280659025495043715626863501784250257417707070776
      },
      "Subject": {
        "Country": [
          "CN"
        ],
        "Organization": null,
        "OrganizationalUnit": null,
        "Locality": [
          "ChengDu"
        ],
        "Province": [
          "SiChuan"
        ],
        "StreetAddress": null,
        "PostalCode": null,
        "SerialNumber": "",
        "CommonName": "CA",
        "Names": [
          {
            "Type": [
              2,
              5,
              4,
              6
            ],
            "Value": "CN"
          },
          {
            "Type": [
              2,
              5,
              4,
              8
            ],
            "Value": "SiChuan"
          },
          {
            "Type": [
              2,
              5,
              4,
              7
            ],
            "Value": "ChengDu"
          },
          {
            "Type": [
              2,
              5,
              4,
              3
            ],
            "Value": "CA"
          }
        ],
        "ExtraNames": null
      },
      "Attributes": null,
      "Extensions": null,
      "ExtraExtensions": null,
      "DNSNames": null,
      "EmailAddresses": null,
      "IPAddresses": null
    }
    

Generating TLS certificates for the etcd cluster

Server certificate (etcd)

etcd CSR file (the hosts entries must be JSON strings, and the heredoc terminator must be EOF alone on its line)
cat > etcd-csr.json << EOF
{
    "CN": "etcd",
    "hosts": [
        "192.168.159.3",
        "192.168.159.4",
        "192.168.159.5",
        "127.0.0.1",
        "localhost",
        "localhost.localdomain"
    ],
    "key": {
        "algo": "ecdsa",
        "size": 256
    },
    "names": [
        {
            "C": "CN",
            "L": "ChengDu",
            "O": "JSQ",
            "OU": "devops",
            "ST": "SiChuan"
        }
    ]
}
EOF
Use the CA certificate and private key to issue the etcd server certificate and private key
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=server etcd-csr.json | cfssljson -bare etcd
ls etcd*
>> etcd.csr  etcd-csr.json etcd-key.pem  etcd.pem

Client certificate (etcdctl)

etcdctl CSR file
The client certificate is used on every node of the cluster, so no hosts list is specified.
cat > etcdctl-csr.json << EOF
{
    "CN": "etcdctl",
    "key": {
        "algo": "ecdsa",
        "size": 256
    },
    "names": [
        {
            "C": "CN",
            "L": "ChengDu",
            "O": "JSQ",
            "OU": "devops",
            "ST": "SiChuan"
        }
    ]
}
EOF
Use the CA certificate and private key to issue the etcd client certificate and private key
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=client etcdctl-csr.json | cfssljson -bare etcdctl
ls etcdctl*
>> etcdctl.csr  etcdctl-csr.json  etcdctl-key.pem  etcdctl.pem

Peer certificate (peer)

peer CSR file (hosts quoted as JSON strings, as in the server CSR)
cat > peer-csr.json << EOF
{
    "CN": "peer",
    "hosts": [
        "192.168.159.3",
        "192.168.159.4",
        "192.168.159.5",
        "127.0.0.1",
        "localhost",
        "localhost.localdomain"
    ],
    "key": {
        "algo": "ecdsa",
        "size": 256
    },
    "names": [
        {
            "C": "CN",
            "L": "ChengDu",
            "O": "JSQ",
            "OU": "devops",
            "ST": "SiChuan"
        }
    ]
}
EOF
Use the CA certificate and private key to issue the etcd peer certificate and private key
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=peer peer-csr.json | cfssljson -bare peer
ls peer*
>> peer.csr  peer-csr.json  peer-key.pem  peer.pem

Certificate verification

Taking the peer certificate as the example, here is a brief check of certificate correctness.
Verify the certificate with the cfssl-certinfo tool
[root@master ssl]# cfssl-certinfo -cert peer.pem 
{
  "subject": {
    "common_name": "etcd",
    "country": "CN",
    "organization": "JSQ",
    "organizational_unit": "k8s",
    "locality": "ChengDu",
    "province": "SiChuan",
    "names": [
      "CN",
      "SiChuan",
      "ChengDu",
      "JSQ",
      "k8s",
      "etcd"
    ]
  },
  "issuer": {
    "common_name": "CA",
    "country": "CN",
    "locality": "ChengDu",
    "province": "SiChuan",
    "names": [
      "CN",
      "SiChuan",
      "ChengDu",
      "CA"
    ]
  },
  "serial_number": "141913582593314658055513454690348515362961414838",
  "sans": [
    "localhost",
    "localhost.localdomain",
    "192.168.159.3",
    "192.168.159.4",
    "192.168.159.5",
    "127.0.0.1"
  ],
  "not_before": "2019-08-08T02:46:00Z",
  "not_after": "2020-08-07T02:46:00Z",
  "sigalg": "ECDSAWithSHA256",
  "authority_key_id": "9A:C4:D5:3C:8E:3D:EE:52:AD:73:B9:E5:C8:EC:2:B2:F9:6F:49:6E",
  "subject_key_id": "FD:37:AA:5:1E:3E:B3:A1:C0:D9:4B:FE:6:6C:84:2B:4D:B4:A3:85",
  "pem": "-----BEGIN CERTIFICATE-----\nMIICYzCCAgigAwIBAgIUGNugCJvFlxNG/sWpRcyMtDxc2rYwCgYIKoZIzj0EAwIw\nPjELMAkGA1UEBhMCQ04xEDAOBgNVBAgTB1NpQ2h1YW4xEDAOBgNVBAcTB0NoZW5n\nRHUxCzAJBgNVBAMTAkNBMB4XDTE5MDgwODAyNDYwMFoXDTIwMDgwNzAyNDYwMFow\nXDELMAkGA1UEBhMCQ04xEDAOBgNVBAgTB1NpQ2h1YW4xEDAOBgNVBAcTB0NoZW5n\nRHUxDDAKBgNVBAoTA0pTUTEMMAoGA1UECxMDazhzMQ0wCwYDVQQDEwRldGNkMFkw\nEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEmNW9REC/yBTRsznrDNG/o3WA5Q8wuX5X\nl4ub6fnvshopjThy/FGVxxp461/wyZ80nlAzHm3rK9vBsy73QnHch6OBxTCBwjAO\nBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwG\nA1UdEwEB/wQCMAAwHQYDVR0OBBYEFP03qgUePrOhwNlL/gZshCtNtKOFMB8GA1Ud\nIwQYMBaAFJrE1TyOPe5SrXO55cjsArL5b0luMEMGA1UdEQQ8MDqCCWxvY2FsaG9z\ndIIVbG9jYWxob3N0LmxvY2FsZG9tYWluhwTAqJ8DhwTAqJ8EhwTAqJ8FhwR/AAAB\nMAoGCCqGSM49BAMCA0kAMEYCIQCf2xTp36KKm8nFlIiT1yaTn6AMvX6k1exEDF6w\nNPJk4wIhAP7rKyOEgHvxWQVmqQyvZOndTMV1jItox5//MucSFG/x\n-----END CERTIFICATE-----\n"
}
  • Field descriptions
issuer, matches the contents of the CA CSR file;
subject, matches the contents of the peer CSR file;
pem, the certificate body, identical to the output of `cat peer.pem`;
sans, matches the hosts list of the peer CSR file.
Verify the certificate with the openssl x509 command
[root@master ssl]# openssl x509 -text  -in peer.pem 
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            18:db:a0:08:9b:c5:97:13:46:fe:c5:a9:45:cc:8c:b4:3c:5c:da:b6
    Signature Algorithm: ecdsa-with-SHA256
        Issuer: C=CN, ST=SiChuan, L=ChengDu, CN=CA
        Validity
            Not Before: Aug  8 02:46:00 2019 GMT
            Not After : Aug  7 02:46:00 2020 GMT
        Subject: C=CN, ST=SiChuan, L=ChengDu, O=JSQ, OU=k8s, CN=etcd
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub: 
                    04:98:d5:bd:44:40:bf:c8:14:d1:b3:39:eb:0c:d1:
                    bf:a3:75:80:e5:0f:30:b9:7e:57:97:8b:9b:e9:f9:
                    ef:b2:1a:29:8d:38:72:fc:51:95:c7:1a:78:eb:5f:
                    f0:c9:9f:34:9e:50:33:1e:6d:eb:2b:db:c1:b3:2e:
                    f7:42:71:dc:87
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier: 
                FD:37:AA:05:1E:3E:B3:A1:C0:D9:4B:FE:06:6C:84:2B:4D:B4:A3:85
            X509v3 Authority Key Identifier: 
                keyid:9A:C4:D5:3C:8E:3D:EE:52:AD:73:B9:E5:C8:EC:02:B2:F9:6F:49:6E

            X509v3 Subject Alternative Name: 
                DNS:localhost, DNS:localhost.localdomain, IP Address:192.168.159.3, IP Address:192.168.159.4, IP Address:192.168.159.5, IP Address:127.0.0.1
    Signature Algorithm: ecdsa-with-SHA256
         30:46:02:21:00:9f:db:14:e9:df:a2:8a:9b:c9:c5:94:88:93:
         d7:26:93:9f:a0:0c:bd:7e:a4:d5:ec:44:0c:5e:b0:34:f2:64:
         e3:02:21:00:fe:eb:2b:23:84:80:7b:f1:59:05:66:a9:0c:af:
         64:e9:dd:4c:c5:75:8c:8b:68:c7:9f:ff:32:e7:12:14:6f:f1
  • Field descriptions
Issuer, matches the contents of the CA CSR file;
Subject, matches the contents of the peer CSR file;
DNS, matches the hosts list of the peer CSR file;
X509v3 extensions, certificate usages and related information, matching the policy selected with `--profile`;
the final part, the certificate body, identical to the output of `cat peer.pem`.
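The field checks described in the two descriptions above (issuer from the CA CSR, subject and SANs from the peer CSR, extensions and validity from the --profile policy) can be done mechanically. The following Python is an added example, not code from the original article or from cfssl: it parses the relevant lines of an `openssl x509 -text` dump (the sample is constructed from the peer.pem dump shown above) and compares them with peer-csr.json and the peer profile of ca-config.json. Run on that dump it reports the CN and OU differences between the dump and peer-csr.json; for a certificate issued from that CSR the list is empty.

```python
from datetime import datetime

# Constructed sample: the relevant lines of the `openssl x509 -text -in peer.pem` dump above.
X509_TEXT = """\
        Issuer: C=CN, ST=SiChuan, L=ChengDu, CN=CA
            Not Before: Aug  8 02:46:00 2019 GMT
            Not After : Aug  7 02:46:00 2020 GMT
        Subject: C=CN, ST=SiChuan, L=ChengDu, O=JSQ, OU=k8s, CN=etcd
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Subject Alternative Name:
                DNS:localhost, DNS:localhost.localdomain, IP Address:192.168.159.3, IP Address:192.168.159.4, IP Address:192.168.159.5, IP Address:127.0.0.1
"""
# peer-csr.json and the "peer" profile of ca-config.json, as Python dicts.
PEER_CSR = {"CN": "peer", "names": [{"C": "CN", "L": "ChengDu", "O": "JSQ", "OU": "devops", "ST": "SiChuan"}],
            "hosts": ["192.168.159.3", "192.168.159.4", "192.168.159.5", "127.0.0.1", "localhost", "localhost.localdomain"]}
PEER_PROFILE = {"expiry": "8760h", "usages": ["signing", "key encipherment", "server auth", "client auth"]}
# openssl's display names for extended key usages -> the usage names cfssl uses in ca-config.json
EKU_NAMES = {"TLS Web Server Authentication": "server auth", "TLS Web Client Authentication": "client auth"}

def parse_x509_text(text):
    # Pull issuer, subject, validity, EKUs and SANs out of an `openssl x509 -text` dump.
    lines = [l.strip() for l in text.splitlines()]
    cert = {}
    for i, line in enumerate(lines):
        if line.startswith(("Issuer: ", "Subject: ")):        # "C=CN, ST=SiChuan, CN=CA" -> dict
            key, dn = line.split(": ", 1)
            cert[key.lower()] = dict(p.split("=", 1) for p in dn.split(", "))
        elif line.startswith(("Not Before", "Not After")):     # "Not After : Aug  7 02:46:00 2020 GMT"
            key, stamp = line.split(": ", 1)
            stamp = " ".join(stamp.split()).replace(" GMT", "")  # collapse "Aug  7", drop the zone
            cert[key.strip().lower().replace(" ", "_")] = datetime.strptime(stamp, "%b %d %H:%M:%S %Y")
        elif line.startswith("X509v3 Extended Key Usage"):     # values are on the following line
            cert["eku"] = {EKU_NAMES.get(e, e) for e in lines[i + 1].split(", ")}
        elif line.startswith("X509v3 Subject Alternative Name"):
            cert["sans"] = {e.split(":", 1)[1] for e in lines[i + 1].split(", ")}  # strip "DNS:" / "IP Address:"
    return cert

def check_cert(text, csr, profile, ca_cn):
    # List every way the dump disagrees with the CSR and profile it should have been issued from.
    cert, problems = parse_x509_text(text), []
    if cert["issuer"].get("CN") != ca_cn:                       # issuer = the CA's CSR subject
        problems.append(f"issuer CN: expected {ca_cn}, got {cert['issuer'].get('CN')}")
    for k, v in dict(csr["names"][0], CN=csr["CN"]).items():   # subject = the CSR's names + CN
        if cert["subject"].get(k) != v:
            problems.append(f"subject {k}: expected {v}, got {cert['subject'].get(k)}")
    if cert["sans"] != set(csr.get("hosts", [])):               # SANs = the CSR's hosts list
        problems.append(f"SANs {sorted(cert['sans'])} != hosts {sorted(csr.get('hosts', []))}")
    if cert["eku"] != {u for u in profile["usages"] if u.endswith(" auth")}:  # EKU = profile's "* auth" usages
        problems.append(f"EKU {sorted(cert['eku'])} != profile usages {profile['usages']}")
    hours = (cert["not_after"] - cert["not_before"]).total_seconds() / 3600
    if f"{hours:.0f}h" != profile["expiry"]:                    # validity = profile expiry
        problems.append(f"validity {hours:.0f}h != profile expiry {profile['expiry']}")
    return problems
```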

This completes the TLS certificates needed for a secure etcd cluster.
The next article will cover upgrading a plain cluster to a TLS-secured cluster in a production environment.
