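#!/usr/bin/env bash
####################################################
#
# Create a CA X.509 v3 root certificate, then issue an
# X.509 v3 server certificate signed by that CA.
#
# Every value below can be overridden from the environment;
# the defaults reproduce the original script's paths, names
# and validity periods.
#
####################################################
set -euo pipefail

# Certificate directory; the CA and the server certificate share it.
CertPath=${CertPath:-/k8s/tlsv1}
# Pass phrase protecting ca.key and server.key. It is exported so that
# openssl reads it via env:CertPD instead of pass:... on the command
# line, where any user on the host could read it from ps / /proc.
# Prefer supplying it from the environment rather than keeping the
# default in the script.
CertPD=${CertPD:-huawei@123}
export CertPD
# Subject CN of the CA certificate and of the server certificate.
CA_CN=${CA_CN:-ca.huawei.com}
DomainName=${DomainName:-www.huawei.com}
# Validity in days (same values the original hard-coded).
CA_DAYS=${CA_DAYS:-7300}
SERVER_DAYS=${SERVER_DAYS:-3650}
readonly CertPath CA_CN DomainName CA_DAYS SERVER_DAYS

# Start from an empty directory, as the original did. ${CertPath:?}
# aborts if the variable is empty, so rm can never run against "/".
rm -rf -- "${CertPath:?}"
mkdir -p -- "${CertPath}"
cd -- "${CertPath}"

####################################################
# CA
####################################################

# 1. CA private key "ca.key": 2048-bit RSA, encrypted with AES-256.
#    (The original used -des3; 3DES is legacy, openssl reads both.)
openssl genrsa -aes256 -passout env:CertPD -out "${CertPath}/ca.key" 2048
# openssl does not restrict the key file's mode; do it explicitly.
chmod 600 -- "${CertPath}/ca.key"

# 2. Self-signed X.509 v3 CA certificate.
#    -nodes was dropped: it only affects key generation, and the key
#    is supplied here.
#    NOTE(review): basicConstraints=CA:TRUE is not set by this script;
#    it is expected to come from the system openssl.cnf (v3_ca
#    section) — confirm it in the dump printed by step 3.
openssl req -x509 -new \
  -key "${CertPath}/ca.key" -passin env:CertPD \
  -sha256 \
  -subj "/C=CN/ST=GuangDong/L=ShenZhen/O=HW/OU=IT/CN=${CA_CN}" \
  -days "${CA_DAYS}" \
  -out "${CertPath}/ca.crt"

# 3. Inspect the CA certificate.
openssl x509 -in "${CertPath}/ca.crt" -text -noout

####################################################
# Server certificate signed by the CA
####################################################

# 1. Server private key "server.key".
openssl genrsa -aes256 -passout env:CertPD -out "${CertPath}/server.key" 2048
chmod 600 -- "${CertPath}/server.key"

# 2. Certificate signing request "server.csr".
openssl req -new \
  -subj "/C=CN/ST=GuangDong/L=ShenZhen/O=HW/OU=IT/CN=${DomainName}" \
  -key "${CertPath}/server.key" -passin env:CertPD \
  -out "${CertPath}/server.csr"

# 3. Extension file "my-ssl.conf".
#    The SAN entries below are sample values: replace the DNS and IP
#    entries with the names and addresses this server actually serves.
#    The here-doc delimiter is quoted, so nothing inside is expanded.
cat > "${CertPath}/my-ssl.conf" <<'EOF'
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = www.baidu.com
DNS.2 = www.qq.com
DNS.3 = www.huawei.com
IP.1 = 1.1.1.1
IP.2 = 2.2.2.2
IP.3 = 3.3.3.3
EOF

# 4. Sign the CSR with the CA and emit "server.crt".
#    The serial file is given as an absolute path so the step does not
#    depend on the current directory. -sha256 is explicit so older
#    openssl builds do not fall back to SHA-1. The extensions are read
#    from the unnamed default section of my-ssl.conf.
openssl x509 -req \
  -in "${CertPath}/server.csr" \
  -CA "${CertPath}/ca.crt" -CAkey "${CertPath}/ca.key" -passin env:CertPD \
  -CAcreateserial -CAserial "${CertPath}/serial" \
  -sha256 \
  -days "${SERVER_DAYS}" \
  -extfile "${CertPath}/my-ssl.conf" \
  -out "${CertPath}/server.crt"

# 5. Inspect the server certificate.
openssl x509 -in "${CertPath}/server.crt" -text -noout

# 6. Verify that the issued certificate actually chains to the CA;
#    under set -e a broken chain stops the script here.
openssl verify -CAfile "${CertPath}/ca.crt" "${CertPath}/server.crt"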