!/bin/bash function tls3(){ #################################################### # # 創建CA X509 version 3.0根證書 # #################################################### CertPath=/k8s/tlsv3 CertPD=huawei@123 DomainName=ca.huawei.com #1、創建證書存放目錄 mkdir -p ${CertPath} && cd ${CertPath} #2、創建CA證書的私鑰"cacert-key.pem" openssl genrsa -des3 -out ${CertPath}/ca.key -passout pass:${CertPD} 2048 #3、生產X509 Version3類型證書 openssl req -x509 -new -nodes \ -key ${CertPath}/ca.key \ -sha256 \ -subj "/C=CN/ST=GuangDong/L=ShenZhen/O=HW/OU=IT/CN=${DomainName}" \ -days 7300 \ -out ${CertPath}/ca.crt \ -passin pass:${CertPD} # 4、查看證書文件 openssl x509 -in ${CertPath}/ca.crt -text -noout ##################################################### # # 生成X509 3.0證書 # CA簽署的服務器證書 # ##################################################### # 服務器證書存放路徑,需與CA證書存放路徑保持一致 CertPath=/k8s/tlsv1 # 證書明文密碼 CertPD=huawei@123 # 服務器證書域名 DomainName=www.huawei.com # 1、創建服務器證書的私鑰"server.key" openssl genrsa -des3 -out ${CertPath}/server.key -passout pass:${CertPD} 2048 # 2、創建服務器證書請求文件"server.csr" openssl req -new \ -subj "/C=CN/ST=GuangDong/L=ShenZhen/O=HW/OU=IT/CN=${DomainName}" \ -key ${CertPath}/server.key \ -out ${CertPath}/server.csr \ -passin pass:${CertPD} # 3、創建證書擴展文件"my-ssl.conf" # 更改相應IP和DNS地址 # cat > ${CertPath}/my-ssl.conf <<EOF authorityKeyIdentifier=keyid,issuer basicConstraints=CA:FALSE keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment extendedKeyUsage = serverAuth, clientAuth subjectAltName = @alt_names [ alt_names ] DNS.1 = kubernetes DNS.2 = kubernetes.default DNS.3 = kubernetes.default.svc DNS.4 = kubernetes.default.svc.cluster DNS.5 = kubernetes.default.svc.cluster.local DNS.6 = www.huawei.com DNS.7 = localhost IP.1 = 168.7.10.201 IP.2 = 168.7.10.202 IP.3 = 168.7.10.203 IP.4 = 168.7.10.204 IP.4 = 127.0.0.1 EOF # 4、簽發並生成服務器證書 openssl x509 -req \ -in ${CertPath}/server.csr \ -out ${CertPath}/server.crt \ -days 3650 \ -CAcreateserial \ -CA ${CertPath}/ca.crt \ -CAkey ${CertPath}/ca.key \ -CAserial serial \ -extfile ${CertPath}/my-ssl.conf \ -passin pass:${CertPD} # 5、查看證書文件 openssl x509 -in ${CertPath}/server.crt -text -noout chmod 777 ${CertPath}/ca* ${CertPath}/ser* && ls -l ${CertPath}/ } function tls1(){ ##################################################### # # 創建CA X509 version 1.0根證書 # ##################################################### #創建證書存放目錄 CertPath=/k8s/tlsv1 CertPD=huawei@123 DomainName=ca.huawei.com # 1、創建證書文件存放目錄 mkdir -p ${CertPath} && cd ${CertPath} # 2、創建CA證書的私鑰"ca.key" openssl genrsa -out ${CertPath}/ca.key # 3、 創建CA證書請求"ca.csr" openssl req -new \ -subj "/C=CN/ST=GuangDong/L=DongGuan/O=HW/OU=IT/CN=${DomainName}" \ -key ${CertPath}/ca.key \ -out ${CertPath}/ca.csr # 4、 創建3年有效期的CA證書"ca.crt" openssl x509 -req \ -days 3650 \ -in ${CertPath}/ca.csr \ -signkey ${CertPath}/ca.key \ -out ${CertPath}/ca.crt # 5、查看證書文件 openssl x509 -in ${CertPath}/ca.crt -text -noout chmod 777 ${CertPath}/ca* && ls -l ${CertPath}/ ##################################################### # # 生成X509 1.0證書 # CA簽署的服務器證書 # ##################################################### ServerName=ldap DomainName=huawei.com # 1、創建服務證書的私鑰"xxx.key" openssl genrsa -out ${CertPath}/${ServerName}.key # 2、創建服務器證書請求文件 "xxx.csr" openssl req -new \ -subj "/C=CN/ST=GuangDong/L=DongGuan/O=HW/OU=IT/CN=${ServerName}.${DomainName}" \ -key ${CertPath}/${ServerName}.key \ -out ${CertPath}/${ServerName}.csr # 3、CA簽署服務器證書,有效期3年,即: "xxx.crt" openssl x509 -req \ -in ${CertPath}/${ServerName}.csr \ -out ${CertPath}/${ServerName}.crt \ -days 3650 \ -CAcreateserial -CA ${CertPath}/ca.crt \ -CAkey ${CertPath}/ca.key # 4、查看證書文件 openssl x509 -in ${CertPath}/${ServerName}.crt -text -noout chmod 777 ${CertPath}/${ServerName}.* && ls -l ${CertPath}/ } function tls3.bak(){ ##################################################### # # 創建CA X509 version 1.0根證書 # ##################################################### #創建證書存放目錄 CertPath=/k8s/tlsv2 CertPD=huawei@123 DomainName=ca.huawei.com # 1、創建證書文件存放目錄 mkdir -p ${CertPath} && cd ${CertPath} # 2、創建CA證書的私鑰"ca.key" openssl genrsa -out ${CertPath}/ca.key # 3、 創建CA證書請求"ca.csr" openssl req -new \ -subj "/C=CN/ST=GuangDong/L=DongGuan/O=HW/OU=IT/CN=${DomainName}" \ -key ${CertPath}/ca.key \ -out ${CertPath}/ca.csr # 4、 創建3年有效期的CA證書"ca.crt" openssl x509 -req \ -days 3650 \ -in ${CertPath}/ca.csr \ -signkey ${CertPath}/ca.key \ -out ${CertPath}/ca.crt # 5、查看證書文件 openssl x509 -in ${CertPath}/ca.crt -text -noout chmod 777 ${CertPath}/ca* && ls -l ${CertPath}/ ##################################################### # # 生成X509 3.0證書 # CA簽署的服務器證書 # ##################################################### ServerName=server DomainName=huawei.com # 1、創建服務證書的私鑰"xxx.key" openssl genrsa -out ${CertPath}/${ServerName}.key # 2、創建服務器證書請求文件 "xxx.csr" openssl req -new \ -subj "/C=CN/ST=GuangDong/L=DongGuan/O=HW/OU=IT/CN=${ServerName}.${DomainName}" \ -key ${CertPath}/${ServerName}.key \ -out ${CertPath}/${ServerName}.csr # 3、創建證書擴展文件 cat > ${CertPath}/my-ssl.conf <<EOF authorityKeyIdentifier=keyid,issuer basicConstraints=CA:FALSE keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment extendedKeyUsage = serverAuth, clientAuth subjectAltName = @alt_names [ alt_names ] DNS.1 = kubernetes DNS.2 = kubernetes.default DNS.3 = kubernetes.default.svc DNS.4 = kubernetes.default.svc.cluster DNS.5 = kubernetes.default.svc.cluster.local DNS.6 = www.huawei.com DNS.7 = localhost IP.1 = 168.7.10.201 IP.2 = 168.7.10.202 IP.3 = 168.7.10.203 IP.4 = 168.7.10.204 IP.4 = 127.0.0.1 EOF # 4、簽發X509 3.0服務器證書文件 openssl x509 -req \ -in ${CertPath}/${ServerName}.csr \ -out ${CertPath}/${ServerName}.crt \ -days 3650 \ -CAcreateserial -CA ${CertPath}/ca.crt \ -CAkey ${CertPath}/ca.key \ -CAserial serial \ -extfile ${CertPath}/my-ssl.conf # 4、簽發X509 3.0服務器證書文件,即: "xxx.crt" # openssl x509 -req \ # -in ${CertPath}/${ServerName}.csr \ # -out ${CertPath}/${ServerName}.crt \ # -days 3650 \ # -CAcreateserial -CA ${CertPath}/ca.crt \ # -CAkey ${CertPath}/ca.key # 5、查看證書文件 openssl x509 -in ${CertPath}/${ServerName}.crt -text -noout chmod 777 ${CertPath}/${ServerName}.* && ls -l ${CertPath}/ }