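#!/usr/bin/env bash
#####################################################
#
# Build a small private PKI for a Kubernetes cluster:
#   1. a self-signed CA certificate  (ca.key / ca.crt)
#   2. a CA-signed X.509 v3 server certificate with SANs
#      (server.key / server.crt), private keys unencrypted
#
# Defects fixed relative to the original recipe:
#   * no strict mode: a failing openssl step left a half-built PKI and the
#     script kept going; `set -euo pipefail` now stops at the first error
#   * the CA certificate was an X.509 v1 cert with no extensions; it now
#     carries basicConstraints CA:TRUE + keyCertSign so strict verifiers
#     (e.g. Go's crypto/x509, used by Kubernetes) accept it as an issuer
#   * `chmod 777` made the private keys world-readable AND writable;
#     keys are now 0600, public certs/CSRs 0644
#   * [alt_names] listed "IP.4" twice; OpenSSL keeps only the last
#     duplicate key in a section, so 168.7.10.204 silently dropped out
#     of the SAN list — renumbered to IP.5
#   * the comment said "3 years" but -days 3650 is ten years; the values
#     are now named and documented
#   * "X509 3.0" is the X.509 *v3* certificate format
#
#####################################################
set -euo pipefail

# Output directory for all key material (absolute, so later paths do
# not depend on the `cd` below).
CertPath=/k8s/tlsv2
# Subject CN of the CA certificate.
DomainName=ca.huawei.com
# RSA modulus size. 2048 is the OpenSSL default; stated explicitly so
# the result does not depend on the installed OpenSSL version.
KeyBits=2048
# Validity in days. 3650 days = 10 years. Long lifetimes are common for
# an internal cluster CA, but anything this long needs a rotation plan.
CaDays=3650
ServerDays=3650

# 1. Create the certificate directory.
# umask 077 makes every file written below private by default; public
# artifacts are opened up explicitly at the end.
mkdir -p "${CertPath}" && cd "${CertPath}"
umask 077

# 2. CA private key "ca.key".
openssl genrsa -out "${CertPath}/ca.key" "${KeyBits}"

# 3. CA certificate request "ca.csr".
openssl req -new \
  -subj "/C=CN/ST=GuangDong/L=DongGuan/O=HW/OU=IT/CN=${DomainName}" \
  -key "${CertPath}/ca.key" \
  -out "${CertPath}/ca.csr"

# 4. Self-signed CA certificate "ca.crt" (X.509 v3).
# Without -extfile this would be a v1 certificate with no CA flag.
# basicConstraints CA:TRUE and keyCertSign are what allow the cert to
# sign server certificates; subjectKeyIdentifier lets issued certs
# reference this CA via authorityKeyIdentifier.
cat > "${CertPath}/ca-ext.conf" <<EOF
subjectKeyIdentifier=hash
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
EOF
openssl x509 -req \
  -days "${CaDays}" \
  -in "${CertPath}/ca.csr" \
  -signkey "${CertPath}/ca.key" \
  -extfile "${CertPath}/ca-ext.conf" \
  -out "${CertPath}/ca.crt"

# 5. Inspect the CA certificate.
openssl x509 -in "${CertPath}/ca.crt" -text -noout

# Private key readable only by its owner; public material world-readable.
# If a non-root service must read ca.key, chown it to that service
# account rather than widening the mode.
chmod 600 "${CertPath}/ca.key"
chmod 644 "${CertPath}/ca.crt" "${CertPath}/ca.csr" "${CertPath}/ca-ext.conf"
ls -l "${CertPath}/"

#####################################################
#
# CA-signed X.509 v3 server certificate, private key not encrypted.
#
#####################################################
ServerName=server
DomainName=huawei.com

# 1. Server private key "server.key".
openssl genrsa -out "${CertPath}/${ServerName}.key" "${KeyBits}"

# 2. Server certificate request "server.csr".
openssl req -new \
  -subj "/C=CN/ST=GuangDong/L=DongGuan/O=HW/OU=IT/CN=${ServerName}.${DomainName}" \
  -key "${CertPath}/${ServerName}.key" \
  -out "${CertPath}/${ServerName}.csr"

# 3. v3 extension file for the server certificate.
# Every name/IP the API server is reached by must appear in
# subjectAltName; modern clients (Go 1.15+ among them) ignore the CN.
# Keys inside one OpenSSL config section must be unique — a repeated
# "IP.4" would keep only the last value — hence IP.1..IP.5.
cat > "${CertPath}/my-ssl.conf" <<EOF
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = kubernetes
DNS.2 = kubernetes.default
DNS.3 = kubernetes.default.svc
DNS.4 = kubernetes.default.svc.cluster
DNS.5 = kubernetes.default.svc.cluster.local
DNS.6 = www.huawei.com
DNS.7 = localhost
IP.1 = 168.7.10.201
IP.2 = 168.7.10.202
IP.3 = 168.7.10.203
IP.4 = 168.7.10.204
IP.5 = 127.0.0.1
EOF

# 4. Issue the X.509 v3 server certificate "server.crt".
# -CAcreateserial creates the serial file on first use; -CAserial pins
# it to ${CertPath} explicitly instead of relying on the current
# directory. Do not issue a v1 certificate (i.e. without -extfile):
# it would carry no SANs and be rejected by Kubernetes clients.
openssl x509 -req \
  -in "${CertPath}/${ServerName}.csr" \
  -out "${CertPath}/${ServerName}.crt" \
  -days "${ServerDays}" \
  -CAcreateserial -CA "${CertPath}/ca.crt" \
  -CAkey "${CertPath}/ca.key" \
  -CAserial "${CertPath}/serial" \
  -extfile "${CertPath}/my-ssl.conf"

# 5. Inspect the server certificate and set final permissions.
openssl x509 -in "${CertPath}/${ServerName}.crt" -text -noout
chmod 600 "${CertPath}/${ServerName}.key"
chmod 644 "${CertPath}/${ServerName}.crt" "${CertPath}/${ServerName}.csr" \
  "${CertPath}/my-ssl.conf" "${CertPath}/serial"
ls -l "${CertPath}/"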