Creating a self-built CA certificate and private key for a Kubernetes cluster

Self-built CA certificate and private key

This document describes how to build your own CA, which is then used to configure an HTTPS Ingress Resource. If you already have a certificate and private key, you can use them directly when defining the Ingress Resource.

1. Build your own CA, used later to sign digital certificates

Install the cfssl toolset (the downloaded binaries are not executable, so mark them before moving them into the PATH):

    wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
    chmod +x cfssl_linux-amd64
    mv cfssl_linux-amd64 /usr/bin/cfssl
    wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
    chmod +x cfssljson_linux-amd64
    mv cfssljson_linux-amd64 /usr/bin/cfssljson
    wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
    chmod +x cfssl-certinfo_linux-amd64
    mv cfssl-certinfo_linux-amd64 /usr/bin/cfssl-certinfo

The CA configuration file defines the usage scenarios (profiles) of the root certificate and their concrete parameters (usages: expiry, server authentication, client authentication, encryption, and so on). When other certificates are signed later, a specific profile must be selected.

Create the configuration file:

    mkdir /root/cert
    cd /root/cert
    cat > ca-config.json <<EOF
    {
      "signing": {
        "default": {
          "expiry": "87600h"
        },
        "profiles": {
          "ingress": {
            "usages": [
              "signing",
              "key encipherment",
              "server auth",
              "client auth"
            ],
            "expiry": "87600h"
          }
        }
      }
    }
    EOF

Create the certificate signing request file for the CA:

    cd /root/cert
    cat > ca-csr.json <<EOF
    {
      "CN": "ingress",
      "key": {
        "algo": "rsa",
        "size": 2048
      },
      "names": [
        {
          "C": "CN",
          "ST": "BeiJing",
          "L": "BeiJing",
          "O": "k8s",
          "OU": "4Paradigm"
        }
      ],
      "ca": {
        "expiry": "876000h"
      }
    }
    EOF

Generate the CA certificate and private key:

    cd /root/cert
    cfssl gencert -initca ca-csr.json | cfssljson -bare ca
    ls ca.pem

2. Issue the SSL certificate and private key

1) Create the certificate signing request for the web server:

    cd /root/cert
    cat > web-server-csr.json <<EOF
    {
      "CN": "ingress",
      "hosts": [
        "web-server-test.jdcloud.com"
      ],
      "key": {
        "algo": "rsa",
        "size": 2048
      },
      "names": [
        {
          "C": "CN",
          "ST": "BeiJing",
          "L": "BeiJing",
          "O": "k8s",
          "OU": "4Paradigm"
        }
      ]
    }
    EOF

2) Request the SSL certificate, signed by the CA with the "ingress" profile:

    cd /root/cert
    cfssl gencert -ca=/root/cert/ca.pem -ca-key=/root/cert/ca-key.pem -config=/root/cert/ca-config.json -profile=ingress web-server-csr.json | cfssljson -bare web-server
    ls web-server.pem