k8s 使用 cloudflare 的 cfssl 工具生成证书（参考链接见下）；本页下面的步骤改用 openssl 手工创建一个私有 CA，并用它签发带通配符和 IP SAN 的服务器证书。

  1. https://jimmysong.io/kubernetes-handbook/practice/create-tls-and-secret-key.html

参考 Let's Encrypt

制作通配符和 IP 证书（由自建 CA 签发，客户端需要手动信任 ca.crt）

# 1. 创建ca.key 和ca.crt 
openssl req -new -x509 -days 3650 -nodes -out ca.crt -keyout ca.key -subj "/C=US/ST=California/L=San Francisco/O=My Company/CN=mycompany.com"

# 1. 创建csr
cat <<EOF > san.cnf
[ req ]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn

[ dn ]
C = US
ST = California
L = San Francisco
O = Example Inc
OU = IT
CN = *.example.com

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = *.example.com
IP.1 = 192.0.2.1
EOF
# 生成server.key 和server.csr
openssl req -new -out server.csr -newkey rsa:2048 -nodes -keyout server.key -config san.cnf

#  创建v3.ext ,使用ca签发请求
cat <<EOF > v3.ext
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
subjectKeyIdentifier=hash

[ alt_names ]
DNS.1 = *.example.com
IP.1 = 192.0.2.1
EOF

# 签发证书
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 365 -sha256 -extfile v3.ext