cfssl生成ca证书

2018-07-10  本文已影响0人  Nick_4438

前言

本文介绍,如何通过cfssl生成证书,并通过openssl以及keytool 转换生成相关文件。

安装

$ wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
$ wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
$ wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
$ chmod +x cfssl_linux-amd64 cfssljson_linux-amd64 cfssl-certinfo_linux-amd64
$ mv cfssl_linux-amd64 /usr/local/bin/cfssl
$ mv cfssljson_linux-amd64 /usr/local/bin/cfssljson
$ yum install java 
wget https://www.openssl.org/source/openssl-1.1.0h.tar.gz
tar -xzvf /tmp/openssl-1.1.0h.tar.gz
cd openssl-1.1.0h
./config --prefix=/usr/local/openssl   
make
make install
mv /usr/bin/openssl /usr/bin/openssl.bak
ln -sf /usr/local/openssl/bin/openssl /usr/bin/openssl
echo "/usr/local/openssl/lib" >> /etc/ld.so.conf
ldconfig -v                    
openssl version
OpenSSL 1.1.0h  27

制作证书

运行如下脚本gen.sh,生成证书。

#!/bin/bash

PASS=${1:-"123456"}

cat > ca-config.json <<EOF
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "kubernetes": {
         "expiry": "87600h",
         "usages": [
            "signing",
            "key encipherment",
            "server auth",
            "client auth"
        ]
      }
    }
  }
}
EOF

# 颁发者信息 CN - 一般名词,O - 组织 , OU组织单位,
cat > ca-csr.json <<EOF
{
    "CN": "kubernetes",
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "Beijing",
            "ST": "Beijing",
            "O": "k8s",
            "OU": "System"
        }
    ]
}
EOF

cfssl gencert -initca ca-csr.json | cfssljson -bare ca -

#-----------------------

# 颁发给组织信息 
cat > server-csr.json <<EOF
{
    "CN": "kubernetes",
    "hosts": [
      "127.0.0.1",
      "192.168.3.90",
      "192.168.3.91",
      "192.168.3.92",
      "10.10.10.1",
      "kubernetes",
      "kubernetes.default",
      "kubernetes.default.svc",
      "kubernetes.default.svc.cluster",
      "kubernetes.default.svc.cluster.local"
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "BeiJing",
            "ST": "BeiJing",
            "O": "k8s",
            "OU": "System"
        }
    ]
}
EOF

cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes server-csr.json | cfssljson -bare server

#-----------------------
openssl pkcs12 -export -in server.pem -inkey server-key.pem -out server.pk12 -name serverkey -passout pass:${PASS}
keytool -importkeystore -deststorepass ${PASS} -destkeypass ${PASS} -destkeystore server.keystore -srckeystore server.pk12 -srcstoretype PKCS12 -srcstorepass ${PASS} -alias serverkey
openssl x509 -outform der -in server.pem -out server.crt
openssl x509 -outform der -in ca.pem -out ca.crt

tomcat 配置

 <Connector
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           port="8443" maxThreads="200"
           scheme="https" secure="true" SSLEnabled="true"
           keystoreFile="/root/ssl/server.keystore" keystorePass="123456"
           clientAuth="false" sslProtocol="TLS"/>
<Connector
           protocol="org.apache.coyote.http11.Http11AprProtocol"
           port="8443" maxThreads="200"
           scheme="https" secure="true" SSLEnabled="true"
           SSLCertificateFile="/root/ssl/server.crt"
           SSLCertificateKeyFile="/root/ssl/server.pem"
           SSLVerifyClient="optional" SSLProtocol="TLSv1+TLSv1.1+TLSv1.2"/>

apr未验证

上一篇 下一篇

猜你喜欢

热点阅读