cfssl生成ca证书
【摘要】 前言本文介绍,如何通过cfssl生成证书,并通过openssl以及keytool 转换生成相关文件。安装安装cfsslwget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64wget https://pkg.cfssl.org/R1.2/cfss...
前言
本文介绍,如何通过cfssl生成证书,并通过openssl以及keytool 转换生成相关文件。
安装
安装cfssl
wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64chmod +x cfssl_linux-amd64 cfssljson_linux-amd64 cfssl-certinfo_linux-amd64 mv cfssl_linux-amd64 /usr/local/bin/cfssl mv cfssljson_linux-amd64 /usr/local/bin/cfssljson
安装java
$ yum install java
安装openssl
wget https://www.openssl.org/source/openssl-1.1.0h.tar.gz tar -xzvf /tmp/openssl-1.1.0h.tar.gzcd openssl-1.1.0h ./config --prefix=/usr/local/openssl make make install mv /usr/bin/openssl /usr/bin/openssl.bak ln -sf /usr/local/openssl/bin/openssl /usr/bin/opensslecho "/usr/local/openssl/lib" >> /etc/ld.so.conf ldconfig -v openssl version OpenSSL 1.1.0h 27
制作证书
运行如下脚本gen.sh,生成证书。
#!/bin/bashPASS=${1:-"123456"}cat > ca-config.json <<EOF
{ "signing": { "default": { "expiry": "87600h"
}, "profiles": { "kubernetes": { "expiry": "87600h", "usages": [ "signing", "key encipherment", "server auth", "client auth"
]
}
}
}
}
EOF# 颁发者信息 CN - 一般名词,O - 组织 , OU组织单位,cat > ca-csr.json <<EOF
{ "CN": "kubernetes", "key": { "algo": "rsa", "size": 2048
}, "names": [
{ "C": "CN", "L": "Beijing", "ST": "Beijing", "O": "k8s", "OU": "System"
}
]
}
EOF
cfssl gencert -initca ca-csr.json | cfssljson -bare ca -#-----------------------# 颁发给组织信息 cat > server-csr.json <<EOF
{ "CN": "kubernetes", "hosts": [ "127.0.0.1", "192.168.3.90", "192.168.3.91", "192.168.3.92", "10.10.10.1", "kubernetes", "kubernetes.default", "kubernetes.default.svc", "kubernetes.default.svc.cluster", "kubernetes.default.svc.cluster.local"
], "key": { "algo": "rsa", "size": 2048
}, "names": [
{ "C": "CN", "L": "BeiJing", "ST": "BeiJing", "O": "k8s", "OU": "System"
}
]
}
EOF
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes server-csr.json | cfssljson -bare server#-----------------------openssl pkcs12 -export -in server.pem -inkey server-key.pem -out server.pk12 -name serverkey -passout pass:${PASS}keytool -importkeystore -deststorepass ${PASS} -destkeypass ${PASS} -destkeystore server.keystore -srckeystore server.pk12 -srcstoretype PKCS12 -srcstorepass ${PASS} -alias serverkey
openssl x509 -outform der -in server.pem -out server.crt
openssl x509 -outform der -in ca.pem -out ca.crt
tomcat 配置
如果使用nio链接
<Connector protocol="org.apache.coyote.http11.Http11NioProtocol" port="8443" maxThreads="200" scheme="https" secure="true" SSLEnabled="true" keystoreFile="/root/ssl/server.keystore" keystorePass="123456" clientAuth="false" sslProtocol="TLS"/>
如果使用apr链接
<Connector protocol="org.apache.coyote.http11.Http11AprProtocol" port="8443" maxThreads="200" scheme="https" secure="true" SSLEnabled="true" SSLCertificateFile="/root/ssl/server.crt" SSLCertificateKeyFile="/root/ssl/server.pem" SSLVerifyClient="optional" SSLProtocol="TLSv1+TLSv1.1+TLSv1.2"/>
apr未验证
【版权声明】本文为华为云社区用户原创内容,转载时必须标注文章的来源(华为云社区)、文章链接、文章作者等基本信息, 否则作者和本社区有权追究责任。如果您发现本社区中有涉嫌抄袭的内容,欢迎发送邮件进行举报,并提供相关证据,一经查实,本社区将立刻删除涉嫌侵权内容,举报邮箱:
cloudbbs@huaweicloud.com
- 点赞
- 收藏
- 关注作者
评论(0)