标签:suitable cipher received span bsp csr field gem forum
1、创建CA配置json文件
[root@k8s-master01 k8s]# cat ca-csr.json { "CN": "kubernetes", "key": { "algo": "rsa", "size": 2048 }, "names": [ { "C": "CN", "L": "HuBei", "ST": "WuHan", "O": "k8s", "OU": "System" } ] } [root@k8s-master01 k8s]# cat ca-config.json { "signing": { "default": { "expiry": "876000h" }, "profiles": { "kubernetes": { "expiry": "876000h", "usages": [ "signing", "key encipherment", "server auth", "client auth" ] } } } }
2、创建apiserver证书的所需配置文件
[root@k8s-master01 k8s]# cat kube-proxy-csr.json { "CN": "system:kube-proxy", "hosts": [], "key": { "algo": "rsa", "size": 2048 }, "names": [ { "C": "CN", "L": "HuBei", "ST": "WuHan", "O": "k8s", "OU": "System" } ] } [root@k8s-master01 k8s]# cat server-csr.json { "CN": "kubernetes", "hosts": [ "10.0.0.1", "127.0.0.1", "kubernetes", "kubernetes.default", "kubernetes.default.svc", "kubernetes.default.svc.cluster", "kubernetes.default.svc.cluster.local", "10.16.8.150", "10.16.8.151", "10.16.8.156", "10.16.8.155", "10.16.8.164" ], "key": { "algo": "rsa", "size": 2048 }, "names": [ { "C": "CN", "L": "HuBei", "ST": "WuHan", "O": "k8s", "OU": "System" } ] } 注:host中的最后几个IP为需要连接apiserver的IP,一般为master集群的所有IP,和负载均衡LB的所有IP和VIP,本文中的IP "10.16.8.150", master01 "10.16.8.151", master02 "10.16.8.156", LB "10.16.8.155", 备用IP "10.16.8.164" 备用IP
3、自建CA
[root@k8s-master01 k8s]# cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
4、生成证书
[root@k8s-master01 k8s]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes server-csr.json | cfssljson -bare server 2019/11/04 16:59:08 [INFO] generate received request 2019/11/04 16:59:08 [INFO] received CSR 2019/11/04 16:59:08 [INFO] generating key: rsa-2048 2019/11/04 16:59:09 [INFO] encoded CSR 2019/11/04 16:59:09 [INFO] signed certificate with serial number 710468047565346200192196031945671979263159074343 2019/11/04 16:59:09 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for websites. For more information see the Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org); specifically, section 10.2.3 ("Information Requirements"). [root@k8s-master01 k8s]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kube-proxy-csr.json | cfssljson -bare kube-proxy 2019/11/04 16:59:23 [INFO] generate received request 2019/11/04 16:59:23 [INFO] received CSR 2019/11/04 16:59:23 [INFO] generating key: rsa-2048 2019/11/04 16:59:23 [INFO] encoded CSR 2019/11/04 16:59:23 [INFO] signed certificate with serial number 632011921807538541174903390077695048984832013926 2019/11/04 16:59:23 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for websites. For more information see the Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org); specifically, section 10.2.3 ("Information Requirements").
5、会生成以下证书
[root@k8s-master01 k8s]# ll *.pem -rw------- 1 root root 1679 11月 4 16:58 ca-key.pem -rw-r--r-- 1 root root 1346 11月 4 16:58 ca.pem -rw------- 1 root root 1679 11月 4 16:59 kube-proxy-key.pem -rw-r--r-- 1 root root 1395 11月 4 16:59 kube-proxy.pem -rw------- 1 root root 1675 11月 4 16:59 server-key.pem -rw-r--r-- 1 root root 1643 11月 4 16:59 server.pem
标签:suitable cipher received span bsp csr field gem forum
原文地址:https://www.cnblogs.com/xw115428/p/11955973.html
