Creating a CA and issuing certificates with cfssl
Source: original
Date: 2019-04-16
Author: 脚本小站
Category: Linux
Download the cfssl tools:
wget -O cfssl https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
wget -O cfssljson https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
wget -O cfssl-certinfo https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
Default configuration: these commands generate templates; edit the relevant fields and they are ready to use.
cfssl print-defaults config > ca-config.json
cfssl print-defaults csr > ca-csr.json
Create the CA
CA request configuration file:
cat > ca-csr.json <<EOF
{
  "CN": "etcd",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "Shanghai",
      "L": "Shanghai",
      "O": "etcd",
      "OU": "4Paradigm"
    }
  ]
}
EOF
Generate the certificate and its private key file: ca.pem and ca-key.pem
cfssl gencert -initca ca-csr.json | cfssljson -bare ca
Create the TLS authentication certificate
CA configuration file:
cat > ca-config.json <<EOF
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "etcd": {
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ],
        "expiry": "87600h"
      }
    }
  }
}
EOF
etcd certificate request file:
cat > etcd-csr.json <<EOF
{
  "CN": "etcd",
  "hosts": [
    "127.0.0.1",
    "192.168.1.163",
    "192.168.1.164",
    "192.168.1.165"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "Shanghai",
      "L": "Shanghai",
      "O": "etcd",
      "OU": "4Paradigm"
    }
  ]
}
EOF
Create the certificate:
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=etcd etcd-csr.json | cfssljson -bare etcd
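Before distributing etcd.pem, it is worth confirming that it chains to ca.pem, lists every node IP from the "hosts" array as a SAN, carries the "server auth" and "client auth" usages of the etcd profile, and is not close to expiry. The script below is an added example, not part of the original post: it uses openssl rather than cfssl, the function names check_cert and make_sample are hypothetical, and the sample CA and leaf it generates are constructed throwaway files.

```shell
#!/bin/sh
# Added example. make_sample builds a constructed throwaway CA and leaf with
# openssl (standing in for the cfssl output); check_cert is the actual check.
make_sample() {
  d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj '/CN=sample-ca' \
    -keyout "$d/ca-key.pem" -out "$d/ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj '/CN=etcd' \
    -keyout "$d/etcd-key.pem" -out "$d/etcd.csr" 2>/dev/null
  printf '%s\n' 'subjectAltName=IP:127.0.0.1,IP:192.168.1.163' \
    'extendedKeyUsage=serverAuth,clientAuth' > "$d/ext.cnf"
  openssl x509 -req -in "$d/etcd.csr" -CA "$d/ca.pem" -CAkey "$d/ca-key.pem" \
    -CAcreateserial -days 365 -extfile "$d/ext.cnf" -out "$d/etcd.pem" 2>/dev/null
}

# check_cert CA_PEM CERT_PEM IP...  returns 0 only if every check passes.
check_cert() {
  ca=$1; cert=$2; shift 2; rc=0
  # 1. The certificate must chain to the CA that is supposed to have signed it.
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 ||
    { echo "FAIL: $cert does not verify against $ca"; rc=1; }
  text=$(openssl x509 -in "$cert" -noout -text 2>/dev/null) ||
    { echo "FAIL: cannot parse $cert"; return 1; }
  # 2. Every node IP must appear as an exact subjectAltName entry.
  sans=$(printf '%s\n' "$text" | grep -A1 'Subject Alternative Name' |
    tail -n1 | tr ',' '\n' | sed 's/^ *//')
  for ip in "$@"; do
    printf '%s\n' "$sans" | grep -Fxq "IP Address:$ip" ||
      { echo "FAIL: $ip missing from SAN"; rc=1; }
  done
  # 3. The etcd profile asks for both server auth and client auth.
  for eku in 'TLS Web Server Authentication' 'TLS Web Client Authentication'; do
    printf '%s\n' "$text" | grep -Fq "$eku" || { echo "FAIL: no EKU $eku"; rc=1; }
  done
  # 4. Flag certificates that expire within the next 30 days.
  openssl x509 -in "$cert" -noout -checkend $((30 * 24 * 3600)) >/dev/null ||
    { echo "FAIL: $cert expires within 30 days"; rc=1; }
  return $rc
}

demo=$(mktemp -d)
make_sample "$demo"
check_cert "$demo/ca.pem" "$demo/etcd.pem" 127.0.0.1 192.168.1.163 && echo "all checks passed"
rm -rf "$demo"
```

With the files produced on this page, the call would be check_cert ca.pem etcd.pem 127.0.0.1 192.168.1.163 192.168.1.164 192.168.1.165.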