1. Download the cfssl tools
$ wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
$ chmod +x cfssl_linux-amd64
$ sudo mv cfssl_linux-amd64 /root/local/bin/cfssl
$ wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
$ chmod +x cfssljson_linux-amd64
$ sudo mv cfssljson_linux-amd64 /root/local/bin/cfssljson
$ wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
$ chmod +x cfssl-certinfo_linux-amd64
$ sudo mv cfssl-certinfo_linux-amd64 /root/local/bin/cfssl-certinfo
$ export PATH=/root/local/bin:$PATH
2. Generate the default configuration file and certificate signing request (CSR) file
$ cfssl print-defaults config > ca-config.json
$ cfssl print-defaults csr > ca-csr.json
2.1. View and edit the CA configuration file
cat ca-config.json
{
  "signing": {
    "default": {
      "expiry": "9999h"
    },
    "profiles": {
      "www": {
        "expiry": "9999h",
        "usages": [
          "signing",
          "key encipherment",
          "server auth"
        ]
      },
      "client": {
        "expiry": "9999h",
        "usages": [
          "signing",
          "key encipherment",
          "client auth"
        ]
      }
    }
  }
}
ca-config.json: several profiles can be defined, each with its own expiry, intended use and other parameters; a profile is selected later when a certificate is signed.
signing: the certificate may be used to sign other certificates; the generated ca.pem has CA=TRUE.
server auth: a client may use this CA to verify the certificate presented by a server.
client auth: a server may use this CA to verify the certificate presented by a client.
2.2. View and edit the CA certificate signing request
{
  "CN": "registry.test.com",
  "hosts": [
    "127.0.0.1",
    "172.16.160.38",
    "registry.test.com"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
"CN": Common Name. kube-apiserver extracts this field from the certificate as the user name (User Name) of the request; browsers use this field to check whether a website is legitimate.
"O": Organization. kube-apiserver extracts this field from the certificate as the group (Group) the requesting user belongs to.
3. Generate the CA certificate and private key:
[root@dev tmp]# cfssl gencert -initca ca-csr.json | cfssljson -bare ca  # re-run
[root@dev tmp]# ls ca*
ca-config.json ca.csr ca-csr.json ca-key.pem ca.pem
Distribute the certificates
4. Verify the certificates
4.1 Verify a certificate with the openssl command
$ openssl x509 -noout -text -in kubernetes.pem
…
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=CN, ST=BeiJing, L=BeiJing, O=k8s, OU=System, CN=Kubernetes
Validity
Not Before: Apr 5 05:36:00 2017 GMT
Not After : Apr 5 05:36:00 2018 GMT
Subject: C=CN, ST=BeiJing, L=BeiJing, O=k8s, OU=System, CN=kubernetes
…
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Subject Key Identifier:
DD:52:04:43:10:13:A9:29:24:17:3A:0E:D7:14:DB:36:F8:6C:E0:E0
X509v3 Authority Key Identifier:
keyid:44:04:3B:60:BD:69:78:14:68:AF:A0:41:13:F6:17:07:13:63:58:CD
X509v3 Subject Alternative Name:
DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster, DNS:kubernetes.default.svc.cluster.local, IP Address:127.0.0.1, IP Address:10.64.3.7, IP Address:10.254.0.1
…
Confirm that the Issuer field matches ca-csr.json;
confirm that the Subject field matches kubernetes-csr.json;
confirm that the X509v3 Subject Alternative Name field matches kubernetes-csr.json;
confirm that the X509v3 Key Usage and Extended Key Usage fields match the kubernetes profile in ca-config.json.
4.2 Verify a certificate with the cfssl-certinfo command
$ cfssl-certinfo -cert kubernetes.pem
…
{
  "subject": {
    "common_name": "kubernetes",
    "country": "CN",
    "organization": "k8s",
    "organizational_unit": "System",
    "locality": "BeiJing",
    "province": "BeiJing",
    "names": [
      "CN",
      "BeiJing",
      "BeiJing",
      "k8s",
      "System",
      "kubernetes"
    ]
  },
  "issuer": {
    "common_name": "Kubernetes",
    "country": "CN",
    "organization": "k8s",
    "organizational_unit": "System",
    "locality": "BeiJing",
    "province": "BeiJing",
    "names": [
      "CN",
      "BeiJing",
      "BeiJing",
      "k8s",
      "System",
      "Kubernetes"
    ]
  },
  "serial_number": "174360492872423263473151971632292895707129022309",
  "sans": [
    "kubernetes",
    "kubernetes.default",
    "kubernetes.default.svc",
    "kubernetes.default.svc.cluster",
    "kubernetes.default.svc.cluster.local",
    "127.0.0.1",
    "10.64.3.7",
    "10.64.3.8",
    "10.66.3.86",
    "10.254.0.1"
  ],
  "not_before": "2017-04-05T05:36:00Z",
  "not_after": "2018-04-05T05:36:00Z",
  "sigalg": "SHA256WithRSA",
…
4.3 Verify with a browser
Rename the CA certificate ca.pem to ca.crt and import the certificate into the browser.
Set up an HTTPS service
[root@dev tmp]# cd /root/ssl_test
[root@dev tmp]# cat > http-server.js <<EOF
var https = require('https');
var fs = require('fs');
var options = {
  key: fs.readFileSync('./keys/app-key.pem'),
  cert: fs.readFileSync('./keys/app.pem')
};
https.createServer(options, function (req, res) {
  res.writeHead(200);
  res.end('hello world');
}).listen(8000);
EOF
[root@dev tmp]# yum install nodejs -y
[root@dev tmp]# npm install https -g
[root@dev tmp]# node http-server.js
Edit the hosts file and add:
172.16.160.28 www.test.com
Open https://www.test.com:8000 in the browser; the site is shown as secure.
Appendix:
Meaning of the fields in the Subject of a digital certificate
The subject of a typical digital certificate usually contains the following fields:
Common Name (CN): for an SSL certificate, usually the website's domain name; for a code-signing certificate, the name of the applying organization; for a client certificate, the name of the applicant.
Organization Name (O): for an SSL certificate, usually the website's domain name; for a code-signing certificate, the name of the applying organization; for a client organization certificate, the name of the organization the applicant belongs to.
Location of the applying organization:
Locality (L): city
State/Province (S): province
Country (C): the two-letter country code only, e.g. CN for China
Other fields:
Email (E)
Multiple given names (G)
Description
Phone: format + country code, area code, number, e.g. +86 732 88888888
STREET: street address
PostalCode: postal code
Other information to display (OU)
Example:
[root@dev ca]# cat ca-config.json
{
  "signing": {
    "default": {
      "expiry": "9999h"
    },
    "profiles": {
      "www": {
        "expiry": "9999h",
        "usages": [
          "signing",
          "key encipherment",
          "server auth"
        ]
      },
      "client": {
        "expiry": "9999h",
        "usages": [
          "signing",
          "key encipherment",
          "client auth"
        ]
      }
    }
  }
}
[root@dev ca]# cat ca-csr.json
{
  "CN": "registry.test.com",
  "hosts": [
    "127.0.0.1",
    "172.16.160.38",
    "registry.test.com"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
[root@dev ca]# ll
总用量 8
-rw-r--r-- 1 root root 568 11月 14 15:59 ca-config.json
-rw-r--r-- 1 root root 289 11月 14 16:02 ca-csr.json
[root@dev ca]# cfssl gencert -initca ca-csr.json | cfssljson -bare ca
2018/11/14 16:05:01 [INFO] generating a new CA key and certificate from CSR
2018/11/14 16:05:01 [INFO] generate received request
2018/11/14 16:05:01 [INFO] received CSR
2018/11/14 16:05:01 [INFO] generating key: rsa-2048
2018/11/14 16:05:01 [INFO] encoded CSR
2018/11/14 16:05:01 [INFO] signed certificate with serial number 303515642193399207794287652931621857332460556169
[root@dev ca]# ll
总用量 20
-rw-r--r-- 1 root root 568 11月 14 15:59 ca-config.json
-rw-r--r-- 1 root root 1082 11月 14 16:05 ca.csr
-rw-r--r-- 1 root root 289 11月 14 16:02 ca-csr.json
-rw------- 1 root root 1679 11月 14 16:05 ca-key.pem
-rw-r--r-- 1 root root 1379 11月 14 16:05 ca.pem
[root@dev ca]# openssl x509 -noout -text -in ca.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
35:2a:1c:b2:f6:1a:f3:82:38:50:05:8c:fb:65:ef:9e:89:74:8f:89
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=CN, ST=BeiJing, L=BeiJing, O=k8s, OU=System, CN=harbor
Validity
Not Before: Nov 14 08:00:00 2018 GMT
Not After : Nov 13 08:00:00 2023 GMT
Subject: C=CN, ST=BeiJing, L=BeiJing, O=k8s, OU=System, CN=harbor
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
…
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
X509v3 Basic Constraints: critical
CA:TRUE, pathlen:2
X509v3 Subject Key Identifier:
15:1F:81:A2:AC:41:18:DA:DD:19:36:03:61:18:7B:EF:3D:94:10:AE
X509v3 Authority Key Identifier:
keyid:15:1F:81:A2:AC:41:18:DA:DD:19:36:03:61:18:7B:EF:3D:94:10:AE
X509v3 Subject Alternative Name:
IP Address:127.0.0.1, IP Address:172.16.160.38
Signature Algorithm: sha256WithRSAEncryption
…
[root@dev ca]#
If the following error occurs:
[root@dev ~]# docker login registry.test.com
Username (admin): admin
Password:
Error response from daemon: Get https://registry.mayocase.com/v1/users/: x509: certificate signed by unknown authority
check whether the ca.crt file exists in the directory /etc/docker/certs.d/registry.test.com; docker may need to be restarted:
[root@dev ~]# cp ca.pem /etc/docker/certs.d/registry.test.com/ca.crt
[root@dev ~]# systemctl restart docker
Steps after changing the harbor certificate:
[root@dev harbor]# cd /data/harbor  # the following commands must be run from this directory
[root@dev harbor]# ll
总用量 878344
drwxr-xr-x 4 root root 35 7月 31 2017 common
-rw-r--r-- 1 root root 1988 7月 31 2017 docker-compose.notary.yml
-rw-r--r-- 1 root root 3155 7月 31 2017 docker-compose.yml
-rw-r--r-- 1 root root 4304 7月 31 2017 harbor_1_1_0_template
-rw-r--r-- 1 root root 4178 7月 31 2017 harbor.cfg
-rw-r--r-- 1 root root 1082 7月 31 2017 harbor.csr
-rw-r--r-- 1 root root 288 7月 31 2017 harbor-csr.json
-rw-r--r-- 1 root root 448963966 7月 31 2017 harbor.v1.1.1.tar.gz
-rw-r--r-- 1 root root 450041094 7月 31 2017 harbor.v1.1.2.tar.gz
-rwxr-xr-x 1 root root 5169 7月 31 2017 install.sh
-rw-r--r-- 1 root root 337600 7月 31 2017 LICENSE
-rw-r--r-- 1 root root 472 7月 31 2017 NOTICE
-rwxr-xr-x 1 root root 16522 7月 31 2017 prepare
-rwxr-xr-x 1 root root 4550 7月 31 2017 upgrade
[root@dev harbor]#
Stop harbor
[root@dev harbor]# docker-compose down -v  # run this several times until all containers have been removed
Edit the configuration
[root@dev harbor]# vim harbor.cfg
Apply the modified configuration to the docker-compose.yml file
[root@dev harbor]# ./prepare
Start harbor
[root@dev harbor]# docker-compose up -d
CFSSL is CloudFlare's open-source PKI/TLS toolkit. It consists of a command-line tool and an HTTP API server for signing, verifying and bundling TLS certificates, and is written in Go.
GitHub: https://github.com/cloudflare/cfssl
Official site: https://pkg.cfssl.org/
Reference: liuzhengwei521
curl -s -L -o /bin/cfssl https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
curl -s -L -o /bin/cfssljson https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
curl -s -L -o /bin/cfssl-certinfo https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
chmod +x /bin/cfssl*
Certificate types in the cluster
client certificate: used by a server to authenticate a client, e.g. etcdctl, etcd proxy, fleetctl, the docker client
server certificate: used by a server; clients use it to verify the server's identity, e.g. the docker daemon, kube-apiserver
peer certificate: a two-way certificate, used for communication between etcd cluster members
By the party being authenticated, certificates fall into three classes: server certificates (server cert), client certificates (client cert) and peer certificates (peer cert, which act as both server cert and client cert). A Kubernetes cluster needs the following certificates:
etcd nodes need a server cert identifying their own service and a client cert for talking to the other members of the etcd cluster; these can be two separate certificates or a single peer certificate.
master nodes need a server cert identifying the apiserver service and a client cert for connecting to the etcd cluster; here, too, a single peer certificate is used.
kubectl, calico and kube-proxy need only a client cert, so the hosts field of their certificate requests can be empty.
The kubelet certificate is special: it is not generated by hand. The node requests it from the apiserver via TLS bootstrap and the controller-manager on the master signs it automatically; it comprises a client cert and a server cert.
Create the CA configuration file
Configure the certificate issuance policy, i.e. which kinds of certificates the CA may issue.
vim /opt/ssl/k8sca/ca-config.json
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "kubernetes": {
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ],
        "expiry": "87600h"
      }
    }
  }
}
Create the CA certificate signing request
vim /opt/ssl/k8sca/ca-csr.json
{
  "CN": "kubernetes",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "BeiJing",
      "O": "Ctyun",
      "ST": "BeiJing",
      "OU": "ops"
    }
  ]
}
Generate the CA certificate and private key
This produces the files the CA needs, ca-key.pem (the private key) and ca.pem (the certificate), plus ca.csr (the certificate signing request), which is kept for cross-signing or re-signing.
$ cd /opt/ssl/k8sca/
$ cfssl gencert -initca ca-csr.json | cfssljson -bare ca
$ ls
ca-config.json ca.csr ca-csr.json ca-key.pem ca.pem
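As an added example (Go standard library only; not cfssl's code and not part of the original notes), the program below reproduces what the steps above amount to in X.509 terms: a self-signed CA like ca.pem (CA:TRUE, Certificate Sign / CRL Sign), a leaf signed under the kubernetes profile (server auth plus client auth, i.e. the peer certificate described under "Certificate types in the cluster"), and the checks from section 4 as a client or server would perform them with ca.pem as the trust root, including the "certificate signed by unknown authority" failure when the CA is not trusted. The CN "Kubernetes", O "k8s", the SAN names and IPs and the serial numbers are constructed for the demo; keys stay in memory.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// issue signs tmpl with parent/parentKey; parent == nil means self-signed, as "cfssl gencert -initca" does.
func issue(tmpl, parent *x509.Certificate, parentKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey) {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)                                 // "key": {"algo": "rsa", "size": 2048}
	tmpl.NotBefore, tmpl.NotAfter = time.Now(), time.Now().Add(87600*time.Hour) // "expiry": "87600h"
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// newCA is ca.pem: CA:TRUE with Certificate Sign / CRL Sign, exactly what the openssl dump of ca.pem shows.
func newCA() (*x509.Certificate, *rsa.PrivateKey) {
	return issue(&x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Kubernetes"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}, nil, nil)
}

// issuePeer is a leaf under the "kubernetes" profile: "signing" + "key encipherment" become KeyUsage,
// "server auth" + "client auth" become ExtKeyUsage, so one certificate serves both roles (a peer cert).
func issuePeer(ca *x509.Certificate, caKey *rsa.PrivateKey, cn string, dns []string, ips []net.IP) *x509.Certificate {
	cert, _ := issue(&x509.Certificate{SerialNumber: big.NewInt(2), DNSNames: dns, IPAddresses: ips,
		Subject:     pkix.Name{CommonName: cn, Organization: []string{"k8s"}}, // CN = user, O = group for kube-apiserver
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}}, ca, caKey)
	return cert
}

// verifyAs is the check a client (server auth) or a server (client auth) runs with ca.pem as its only
// trust root; ca == nil reproduces the docker error "x509: certificate signed by unknown authority".
func verifyAs(leaf, ca *x509.Certificate, host string, usage x509.ExtKeyUsage) error {
	roots := x509.NewCertPool()
	if ca != nil {
		roots.AddCert(ca)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host, KeyUsages: []x509.ExtKeyUsage{usage}})
	return err
}
```

verifyAs fails for a host name or IP that is absent from the SANs, which is why the SAN check in section 4 matters as much as the issuer check.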