CFSSL是CloudFlare开源的一款PKI/TLS工具,CFSSL包含一个命令行工具和一个用于签名,验证并且捆绑TLS证书的HTTP API服务,使用Go语言编写.

github: https://github.com/cloudflare/cfssl

下载地址: https://pkg.cfssl.org/

在使用etcd,kubernetes等组件的过程中会大量接触到证书的生成和使用,本文将详细说明创建etcd的证书

安装

wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 
wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 
wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
chmod +x cfssl*

获取默认配置

cfssl print-defaults config > ca-config.json
cfssl print-defaults csr > ca-csr.json

ca-config.json文件内容如下:

{
    "signing": {
        "default": {
            "expiry": "168h"
        },
        "profiles": {
            "www": {
                "expiry": "8760h",
                "usages": [
                    "signing",
                    "key encipherment",
                    "server auth"
                ]
            },
            "client": {
                "expiry": "8760h",
                "usages": [
                    "signing",
                    "key encipherment",
                    "client auth"
                ]
            }
        }
    }
}

ca-csr.json内容如下:

{
    "CN": "example.net",
    "hosts": [
        "example.net",
        "www.example.net"
    ],
    "key": {
        "algo": "ecdsa",
        "size": 256
    },
    "names": [
        {
            "C": "US",
            "L": "CA",
            "ST": "San Francisco"
        }
    ]
}

生成ca证书

ca-config.json内容修改为:

{
    "signing":{
        "default":{
            "expiry":"876000h"
        },
        "profiles":{
            "etcd":{
                "usages":[
                    "signing",
                    "key encipherment",
                    "server auth",
                    "client auth"
                ],
                "expiry":"876000h"
            }
        }
    }
}

修改ca-csr.json文件内容为:

{
  "CN": "CA",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "shenzhen",
      "L": "shenzhen",
      "O": "etcd",
      "OU": "System"
    }
  ]
}

“CN”:Common Name,etcd 从证书中提取该字段作为请求的用户名 (User Name);浏览器使用该字段验证网站是否合法; “O”:Organization,etcd 从证书中提取该字段作为请求用户所属的组 (Group);

注意,在k8s中: 这两个参数在后面的kubernetes启用RBAC模式中很重要,因为需要设置kubelet、admin等角色权限,那么在配置证书的时候就必须配置对了,具体后面在部署kubernetes的时候会进行讲解。

修改好配置文件后,接下来就可以生成ca证书了

$ cfssl gencert -initca ca-csr.json | cfssljson -bare ca
2019/04/25 15:02:45 [INFO] generating a new CA key and certificate from CSR
2019/04/25 15:02:45 [INFO] generate received request
2019/04/25 15:02:45 [INFO] received CSR
2019/04/25 15:02:45 [INFO] generating key: rsa-2048
2019/04/25 15:02:46 [INFO] encoded CSR
2019/04/25 15:02:46 [INFO] signed certificate with serial number 391082240034344424489077238735720834723237930875

此时目录下会出现三个文件:

$ tree
├── ca-config.json #这是刚才的json
├── ca.csr
├── ca-csr.json    #这也是刚才申请证书的json
├── ca-key.pem
├── ca.pem

这样 我们就生成了:

  • 根证书文件: ca.pem
  • 根证书私钥: ca-key.pem
  • 根证书申请文件: ca.csr (csr是不是client ssl request?)

签发证书

创建etct-csr.json,内容为:

{
  "CN": "etcd",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "hosts": [
    "example.net",	#此处为etcd地址,可以多个
    "www.example.net"
  ],
  "names": [
    {
      "C": "CN",
      "ST": "shenzhen",
      "L": "shenzhen",
      "O": "etcd",
      "OU": "System"
    }
  ]
}

使用之前的ca证书签发etcd证书:

$ cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=etcd etcd-csr.json | cfssljson -bare etcd

2019/04/25 15:29:57 [INFO] generate received request
2019/04/25 15:29:57 [INFO] received CSR
2019/04/25 15:29:57 [INFO] generating key: rsa-2048
2019/04/25 15:29:57 [INFO] encoded CSR
2019/04/25 15:29:57 [INFO] signed certificate with serial number 298100304200846379445095267906256802955283756560
2019/04/25 15:29:57 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").

此时目录下会多几个文件:

$ tree -L 1
├── etcd.csr
├── etcd-csr.json
├── etcd-key.pem
├── etcd.pem

至此,etcd的证书生成完成.

启动etcd

./etcd
--name etcd1 \
  --cert-file=/etcd.pem \
  --key-file=/etcd-key.pem \
  --peer-cert-file=/etcd.pem \
  --peer-key-file=/etcd-key.pem \
  --trusted-ca-file=/ca.pem \
  --peer-trusted-ca-file=/ca.pem \
  --initial-advertise-peer-urls http://127.0.0.1:2380 \
  --listen-peer-urls http://127.0.0.1:2380 \
  --listen-client-urls http://127.0.0.1:2379,http://127.0.0.1:2379 \
  --advertise-client-urls http://127.0.0.1:2379 \
  --initial-cluster-token etcd-cluster-token \
  --initial-cluster etcd1=https://172.16.5.81:2380,infra2=https://172.16.5.86:2380,infra3=https://172.16.5.87:2380 \
  --initial-cluster-state new \
  --data-dir=/etcd-data