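Issuing your own certificates
As mentioned in the earlier article, cfssl and openssl are used here as the certificate generation tools.
In part 9, I generated a custom certificate for the dashboard, with the following result:
Note the green here: the connection is secure, mainly because we added the root CA certificate as trusted.
On Windows, a pem file cannot be imported directly, so I used openssl to convert the pem into a cer certificate.
Note: a crt file can also be installed directly on Windows.
How was it done?
Treat this as a learning exercise!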
[root@k8s-node1 etcd]# ls
ca.cer ca.csr ca-key.pem etcd etcdctl install k8s-local.csr k8s-local-key.pem kubernetes.csr kubernetes.pem ssl
ca-config.json ca-csr.json ca.pem etcd-2.etcd etcd.yaml k8s-csr.json k8s-local.json k8s-local.pem kubernetes-key.pem nohup.out
[root@k8s-node1 etcd]# openssl x509 -in ca.pem -text -out ca.cer
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
19:22:46:76:5a:d1:1c:3c:c9:55:07:64:80:37:b0:66:08:5d:c0:12
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=CN, ST=shenzhen, L=shenzhen, O=k8s, OU=System, CN=kubernetes
Validity
Not Before: Nov 2 07:50:00 2019 GMT
Not After : Oct 31 07:50:00 2024 GMT
Subject: C=CN, ST=shenzhen, L=shenzhen, O=k8s, OU=System, CN=kubernetes
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
X509v3 Basic Constraints: critical
CA:TRUE, pathlen:2
X509v3 Subject Key Identifier:
0B:89:F2:49:E2:C3:A5:31:A0:39:A2:B6:97:80:0A:6C:B8:CD:3A:2B
X509v3 Authority Key Identifier:
keyid:0B:89:F2:49:E2:C3:A5:31:A0:39:A2:B6:97:80:0A:6C:B8:CD:3A:2B
Signature Algorithm: sha256WithRSAEncryption
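At this point we have generated the root CA's ca.cer certificate:
Double-click it and follow the wizard step by step, adding the certificate to this computer's trusted root certificate list at the end.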
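A check worth running before a root is added to the trust store, as an added example that is not part of the original post: it exports ca.pem as binary DER with -outform der (rather than the -text dump used above) and confirms the exported file is the same unexpired, self-signed certificate. The function names are hypothetical and the sample root is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post. Requires the openssl CLI.
# Function names are hypothetical; ca.pem / ca.cer are the post's file names.

# Print the SHA-256 fingerprint of a certificate. $2 is its encoding: pem or der.
cert_fp() {
    openssl x509 -in "$1" -inform "$2" -noout -fingerprint -sha256 | cut -d= -f2
}

# Export a PEM root certificate as a DER .cer and confirm the exported file
# is the same certificate. Prints the fingerprint on success.
export_root_for_windows() {
    pem=$1
    der=$2
    # Refuse a root that has already expired.
    openssl x509 -in "$pem" -noout -checkend 0 >/dev/null || return 1
    # A root CA certificate is self-signed, so it must verify against itself.
    openssl verify -CAfile "$pem" "$pem" >/dev/null 2>&1 || return 1
    # Write binary DER only (no -text dump in the output file).
    openssl x509 -in "$pem" -outform der -out "$der" || return 1
    # The same certificate has the same fingerprint in either encoding.
    [ "$(cert_fp "$pem" pem)" = "$(cert_fp "$der" der)" ] || return 1
    cert_fp "$der" der
}

# Constructed sample input: a throwaway self-signed root valid for one day.
make_sample_root() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=constructed-sample-root" \
        -keyout "$1/ca-key.pem" -out "$1/ca.pem" >/dev/null 2>&1
}

# Usage on the CA host: export_root_for_windows ca.pem ca.cer
```

On the Windows side, `certutil -hashfile ca.cer SHA256` prints the same digest (without colons), so the value can be compared with the one from the CA host before the import wizard is completed.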
Our root CA certificate: