Using the cfssl certificate issuance tool
Introduction
Installation
$ apt install golang-cfssl
$ cfssl version
Version: 1.2.0
Revision: dev
Runtime: go1.8.1
Examples
Self-signed example
Example: issuing a k8s certificate
Taking the signing of a certificate for velero as an example:
{
  "CN": "velero",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "Shanghai",
      "L": "Shanghai",
      "O": "xiexianbin.cn",
      "OU": "System"
    }
  ]
}
$ cfssl gencert -ca=/etc/kubernetes/pki/ca.crt -ca-key=/etc/kubernetes/pki/ca.key -profile=kubernetes ./velero-csr.json | cfssljson -bare velero
2022/09/01 19:07:00 [INFO] generate received request
2022/09/01 19:07:00 [INFO] received CSR
2022/09/01 19:07:00 [INFO] generating key: rsa-2048
2022/09/01 19:07:01 [INFO] encoded CSR
2022/09/01 19:07:01 [INFO] signed certificate with serial number 189907845831992997781066517490680137593355413304
2022/09/01 19:07:01 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").
# Certificate files after issuance
$ ls -lhart
total 20K
-rw-r--r-- 1 root root 232 Sep 1 19:05 velero-csr.json
drwx------ 10 root root 4.0K Sep 1 19:05 ..
-rw-r--r-- 1 root root 1.3K Sep 1 19:07 velero.pem
-rw------- 1 root root 1.7K Sep 1 19:07 velero-key.pem
-rw-r--r-- 1 root root 1013 Sep 1 19:07 velero.csr
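A pre-signing review of the CSR JSON above, as an added example that is not part of the original post or of cfssl. It goes slightly beyond the page: because the request is signed by the cluster CA, Kubernetes will read the certificate's CN as the username and each O as a group, so the check reports that identity along with the empty "hosts" field that triggers the warning in the log. The function names and the minimum key sizes are assumptions chosen for this illustration.

```python
import json

# CSR request copied from the page (velero-csr.json).
VELERO_CSR = json.loads("""
{
  "CN": "velero",
  "hosts": [],
  "key": {"algo": "rsa", "size": 2048},
  "names": [{"C": "CN", "ST": "Shanghai", "L": "Shanghai",
             "O": "xiexianbin.cn", "OU": "System"}]
}
""")

# Assumed local policy (not a cfssl default): minimum key size per algorithm.
MIN_KEY_BITS = {"rsa": 2048, "ecdsa": 256}
# Kubernetes binds this group to cluster-admin by default.
PRIVILEGED_GROUPS = {"system:masters"}


def k8s_identity(csr):
    """Return (username, groups) as Kubernetes x509 client auth derives them."""
    groups = [n["O"] for n in csr.get("names", []) if n.get("O")]
    return csr.get("CN", ""), groups


def review_csr(csr):
    """Return findings for a cfssl CSR JSON document (hypothetical helper)."""
    findings = []
    user, groups = k8s_identity(csr)
    if not user:
        findings.append("CN is empty: the certificate carries no username")
    for group in groups:
        if group in PRIVILEGED_GROUPS:
            findings.append(f"O {group!r} is bound to cluster-admin; review before signing")
    key = csr.get("key", {})
    algo, size = key.get("algo"), key.get("size", 0)
    if algo not in MIN_KEY_BITS:
        findings.append(f"unexpected key algorithm {algo!r}")
    elif size < MIN_KEY_BITS[algo]:
        findings.append(f"{algo} key of {size} bits is below the {MIN_KEY_BITS[algo]}-bit minimum")
    if not csr.get("hosts"):
        findings.append("hosts is empty: no SANs, so the certificate cannot identify a server")
    return findings


if __name__ == "__main__":
    print(k8s_identity(VELERO_CSR))
    for finding in review_csr(VELERO_CSR):
        print("-", finding)
```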
FAQ