
Generating Kubernetes certificates with openssl

Kubernetes:

 

  1. ca.crt         ca.key
    openssl genrsa -out ca.key 2048
    openssl req -x509 -new -nodes -key ca.key -out ca.crt -subj "/CN=kubernetes"

    Note: without -days, openssl req -x509 issues a CA certificate valid for only 30 days, after which every certificate signed below stops verifying; pass an explicit -days at least as long as the longest leaf certificate. ca.key signs every identity the cluster trusts, so keep it mode 0600 on the control plane only.

    For comparison, the CA that kubeadm generates (output not preserved here):

  2. apiserver.crt     apiserver.key
    openssl genrsa -out apiserver.key 2048
    openssl req -new -nodes -key apiserver.key -out apiserver.csr -config apiserver.conf
    openssl x509 -req -in apiserver.csr -out apiserver.crt -CA ca.crt -CAkey ca.key -CAcreateserial -extfile apiserver.conf -extensions v3_ext -days 44444

    The SANs must cover every name and address a client may use to reach the API server: the in-cluster service names, the first IP of the service CIDR (10.96.0.1 here) and the node or load-balancer addresses (192.168.8.11 and 192.168.8.200 here). A name missing from the list shows up on the client as "x509: certificate is valid for ..., not ...". The -days value must not exceed the CA's validity; 44444 days is about 121 years and is inconsistent with the 4444 used for the client certificates below.

    For comparison, the serving certificate that kubeadm generates (output not preserved here):

    apiserver.conf:

    [ req ]
    default_bits = 2048
    prompt = no
    default_md = sha256
    req_extensions = req_ext
    distinguished_name = dn
    
    [ dn ]
    CN = kube-apiserver
    
    [ req_ext ]
    subjectAltName = @alt_names
    
    [ alt_names ]
    DNS.1 = kubernetes
    DNS.2 = kubernetes.default
    DNS.3 = kubernetes.default.svc
    DNS.4 = kubernetes.default.svc.cluster
    DNS.5 = kubernetes.default.svc.cluster.local
    DNS.6 = ram1
    IP.1 = 10.96.0.1
    IP.2 = 192.168.8.11
    IP.3 = 192.168.8.200
    
    [ v3_ext ]
    keyUsage=critical, digitalSignature, keyEncipherment
    extendedKeyUsage=serverAuth
    basicConstraints=critical, CA:FALSE
    authorityKeyIdentifier=keyid
    subjectAltName=@alt_names

     

     

  3. apiserver-kubelet-client.crt      apiserver-kubelet-client.key

    openssl genrsa -out apiserver-kubelet-client.key 2048
    openssl req -new -nodes -key apiserver-kubelet-client.key -out apiserver-kubelet-client.csr -config apiserver-kubelet-client.conf
    openssl x509 -req -in apiserver-kubelet-client.csr -out apiserver-kubelet-client.crt -CA ca.crt -CAkey ca.key -CAcreateserial -extfile apiserver-kubelet-client.conf -extensions v3_ext -days 4444

    This is the client certificate the API server presents to each kubelet. The kubelet verifies it against the cluster CA and takes the identity from the subject: CN is the user name and O is the group. system:masters is bound to cluster-admin, so whoever holds this key has unrestricted access, and Kubernetes does not check certificate revocation lists, so a leaked key can only be invalidated by replacing the CA.

    apiserver-kubelet-client.conf:


    [ req ]
    default_bits = 2048
    prompt = no
    default_md = sha256
    distinguished_name = dn
    
    [ dn ]
    O = system:masters
    CN = kube-apiserver-kubelet-client
    
    [ v3_ext ]
    keyUsage=critical, digitalSignature, keyEncipherment
    extendedKeyUsage=clientAuth
    basicConstraints=critical, CA:FALSE
    authorityKeyIdentifier=keyid



  4. Client certificates for kubectl and other clients

    To see what a kubeadm-deployed cluster issued, decode the admin certificate out of admin.conf (the awk program must be quoted) and inspect it with openssl x509 -text:
    cat /etc/kubernetes/admin.conf | grep client-certificate-data | awk '{print $2}' | base64 --decode > kubectl.crt

     

     


    openssl genrsa -out kubectl.key 2048
    openssl req -new -nodes -key kubectl.key -out kubectl.csr -config kubectl.conf
    openssl x509 -req -in kubectl.csr -out kubectl.crt -CA ca.crt -CAkey ca.key -CAcreateserial -extfile kubectl.conf -extensions v3_ext -days 4444


    kubectl.conf:

    [ req ]
    default_bits = 2048
    prompt = no
    default_md = sha256
    distinguished_name = dn
    
    [ dn ]
    O = system:masters
    CN = kubernetes-admin
    
    [ v3_ext ]
    keyUsage=critical, digitalSignature, keyEncipherment
    extendedKeyUsage=clientAuth
    basicConstraints=critical, CA:FALSE
    authorityKeyIdentifier=keyid

    This subject matches what kubeadm wrote into admin.conf at the time of this post. kubeadm 1.29 and later issue admin.conf with O = kubeadm:cluster-admins, a group granted cluster-admin through a ClusterRoleBinding, and keep system:masters only for super-admin.conf. That is the pattern to follow for additional users: a group bound through RBAC can be cut off by deleting the binding, while system:masters bypasses RBAC entirely.



  5. apiserver-etcd-client.crt      apiserver-etcd-client.key        signed by the etcd CA (etcd.ca), not by the cluster CA above
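The whole procedure above, from the CA through the apiserver serving certificate to an admin client certificate, as an added shell example that is not from the original post. It works in a scratch directory, gives the CA an explicit validity, and uses the same SAN names and subjects; the IPs, the validity periods and the file names are assumptions. What the page's commands do not show is the verification, so the block ends with the checks the cluster performs implicitly: the chain verifies against ca.crt, the SANs and EKUs are the expected ones, the client subject carries the system:masters group, the keys are 0600, and a leaf signed for 44444 days (as in step 2) stops verifying the moment the CA expires.

```shell
#!/bin/sh
# Added example, not from the original post: build a small Kubernetes-style PKI
# (CA, kube-apiserver serving cert, admin client cert) and verify it the way the
# cluster will. Names, IPs and validity periods below are assumptions.
set -eu
umask 077                                    # every .key is created as 0600
WORKDIR="${WORKDIR:-$(mktemp -d)}"
CA_DAYS=3650                                 # explicit: openssl req -x509 defaults to 30 days
LEAF_DAYS=365
SERVICE_IP="${SERVICE_IP:-10.96.0.1}"        # first IP of the service CIDR (assumed)
APISERVER_IP="${APISERVER_IP:-192.168.8.11}" # control-plane node IP (assumed)

gen_ca() {
  cat > "$WORKDIR/ca.conf" <<EOF
[ req ]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
CN = kubernetes
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl genrsa -out "$WORKDIR/ca.key" 2048 2>/dev/null
  openssl req -x509 -new -nodes -sha256 -days "$CA_DAYS" -key "$WORKDIR/ca.key" \
    -config "$WORKDIR/ca.conf" -out "$WORKDIR/ca.crt"
}

# sign_leaf NAME DAYS: key + CSR + CA-signed cert, extensions from $WORKDIR/NAME.conf [v3_ext]
sign_leaf() {
  openssl genrsa -out "$WORKDIR/$1.key" 2048 2>/dev/null
  openssl req -new -key "$WORKDIR/$1.key" -config "$WORKDIR/$1.conf" -out "$WORKDIR/$1.csr"
  openssl x509 -req -in "$WORKDIR/$1.csr" -CA "$WORKDIR/ca.crt" -CAkey "$WORKDIR/ca.key" \
    -CAcreateserial -sha256 -days "$2" -extfile "$WORKDIR/$1.conf" -extensions v3_ext \
    -out "$WORKDIR/$1.crt" 2>/dev/null
}

gen_apiserver_cert() {   # serverAuth; SANs = in-cluster service names + reachable IPs
  cat > "$WORKDIR/apiserver.conf" <<EOF
[ req ]
prompt = no
distinguished_name = dn
[ dn ]
CN = kube-apiserver
[ v3_ext ]
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
basicConstraints = critical, CA:FALSE
authorityKeyIdentifier = keyid
subjectAltName = DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster.local, IP:$SERVICE_IP, IP:$APISERVER_IP
EOF
  sign_leaf apiserver "$LEAF_DAYS"
}

# gen_client_cert NAME CN O DAYS: clientAuth cert; CN is the user, O the group RBAC sees
gen_client_cert() {
  cat > "$WORKDIR/$1.conf" <<EOF
[ req ]
prompt = no
distinguished_name = dn
[ dn ]
O = $3
CN = $2
[ v3_ext ]
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
basicConstraints = critical, CA:FALSE
authorityKeyIdentifier = keyid
EOF
  sign_leaf "$1" "$4"
}

# Checks: each returns 0 on success so it can be used as a condition.
verify_chain()   { openssl verify -CAfile "$WORKDIR/ca.crt" "$WORKDIR/$1.crt" >/dev/null 2>&1; }
valid_at()       { openssl verify -CAfile "$WORKDIR/ca.crt" -attime "$2" "$WORKDIR/$1.crt" >/dev/null 2>&1; }
cert_has_san()   { openssl x509 -in "$WORKDIR/$1.crt" -noout -text | grep -q "$2"; }
cert_has_eku()   { openssl x509 -in "$WORKDIR/$1.crt" -noout -text | grep -A1 'Extended Key Usage' | grep -q "$2"; }
cert_in_group()  { openssl x509 -in "$WORKDIR/$1.crt" -noout -subject -nameopt RFC2253 | grep -q "O=$2"; }
key_is_private() { [ "$(ls -l "$WORKDIR/$1.key" | cut -c1-10)" = "-rw-------" ]; }

gen_ca
gen_apiserver_cert
gen_client_cert admin kubernetes-admin system:masters "$LEAF_DAYS"
gen_client_cert longlived kubernetes-admin system:masters 44444   # outlives the CA: useless past CA expiry
verify_chain apiserver
verify_chain admin
echo "PKI generated and verified in $WORKDIR"
```

Run it as `sh pki.sh`; WORKDIR, SERVICE_IP and APISERVER_IP can be overridden from the environment. The negative check is the one worth keeping in mind: `valid_at longlived` fails at any instant after the CA's notAfter, which is why a leaf's -days beyond the CA's buys nothing.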

 

 

 

etcd:

  1. ca.crt        ca.key

 

Original: https://www.cnblogs.com/dissipate/p/15194842.html
