
K3s生成100年CA证书

查看Openssl版本

openssl version  # the major.minor decides which variant below applies (-addext exists only from 1.1.1)

注意：只需要在第1台运行K3s服务的服务器上执行以下命令生成证书即可

如果版本大于等于1.1.1

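# k3s CA certificates, OpenSSL >= 1.1.1 variant (relies on `req -addext`).
# Run once, on the first k3s server only, before k3s is started: k3s reads the
# CAs from these fixed paths and file names, so neither may be changed.
# Re-signing a CA under an existing cluster invalidates every certificate that
# was issued from it, which is why gen_k3s_ca refuses to overwrite files.

#######################################
# Generate one self-signed CA (private key + certificate) in the current
# directory.
# Arguments: $1 - CA name; writes <name>-ca.key and <name>-ca.crt with
#                 subject CN=k3s-<name>-ca, valid for 36500 days (~100 years)
# Outputs:   openssl diagnostics on stderr
# Returns:   0 on success, 1 if the files already exist or openssl fails
#######################################
gen_k3s_ca() {
  local name=$1
  if [ -e "${name}-ca.key" ] || [ -e "${name}-ca.crt" ]; then
    printf 'refusing to overwrite existing %s-ca.key/.crt in %s\n' "$name" "$PWD" >&2
    return 1
  fi
  # NOTE(review): current OpenSSL is expected to write the private key
  # owner-only (0600); confirm with `ls -l` — the key must not be readable by
  # other users.
  openssl genrsa -out "${name}-ca.key" 2048 || return 1
  # basicConstraints CA:TRUE is not set explicitly here; with `req -x509` it is
  # expected to come from the default config's CA extension section (OpenSSL 3.x
  # adds it itself) — verify with `openssl x509 -in <name>-ca.crt -noout -text`.
  openssl req -x509 -new -nodes -key "${name}-ca.key" -sha256 -days 36500 \
    -out "${name}-ca.crt" \
    -addext keyUsage=critical,digitalSignature,keyEncipherment,keyCertSign \
    -subj "/CN=k3s-${name}-ca"
}

#######################################
# Create the k3s and etcd TLS directories and generate every CA k3s expects.
# Globals:   none (changes the working directory, as the original commands did)
# Returns:   0 on success, 1 on the first failure
#######################################
main() {
  local tls_dir=/var/lib/rancher/k3s/server/tls
  local ca

  # k3s related CAs. Stop if the directory cannot be created or entered, so the
  # keys never land in whatever the current working directory happens to be.
  mkdir -p "$tls_dir" || return 1
  cd "$tls_dir" || return 1
  for ca in client server request-header; do
    gen_k3s_ca "$ca" || return 1
  done

  # etcd related CAs (a separate server-ca.key/.crt lives in this directory).
  mkdir -p "$tls_dir/etcd" || return 1
  cd "$tls_dir/etcd" || return 1
  for ca in peer server; do
    gen_k3s_ca "$ca" || return 1
  done
}
main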

如果版本小于1.1.1

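# k3s CA certificates, OpenSSL < 1.1.1 variant: `-addext` does not exist, so
# the extensions are passed through a generated config section instead.
# `-config <(...)` is bash process substitution — run this with bash, not sh.
# Run once, on the first k3s server only, before k3s is started: k3s reads the
# CAs from these fixed paths and file names, so neither may be changed.
# Re-signing a CA under an existing cluster invalidates every certificate that
# was issued from it, which is why gen_k3s_ca refuses to overwrite files.

#######################################
# Print the minimal openssl config used for every CA: a `[req]` section whose
# distinguished_name points at itself (older `req` insists on a DN section even
# though -subj supplies the subject) and a `[key]` extension section that
# marks the certificate as a CA.
# Outputs:   the config text on stdout
#######################################
ca_ext_config() {
  printf '%s\n' \
    '[req]' \
    'distinguished_name=req' \
    '[key]' \
    'keyUsage=critical,digitalSignature,keyEncipherment,keyCertSign' \
    'basicConstraints=critical,CA:TRUE'
}

#######################################
# Generate one self-signed CA (private key + certificate) in the current
# directory.
# Arguments: $1 - CA name; writes <name>-ca.key and <name>-ca.crt with
#                 subject CN=k3s-<name>-ca, valid for 36500 days (~100 years)
# Outputs:   openssl diagnostics on stderr
# Returns:   0 on success, 1 if the files already exist or openssl fails
#######################################
gen_k3s_ca() {
  local name=$1
  if [ -e "${name}-ca.key" ] || [ -e "${name}-ca.crt" ]; then
    printf 'refusing to overwrite existing %s-ca.key/.crt in %s\n' "$name" "$PWD" >&2
    return 1
  fi
  # NOTE(review): confirm with `ls -l` that the generated key is owner-only
  # (0600); the private key must not be readable by other users.
  openssl genrsa -out "${name}-ca.key" 2048 || return 1
  # `-extensions key` selects the [key] section from the generated config, so
  # keyUsage and basicConstraints CA:TRUE are explicit and independent of the
  # system openssl.cnf.
  openssl req -x509 -new -nodes -key "${name}-ca.key" -sha256 -days 36500 \
    -out "${name}-ca.crt" -subj "/CN=k3s-${name}-ca" \
    -extensions key -config <(ca_ext_config)
}

#######################################
# Create the k3s and etcd TLS directories and generate every CA k3s expects.
# Globals:   none (changes the working directory, as the original commands did)
# Returns:   0 on success, 1 on the first failure
#######################################
main() {
  local tls_dir=/var/lib/rancher/k3s/server/tls
  local ca

  # k3s related CAs. Stop if the directory cannot be created or entered, so the
  # keys never land in whatever the current working directory happens to be.
  mkdir -p "$tls_dir" || return 1
  cd "$tls_dir" || return 1
  for ca in client server request-header; do
    gen_k3s_ca "$ca" || return 1
  done

  # etcd related CAs (a separate server-ca.key/.crt lives in this directory).
  mkdir -p "$tls_dir/etcd" || return 1
  cd "$tls_dir/etcd" || return 1
  for ca in peer server; do
    gen_k3s_ca "$ca" || return 1
  done
}
main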

然后参考K3s生成100年非CA证书

FAQ

查看生成的证书

# Replace xxx.crt with the certificate to inspect; check Validity (Not After),
# X509v3 Key Usage and that Basic Constraints shows CA:TRUE before starting k3s.
openssl x509 -in xxx.crt -noout -text

参考

突破K3s CA 证书10 年有效期的限制 - Ksd的博客 | KSD Blog (kingsd.top)


原文链接:https://www.cnblogs.com/KSPT/p/16688400.html
