tls签名
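# Create a private CA and issue the TLS certificates for the TiKV / PD /
# monitoring components.  All keys, CSRs and certificates are written to
# the current directory.
#
# Requirements: `openssl` on PATH and an openssl.cnf in the current
# directory that defines the `v3_req` extension section used below.
# NOTE(review): confirm openssl.cnf really defines [ v3_req ]; a config
# that only defines e.g. [ v3_ext ] makes every signing step fail.
set -eu

# Root CA: created only once.  Re-generating it would invalidate every
# certificate previously issued from it, so skip when both files exist.
# The key is generated in a subshell with a restrictive umask so it is
# never world-readable (openssl genrsa honours the process umask); the
# subshell keeps the caller's umask untouched for the public artefacts.
if [ ! -e "ca.key" ] || [ ! -e "ca.crt" ]; then
    (umask 077 && openssl genrsa -out ca.key 4096)
    openssl req -new -x509 -days 36500 -subj "/C=CN/ST=Beijing/L=Beijing/O=Qianxin/OU=Zion/CN=QAX-ATS4-CA" -key ca.key -out ca.crt
fi

# issue_server_cert NAME CN
#   Produces NAME.pem (private key, 0600), NAME.csr and NAME.crt, the
#   latter signed by ca.key for 365 days with the v3_req extensions
#   (SANs etc.) taken from openssl.cnf.  The CA serial file (ca.srl) is
#   created on first use by -CAcreateserial.
#   Skipped when NAME.pem and NAME.crt both already exist, so re-running
#   the script does not rotate live keys.  If only one of the pair is
#   missing, both are regenerated so key and certificate always match
#   (the previous check only regenerated when both were absent, leaving
#   a key without its certificate, or vice versa, untouched).
issue_server_cert() {
    name="$1"
    cn="$2"
    if [ -e "${name}.pem" ] && [ -e "${name}.crt" ]; then
        return 0
    fi
    (umask 077 && openssl genrsa -out "${name}.pem" 2048)
    openssl req -new -key "${name}.pem" -out "${name}.csr" -subj "/C=CN/ST=Beijing/L=Beijing/O=Qianxin/OU=Zion/CN=${cn}" -config openssl.cnf
    openssl x509 -req -days 365 -CA ca.crt -CAkey ca.key -CAcreateserial -in "${name}.csr" -out "${name}.crt" -extensions v3_req -extfile openssl.cnf
}

issue_server_cert tikv tikv-server
issue_server_cert pd pd-server
issue_server_cert blackbox_exporter monitor
issue_server_cert grafana grafana-server
issue_server_cert prometheus prometheus-server

# Client certificate: signed without -extfile, so it carries no SAN or
# extendedKeyUsage; relying parties see the CN only.  Unlike the server
# certificates it is regenerated on every run.
# NOTE(review): 36500 days is a ~100-year lifetime for a client
# credential; consider a shorter validity and a rotation procedure.
(umask 077 && openssl genrsa -out client.pem 2048)
openssl req -new -key client.pem -out client.csr -subj "/C=CN/ST=Beijing/L=Beijing/O=Qianxin/OU=Zion/CN=tikv-client"
openssl x509 -req -days 36500 -CA ca.crt -CAkey ca.key -CAcreateserial -in client.csr -out client.crt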
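# Subject Alternative Names: one DNS entry per play host, one IP entry per
# play host, then 127.0.0.1 and any comma-separated VIPs from global_vip_list.
[ alt_names ]
# NOTE(review): a bare "*" wildcard is far broader than the per-host
# entries generated below; confirm it is actually needed and drop it if not.
DNS.1 = *
{# DNS.1 is taken by the wildcard above, so host names start at DNS.2. #}
{% for host in ansible_play_hosts_all %}
DNS.{{ loop.index + 1 }} = {{ hostvars[host]['ansible_nodename'] }}
{% endfor %}
{% for host in ansible_play_hosts_all %}
{% if isuseipv6 is defined and isuseipv6|bool %}
{# Only the global-scope IPv6 address of `interface` is used.  Rendering
   fails when a host has no such address -- presumably intentional, verify
   against the inventory. #}
IP.{{ loop.index }} = {{ (hostvars[host]['ansible_' + interface]['ipv6'] | selectattr('scope', 'equalto', 'global') | list | first).address }}
{% else %}
{# Two spellings of the default IPv4 fact, depending on how facts are injected. #}
{% if hostvars[host]['ansible_facts']['default_ipv4'] is defined %}
IP.{{ loop.index }} = {{ hostvars[host]['ansible_facts']['default_ipv4']['address'] }}
{% else %}
IP.{{ loop.index }} = {{ hostvars[host]['ansible_default_ipv4']['address'] }}
{% endif %}
{% endif %}
{% if loop.last %}
IP.{{ loop.index + 1 }} = 127.0.0.1
{# Keep the last host index so the VIP entries continue numbering after 127.0.0.1. #}
{% set dassl_last = loop.index %}
{% if global_vip_list != None and global_vip_list != '' %}
{# `trim` tolerates whitespace around the commas ("a, b"). #}
{% for item in global_vip_list.split(',') %}
IP.{{ loop.index + dassl_last + 1 }} = {{ item | trim }}
{% endfor %}
{% endif %}
{% endif %}
{% endfor %}

# Extensions applied when signing with `-extensions v3_ext`.
[ v3_ext ]
# keyAgreement only has meaning for DH/ECDH keys; on RSA keys the effective
# bits are digitalSignature, keyEncipherment and dataEncipherment.
keyUsage = critical, digitalSignature, keyEncipherment, dataEncipherment, keyAgreement
# Dual-purpose: the same certificate may be presented as server or client.
extendedKeyUsage = TLS Web Server Authentication, TLS Web Client Authentication
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer:always
subjectAltName = @alt_names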
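# Leaf certificate for the loopback endpoint (CN=127.0.0.1), signed by the
# {{da_ssl_oid}} CA with the v3_ext section (SANs etc.) from openssl.conf.
# The key is generated in a subshell with a restrictive umask so it is never
# world-readable, without altering the umask of the enclosing script.
(umask 077 && openssl genrsa -out 127.0.0.1.key 2048)
openssl req -new -key 127.0.0.1.key -out 127.0.0.1.csr -subj "/C=CN/ST=Beijing/L=Beijing/O=Qianxin/OU=Zion/CN=127.0.0.1"
# NOTE(review): 36500 days is a ~100-year lifetime; consider a shorter
# validity and a rotation procedure for this leaf certificate.
openssl x509 -req -days 36500 -CA "{{da_ssl_oid}}.crt" -CAkey "{{da_ssl_oid}}.key" -CAcreateserial -in 127.0.0.1.csr -out public.crt \
    -extensions v3_ext -extfile openssl.conf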


# Extension section referenced by `openssl x509 -req -extensions v3_ext`.
[ v3_ext ]
# keyAgreement applies only to DH/ECDH keys; it is inert on RSA keys.
keyUsage = critical, digitalSignature, keyEncipherment, dataEncipherment, keyAgreement
# Usable both as a server and as a client certificate.
extendedKeyUsage = TLS Web Server Authentication, TLS Web Client Authentication
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer:always
subjectAltName = @alt_names

# Sample SAN list (example values).
[ alt_names ]
DNS.1 = example.com
DNS.2 = *.example.com
IP.1 = 192.168.1.1