TLS X509 Version3.0

发布时间 2023-08-11 15:26:46 作者: vmsysjack
####################################################
#
# 创建CA X509 version 3.0根证书
#
####################################################

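# Abort on the first failed step so a half-built CA is never left behind
# (the original kept going after, e.g., a failed cd or genrsa).
set -euo pipefail

# Working directory for the CA; everything in it is regenerated from scratch.
CertPath=/k8s/tlsv1
# Pass phrase protecting ca.key. It is exported so OpenSSL can read it with
# "env:CertPD" instead of "pass:..." on the command line, where it would be
# visible in `ps` output and shell history. Can be overridden from the
# environment; the default is the tutorial's value.
export CertPD=${CertPD:-huawei@123}
# Common Name of the root CA.
DomainName=ca.huawei.com

# Remove a previous run. "${CertPath:?}" aborts instead of expanding to ""
# (i.e. rm -rf /) if the variable is ever empty.
rm -rf -- "${CertPath:?}"

#1. Create the certificate directory and work inside it
mkdir -p -- "${CertPath}" && cd -- "${CertPath}"

#2. Create the CA private key "ca.key" (2048-bit RSA, encrypted at rest).
#   AES-256 replaces the original -des3: 3DES is deprecated and its 64-bit
#   block size is weak (Sweet32).
openssl genrsa -aes256 -passout env:CertPD -out "${CertPath}/ca.key" 2048

#3. Self-sign an X.509 v3 CA certificate, valid 20 years.
#   -nodes was dropped: it only affects a key generated by req, and the key
#   here is supplied with -key. CA:TRUE is expected to come from the default
#   openssl.cnf v3_ca section; confirm "Basic Constraints: CA:TRUE" appears
#   in the step-4 dump.
openssl req -x509 -new \
  -key "${CertPath}/ca.key" \
  -passin env:CertPD \
  -sha256 \
  -subj "/C=CN/ST=GuangDong/L=ShenZhen/O=HW/OU=IT/CN=${DomainName}" \
  -days 7300 \
  -out "${CertPath}/ca.crt"

#4. Inspect the certificate
openssl x509 -in "${CertPath}/ca.crt" -text -noout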


#####################################################
#
# 生成X509 3.0证书
# x509 3.0 CA签署的服务器证书
#
#####################################################

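# Abort on the first failed step; a failed CSR or extfile must not be signed.
set -euo pipefail

# Server certificate directory; must match the CA directory used above.
CertPath=/k8s/tlsv1
# Pass phrase for server.key and for the CA key (same value as the CA step).
# Exported so OpenSSL reads it with "env:CertPD" rather than "pass:..." on
# argv, where it is visible in `ps` output and shell history.
export CertPD=${CertPD:-huawei@123}
# Server hostname: used as the CN and as the DNS SAN entry.
DomainName=www.huawei.com
# Optional IP SAN entry; leave unset/empty to omit it.
IP_ADD=${IP_ADD:-}

# The CA material must already exist, otherwise step 4 fails late with a
# confusing OpenSSL error.
if [[ ! -f "${CertPath}/ca.crt" || ! -f "${CertPath}/ca.key" ]]; then
  printf 'error: %s/ca.crt or ca.key not found; run the CA step first\n' "${CertPath}" >&2
  exit 1
fi

# 1. Create the server private key "server.key" (2048-bit RSA, AES-256
#    encrypted; 3DES from the original is deprecated).
openssl genrsa -aes256 -passout env:CertPD -out "${CertPath}/server.key" 2048

# 2. Create the certificate request "server.csr".
#    The original expanded ${DOMAIN_NAME}, which is never assigned, so the
#    CN was empty; the variable defined above is DomainName.
openssl req -new \
  -key "${CertPath}/server.key" \
  -passin env:CertPD \
  -subj "/C=CN/ST=GuangDong/L=ShenZhen/O=HW/OU=IT/CN=${DomainName}" \
  -out "${CertPath}/server.csr"

# 3. Create the extension file "my-ssl.conf".
#    Modern clients validate the SAN and ignore the CN, so DNS.1 must be the
#    real hostname. The IP.1 line is written only when IP_ADD is set; the
#    original always emitted it with the undefined ${IP_ADD}, i.e. empty.
{
  cat <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = ${DomainName}
EOF
  if [[ -n "${IP_ADD}" ]]; then
    printf 'IP.1 = %s\n' "${IP_ADD}"
  fi
} > "${CertPath}/my-ssl.conf"

# 4. Sign the request with the CA and produce "server.crt".
#    The serial file is given an absolute path: the original "-CAserial serial"
#    was relative to the current directory, which only happened to be
#    ${CertPath} if the CA script's cd had run in the same shell.
#    -sha256 is explicit so the signature digest does not depend on the
#    OpenSSL version's default.
openssl x509 -req \
  -in "${CertPath}/server.csr" \
  -CA "${CertPath}/ca.crt" \
  -CAkey "${CertPath}/ca.key" \
  -passin env:CertPD \
  -CAcreateserial \
  -CAserial "${CertPath}/ca.srl" \
  -sha256 \
  -days 3650 \
  -extfile "${CertPath}/my-ssl.conf" \
  -out "${CertPath}/server.crt"

# 5. Inspect the certificate; check that Subject Alternative Name lists the
#    hostname and that Basic Constraints is CA:FALSE.
openssl x509 -in "${CertPath}/server.crt" -text -noout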
创建X509 Version3.0服务器证书文件