526互联

TLS证书文件创建

发布时间 2023-08-19 22:45:25作者: vmsysjack
#####################################################
#
# 创建CA X509 version 1.0根证书
#
#####################################################

#创建证书存放目录
CertPath=/k8s/tlsv2
DomainName=ca.huawei.com

# 1、创建证书文件存放目录
mkdir -p ${CertPath} && cd ${CertPath}
     
# 2、创建CA证书的私钥"ca.key"
openssl genrsa -out  ${CertPath}/ca.key

# 3、 创建CA证书请求"ca.csr"
openssl req -new \
-subj "/C=CN/ST=GuangDong/L=DongGuan/O=HW/OU=IT/CN=${DomainName}"  \
-key  ${CertPath}/ca.key \
-out  ${CertPath}/ca.csr

# 4、 创建3年有效期的CA证书"ca.crt"
openssl x509 -req \
-days  3650 \
-in ${CertPath}/ca.csr \
-signkey ${CertPath}/ca.key \
-out ${CertPath}/ca.crt

# 5、查看证书文件
openssl x509 -in ${CertPath}/ca.crt -text -noout
chmod 777 ${CertPath}/ca* && ls -l ${CertPath}/


#####################################################
# 
# 生成X509 3.0证书,证书key文件不加密
# CA签署的服务器证书
#
#####################################################

ServerName=server
DomainName=huawei.com

# 1、创建服务证书的私钥"xxx.key"
openssl genrsa -out ${CertPath}/${ServerName}.key


# 2、创建服务器证书请求文件 "xxx.csr"
openssl req -new \
-subj "/C=CN/ST=GuangDong/L=DongGuan/O=HW/OU=IT/CN=${ServerName}.${DomainName}"  \
-key ${CertPath}/${ServerName}.key \
-out ${CertPath}/${ServerName}.csr


# 3、创建证书扩展文件
cat > ${CertPath}/my-ssl.conf <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = kubernetes
DNS.2 = kubernetes.default
DNS.3 = kubernetes.default.svc
DNS.4 = kubernetes.default.svc.cluster
DNS.5 = kubernetes.default.svc.cluster.local
DNS.6 = www.huawei.com
DNS.7 = localhost
IP.1 = 168.7.10.201
IP.2 = 168.7.10.202
IP.3 = 168.7.10.203
IP.4 = 168.7.10.204
IP.4 = 127.0.0.1
EOF


# 4、签发X509 3.0服务器证书文件
openssl x509 -req \
-in  ${CertPath}/${ServerName}.csr \
-out  ${CertPath}/${ServerName}.crt \
-days 3650 \
-CAcreateserial -CA ${CertPath}/ca.crt \
-CAkey ${CertPath}/ca.key \
-CAserial serial \
-extfile ${CertPath}/my-ssl.conf




# 4、签发X509 1.0服务器证书文件,即: "xxx.crt"
# openssl x509 -req \
# -in  ${CertPath}/${ServerName}.csr \
# -out  ${CertPath}/${ServerName}.crt \
# -days 3650 \
# -CAcreateserial -CA ${CertPath}/ca.crt \
# -CAkey ${CertPath}/ca.key

# 5、查看证书文件
openssl x509 -in  ${CertPath}/${ServerName}.crt  -text -noout
chmod 777 ${CertPath}/${ServerName}.* && ls -l ${CertPath}/
CA1.0--Cert3.0