第一步:系统基本设置
1 关闭防火墙,selinux
2 关闭swap
3 同步时间
第二步:cfssl自签证书(下载地址:https://pkg.cfssl.org/)
curl -L https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 -o /usr/local/bin/cfssl
curl -L https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 -o /usr/local/bin/cfssljson
curl -L https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64 -o /usr/local/bin/cfssl-certinfo
我这里直接下载到/usr/local/bin下,并重新命名了。(如下图)
创建目录test,并进入:mkdir test && cd test
手动编写以下三个配置文件
vim ca-config.json
{
"signing": {
"default": {
"expiry": "87600h"
},
"profiles": {
"www": {
"expiry": "87600h",
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
]
}
}
}
}
vim server-csr.json
{
"CN": "etcd",
"hosts": [
"192.168.31.61",
"192.168.31.62",
"192.168.31.63"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "BeiJing",
"ST": "BeiJing"
}
]
}
vim ca-csr.json
{
"CN": "etcd CA",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "Beijing",
"ST": "Beijing"
}
]
}
执行以下命令,就可以获取相差证书了
cfssl gencert -initca ca-csr.json | cfssljson -bare ca - # 生成ca证书,这个证书的作用相当于:颁发证书的机构
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=www server-csr.json | cfssljson -bare server # 生成一个server的证书
生成的证书配置到相应服务
【未完待续】
原文:https://www.cnblogs.com/yeyu1314/p/13060545.html