openssl的命令太多了,非常不容易记住,在此记下常用的:
# Generate a 2048-bit RSA private key.
# The subshell scopes umask 077 to this one command, so the key file is
# created without group/other permissions and the caller's umask is untouched.
(
  umask 077
  openssl genrsa -out dashboard.key 2048
)

# Build a certificate signing request (CSR) from the private key.
openssl req -new \
  -key dashboard.key \
  -out dashboard.csr \
  -subj "/O=dashboard/CN=dashboard"

# Have the CA sign the CSR, producing the certificate.
# -CAcreateserial creates the CA serial-number file if it does not exist yet.
# NOTE(review): no subjectAltName is set; current TLS clients commonly match
# host names against the SAN and ignore CN, so add one (e.g. via -extfile)
# when this certificate is used for host-name verification.
# NOTE(review): ca.key signs everything the CA vouches for; keep it
# owner-readable only, like the key generated above.
openssl x509 -req \
  -in dashboard.csr \
  -CA ca.crt \
  -CAkey ca.key \
  -out dashboard.crt \
  -CAcreateserial \
  -days 3650

# Print a certificate as text, without echoing the PEM blob.
openssl x509 -in apiserver-kubelet-client.crt -text -noout

# Create a self-signed certificate directly from an existing key.
# No -days is given, so the validity period is OpenSSL's default (30 days).
openssl req -new -x509 \
  -key tls.key \
  -out tls.crt \
  -subj "/CN=aaa.baidu.com"
另一份完整示例:
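# Generate the CA private key (2048-bit RSA).
# umask 077 inside the subshell keeps the key file owner-only.
(umask 077; openssl genrsa -out cakey.pem 2048)

# Create the CA's self-signed certificate, valid for 365 days.
openssl req -new -x509 -key cakey.pem -out cacert.pem -days 365 \
  -subj "/O=devops/CN=ca.ilinux.com"

# Generate the private key for the CA's client (here: the nginx server).
# Uses the same umask 077 subshell and explicit 2048-bit size as the CA key:
# without them the file mode can depend on the caller's umask and the
# OpenSSL version, and the key size falls back to that build's default.
(umask 077; openssl genrsa -out nginx.key 2048)

# Create the client's CSR; the CN is assumed to be www.ilinux.com.
openssl req -new -key nginx.key -out nginx.csr \
  -subj "/O=devops/CN=www.ilinux.com"

# Sign the client's CSR with the CA to issue its certificate.
# -CAcreateserial creates the CA serial-number file if it does not exist yet.
# NOTE(review): this certificate is issued for 3650 days, but the CA
# certificate above expires after 365; the chain stops validating once the
# CA certificate expires, so align the two lifetimes.
# NOTE(review): no subjectAltName is set; current TLS clients commonly match
# host names against the SAN and ignore CN, so add one (e.g. via -extfile).
openssl x509 -req -in nginx.csr -CA cacert.pem -CAkey cakey.pem \
  -out nginx.crt -CAcreateserial -days 3650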