Create certificates using CFSSL for k8s deployment

Install CFSSL

curl -s -L -o /bin/cfssl https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
curl -s -L -o /bin/cfssljson https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
curl -s -L -o /bin/cfssl-certinfo https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
chmod +x /bin/cfssl*

Container-related certificate types

client certificate: used by a client to authenticate itself to a server, e.g. etcdctl, etcd proxy, fleetctl, Docker clients
server certificate: used by a server to prove its identity to clients, e.g. the Docker daemon, kube-apiserver
peer certificate: a dual-purpose certificate (server auth and client auth) for communication between etcd cluster members

Create CA Certificate

Generate default CA configuration

mkdir /opt/ssl
cd /opt/ssl
cfssl print-defaults config > ca-config.json
cfssl print-defaults csr > ca-csr.json

Modify ca-config.json to configure profiles for the three certificate types, each with a validity period of 43800h (five years)

{
    "signing": {
        "default": {
            "expiry": "43800h"
        },
        "profiles": {
            "server": {
                "expiry": "43800h",
                "usages": [
                    "signing",
                    "key encipherment",
                    "server auth"
                ]
            },
            "client": {
                "expiry": "43800h",
                "usages": [
                    "signing",
                    "key encipherment",
                    "client auth"
                ]
            },
            "peer": {
                "expiry": "43800h",
                "usages": [
                    "signing",
                    "key encipherment",
                    "server auth",
                    "client auth"
                ]
            }
        }
    }
}

Modify ca-csr.json

{
    "CN": "Self Signed Ca",
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "SH",
            "O": "Netease",
            "ST": "SH",
            "OU": "OT"
        }
    ]
}

Generate CA certificate and private key

cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
This produces ca.pem, ca.csr and ca-key.pem (the CA private key, which must be stored securely; anyone holding it can issue certificates trusted by the cluster)

Issue Server Certificate

cfssl print-defaults csr > server.json
vim server.json
{
    "CN": "Server",
    "hosts": [
        "192.168.1.1"
    ],
    "key": {
        "algo": "ecdsa",
        "size": 256
    },
    "names": [
        {
            "C": "CN",
            "L": "SH",
            "ST": "SH"
        }
    ]
}

Generate the server certificate and private key

cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=server server.json | cfssljson -bare server

Issue Client Certificate

cfssl print-defaults csr > client.json
vim client.json
{
    "CN": "Client",
    "hosts": [],
    "key": {
        "algo": "ecdsa",
        "size": 256
    },
    "names": [
        {
            "C": "CN",
            "L": "SH",
            "ST": "SH"
        }
    ]
}

Generate the client certificate and private key

cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=client client.json | cfssljson -bare client

Issue peer certificate

cfssl print-defaults csr > member1.json
vim member1.json
{
    "CN": "member1",
    "hosts": [
        "192.168.1.1"
    ],
    "key": {
        "algo": "ecdsa",
        "size": 256
    },
    "names": [
        {
            "C": "CN",
            "L": "SH",
            "ST": "SH"
        }
    ]
}

Generate the certificate and private key for node member1:

cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=peer member1.json | cfssljson -bare member1

For etcd, generate a peer certificate and private key for each etcd node in the same way, listing that node's own address in "hosts"

Verify the Certificates

Verify that the generated certificates match the configuration (check the Validity period, the Subject, the X509v3 Extended Key Usage and the Subject Alternative Name entries against the profile and CSR used)

openssl x509 -in ca.pem -text -noout
openssl x509 -in server.pem -text -noout
openssl x509 -in client.pem -text -noout
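Checking the JSON inputs before signing catches most of the mistakes that the openssl inspection above would otherwise reveal only after the fact (a server or peer CSR with no hosts, a profile missing "server auth" or "client auth", an expiry longer than intended). The following Python is an added example, not part of the original post or of CFSSL; it checks the profile usages and CSR fields described above against a constructed sample that mirrors the article's peer profile and member1 CSR, with a five-year limit assumed from the 43800h figure.

```python
# Usages each ca-config.json profile must grant for the certificate type it signs.
REQUIRED_USAGES = {
    "server": {"server auth"},
    "client": {"client auth"},
    "peer": {"server auth", "client auth"},
}
MAX_YEARS = 5  # assumed limit: the article's 43800h profiles are meant to be five years

def expiry_hours(expiry):
    """Parse a cfssl expiry such as '43800h' into an integer number of hours."""
    if not expiry.endswith("h"):
        raise ValueError(f"expiry must be given in hours, got {expiry!r}")
    return int(expiry[:-1])

def check_profiles(config):
    """Return the problems found in a ca-config.json dict (empty list means OK)."""
    problems = []
    profiles = config.get("signing", {}).get("profiles", {})
    for name, required in REQUIRED_USAGES.items():
        profile = profiles.get(name)
        if profile is None:
            problems.append(f"profile {name!r} is missing")
            continue
        missing = required - set(profile.get("usages", []))
        if missing:
            problems.append(f"profile {name!r} lacks usages {sorted(missing)}")
        if expiry_hours(profile.get("expiry", "0h")) > MAX_YEARS * 8760:
            problems.append(f"profile {name!r} expiry is longer than {MAX_YEARS} years")
    return problems

def check_csr(csr, profile):
    """Return the problems in a CSR dict for the profile it will be signed with."""
    problems = []
    hosts = csr.get("hosts", [])
    if profile in ("server", "peer") and not hosts:
        problems.append(f"{profile} CSR needs at least one host for the SAN list")
    if profile == "client" and hosts:
        problems.append("client CSR should not list hosts; CN/O identify the client")
    key = csr.get("key", {})
    minimum = {"rsa": 2048, "ecdsa": 256}.get(key.get("algo"), 0)
    if key.get("size", 0) < minimum:
        problems.append(f"{key.get('algo')} key size {key.get('size')} is below {minimum}")
    return problems

# Constructed sample input mirroring the article's profiles and the member1 CSR.
SAMPLE_CONFIG = {"signing": {"profiles": {
    "server": {"expiry": "43800h", "usages": ["signing", "key encipherment", "server auth"]},
    "client": {"expiry": "43800h", "usages": ["signing", "key encipherment", "client auth"]},
    "peer": {"expiry": "43800h", "usages": ["signing", "key encipherment", "server auth", "client auth"]},
}}}
SAMPLE_CSR = {"CN": "member1", "hosts": ["192.168.1.1"], "key": {"algo": "ecdsa", "size": 256}}

if __name__ == "__main__":
    print("\n".join(check_profiles(SAMPLE_CONFIG) + check_csr(SAMPLE_CSR, "peer")) or "OK")
```

To check real files, load ca-config.json and the CSR with json.load and pass the resulting dicts to check_profiles and check_csr.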

From: http://blog.simlinux.com/archives/1953.html


Posted on Tue, 03 Mar 2020 08:16:20 -0800 by Pyrite