Generate the key
$ openssl genrsa -out mkt.key 2048
Generate a CSR from the key
CN: set to mkt
$ openssl req -new -key mkt.key -out mkt.csr -subj "/CN=mkt"
Sign the CSR with the apiserver's CA to produce the crt
$ openssl x509 -req -in mkt.csr -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -out mkt.crt -days 1095
Signature ok
subject=CN = mkt
Getting CA Private Key
Generated files:
root@master1:~/tmp# ls
mkt.crt mkt.csr mkt.key
View the certificate
$ openssl x509 -in mkt.crt -text -noout
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            01:60:fb:9a:ce:5e:59:28:b0:e3:d6:76:90:99:eb:52:41:a5:b9:86
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = kubernetes
        Validity
            Not Before: Jan 3 06:44:53 2024 GMT
            Not After : Jan 2 06:44:53
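
Before handing mkt.crt and mkt.key to a user, it helps to check what was actually issued: the apiserver takes the CN as the username and each O value as a group, and Kubernetes has no way to revoke a client certificate once it is signed. The shell functions below are an added example, not part of the original page; the function names and the MAX_DAYS policy are assumptions, and only standard openssl subcommands are used.

```sh
#!/bin/sh
# Added example: audit a client certificate such as mkt.crt before
# distributing it. Function names are hypothetical.

# Print the Subject CN, which the apiserver uses as the username.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Succeed only if the private key belongs to the certificate.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# audit_client_cert CERT KEY CA_CERT MAX_DAYS
# Returns 0 if all checks pass, otherwise:
#   1 = not signed by CA_CERT (or expired)   2 = key/cert mismatch
#   3 = subject carries O=system:masters     4 = valid longer than MAX_DAYS
audit_client_cert() {
    cert=$1 key=$2 ca=$3 max_days=$4
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || return 1
    key_matches_cert "$cert" "$key" || return 2
    # O= values become Kubernetes groups; system:masters bypasses RBAC.
    if openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 |
        grep -q 'O=system:masters'; then
        return 3
    fi
    # -checkend exits 0 when the cert is still valid N seconds from now.
    if openssl x509 -in "$cert" -noout -checkend $((max_days * 86400)) >/dev/null; then
        return 4
    fi
    echo "OK: user=$(cert_cn "$cert"), expires $(openssl x509 -in "$cert" -noout -enddate | cut -d= -f2)"
}
```

Called as `audit_client_cert mkt.crt mkt.key /etc/kubernetes/pki/ca.crt 365`, it returns 4 for a certificate freshly signed with -days 1095 as above.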