证书创建方法
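# Create a private CA, issue a CA-signed TLS certificate for the dashboard
# ingress, and load that certificate into the cluster as a TLS secret.
# Needs write access to /etc/kubernetes and a working kubectl context.

# -p keeps a re-run from failing when the directory already exists.
mkdir -p /etc/kubernetes/ssl
# Stop here if the directory is unusable, so that no key material is written
# into whatever the current directory happens to be.
cd /etc/kubernetes/ssl || exit 1

# CA private key. Generated under a restrictive umask so the file is never
# group- or world-readable: anyone who can read ca-key.pem can issue
# certificates that every client trusting ca.pem will accept.
(umask 077 && openssl genrsa -out ca-key.pem 2048)
# Self-signed CA certificate, valid for 10000 days (roughly 27 years).
# -sha256 pins the signature digest instead of relying on the build's default.
# NOTE(review): that is a long lifetime for a 2048-bit RSA key; consider a
# larger key or a shorter validity, and move ca-key.pem off the node once
# signing is finished.
openssl req -x509 -new -nodes -sha256 -key ca-key.pem -days 10000 -out ca.pem -subj "/CN=kube-ca"

# Request/extension profile for the server certificate. Written with '>' so a
# re-run replaces the file instead of appending duplicate sections, and with a
# quoted delimiter so the shell expands nothing inside it.
# extendedKeyUsage = serverAuth limits the certificate to TLS server use.
# The names under [alt_names] must cover every hostname/IP clients connect to.
cat > openssl.cnf << 'EOF'
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = dashboard.yiwu.com
# Service IP of the k8s cluster
IP.1 = 10.254.0.1
IP.2 = 192.168.23.128
EOF

# Server private key, same restrictive permissions as the CA key.
(umask 077 && openssl genrsa -out ingress-key.pem 2048)
# Certificate signing request for the ingress hostname.
openssl req -new -key ingress-key.pem -out ingress.csr -subj "/CN=dashboard.yiwu.com" -config openssl.cnf
# Sign the CSR with the CA. -extensions/-extfile are required here: x509 -req
# does not copy the extensions requested in the CSR, so without them the
# issued certificate would carry no subjectAltName.
# Valid for 365 days: the secret below has to be re-issued before it expires.
openssl x509 -req -sha256 -in ingress.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out ingress.pem -days 365 -extensions v3_req -extfile openssl.cnf

# Store key + certificate as a TLS secret in kube-system. "create" fails if a
# secret with this name already exists; delete or replace it when renewing.
kubectl create secret tls ingress-secret --key ingress-key.pem --cert ingress.pem -n kube-system
# Create the ingress resource that references the secret.
kubectl create -f /opt/docker/conf/dashboard/dashboard-ingress-tls.yaml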
dashboard-ingress.yaml
pem文件转cer文件
用命令行执行下面的命令:
1. 把PEM转成PKCS12格式(cacert.pem 需同时包含证书和私钥;若只有证书,需加 -nokeys。导出的 .p12 含私钥,请设置导出密码并妥善保管)
openssl pkcs12 -export -out cacert.p12 -in cacert.pem
2. 把PKCS12转成crt
openssl pkcs12 -in cacert.p12 -out mycerts.crt -nokeys -clcerts
3. 把crt转成cer
openssl x509 -inform pem -in mycerts.crt -outform der -out mycerts.cer