####################################################
#
# 创建CA X509 version 3.0根证书
#
####################################################
rm -rf /k8s/tlsv1
CertPath=/k8s/tlsv1
CertPD=huawei@123
DomainName=ca.huawei.com
#1、创建证书存放目录
mkdir -p ${CertPath} && cd ${CertPath}
#2、创建CA证书的私钥"cacert-key.pem"
openssl genrsa -des3 -out ${CertPath}/ca.key -passout pass:${CertPD} 2048
#3、生产X509 Version3类型证书
openssl req -x509 -new -nodes \
-key ${CertPath}/ca.key \
-sha256 \
-subj "/C=CN/ST=GuangDong/L=ShenZhen/O=HW/OU=IT/CN=${DomainName}" \
-days 7300 \
-out ${CertPath}/ca.crt \
-passin pass:${CertPD}
# 4、查看证书文件
openssl x509 -in ${CertPath}/ca.crt -text -noout
#####################################################
#
# 生成X509 3.0证书
# x509 3.0 CA签署的服务器证书
#
#####################################################
# 服务器证书存放路径,需与CA证书存放路径保持一致
CertPath=/k8s/tlsv1
# 证书明文密码
CertPD=huawei@123
# 服务器证书域名
DomainName=www.huawei.com
# 1、创建服务器证书的私钥"server.key"
openssl genrsa -des3 -out ${CertPath}/server.key -passout pass:${CertPD} 2048
# 2、创建服务器证书请求文件"server.csr"
openssl req -new \
-subj "/C=CN/ST=GuangDong/L=ShenZhen/O=HW/OU=IT/CN=${DomainName}" \
-key ${CertPath}/server.key \
-out ${CertPath}/server.csr \
-passin pass:${CertPD}
# 3、创建证书扩展文件"my-ssl.conf"
# 更改相应IP和DNS地址
#
cat > ${CertPath}/my-ssl.conf <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = www.baidu.com
DNS.2 = www.qq.com
DNS.3 = www.huawei.com
IP.1 = 1.1.1.1
IP.2 = 2.2.2.2
IP.3 = 3.3.3.3
EOF
# 4、签发并生成服务器证书
openssl x509 -req \
-in ${CertPath}/server.csr \
-out ${CertPath}/server.crt \
-days 3650 \
-CAcreateserial \
-CA ${CertPath}/ca.crt \
-CAkey ${CertPath}/ca.key \
-CAserial serial \
-extfile ${CertPath}/my-ssl.conf \
-passin pass:${CertPD}
# 5、查看证书文件
openssl x509 -in ${CertPath}/server.crt -text -noout
