Kubernetes deployment: CA certificate production

Make CA certificate manually

1. Install CFSSL

[root@node-01  ~]# cd /usr/local/src
[root@node-01  src]# wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
[root@node-01  src]# wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
[root@node-01  src]# wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
[root@node-01  src]# chmod +x cfssl*
[root@node-01  src]# mv cfssl-certinfo_linux-amd64 /data/kubernetes/bin/cfssl-certinfo
[root@node-01  src]# mv cfssljson_linux-amd64  /data/kubernetes/bin/cfssljson
[root@node-01  src]# mv cfssl_linux-amd64  /data/kubernetes/bin/cfssl
//Copy the cfssl binaries to every node (the target host is missing from the original line; <node-ip> is a placeholder, repeat for each node)
[root@node-01  ~]# scp /data/kubernetes/bin/cfssl* root@<node-ip>:/data/kubernetes/bin
//Add /data/kubernetes/bin to the PATH environment variable
[root@node-01 ~]# echo 'PATH=/data/kubernetes/bin:$PATH' >>/etc/profile
[root@node-01 ~]# source /etc/profile

2. Initialize cfssl

Generate the default configuration files; the files in the following steps are edited from these templates.

[root@node-01  src]# mkdir ssl && cd ssl
[root@node-01  ssl]# cfssl print-defaults config > config.json
[root@node-01  ssl]# cfssl print-defaults csr > csr.json

3. Create the JSON configuration file used to generate the CA

server auth means that a client can use the CA to verify the certificate presented by a server

client auth means that a server can use the CA to verify the certificate presented by a client

[root@node-01 ssl]# vim ca-config.json
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "kubernetes": {
        "usages": [
            "key encipherment",
            "server auth",
            "client auth"
        ],
        "expiry": "87600h"
      }
    }
  }
}

4. Create the JSON file for the CA certificate signing request (CSR)

[root@node-01 ssl]# vim ca-csr.json
{
  "CN": "kubernetes",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}

5. Generate the CA certificate (ca.pem) and key (ca-key.pem)

[root@node-01 ssl]# cfssl gencert -initca ca-csr.json | cfssljson -bare ca
[root@node-01 ssl]# ls -l ca*
-rw-r--r-- 1 root root  292 Dec 24 16:11 ca-config.json
-rw-r--r-- 1 root root 1001 Dec 24 16:15 ca.csr
-rw-r--r-- 1 root root  208 Dec 24 16:14 ca-csr.json
-rw------- 1 root root 1679 Dec 24 16:15 ca-key.pem
-rw-r--r-- 1 root root 1359 Dec 24 16:15 ca.pem

6. Distribute the certificate

[root@node-01 ssl]# cp ca.csr ca.pem ca-key.pem ca-config.json /data/kubernetes/ssl
//scp the certificate files to all nodes
[root@node-01 ssl]# for n in `seq 202 206`;do scp ca.csr ca.pem ca-key.pem ca-config.json root@10.31.90.$n:/data/kubernetes/ssl;done 
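Steps 3 to 6 as one script, added here as an example and not part of the original post. It embeds the two JSON files from steps 3 and 4 (so the "server auth" plus "client auth" point above is what `profile_has_usages` checks), runs `cfssl gencert -initca` when cfssl is on PATH, and then performs the checks a practitioner would want before copying the CA anywhere: the signing key is mode 0600 and ca.pem really is a CA certificate. Assumptions: `WORKDIR` is a temporary directory rather than /data/kubernetes/ssl, `cert_is_ca` uses openssl (which the page does not use), and the `distribute` call is left commented out because the node addresses are deployment-specific.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): steps 3-6 as one script plus checks.
# Assumptions: cfssl/cfssljson from step 1 are on PATH when generation runs;
# WORKDIR is a scratch directory, not /data/kubernetes/ssl.
set -u

# Step 3: the page's ca-config.json. The single "kubernetes" profile allows both
# server auth and client auth, so one CA verifies either side of a TLS handshake.
write_ca_config() {
  cat > "$1/ca-config.json" <<'EOF'
{
  "signing": {
    "default": { "expiry": "87600h" },
    "profiles": {
      "kubernetes": {
        "usages": [ "key encipherment", "server auth", "client auth" ],
        "expiry": "87600h"
      }
    }
  }
}
EOF
}

# Step 4: the page's ca-csr.json (subject fields exactly as on the page).
write_ca_csr() {
  cat > "$1/ca-csr.json" <<'EOF'
{
  "CN": "kubernetes",
  "key": { "algo": "rsa", "size": 2048 },
  "names": [ { "C": "CN", "ST": "BeiJing", "L": "BeiJing", "O": "k8s", "OU": "System" } ]
}
EOF
}

# Return 0 only if every usage named in "$@" appears in the config file.
# grep keeps this jq-free; the page's file has one profile, so a whole-file
# match is equivalent to a per-profile match here.
profile_has_usages() {
  local file=$1 u
  shift
  for u in "$@"; do
    grep -q "\"$u\"" "$file" || return 1
  done
}

# Return 0 only if the file is mode 0600 (what cfssljson sets on ca-key.pem).
key_mode_ok() {
  local mode
  mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null) || return 1
  [ "$mode" = "600" ]
}

# Step 5: self-signed CA from the CSR file; produces ca.pem, ca-key.pem and ca.csr.
generate_ca() {
  (cd "$1" && cfssl gencert -initca ca-csr.json | cfssljson -bare ca) >/dev/null
}

# Confirm the certificate carries basicConstraints CA:TRUE (needs openssl).
cert_is_ca() {
  openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# Step 6: copy the files to each node. The page copies ca-key.pem as well; every
# host that holds it can issue certificates the cluster trusts.
distribute() {
  local dir=$1 host
  shift
  for host in "$@"; do
    scp "$dir/ca.csr" "$dir/ca.pem" "$dir/ca-key.pem" "$dir/ca-config.json" \
      "root@$host:/data/kubernetes/ssl"
  done
}

WORKDIR="${WORKDIR:-$(mktemp -d)}"
write_ca_config "$WORKDIR"
write_ca_csr "$WORKDIR"
profile_has_usages "$WORKDIR/ca-config.json" "server auth" "client auth" \
  || { echo "profile is missing a required usage" >&2; exit 1; }

if command -v cfssl >/dev/null && command -v cfssljson >/dev/null; then
  generate_ca "$WORKDIR"
  key_mode_ok "$WORKDIR/ca-key.pem" || echo "warning: ca-key.pem is not mode 0600" >&2
  command -v openssl >/dev/null && cert_is_ca "$WORKDIR/ca.pem" && echo "ca.pem is a CA certificate"
  # distribute "$WORKDIR" 10.31.90.202 10.31.90.203   # uncomment with the real node IPs
else
  echo "cfssl not found; config files written to $WORKDIR, generation skipped"
fi
```

Two points the script makes visible. First, `cfssl gencert -initca` reads only ca-csr.json, and that file has no `ca` block, so the CA certificate's own lifetime comes from cfssl's default rather than the 87600h in ca-config.json; the latter applies to certificates later signed with the kubernetes profile. `cfssl-certinfo -cert ca.pem` shows the actual not_after. Second, step 6 places ca-key.pem on every node, so the 0600 check matters on each of those hosts, not just on node-01.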

In the future, all of the installation documents will be updated. If you think this was written well, I hope you will keep following along. Thank you very much!

Tags: Kubernetes SSL JSON vim

Posted on Tue, 03 Dec 2019 10:42:32 -0500 by CONTEMAN