cfssl详解1


cfssl详解1

一、安装包获取

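# Fetch the cfssl 1.6.1 Linux/amd64 binary from the project's GitHub releases.
# The original URL was truncated on this page; it is restored from the file name.
wget -c https://github.com/cloudflare/cfssl/releases/download/v1.6.1/cfssl_1.6.1_linux_amd64
# Print the SHA-256 and compare it by hand with the checksum published alongside
# the release before trusting the binary: it will later handle CA private keys.
sha256sum cfssl_1.6.1_linux_amd64
mv cfssl_1.6.1_linux_amd64 cfssl
# The downloaded file is not executable; ./cfssl is invoked directly below.
chmod +x cfssl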

二、相关命令详解

2.1 cfssl --help 打印详细信息

[root@master01 bin]# ./cfssl  --help
Usage:
Available commands:
	bundle
	crl
	serve
	version
	ocspdump
	info
	gencrl
	ocspsign
	scan
	revoke
	certinfo
	genkey
	ocsprefresh
	ocspserve
	print-defaults
	sign
	gencert
	gencsr
	selfsign
Top-level flags:
  -alsologtostderr
    	log to standard error as well as files
  -log_backtrace_at value
    	when logging hits line file:N, emit a stack trace
  -log_dir string
    	If non-empty, write log files in this directory
  -logtostderr
    	log to standard error instead of files
  -stderrthreshold value
    	logs at or above this threshold go to stderr
  -v value
    	log level for V logs
  -vmodule value
    	comma-separated list of pattern=N settings for file-filtered logging
[root@master01 bin]# 

2.2 cfssl version 打印版本信息

[root@master01 bin]# ./cfssl version
Version: 1.6.1
Runtime: go1.12.12
[root@master01 bin]# 

2.3 cfssl print-defaults 打印出默认配置文件

[root@master01 bin]# ./cfssl  print-defaults  list
Default configurations are available for:
	config
	csr
[root@master01 bin]# 

打印默认配置

[root@master01 bin]# ./cfssl  print-defaults  config
{"signing": {"default": {"expiry": "168h"},"profiles": {"www": {"expiry": "8760h","usages": ["signing","key encipherment","server auth"]},"client": {"expiry": "8760h","usages": ["signing","key encipherment","client auth"]}}}
}

打印默认证书请求文件

[root@master01 bin]# ./cfssl  print-defaults csr
{"CN": "example","hosts": ["example","www.example"],"key": {"algo": "ecdsa","size": 256},"names": [{"C": "US","ST": "CA","L": "San Francisco"}]
}[root@master01 bin]# 

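2.4 cfssl genkey csr.json 从json文件中生成一个证书签名请求和一个私钥(csr.json 可由上面的 cfssl print-defaults csr 命令获取)

注意:该命令会把私钥以明文 JSON 的形式直接输出到标准输出。实际使用时建议通过管道交给 cfssljson -bare 写入文件,并妥善保管私钥文件;下面输出中的私钥仅作演示,不要复用。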

[root@master01 cfssl]# /opt/kubernetes/bin/cfssl  genkey   csr.json 
2023/07/16 08:28:30 [INFO] generate received request
2023/07/16 08:28:30 [INFO] received CSR
2023/07/16 08:28:30 [INFO] generating key: ecdsa-256
2023/07/16 08:28:30 [INFO] encoded CSR
{"csr":"-----BEGIN CERTIFICATE REQUEST-----\nMIIBPDCB5AIBADBIMQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0ExFjAUBgNVBAcT\nDVNhbiBGcmFuY2lzY28xFDASBgNVBAMTC2V4YW1wbGUubmV0MFkwEwYHKoZIzj0C\nAQYIKoZIzj0DAQcDQgAEz6f2FcnyV2kwYf04efFT6fLKVVj94Y8EJzbKxUgxH8rb\nfihaoobRk1IiSmx7mKhUPwostYJ9n2ff4qVTnxSTe6A6MDgGCSqGSIb3DQEJDjEr\nMCkwJwYDVR0RBCAwHoILZXhhbXBsZS5uZXSCD3d3dy5leGFtcGxlLm5ldDAKBggq\nhkjOPQQDAgNHADBEAiA2LzUYH4l9kEJR4CvG3l06LuBIJyHGaJwlKdZelg2WBwIg\nE6wsshsrjOgv32E7/gWOrWKQZOQ6o/n6BI0gisVnPvE=\n-----END CERTIFICATE REQUEST-----\n","key":"-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIE9dAXiV164jh+6lkqrkYRvjGD5VRZJBOgS/jXk5jMz7oAoGCCqGSM49\nAwEHoUQDQgAEz6f2FcnyV2kwYf04efFT6fLKVVj94Y8EJzbKxUgxH8rbfihaoobR\nk1IiSmx7mKhUPwostYJ9n2ff4qVTnxSTew==\n-----END EC PRIVATE KEY-----\n"}
[root@master01 cfssl]# 

2.5 cfssl genkey -initca csr.json 从json文件中生成一个证书签名请求和一个私钥,并生成一个自签名的证书(一般是根证书)

注意:输出中的 key 字段是 CA 私钥,拿到它的人可以用该 CA 签发任意证书,因此不应出现在终端记录、日志或公开文档中。

[root@master01 cfssl]# /opt/kubernetes/bin/cfssl  genkey -initca  csr.json 
2023/07/16 08:47:24 [INFO] generate received request
2023/07/16 08:47:24 [INFO] received CSR
2023/07/16 08:47:24 [INFO] generating key: ecdsa-256
2023/07/16 08:47:24 [INFO] encoded CSR
2023/07/16 08:47:24 [INFO] signed certificate with serial number 327648792318884080755224335626427538051858180551
{"cert":"-----BEGIN CERTIFICATE-----\nMIIB1DCCAXqgAwIBAgIUOWRHrQ+9VzqoDWxU06UB/orgKccwCgYIKoZIzj0EAwIw\nSDELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1TYW4gRnJhbmNp\nc2NvMRQwEgYDVQQDEwtleGFtcGxlLm5ldDAeFw0yMzA3MTYxNTQyMDBaFw0yODA3\nMTQxNTQyMDBaMEgxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEWMBQGA1UEBxMN\nU2FuIEZyYW5jaXNjbzEUMBIGA1UEAxMLZXhhbXBsZS5uZXQwWTATBgcqhkjOPQIB\nBggqhkjOPQMBBwNCAARIFQNPl58Mjwy76vh7FeFLGPp1kRrQlILqQ8gaChLPSoEo\nmqr6sRXFO2W5xXHv6p3m3h399OLzrIrpctlFg+R4o0IwQDAOBgNVHQ8BAf8EBAMC\nAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUuPxbGOXaAVCiuS8muTQTkoWi\nXUAwCgYIKoZIzj0EAwIDSAAwRQIgO3By1tlP0gH4X7CvePoTSTCGQUEITFl3bnVq\nVwQ3E/UCIQDL3alQmOiv+IxbJaDHvAawVaRgtgBtYDqS1htW3QK0wQ==\n-----END CERTIFICATE-----\n","csr":"-----BEGIN CERTIFICATE REQUEST-----\nMIIBPTCB5AIBADBIMQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0ExFjAUBgNVBAcT\nDVNhbiBGcmFuY2lzY28xFDASBgNVBAMTC2V4YW1wbGUubmV0MFkwEwYHKoZIzj0C\nAQYIKoZIzj0DAQcDQgAESBUDT5efDI8Mu+r4exXhSxj6dZEa0JSC6kPIGgoSz0qB\nKJqq+rEVxTtlucVx7+qd5t4d/fTi86yK6XLZRYPkeKA6MDgGCSqGSIb3DQEJDjEr\nMCkwJwYDVR0RBCAwHoILZXhhbXBsZS5uZXSCD3d3dy5leGFtcGxlLm5ldDAKBggq\nhkjOPQQDAgNIADBFAiAPGfjSDn3Hnmcbgos5jg8TsiXS7w583/u9S7v2vfg0FQIh\nALrFa6rxrt4PQcQ3cfJfSdrBCKTSxOkC0B8HUzRKIsA7\n-----END CERTIFICATE REQUEST-----\n","key":"-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIDsYNrVMpId/aWFEWWOoA995evruDmzjliTUACSEnivloAoGCCqGSM49\nAwEHoUQDQgAESBUDT5efDI8Mu+r4exXhSxj6dZEa0JSC6kPIGgoSz0qBKJqq+rEV\nxTtlucVx7+qd5t4d/fTi86yK6XLZRYPkeA==\n-----END EC PRIVATE KEY-----\n"}
[root@master01 cfssl]# 

2.6 cfssl gencert – generate a new key and signed certificate 生成一个新的私钥和签名的证书 以及证书签名请求

2.6.1 cfssl gencert -initca csr.json 从json文件中生成一个证书签名请求和一个私钥,并生成一个自签名的证书(一般是根证书)

#  既不带 -initca、也没有用 -ca/-ca-key 指定 CA 时,cfssl gencert csr.json 会报错
[root@master01 cfssl]# /opt/kubernetes/bin/cfssl gencert csr.json 
2023/07/18 07:06:43 [ERROR] need a CA certificate (provide one with -ca)
[root@master01 cfssl]# [root@master01 cfssl]# /opt/kubernetes/bin/cfssl gencert csr.json 
2023/07/18 07:06:28 [ERROR] need a CA certificate (provide one with -ca)
[root@master01 cfssl]# /opt/kubernetes/bin/cfssl gencert csr.json 
2023/07/18 07:06:43 [ERROR] need a CA certificate (provide one with -ca)
[root@master01 cfssl]# /opt/kubernetes/bin/cfssl gencert -initca csr.json 
2023/07/18 07:06:58 [INFO] generating a new CA key and certificate from CSR
2023/07/18 07:06:58 [INFO] generate received request
2023/07/18 07:06:58 [INFO] received CSR
2023/07/18 07:06:58 [INFO] generating key: ecdsa-256
2023/07/18 07:06:58 [INFO] encoded CSR
2023/07/18 07:06:58 [INFO] signed certificate with serial number 608368421128572508958145539850839136927344849175
{"cert":"-----BEGIN CERTIFICATE-----\nMIIB1DCCAXqgAwIBAgIUapAu+aNmNp4kqr/wUMC85841cRcwCgYIKoZIzj0EAwIw\nSDELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1TYW4gRnJhbmNp\nc2NvMRQwEgYDVQQDEwtleGFtcGxlLm5ldDAeFw0yMzA3MTgxNDAyMDBaFw0yODA3\nMTYxNDAyMDBaMEgxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEWMBQGA1UEBxMN\nU2FuIEZyYW5jaXNjbzEUMBIGA1UEAxMLZXhhbXBsZS5uZXQwWTATBgcqhkjOPQIB\nBggqhkjOPQMBBwNCAAQ1aXQZBV0LNV9VDU/vdopUGt00VZE6pPOOzyYn3XCMjHOj\nu1o5+Zal3uQg+nU+AaofWRbv7OG7j9XQE/kE3z5xo0IwQDAOBgNVHQ8BAf8EBAMC\nAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUn4I0ba+Yb8be2qox8bCDuARU\ndpcwCgYIKoZIzj0EAwIDSAAwRQIhAPZAcoVTCSf77T49jnaPO+oriX5Bv0ZzTje6\n4rL8KOrTAiBgc6bxzL7ErjILvs2n1QhsQh6j2Kn8NV9Bf9rDuQF/pg==\n-----END CERTIFICATE-----\n","csr":"-----BEGIN CERTIFICATE REQUEST-----\nMIIBPjCB5AIBADBIMQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0ExFjAUBgNVBAcT\nDVNhbiBGcmFuY2lzY28xFDASBgNVBAMTC2V4YW1wbGUubmV0MFkwEwYHKoZIzj0C\nAQYIKoZIzj0DAQcDQgAENWl0GQVdCzVfVQ1P73aKVBrdNFWROqTzjs8mJ91wjIxz\no7taOfmWpd7kIPp1PgGqH1kW7+zhu4/V0BP5BN8+caA6MDgGCSqGSIb3DQEJDjEr\nMCkwJwYDVR0RBCAwHoILZXhhbXBsZS5uZXSCD3d3dy5leGFtcGxlLm5ldDAKBggq\nhkjOPQQDAgNJADBGAiEA+VrrxfUo2OVpJI03clbv9yNV0Dwr1yjk+co0Cl9N7d0C\nIQDcAssgYeZptOO+BEtMYPf9SGB9kjelHzq9B/25uzg7Kw==\n-----END CERTIFICATE REQUEST-----\n","key":"-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIGI9cHJ6PLimn0IcwpRaBoL7i2F+L3pMedTlHAZBtTKGoAoGCCqGSM49\nAwEHoUQDQgAENWl0GQVdCzVfVQ1P73aKVBrdNFWROqTzjs8mJ91wjIxzo7taOfmW\npd7kIPp1PgGqH1kW7+zhu4/V0BP5BN8+cQ==\n-----END EC PRIVATE KEY-----\n"}
[root@master01 cfssl]# 

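2.6.2 cfssl gencert -ca cert -ca-key key [-config config] [-profile profile] [-hostname hostname] [-cn cn] CSRJSON 通过证书(根证书)和私钥签名其他证书

-hostname 一般是服务器或者集群的ip列表或者域名,可用于覆盖 CSR JSON 中 hosts 给出的 SANs
-cn 一般用于设置CN
cfssljson -bare server 会把 JSON 输出拆分写入 server.pem、server.csr 和 server-key.pem;从下面的 ll 输出可以看到,私钥文件 server-key.pem 和 ca-key.pem 的权限是 -rw-------(仅 root 可读写),其余文件是 -rw-r--r--。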

[root@master01 cfssl]# /opt/kubernetes/bin/cfssl gencert  -ca="/root/cfssl/ca.pem"  -ca-key="/root/cfssl/ca-key.pem"   -config="/root/cfssl/ca.config" -profile="www"  server-csr.json | /opt/kubernetes/bin/cfssljson  -bare server -
2023/07/18 08:01:01 [INFO] generate received request
2023/07/18 08:01:01 [INFO] received CSR
2023/07/18 08:01:01 [INFO] generating key: rsa-2048
2023/07/18 08:01:01 [INFO] encoded CSR
2023/07/18 08:01:01 [INFO] signed certificate with serial number 476728697350752092822751015533037530814209274099
[root@master01 cfssl]# ll
total 36
-rw-r--r--. 1 root root  567 Jul 18 07:57 ca.config
-rw-r--r--. 1 root root  509 Jul 18 07:17 ca.csr
-rw-------. 1 root root  227 Jul 18 07:17 ca-key.pem
-rw-r--r--. 1 root root  696 Jul 18 07:17 ca.pem
-rw-r--r--. 1 root root  287 Jul 16 04:55 csr.json
-rw-r--r--. 1 root root 1269 Jul 18 08:01 server.csr
-rw-r--r--. 1 root root  569 Jul 18 07:54 server-csr.json
-rw-------. 1 root root 1679 Jul 18 08:01 server-key.pem
-rw-r--r--. 1 root root 1322 Jul 18 08:01 server.pem
[root@master01 cfssl]# openssl x509 -in server.pem  -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            53:81:41:0e:86:d5:56:47:7c:65:ea:4c:55:a8:a1:52:6e:a7:30:f3
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: C=US, ST=CA, L=San Francisco, CN=example
        Validity
            Not Before: Jul 18 14:56:00 2023 GMT
            Not After : Jul 17 14:56:00 2024 GMT
        Subject: C=CN, ST=Shanghai, L=Shanghai, O=k8s, OU=cloudnative, CN=kubernetes
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:c2:48:df:9a:f7:17:08:4b:c0:d7:a9:48:54:84:69:35:48:27:15:7f:c5:8e:1d:1f:d5:94:2d:76:2a:e4:0b:99:16:55:64:b7:b9:b6:20:a7:55:9e:8a:ad:78:7b:58:53:cd:88:82:ec:3f:d7:35:c8:ac:8c:49:f5:84:7b:0f:06:e3:35:2a:0f:90:00:5d:7b:38:27:51:a7:68:e9:7e:66:df:f2:00:f6:13:d7:9d:b1:de:0d:a4:35:61:1b:a0:1a:4a:be:44:87:b6:11:72:4b:b9:55:c4:7c:48:71:91:aa:b4:c6:dd:29:b9:05:05:d6:45:26:c2:90:ff:b8:ba:49:48:28:69:cf:9f:dc:18:f8:df:43:47:4c:55:98:2f:9b:74:4d:e0:f9:cd:a2:da:e8:d8:e2:4e:75:55:5c:de:15:d9:06:0d:30:f5:38:1e:3e:0e:f2:55:d5:bb:9f:c6:b8:10:e2:36:e3:7e:00:9d:c9:19:fa:cc:ca:ae:75:84:31:50:1d:e2:8a:37:f8:12:d9:a0:78:d7:2c:74:82:de:8d:1e:19:5c:4f:be:43:89:2a:29:81:4c:98:c0:ff:a4:f8:e3:e8:15:fc:fd:48:b5:bb:aa:79:b3:96:0e:18:50:00:08:0d:61:62:94:86:4a:83:cb:e2:82:93:50:25:97:f1
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                46:DB:A9:17:93:57:38:47:06:07:CE:D4:E1:7C:ED:5F:B3:CA:8E:CD
            X509v3 Authority Key Identifier:
                keyid:5E:12:B7:79:AC:80:A5:3F:34:EC:5F:E3:75:59:01:95:4D:87:A2:C1
            X509v3 Subject Alternative Name:
                DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster, DNS:kubernetes.default.svc.cluster.local, IP Address:127.0.0.1, IP Address:10.0.0.1, IP Address:10.240.139.133, IP Address:10.240.139.134, IP Address:10.240.139.135
    Signature Algorithm: ecdsa-with-SHA256
         30:44:02:20:15:9b:1c:74:64:7c:3e:e8:2e:c5:c9:93:a8:37:9b:51:a2:9d:38:b3:a3:d3:f9:fc:83:57:56:82:ea:43:f0:29:02:20:3f:ed:82:b5:45:e4:b0:aa:b3:90:62:1b:60:db:76:50:f3:c2:65:67:90:d1:34:4c:80:dd:31:87:16:f1:8e:0f
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
[root@master01 cfssl]# cat server-csr.json 
{"CN": "kubernetes","hosts": ["127.0.0.1","10.0.0.1","10.240.139.133","10.240.139.134","10.240.139.135","kubernetes","kubernetes.default","kubernetes.default.svc","kubernetes.default.svc.cluster","kubernetes.default.svc.cluster.local"],"key": {"algo": "rsa","size": 2048},"names": [{"C": "CN","ST": "Shanghai","L": "Shanghai","O": "k8s","OU": "cloudnative"}]
}[root@master01 cfssl]# 

2.7 /opt/kubernetes/bin/cfssl sign 签名证书

2.7.1 cfssl sign -ca cert -ca-key key [-config config] [-profile profile] [-hostname hostname] CSR [SUBJECT]

参数是CSR文件,而不是CSRJSON文件;使用 - 可以从标准输入读取CSR文件,CSR文件也可以通过 -csr 选项引入。下面的示例没有指定 -config/-profile,此时使用 cfssl 内置的默认签名策略;需要控制证书有效期和用途时应显式指定这两个选项。
Flags:
-hostname="": Hostname for the cert, could be a comma-separated hostname list
-csr="": Certificate signature request file for new public key
-ca="": CA used to sign the new certificate -- accepts '[file:]fname' or 'env:varname'
-ca-key="": CA private key -- accepts '[file:]fname' or 'env:varname'
-config="": path to configuration file
-profile="": signing profile to use
-label="": key label to use in remote CFSSL server
-remote="": remote CFSSL server
-db-config="": certificate db configuration file
-loglevel=1: Log level (0 = DEBUG, 5 = FATAL)

[root@master01 cfssl]# ll
total 36
-rw-r--r--. 1 root root  567 Jul 18 07:57 ca.config
-rw-r--r--. 1 root root  509 Jul 18 07:17 ca.csr
-rw-------. 1 root root  227 Jul 18 07:17 ca-key.pem
-rw-r--r--. 1 root root  696 Jul 18 07:17 ca.pem
-rw-r--r--. 1 root root  287 Jul 16 04:55 csr.json
-rw-r--r--. 1 root root 1269 Jul 18 08:01 server.csr
-rw-r--r--. 1 root root  569 Jul 18 07:54 server-csr.json
-rw-------. 1 root root 1679 Jul 18 08:01 server-key.pem
-rw-r--r--. 1 root root 1322 Jul 18 08:01 server.pem
[root@master01 cfssl]# /opt/kubernetes/bin/cfssl sign -ca="./ca.pem" -ca-key="./ca-key.pem"  server.csr
2023/07/19 06:54:01 [INFO] signed certificate with serial number 165914920130701242719464470114662666597076361286
{"cert":"-----BEGIN CERTIFICATE-----\nMIIDrTCCA1SgAwIBAgIUHQ/h4FOxaYqLzFo9Sso+v3+I4EYwCgYIKoZIzj0EAwIw\nSDELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1TYW4gRnJhbmNp\nc2NvMRQwEgYDVQQDEwtleGFtcGxlLm5ldDAeFw0yMzA3MTkxMzQ5MDBaFw0yNDA3\nMTgxMzQ5MDBaMGwxCzAJBgNVBAYTAkNOMREwDwYDVQQIEwhTaGFuZ2hhaTERMA8G\nA1UEBxMIU2hhbmdoYWkxDDAKBgNVBAoTA2s4czEUMBIGA1UECxMLY2xvdWRuYXRp\ndmUxEzARBgNVBAMTCmt1YmVybmV0ZXMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw\nggEKAoIBAQDCSN+a9xcIS8DXqUhUhGk1SCcVf8WOHR/VlC12KuQLmRZVZLe5tiCn\nVZ6KrXh7WFPNiILsP9c1yKyMSfWEew8G4zUqD5AAXXs4J1GnaOl+Zt/yAPYT152x\n3g2kNWEboBpKvkSHthFyS7lVxHxIcZGqtMbdKbkFBdZFJsKQ/7i6SUgoac+f3Bj4\n30NHTFWYL5t0TeD5zaLa6NjiTnVVXN4V2QYNMPU4Hj4O8lXVu5/GuBDiNuN+AJ3J\nGfrMyq51hDFQHeKKN/gS2aB41yx0gt6NHhlcT75DiSopgUyYwP+k+OPoFfz9SLW7\nqnmzlg4YUAAIDWFilIZKg8vigpNQJZfxAgMBAAGjggErMIIBJzAOBgNVHQ8BAf8E\nBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQC\nMAAwHQYDVR0OBBYEFEbbqReTVzhHBgfO1OF87V+zyo7NMB8GA1UdIwQYMBaAFF4S\nt3msgKU/NOxf43VZAZVNh6LBMIGnBgNVHREEgZ8wgZyCCmt1YmVybmV0ZXOCEmt1\nYmVybmV0ZXMuZGVmYXVsdIIWa3ViZXJuZXRlcy5kZWZhdWx0LnN2Y4Iea3ViZXJu\nZXRlcy5kZWZhdWx0LnN2Yy5jbHVzdGVygiRrdWJlcm5ldGVzLmRlZmF1bHQuc3Zj\nLmNsdXN0ZXIubG9jYWyHBH8AAAGHBAoAAAGHBArwi4WHBArwi4aHBArwi4cwCgYI\nKoZIzj0EAwIDRwAwRAIgfTwEDZcObWKe5/qahToulFy2OuOOA1jLGn5kJrUUgEoC\nIAxkuS1tOwmmvL+IY+e6/HPmlNG0jtJQT7G49LUr9YIr\n-----END CERTIFICATE-----\n","csr":"-----BEGIN CERTIFICATE 
REQUEST-----\nMIIDcDCCAlgCAQAwbDELMAkGA1UEBhMCQ04xETAPBgNVBAgTCFNoYW5naGFpMREw\nDwYDVQQHEwhTaGFuZ2hhaTEMMAoGA1UEChMDazhzMRQwEgYDVQQLEwtjbG91ZG5h\ndGl2ZTETMBEGA1UEAxMKa3ViZXJuZXRlczCCASIwDQYJKoZIhvcNAQEBBQADggEP\nADCCAQoCggEBAMJI35r3FwhLwNepSFSEaTVIJxV/xY4dH9WULXYq5AuZFlVkt7m2\nIKdVnoqteHtYU82Iguw/1zXIrIxJ9YR7DwbjNSoPkABdezgnUado6X5m3/IA9hPX\nnbHeDaQ1YRugGkq+RIe2EXJLuVXEfEhxkaq0xt0puQUF1kUmwpD/uLpJSChpz5/c\nGPjfQ0dMVZgvm3RN4PnNotro2OJOdVVc3hXZBg0w9TgePg7yVdW7n8a4EOI2434A\nnckZ+szKrnWEMVAd4oo3+BLZoHjXLHSC3o0eGVxPvkOJKimBTJjA/6T44+gV/P1I\ntbuqebOWDhhQAAgNYWKUhkqDy+KCk1All/ECAwEAAaCBvjCBuwYJKoZIhvcNAQkO\nMYGtMIGqMIGnBgNVHREEgZ8wgZyCCmt1YmVybmV0ZXOCEmt1YmVybmV0ZXMuZGVm\nYXVsdIIWa3ViZXJuZXRlcy5kZWZhdWx0LnN2Y4Iea3ViZXJuZXRlcy5kZWZhdWx0\nLnN2Yy5jbHVzdGVygiRrdWJlcm5ldGVzLmRlZmF1bHQuc3ZjLmNsdXN0ZXIubG9j\nYWyHBH8AAAGHBAoAAAGHBArwi4WHBArwi4aHBArwi4cwDQYJKoZIhvcNAQELBQAD\nggEBAL23nXYMF6jCz0QWgq0+Jw+QXAEZm4E8DeXoPzSHtxYell2VWQReLh4ZunBE\nHMAFldkkUEkGKG8fMT65BQ0om+6p1eK/HXbsj6oWHo5u2WiVS8+Dkcs7JygqVDdA\nFpcv505cRjO8hBD6jObbnCNm+duxEuObu4GP6A4dBmcp9H5bkphzl+SmaZqDD1if\nfnO6xWL51oA/Oz7XUWGL/3KSv3kgx110vW6mQAiqxwILht6sGx+DoRj6EQckXeUB\nM2vwbALu3hRs9xOEno69TUPLFdk1jfDC1WDUS6UMiMkZ70nqSgH5CTWx0uKNvj8C\neufzgltsdNIMN9mY3n2H40xcT4E=\n-----END CERTIFICATE REQUEST-----\n"}
[root@master01 cfssl]# 

2.8 cfssl selfsign 生成一个私钥和自签名的证书(不安全,仅用于测试,不建议在生产环境使用)

[root@master01 cfssl]# /opt/kubernetes/bin/cfssl selfsign --help
	cfssl selfsign -- generate a new self-signed key and signed certificate

Usage of gencert:
	cfssl selfsign HOSTNAME CSRJSON

WARNING: this should ONLY be used for testing. This should never be
used in production.

WARNING: self-signed certificates are insecure; they do not provide
the authentication required for secure systems. Use these at your own
risk.

Arguments:
	HOSTNAME:   Hostname for the cert
	CSRJSON:    JSON file containing the request, use '-' for reading JSON from stdin

Flags:
  -config="": path to configuration file
  -loglevel=1: Log level (0 = DEBUG, 5 = FATAL)
