
PKI/TLS Swiss Army knife: cfssl

2022-06-10 22:47:00, by Look, the future

CFSSL is the PKI/TLS toolkit from CloudFlare: a set of open-source tools written in Go. One of CloudFlare's main businesses is network security services, and the CFSSL they open-sourced is the same tooling they use for their own TLS certificates.

Certificate management touches many things, certificate chains among them, and for many operations staff it is tedious. One of CFSSL's goals is to solve the performance, compatibility and security problems of certificate management.


A CA (Certification Authority) is the authority that issues certificates. The CA certificate is the authority's own certificate; it is what relying parties use to verify the certificates that the CA has signed.

A key is a file or string used for encryption, decryption and signing. In asymmetric cryptography "key" means the private key and the public key, which always come as a pair. For RSA the common strength today is 2048 bits.

RSA is an asymmetric encryption algorithm. Asymmetric cryptography uses two different keys, a private key and a public key. Data encrypted with one of them can only be decrypted with the other, never with the same key; in other words, data encrypted with the public key can only be decrypted with the private key, and a signature made with the private key can be verified by anyone holding the public key, which is how a CA's signature on a certificate is checked.


PEM (Privacy Enhanced Mail) is the format most certificate authorities (Certificate Authorities, CA) hand out; the extensions are .pem, .crt, .cer and .key. The content is Base64-encoded ASCII wrapped in begin and end markers, for example -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- for a server certificate.

Intermediate certificates and private keys can also be stored in PEM format (the certificate itself carries the public key, not the private key). Apache, nginx and similar servers use PEM-format certificates.

DER (Distinguished Encoding Rules) differs from PEM in that it is binary rather than Base64-encoded ASCII. The extension is .der, but .cer is also widely used. Every type of certificate and private key can be stored in DER format; Java is the typical platform that uses it.


A CSR (Certificate Signing Request) is the request file submitted to a CA when applying for a certificate. Before generating the request we need an asymmetric key pair: the private key stays with us, and the request carries the public key together with the country, city, domain name, e-mail and so on. The CSR is also signed with our private key, which proves to the CA that we hold the key matching the public key in the request. Once the CSR is ready it is submitted to the CA, which signs it for us; when signing is done we receive a .crt file, the certificate.

Note: a CSR is not a certificate. It is an application to a certification authority for a signed certificate.

Hand the CSR to the certification authority, the authority signs it, done. Keep the CSR: when the certificate issued by the authority expires, the same CSR can be used to apply for a new one and the key stays unchanged. Reusing the key is convenient, but it also means a key that was compromised during the first certificate's lifetime is still in use under the new one; generating a fresh key at renewal is the safer habit.
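As an added example (it is not part of the original article and not cfssl's own code), the following Go program uses only the standard library to do what `cfssl genkey` and `cfssl certinfo -csr` do: generate a key pair, build a CSR with the same subject fields used later on this page, sign it with the private key, write key and request out as PEM, then parse the PEM back to DER and check the request's self-signature. The function and type names (GenKeyAndCSR, InspectCSR, CSRInfo, Tamper) and the sample hosts are this example's own choices.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"net"
)

// GenKeyAndCSR does what `cfssl genkey csr.json | cfssljson -bare name` does: generate a
// key pair of the requested size, build a PKCS#10 request carrying the subject and the
// SANs, sign it with the new private key, and return both as PEM (name-key.pem, name.csr).
func GenKeyAndCSR(cn, org string, hosts []string, bits int) (keyPEM, csrPEM []byte, err error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn, Country: []string{"CN"},
		Province: []string{"BeiJing"}, Locality: []string{"BeiJing"}, Organization: []string{org}, OrganizationalUnit: []string{"System"}}}
	for _, h := range hosts { // cfssl splits "hosts" into IP and DNS SANs the same way
		if ip := net.ParseIP(h); ip != nil {
			tmpl.IPAddresses = append(tmpl.IPAddresses, ip)
		} else {
			tmpl.DNSNames = append(tmpl.DNSNames, h)
		}
	}
	// The DER returned here is already signed with key; that signature is the proof of
	// possession a CA checks before it issues a certificate for the enclosed public key.
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, nil, err
	}
	keyPEM = pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)})
	csrPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der})
	return keyPEM, csrPEM, nil
}

// CSRInfo is the subset of what `cfssl certinfo -csr` prints that a CA decides on.
type CSRInfo struct {
	CN      string
	Orgs    []string
	Hosts   []string
	KeyBits int
}

// InspectCSR strips the PEM armour to get the DER bytes, parses them and verifies the
// self-signature. A request whose body or signature was altered fails here, before anyone
// looks at the names it asks for. A certificate or key PEM is rejected by its block type.
func InspectCSR(csrPEM []byte) (*CSRInfo, error) {
	block, _ := pem.Decode(csrPEM)
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return nil, fmt.Errorf("not a PEM certificate request")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes) // block.Bytes is the DER form
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("CSR signature does not verify: %w", err)
	}
	info := &CSRInfo{CN: csr.Subject.CommonName, Orgs: csr.Subject.Organization, Hosts: csr.DNSNames}
	for _, ip := range csr.IPAddresses {
		info.Hosts = append(info.Hosts, ip.String())
	}
	if pub, ok := csr.PublicKey.(*rsa.PublicKey); ok {
		info.KeyBits = pub.N.BitLen()
	}
	return info, nil
}

// Tamper flips the last DER byte, which sits inside the signature, and re-armours the
// request: the structure still parses, but the signature no longer matches the body.
func Tamper(csrPEM []byte) []byte {
	block, _ := pem.Decode(csrPEM)
	block.Bytes[len(block.Bytes)-1] ^= 0xff
	return pem.EncodeToMemory(block)
}

func main() {
	_, csrPEM, err := GenKeyAndCSR("kubernetes", "k8s", []string{"10.254.0.1", "kubernetes.default.svc"}, 2048)
	if err != nil {
		panic(err)
	}
	info, err := InspectCSR(csrPEM)
	if err != nil {
		panic(err)
	}
	fmt.Printf("CN=%s O=%v hosts=%v key=%d bits\n", info.CN, info.Orgs, info.Hosts, info.KeyBits)
	_, err = InspectCSR(Tamper(csrPEM))
	fmt.Println("tampered request:", err)
}
```

The PEM block type is the only thing that distinguishes a request from a certificate or a key on disk, which is why the check on block.Type comes first; everything after it works on the DER bytes, exactly as it would if the file had been saved in DER form instead.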


Introduction to common cfssl subcommands

bundle: Build a certificate bundle (the certificate together with its chain of intermediates)
genkey: Generate a key (private key) and a CSR (certificate signing request)
scan: Scan a host's TLS setup for problems
revoke: Revoke a certificate
certinfo: Print the information in a given certificate; works the same way as the cfssl-certinfo tool
gencrl: Generate a new certificate revocation list
selfsign: Generate a new self-signed key and certificate
print-defaults: Print the default configuration, which can be used as a template
serve: Start an HTTP API service
gencert: Generate a new key and a signed certificate
 -ca: the CA certificate
 -ca-key: the CA private key file
 -config: the JSON file holding the signing policy for the requested certificate
 -profile: the profile to apply; it must match one under "profiles" in the -config file, and that profile's settings are used to generate the certificate
ocspdump: Generate a series of OCSP responses from all the OCSP responses in the cert db, for use by ocspserve
ocspsign: Sign an OCSP response for a given CA, certificate and status; returns a base64-encoded OCSP response
info: Get information about a remote signer
sign: Sign a certificate, given the CA, the CA key and the host name
ocsprefresh: Refresh the ocsp_responses table with OCSP responses for all known unexpired certificates
ocspserve: Start an HTTP server that answers OCSP requests from a file or directly from the database (see RFC 5019)

Common commands

cfssl gencert -initca ca-csr.json | cfssljson -bare ca ##  initialize the CA
cfssl gencert -initca -ca-key key.pem ca-csr.json | cfssljson -bare ca ##  regenerate the CA certificate from an existing private key
cfssl certinfo -cert ca.pem ##  show the certificate
cfssl certinfo -csr ca.csr ##  show the signing request

Steps for building a CA with CFSSL
1. Create a certification authority (CA)

cfssl can create an internal certification authority for obtaining and operating certificates. Running the authority requires a CA certificate and the corresponding CA private key. Anyone who holds the private key can act as the CA and issue certificates, so protecting that key is critical. Here we practise with the certificates a k8s cluster needs:

cfssl print-defaults config > config.json #  default signing-policy configuration template
cfssl print-defaults csr > csr.json #  default CSR request template

Edit the certificate request file to your own needs and save it as ca-csr.json (the name used in the commands below); the CA certificate is valid for 10 years:

{
  "CN": "kubernetes",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "k8s",
      "OU": "System"
    }
  ],
  "ca": {
    "expiry": "87600h"
  }
}

Knowledge points:

"CN": Common Name; kube-apiserver takes this field from a client certificate as the requesting user name (User Name)
"O": Organization; kube-apiserver takes this field from a client certificate as the group the requesting user belongs to (Group)
C: Country
L: Locality, the city
O: Organization Name, the organization or company
OU: Organizational Unit Name, the department within the organization
ST: State or province

Certificate signing-policy file ca-config.json

{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "kubernetes": {
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ],
        "expiry": "87600h"
      }
    }
  }
}

Knowledge points:

ca-config.json: several profiles can be defined, each with its own expiry, usages and other parameters; one of them is selected with -profile when a certificate is signed. This instance has only the kubernetes profile.
signing: maps to the Digital Signature key usage, so the certificate can produce signatures (in TLS handshakes, for example). It is not what makes ca.pem a CA: the CA=TRUE flag in ca.pem comes from the "ca" block of the CSR and the -initca step, not from this profile.
server auth: a client can use this CA to verify the certificate a server presents;
client auth: a server can use this CA to verify the certificate a client presents;
Mind the punctuation: in JSON the last field of an object has no trailing comma.

2. Initialize the CA. This produces ca-key.pem (the private key), ca.pem (the CA certificate, which carries the public key) and ca.csr:

cfssl gencert -initca ca-csr.json | cfssljson -bare ca

3. Create the kubernetes certificate

Create the certificate request file kubernetes-csr.json:

{
  "CN": "kubernetes",
  "hosts": [
    "127.0.0.1",
    "10.1.20.129",
    "10.1.20.128",
    "10.1.20.126",
    "10.1.20.127",
    "10.254.0.1",
    "*.kubernetes.master",
    "localhost",
    "kubernetes",
    "kubernetes.default",
    "kubernetes.default.svc",
    "kubernetes.default.svc.cluster",
    "kubernetes.default.svc.cluster.local"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}

Knowledge points:

This certificate is currently used only by the apiserver. A *.kubernetes.master wildcard was added for internal private DNS resolution (it can be deleted).
Can the kubernetes entries be deleted? No. When the cluster is created, a Service named kubernetes is created in the default namespace, and some components talk to the API directly through that Service; if the certificate does not contain its name they may be unable to connect.
The other names beginning with kubernetes serve the same purpose.
hosts is the list of Subject Alternative Names the certificate is valid for, in other words its scope of authorization; a node or service whose name or IP is not in this list will get a certificate mismatch error when it uses this certificate.
10.254.0.1 is the first IP of the service-cluster-ip-range given to kube-apiserver, the ClusterIP of the kubernetes Service.


4、 Generate kubernetes Certificate and private key

cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kubernetes-csr.json | cfssljson -bare kubernetes

Knowledge points:

-config points at the signing-policy file (the template above);
-profile selects a specific usage scenario inside it, here the kubernetes section of ca-config.json.

5. Create the admin certificate

Create the admin certificate request file admin-csr.json:

{
  "CN": "admin",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "system:masters",
      "OU": "System"
    }
  ]
}

6、 Generate admin Certificate and private key

cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes admin-csr.json | cfssljson -bare admin

Knowledge points:

This admin certificate will later be used in the administrator's kubeconfig file. Role permissions in kubernetes are now generally controlled with RBAC, and kubernetes takes the certificate's CN field as the User and its O field as the Group. system:masters is the built-in group bound to the cluster-admin role, so this certificate is a cluster-wide superuser. kube-apiserver does not check certificate revocation, so the only way to withdraw such a certificate is to replace the CA; guard admin-key.pem as carefully as ca-key.pem.

The certificates for the etcd cluster in kubernetes can be created in exactly the same way.
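To show what steps 1 to 6 actually produce, here is an added example in Go (the language cfssl itself is written in) that uses only the standard library, not cfssl's own packages, to replay the procedure: initialise a CA with CA=TRUE, issue the kubernetes server certificate under the page's kubernetes profile with the hosts list as SANs, verify it the way a client holding ca.pem would (including a name that is not in hosts), then issue the admin client certificate and extract User and Group from it as kube-apiserver does. The names Profile, KubernetesProfile, InitCA, GenCert, VerifyServer and Identity are this example's own; the usage mapping it encodes is cfssl's ("signing" is Digital Signature, "key encipherment" is Key Encipherment, "server auth" and "client auth" are extended key usages).

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

const tenYears = 87600 * time.Hour // the "expiry": "87600h" used in every config above
type Profile struct { // one entry under "profiles" in ca-config.json
	KeyUsage    x509.KeyUsage
	ExtKeyUsage []x509.ExtKeyUsage
	Expiry      time.Duration
}

// KubernetesProfile is the page's "kubernetes" profile: "signing" is Digital Signature,
// "key encipherment" is Key Encipherment, "server auth"/"client auth" are the extended usages.
var KubernetesProfile = Profile{
	KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
	ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	Expiry:      tenYears,
}

// issue fills in serial number and validity, signs tmpl with signer, and parses the result.
func issue(tmpl, parent *x509.Certificate, pub *rsa.PublicKey, signer *rsa.PrivateKey, lifetime time.Duration) (*x509.Certificate, error) {
	tmpl.SerialNumber, _ = rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-5*time.Minute), time.Now().Add(lifetime)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// InitCA is step 2 (`gencert -initca`): a self-signed certificate with CA=TRUE and the
// Certificate Sign usage. The returned key is ca-key.pem; whoever holds it is the CA.
func InitCA(cn, org string) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{Subject: pkix.Name{CommonName: cn, Organization: []string{org}}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign | x509.KeyUsageDigitalSignature}
	cert, err := issue(tmpl, tmpl, &key.PublicKey, key, tenYears)
	return cert, key, err
}

// GenCert is steps 4 and 6: issue a leaf under a profile. Entries in hosts become IP or DNS
// SANs, as cfssl sorts them; an empty hosts list gives a client-only certificate like admin.pem.
func GenCert(caCert *x509.Certificate, caKey *rsa.PrivateKey, cn, org string, hosts []string, p Profile) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{Subject: pkix.Name{CommonName: cn, Organization: []string{org}},
		KeyUsage: p.KeyUsage, ExtKeyUsage: p.ExtKeyUsage, BasicConstraintsValid: true} // IsCA stays false
	for _, h := range hosts {
		if ip := net.ParseIP(h); ip != nil {
			tmpl.IPAddresses = append(tmpl.IPAddresses, ip)
		} else {
			tmpl.DNSNames = append(tmpl.DNSNames, h)
		}
	}
	cert, err := issue(tmpl, caCert, &key.PublicKey, caKey, p.Expiry)
	return cert, key, err
}

// VerifyServer is what a client holding ca.pem does: chain the certificate to the CA and check
// that the name it dialed is in the SAN list. A name missing from "hosts" fails here.
func VerifyServer(caCert, cert *x509.Certificate, dialed string) error {
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: dialed, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	return err
}

// Identity reads a client certificate the way kube-apiserver does: CN is the user, O the groups.
func Identity(cert *x509.Certificate) (user string, groups []string) {
	return cert.Subject.CommonName, cert.Subject.Organization
}

func main() {
	caCert, caKey, err := InitCA("kubernetes", "k8s")
	if err != nil {
		panic(err)
	}
	hosts := []string{"127.0.0.1", "10.254.0.1", "*.kubernetes.master", "kubernetes.default.svc.cluster.local"}
	srv, _, _ := GenCert(caCert, caKey, "kubernetes", "k8s", hosts, KubernetesProfile)
	for _, name := range []string{"kubernetes.default.svc.cluster.local", "node1.kubernetes.master", "10.254.0.2"} {
		fmt.Printf("%-40s %v\n", name, VerifyServer(caCert, srv, name)) // the last one is a SAN mismatch
	}
	admin, _, _ := GenCert(caCert, caKey, "admin", "system:masters", nil, KubernetesProfile)
	fmt.Println(Identity(admin))
}
```

Run it with go run: the first two verification lines print <nil>, the third prints a hostname error for 10.254.0.2 because that address is not in hosts, and the last line prints admin [system:masters]. A certificate signed by a different CA fails in VerifyServer with an unknown-authority error even when its hosts match, which is the point of distributing ca.pem: trust in the issuer, not the name, decides.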

Original site

Copyright notice
This article was written by [Look, the future]; please include the original link when reposting, thanks
https://yzsam.com/2022/161/202206102133192234.html