NOTICE
Don’t put ca-key.pem into a Container Linux Config, it is recommended to store it in safe place. This key allows to generate as much certificates as possible.
Keep key files in safe. Don’t forget to set proper file permissions, i.e. chmod 0600 server-key.pem.
Certificates in this TLDR example have both server auth and client auth X509 V3 extensions and you can use them with servers and clients’ authentication.
generate keys and certificates for wildcard * address as well. They will work on any machine. It will simplify certificates routine but increase security risks.
check X509v3 Subject Alternative Name(HOST) issued in server.pem
openssl x509 -in server.pem -text |grep DNS
Generate self-signed certificates
Download cfssl
mkdir ~/bin curl -s -L -o ~/bin/cfssl https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 curl -s -L -o ~/bin/cfssljson https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 chmod +x ~/bin/{cfssl,cfssljson}Initialize a certificate authority
mkdir ~/cfssl cd ~/cfssl cfssl print-defaults config > ca-config.json cfssl print-defaults csr > ca-csr.jsonCertificate types which are used inside Container Linux
- client certificate is used to authenticate client by server. .
- server certificate is used by server and verified by client for server identity.
- peer certificate is used by cluster as members communicate with each other in both ways.
Configure CA options ca-csr.json(Certificate Signing Request (CSR))
{ "CN": "wubigo CA", "key": { "algo": "ecdsa", "size": 256 }, "names": [ { "C": "CN", "L": "BJ", "ST": "Bei Jing" } ] }
ca-config.json( set expiry to 8760h (1 year))
{
"signing": {
"default": {
"expiry": "168h"
},
"profiles": {
"server": {
"expiry": "8760h",
"usages": [
"signing",
"key encipherment",
"server auth"
]
},
"client": {
"expiry": "8760h",
"usages": [
"signing",
"key encipherment",
"client auth"
]
},
"peer": {
"expiry": "8760h",
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
]
}
}
}
}
generate CA with defined options:
cfssl gencert -initca ca-csr.json | cfssljson -bare ca - ls ca-key.pem ca.csr ca.pemPlease keep ca-key.pem file in safe. This key allows to create any kind of certificates within the CA
Generate server certificate
cfssl print-defaults csr > server.jsonMost important values for server certificate are Common Name (CN) and hosts. substitute them accordingly:
... "CN": "server", "hosts": [ "192.168.1.6", "wubigo.com", "localhost", "127.0.0.1" ], ...generate server certificate and private key:
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=server server.json | cfssljson -bare serverresult following files:
server-key.pem server.csr server.pem
Generate peer certificate
cfssl print-defaults csr > member1.json
Substitute CN and hosts values, for example:
...
"CN": "member1",
"hosts": [
"192.168.1.7",
"member1.wubigo.com",
"member1.local",
"member1"
],
...
generate member1 certificate and private key:
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=peer member1.json | cfssljson -bare member1member1-key.pem member1.csr member1.pemGenerate client certificate
cfssl print-defaults csr > client.jsonFor client certificate ignore hosts values and set only Common Name (CN) to client value:
... "CN": "client", "hosts": [ "" ]", ...Generate client certificate:
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=client client.json | cfssljson -bare client
get following files:
client-key.pem
client.csr
client.pem