# 1. Encryption methods
1. Symmetric encryption: the same key encrypts and decrypts
2. Asymmetric encryption: encrypts with a public/private key pair (HTTPS uses asymmetric encryption)
3. One-way encryption (hashing): can only encrypt, cannot decrypt (MD5)
# 2. SSL certificates

# 3. Types of SSL certificates
1. Self-signed certificates: for internal use
2. Certificates from a third-party CA: usually used for external connections
# 4. Self-signed certificate tools
1. Use the cfssl tool to self-sign certificates
# 5. Installing cfssl to self-sign SSL certificates for etcd and the API server
1. Online installation
1.1 Install CFSSL
* Certificate generation tool
```
wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
```
or
```
wget https://github.com/cloudflare/cfssl/releases/download/1.2.0/cfssl_linux-amd64
```
* Tool that writes the certificate files out of cfssl's JSON output
```
wget https://github.com/cloudflare/cfssl/releases/download/1.2.0/cfssljson_linux-amd64
```
* Tool for viewing certificate information
```
wget https://github.com/cloudflare/cfssl/releases/download/1.2.0/cfssl-certinfo_linux-amd64
```
1.2 Set permissions
```
chmod +x cfssl_linux-amd64 cfssljson_linux-amd64 cfssl-certinfo_linux-amd64
```
or:
```
sudo chmod +x cfssl*
```
1.3 Move the files (put them on the PATH)
```
mv cfssl_linux-amd64 /usr/local/bin/cfssl
mv cfssljson_linux-amd64 /usr/local/bin/cfssljson
mv cfssl-certinfo_linux-amd64 /usr/local/bin/cfssl-certinfo
```
Moving the binaries into that directory normally makes them available automatically; if that did not work, or the check in the next step fails, add the directory to the PATH:
```
# the binaries were moved to /usr/local/bin above, so that is the directory to add
export PATH=/usr/local/bin:$PATH
```
1.4 Verify the command
```
cfssl --help
```

1.5 Generate a configuration template
```
cfssl print-defaults config > config.json
```
```
{
    "signing": {                  // signing configuration
        "default": {
            "expiry": "168h"      // default validity period
        },
        "profiles": {
            "www": {
                "expiry": "8760h",
                "usages": [
                    "signing",
                    "key encipherment",
                    "server auth"
                ]
            },
            "client": {
                "expiry": "8760h",
                "usages": [
                    "signing",
                    "key encipherment",
                    "client auth"
                ]
            }
        }
    }
}
```
1.6 Generate the certificate signing request (CSR) template file
```
cfssl print-defaults csr > csr.json
```
```
{
    "CN": "example.net",          // identifies the specific domain (Common Name)
    "hosts": [                    // names and addresses that will use this certificate
        "example.net",
        "www.example.net"
    ],
    "key": {                      // key algorithm; RSA 2048 is the usual choice
        "algo": "ecdsa",
        "size": 256
    },
    "names": [                    // subject information, e.g. country and region
        {
            "C": "US",
            "L": "CA",
            "ST": "San Francisco"
        }
    ]
}
```
1.7 Create our own configuration and CSR files from the initial templates
Now we create our own files from the templates above. It is best to keep the generated files in a separate directory: change into that directory and run the commands below. The content is what we get after modifying the initial configuration template and CSR template; each command creates the file and writes the content into it.
```
cat > ca-config.json <<EOF
{
    "signing":{
        "default":{
            "expiry":"87600h"
        },
        "profiles":{
            "kubernetes":{
                "expiry":"87600h",
                "usages":[
                    "signing",
                    "key encipherment",
                    "server auth",
                    "client auth"
                ]
            }
        }
    }
}
EOF
```
```
cat > ca-csr.json <<EOF
{
    "CN":"kubernetes",
    "key":{
        "algo":"rsa",
        "size":2048
    },
    "names":[
        {
            "C":"CN",
            "L":"Hebei",
            "ST":"Zhangjiakou",
            "O":"k8s",
            "OU":"System"
        }
    ]
}
EOF
```
1.8 Generate the CA certificate from the CSR file
```
cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
```
1.9 Create the server CSR
```
cat > server-csr.json <<EOF
{
    "CN":"kubernetes",
    "hosts":[
        "192.168.72.166",
        "192.168.72.168",
        "192.168.72.169"
    ],
    "key":{
        "algo":"rsa",
        "size":2048
    },
    "names":[
        {
            "C":"CN",
            "L":"Hebei",
            "ST":"Zhangjiakou",
            "O":"k8s",
            "OU":"System"
        }
    ]
}
EOF
```
1.10 Generate the server certificate from the CSR, signed by the CA
```
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes server-csr.json | cfssljson -bare server
```

Reference: [https://www.cnblogs.com/fanqisoft/p/10765038.html](https://www.cnblogs.com/fanqisoft/p/10765038.html)
2. Offline installation
2.1 Upload the TLS tar package
Upload the archive. It contains the same binaries that were moved into /usr/local/bin/ above; you can also pack and download them yourself.
Download link: [https://jsbke.cn/files/TLS.tar.gz](https://jsbke.cn/files/TLS.tar.gz)
Alternative download link: [https://pan.baidu.com/s/1dwRa7wW_qWjBfJrckHhRgw?pwd=ud0q](https://pan.baidu.com/s/1dwRa7wW_qWjBfJrckHhRgw?pwd=ud0q)
Extraction code: ud0q
2.2 Extract the archive
2.3 Run the cfssl.sh script
Contents of cfssl.sh:
```
#curl -L https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 -o /usr/local/bin/cfssl
#curl -L https://github.com/cloudflare/cfssl/releases/download/1.2.0/cfssljson_linux-amd64 -o /usr/local/bin/cfssljson
#curl -L https://github.com/cloudflare/cfssl/releases/download/1.2.0/cfssl-certinfo_linux-amd64 -o /usr/local/bin/cfssl-certinfo
cp -rf cfssl cfssl-certinfo cfssljson /usr/local/bin
chmod +x /usr/local/bin/cfssl*
```
2.4 Verify
```
cfssl --help
```
2.5 Change into the etcd directory: `cd etcd`
2.6 Edit the configuration file
```
cat server-csr.json
{
    "CN": "etcd",
    "hosts": [
        "192.168.72.166",
        "192.168.72.168",
        "192.168.72.169"
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "BeiJing",
            "ST": "BeiJing"
        }
    ]
}
```
2.7 Run the script to generate the certificates
```
bash generate_etcd_cert.sh
```
Contents of generate_etcd_cert.sh:
```
cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=www server-csr.json | cfssljson -bare server
```
Note: the certificates can be generated in any directory.
Reference document: [https://www.cnblogs.com/yangzp/p/15692046.html](https://www.cnblogs.com/yangzp/p/15692046.html)
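As an added example (not code from the original post or the referenced articles), a small Python pre-flight check for the ca-config.json and server-csr.json files of the shape used in sections 1.7, 1.9 and 2.6, run before `cfssl gencert`: it confirms the requested profile exists, that its expiry is a valid Go duration, that it carries the usages the certificate will need, that every host is an IP address or DNS name (otherwise the SAN is wrong), and that the key size is sane. The sample JSON is constructed inline; checking the default template's `www` profile with both `server auth` and `client auth` required, as a certificate that etcd members present to each other needs, reports the missing `client auth` usage.

```python
import ipaddress
import json
import re

# Constructed sample inputs modelled on the page's ca-config.json (default
# template's "www" profile plus the "kubernetes" profile) and server-csr.json.
CA_CONFIG = json.loads("""{"signing":{"default":{"expiry":"87600h"},
 "profiles":{"kubernetes":{"expiry":"87600h",
   "usages":["signing","key encipherment","server auth","client auth"]},
  "www":{"expiry":"8760h",
   "usages":["signing","key encipherment","server auth"]}}}}""")
SERVER_CSR = json.loads("""{"CN":"etcd",
 "hosts":["192.168.72.166","192.168.72.168","192.168.72.169"],
 "key":{"algo":"rsa","size":2048},
 "names":[{"C":"CN","L":"BeiJing","ST":"BeiJing"}]}""")

GO_DURATION = re.compile(r"^(\d+(\.\d+)?(ns|us|ms|s|m|h))+$")   # "8760h", "1h30m"
HOSTNAME = re.compile(r"^(\*\.)?([a-z0-9-]+\.)*[a-z0-9-]+$", re.I)

def _valid_host(h):
    """A SAN entry must be an IP address or a DNS name (wildcard allowed)."""
    try:
        ipaddress.ip_address(h)
        return True
    except ValueError:
        return bool(HOSTNAME.match(h))

def preflight(config, csr, profile, need_usages=("server auth",)):
    """Return the list of problems found; an empty list means go ahead."""
    problems = []
    prof = config.get("signing", {}).get("profiles", {}).get(profile)
    if prof is None:
        problems.append(f"profile '{profile}' not in ca-config.json")
    else:
        # cfssl falls back to signing.default.expiry when the profile has none
        expiry = prof.get("expiry") or config["signing"]["default"].get("expiry", "")
        if not GO_DURATION.match(expiry):
            problems.append(f"bad expiry '{expiry}' in profile '{profile}'")
        missing = set(need_usages) - set(prof.get("usages", []))
        if missing:
            problems.append(f"profile '{profile}' lacks usages {sorted(missing)}")
    hosts = csr.get("hosts", [])
    if not hosts:
        problems.append("server CSR has no hosts: certificate would have no SAN")
    problems += [f"host '{h}' is not an IP or DNS name" for h in hosts if not _valid_host(h)]
    key = csr.get("key", {})
    if key.get("algo") == "rsa" and key.get("size", 0) < 2048:
        problems.append("RSA key shorter than 2048 bits")
    if key.get("algo") == "ecdsa" and key.get("size") not in (256, 384, 521):
        problems.append("ECDSA size must be 256, 384 or 521")
    return problems
```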