本文共 5568 字，大约阅读时间需要 18 分钟。

事前准备

[root@liumiaocn cert]# lsca-config.json  ca.csr  ca-csr.json  ca-key.pem  ca.pem  server.csr  server-csr.json  server-key.pem  server.pem[root@liumiaocn cert]#

详细证书生成方法可参看：https://liumiaocn.blog.csdn.net/article/details/103556278

CSR文件

CA机构不会凭空创建一个证书，他们需要一个公钥和一些元数据来填入证书之中，而这些信息就是存放在CSR文件之中，这个信息沟通的过程如下图所示：

• 申请者的公钥信息
• 使用申请者私钥所生成的数字签名
• 申请者机构相关的信息

CA可以对提供上述内容的CSR进行证书的创建。首先它会通过对于数字签名进行检验来确认申请者的身份，然后通过确认域名或者IP是否有效等方式来确认是否能够进行证书的签发，CA会有一个数据库保存所有的证书信息，不能与既存的有效证书向冲突也是检验的内容之一，如果所有验证都通过，CA就会使用自己的私钥发行一个证书给予此CSR文件的申请者。

比如此处使用server端生成的csr文件，文件内容如下所示：

[root@liumiaocn cert]# cat server.csr -----BEGIN CERTIFICATE REQUEST-----MIIDbzCCAlcCAQAwcDELMAkGA1UEBhMCQ04xETAPBgNVBAgTCExpYW9OaW5nMQ8wDQYDVQQHEwZEYUxpYW4xEzARBgNVBAoTCmt1YmVybmV0ZXMxEzARBgNVBAsTCmt1YmVybmV0ZXMxEzARBgNVBAMTCmt1YmVybmV0ZXMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDKeqktIT2LcX38w04MggMfm8oMZZOQYCiijLYWrSZyzCZ9fRjtZisHKvIs7Gu1G9Ut20gukfy430/EBQNtLe0TK8XdD3n4oQGEa8Z7KB9JhoyZzcfl6yPiRiZ0nTioSgQXadKDb4uSf6BtppQMfhgra6em1Ndhuq23Pww0ec1nwonhqz+Nm6ApvpZOODIhiAGPSCnZaM8cBjgMDbrSOA/elyQpTGvZ857+rh/exumhgJn5bnFV6Wd3T8b5psM3jcl7cqnUetxZJQhZDO7SSNZk+C1b4FxoxISZR+9fJ5i5F5B/Gh6hbAlsSq0W5xsm7cOn1Kl5itslcelM6V3dwHQdAgMBAAGggbkwgbYGCSqGSIb3DQEJDjGBqDCBpTCBogYDVR0RBIGaMIGXggsuMTAuMjU0LjAuMYIKa3ViZXJuZXRlc4ISa3ViZXJuZXRlcy5kZWZhdWx0ghZrdWJlcm5ldGVzLmRlZmF1bHQuc3Zjgh5rdWJlcm5ldGVzLmRlZmF1bHQuc3ZjLmNsdXN0ZXKCJGt1YmVybmV0ZXMuZGVmYXVsdC5zdmMuY2x1c3Rlci5sb2NhbIcEfwAAAYcEwKijeTANBgkqhkiG9w0BAQsFAAOCAQEAOc+3ICZVuFXJC17CY0GuIAPyB4PK/Ue/edmY680Zd5xMdO+lUGIPgyPNf+GdwRTNYVYLdiagRxL17B9WceLImo7WOKRVLjkRu2XXck7OuLiA1V+ZevTQOQq4FPtWkCVLtKTxijG2AIsMdRt8y0ORv5jMKmBGKM6T+K6Zw7uBRGaQ+nAxgAJLBaeTZnpUt5omTRkIxdNk/su/Nk5jxJaWMHnLg0Ehcp/qtbiAqxro2m/iL8fbYWA9y0HfSnBB9vEtXpYOwPH5dZvBWQ+pOliJZEmNkYtDRdCK+skfc1OsGfasYgLs6Z0A4fchztYzu6oPSQ0VnEsGmvjFpsFOBLEIbA==-----END CERTIFICATE REQUEST-----[root@liumiaocn cert]#

使用-verify选项验证CSR内容：

[root@liumiaocn cert]# openssl req -verify -noout -in server.csr verify OK[root@liumiaocn cert]#

获取申请者的公钥和申请的信息（Subject）

[root@liumiaocn cert]# openssl req -noout -in server.csr -subjectsubject=C = CN, ST = LiaoNing, L = DaLian, O = kubernetes, OU = kubernetes, CN = kubernetes[root@liumiaocn cert]# openssl req -noout -in server.csr -pubkey-----BEGIN PUBLIC KEY-----MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAynqpLSE9i3F9/MNODIIDH5vKDGWTkGAoooy2Fq0mcswmfX0Y7WYrByryLOxrtRvVLdtILpH8uN9PxAUDbS3tEyvF3Q95+KEBhGvGeygfSYaMmc3H5esj4kYmdJ04qEoEF2nSg2+Lkn+gbaaUDH4YK2unptTXYbqttz8MNHnNZ8KJ4as/jZugKb6WTjgyIYgBj0gp2WjPHAY4DA260jgP3pckKUxr2fOe/q4f3sbpoYCZ+W5xVelnd0/G+abDN43Je3Kp1HrcWSUIWQzu0kjWZPgtW+BcaMSEmUfvXyeYuReQfxoeoWwJbEqtFucbJu3Dp9SpeYrbJXHpTOld3cB0HQIDAQAB-----END PUBLIC KEY-----

整个CSR的详细信息如下所示

[root@liumiaocn cert]# openssl req -in server.csr -noout -textCertificate Request:    Data:        Version: 1 (0x0)        Subject: C = CN, ST = LiaoNing, L = DaLian, O = kubernetes, OU = kubernetes, CN = kubernetes        Subject Public Key Info:            Public Key Algorithm: rsaEncryption                RSA Public-Key: (2048 bit)                Modulus:                    00:ca:7a:a9:2d:21:3d:8b:71:7d:fc:c3:4e:0c:82:                    03:1f:9b:ca:0c:65:93:90:60:28:a2:8c:b6:16:ad:                    26:72:cc:26:7d:7d:18:ed:66:2b:07:2a:f2:2c:ec:                    6b:b5:1b:d5:2d:db:48:2e:91:fc:b8:df:4f:c4:05:                    03:6d:2d:ed:13:2b:c5:dd:0f:79:f8:a1:01:84:6b:                    c6:7b:28:1f:49:86:8c:99:cd:c7:e5:eb:23:e2:46:                    26:74:9d:38:a8:4a:04:17:69:d2:83:6f:8b:92:7f:                    a0:6d:a6:94:0c:7e:18:2b:6b:a7:a6:d4:d7:61:ba:                    ad:b7:3f:0c:34:79:cd:67:c2:89:e1:ab:3f:8d:9b:                    a0:29:be:96:4e:38:32:21:88:01:8f:48:29:d9:68:                    cf:1c:06:38:0c:0d:ba:d2:38:0f:de:97:24:29:4c:                    6b:d9:f3:9e:fe:ae:1f:de:c6:e9:a1:80:99:f9:6e:                    71:55:e9:67:77:4f:c6:f9:a6:c3:37:8d:c9:7b:72:                    a9:d4:7a:dc:59:25:08:59:0c:ee:d2:48:d6:64:f8:                    2d:5b:e0:5c:68:c4:84:99:47:ef:5f:27:98:b9:17:                    90:7f:1a:1e:a1:6c:09:6c:4a:ad:16:e7:1b:26:ed:                    c3:a7:d4:a9:79:8a:db:25:71:e9:4c:e9:5d:dd:c0:                    74:1d                Exponent: 65537 (0x10001)        Attributes:        Requested Extensions:            X509v3 Subject Alternative Name:                 DNS:.10.254.0.1, DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster, DNS:kubernetes.default.svc.cluster.local, IP Address:127.0.0.1, IP Address:192.168.163.121    Signature Algorithm: sha256WithRSAEncryption         39:cf:b7:20:26:55:b8:55:c9:0b:5e:c2:63:41:ae:20:03:f2:         07:83:ca:fd:47:bf:79:d9:98:eb:cd:19:77:9c:4c:74:ef:a5:         50:62:0f:83:23:cd:7f:e1:9d:c1:14:cd:61:56:0b:76:26:a0:         47:12:f5:ec:1f:56:71:e2:c8:9a:8e:d6:38:a4:55:2e:39:11:         bb:65:d7:72:4e:ce:b8:b8:80:d5:5f:99:7a:f4:d0:39:0a:b8:         14:fb:56:90:25:4b:b4:a4:f1:8a:31:b6:00:8b:0c:75:1b:7c:         cb:43:91:bf:98:cc:2a:60:46:28:ce:93:f8:ae:99:c3:bb:81:         44:66:90:fa:70:31:80:02:4b:05:a7:93:66:7a:54:b7:9a:26:         4d:19:08:c5:d3:64:fe:cb:bf:36:4e:63:c4:96:96:30:79:cb:         83:41:21:72:9f:ea:b5:b8:80:ab:1a:e8:da:6f:e2:2f:c7:db:         61:60:3d:cb:41:df:4a:70:41:f6:f1:2d:5e:96:0e:c0:f1:f9:         75:9b:c1:59:0f:a9:3a:58:89:64:49:8d:91:8b:43:45:d0:8a:         fa:c9:1f:73:53:ac:19:f6:ac:62:02:ec:e9:9d:00:e1:f7:21:         ce:d6:33:bb:aa:0f:49:0d:15:9c:4b:06:9a:f8:c5:a6:c1:4e:         04:b1:08:6c[root@liumiaocn cert]#

转载地址：https://liumiaocn.blog.csdn.net/article/details/103556952 如侵犯您的版权，请留言回复原文章的地址，我们会给您删除此文章，给您带来不便请您谅解！