更新kubeadm安装的K8S的CA

使用已有的证书和私钥生成CSR

openssl x509 -in ca.crt -signkey ca.key -x509toreq -out domain.csr

查看csr证书请求文件

openssl req -text -noout -in domain.csr

创建V3扩展文件

可以根据源证书的扩展适当修改，当前为v1.18.18集群

cat << 'EOF' > ca_v3.ext
keyUsage           = critical, digitalSignature, keyEncipherment, keyCertSign
basicConstraints   = critical, CA:true
EOF

生成自签名证书

openssl x509 -req -days 365 -sha256 -CAcreateserial -extfile ca_v3.ext -in domain.csr -signkey ca.key -out ca_new.crt

查看证书内容

openssl x509 -text -noout -in ca_new.crt

V3扩展中keyUsage说明

keyUsage的配置	实际证书中的呈现	说明
digitalSignature	Digital Signature	必选
nonRepudiation	Non Repudiation
keyEncipherment	Key Encipherment	必选
dataEncipherment	Data Encipherment
keyAgreement	Key Agreement
keyCertSign	Certificate Sign	必选
cRLSign	CRL Sign
encipherOnly	Encipher Only
decipherOnly	Decipher Only

CA证书示例

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=kubernetes
        Validity
            Not Before: Apr 24 05:47:52 2021 GMT
            Not After : Apr 22 05:47:52 2031 GMT
        Subject: CN=kubernetes
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:a7:31:98:cb:76:32:74:2c:6a:87:b3:57:90:98:
                    2e:c9:00:c9:4e:73:08:c1:66:6a:85:54:c4:b3:13:
                    6c:4b:f6:9b:41:7a:49:cd:ec:f4:de:20:62:c1:5a:
                    26:64:98:a6:fa:5d:1a:0c:f6:cd:83:f4:30:09:e6:
                    43:59:2c:c1:c4:01:fe:79:94:97:f8:3b:21:74:9f:
                    21:f7:32:3b:c6:57:a1:88:f8:4e:f1:74:23:0b:fb:
                    21:28:37:c1:53:b4:30:89:69:3f:f5:df:ba:9e:53:
                    19:e1:f5:4c:b4:38:3e:8c:bc:d9:d8:66:a5:6b:4c:
                    94:fe:49:a3:2f:31:ce:36:4a:63:87:8f:5f:ba:30:
                    d5:d7:26:0e:b5:ec:6c:ac:39:21:7d:4c:9e:4e:9d:
                    40:e3:dc:54:ec:de:c5:55:c2:50:29:b7:29:51:f0:
                    09:76:09:f6:39:a8:40:6b:b7:a3:c1:03:b3:72:7c:
                    cb:99:20:99:14:30:41:c8:9e:a4:83:3f:4b:18:36:
                    2c:bd:dc:d8:0e:ae:a3:99:8f:36:b4:61:4c:c2:db:
                    e2:ad:e4:26:d3:d4:7a:0e:04:fa:98:89:bc:65:1d:
                    e0:80:f1:b7:02:1a:f0:48:14:94:f1:c3:a0:05:06:
                    7a:40:08:e8:bf:ce:37:c6:ec:fc:a1:e7:0d:cc:3f:
                    04:89
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Certificate Sign
            X509v3 Basic Constraints: critical
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
         10:a8:69:31:d6:fd:09:77:53:7d:50:9e:e0:f1:fd:de:70:97:
         e4:f8:03:96:76:7f:6e:01:60:8e:71:e2:a9:60:c7:b4:eb:e8:
         24:96:bb:42:53:47:98:ee:46:8d:12:7b:f4:38:95:e4:bd:e4:
         51:61:b7:e3:c2:db:e3:64:f6:ae:6a:f0:87:03:7c:73:5e:71:
         9f:ec:95:7f:ee:5c:0f:3a:5a:0f:a8:08:30:a9:ea:d2:8f:44:
         f6:9d:e5:f7:fc:dd:9d:a9:a8:11:d9:e5:d6:7c:8d:f4:af:93:
         7b:75:ec:15:63:9e:e6:fa:81:bb:fd:82:18:c6:bd:1b:e6:de:
         70:27:8e:8d:14:3d:f2:47:84:e3:bd:04:44:4a:93:1f:e6:f4:
         36:ec:b2:4d:0a:44:62:d6:a7:08:79:a4:73:a2:a3:4d:a1:66:
         36:17:0e:0f:d9:57:25:94:f9:a2:f0:a8:e6:32:24:7e:ba:50:
         4f:08:8c:40:3c:92:af:97:da:63:9f:2b:6b:c1:6d:3a:f7:e7:
         28:6b:40:7c:6f:0c:fb:98:a6:48:cb:4d:be:5d:8d:3a:d5:4e:
         ad:9e:c7:aa:bd:30:59:5a:67:c5:99:e1:53:5a:d6:3b:fd:87:
         5b:b3:01:0e:f2:75:4f:f5:be:a0:45:57:ca:dc:2e:03:c0:db:
         3f:3c:71:08

打赏