B. Verifying TLS certificates

Taking the kubernetes certificate as the example:

Using the openssl command

```
$ openssl x509 -noout -text -in kubernetes.pem
...
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=BeiJing, L=BeiJing, O=k8s, OU=System, CN=Kubernetes
        Validity
            Not Before: Apr  5 05:36:00 2017 GMT
            Not After : Apr  5 05:36:00 2018 GMT
        Subject: C=CN, ST=BeiJing, L=BeiJing, O=k8s, OU=System, CN=kubernetes
...
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                DD:52:04:43:10:13:A9:29:24:17:3A:0E:D7:14:DB:36:F8:6C:E0:E0
            X509v3 Authority Key Identifier:
                keyid:44:04:3B:60:BD:69:78:14:68:AF:A0:41:13:F6:17:07:13:63:58:CD
            X509v3 Subject Alternative Name:
                DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster, DNS:kubernetes.default.svc.cluster.local, IP Address:127.0.0.1, IP Address:10.64.3.7, IP Address:10.254.0.1
...
```

  • Confirm that the Issuer field matches ca-csr.json;
  • Confirm that the Subject field matches kubernetes-csr.json;
  • Confirm that the X509v3 Subject Alternative Name field matches kubernetes-csr.json (the hosts list must contain every DNS name and IP that clients use to reach the API server, the cluster IP of the kubernetes service among them; a missing name is rejected by clients as a hostname mismatch even though the certificate itself verifies);
  • Confirm that the X509v3 Key Usage and Extended Key Usage fields match the kubernetes profile in ca-config.json.

Using the cfssl-certinfo command

```
$ cfssl-certinfo -cert kubernetes.pem
...
{
  "subject": {
    "common_name": "kubernetes",
    "country": "CN",
    "organization": "k8s",
    "organizational_unit": "System",
    "locality": "BeiJing",
    "province": "BeiJing",
    "names": [
      "CN",
      "BeiJing",
      "BeiJing",
      "k8s",
      "System",
      "kubernetes"
    ]
  },
  "issuer": {
    "common_name": "Kubernetes",
    "country": "CN",
    "organization": "k8s",
    "organizational_unit": "System",
    "locality": "BeiJing",
    "province": "BeiJing",
    "names": [
      "CN",
      "BeiJing",
      "BeiJing",
      "k8s",
      "System",
      "Kubernetes"
    ]
  },
  "serial_number": "174360492872423263473151971632292895707129022309",
  "sans": [
    "kubernetes",
    "kubernetes.default",
    "kubernetes.default.svc",
    "kubernetes.default.svc.cluster",
    "kubernetes.default.svc.cluster.local",
    "127.0.0.1",
    "10.64.3.7",
    "10.64.3.8",
    "10.66.3.86",
    "10.254.0.1"
  ],
  "not_before": "2017-04-05T05:36:00Z",
  "not_after": "2018-04-05T05:36:00Z",
  "sigalg": "SHA256WithRSA",
...
```

Verifying that the certificate was signed by the CA certificate

openssl verify checks the signature chain and the validity period only; it does not check that a hostname or IP matches the SAN list, so the field checks above are still required.

Correct case:

```
$ openssl verify -CAfile /etc/kubernetes/cert/ca.pem /etc/kubernetes/cert/kubernetes.pem
/etc/kubernetes/cert/kubernetes.pem: OK
```

Failure case (a CA that did not issue the certificate, here ca_wrong.pem):

```
$ openssl verify -CAfile ca_wrong.pem /etc/kubernetes/cert/kubernetes.pem
/etc/kubernetes/cert/kubernetes.pem: C = CN, ST = BeiJing, L = BeiJing, O = k8s, OU = 4Paradigm, CN = kubernetes
error 20 at 0 depth lookup:unable to get local issuer certificate
```
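The checks of this section worked end to end in Go, as an added example that is not code from the deployment guide or from cfssl. It is written against Go's crypto/x509 (the verifier kube-apiserver and kubelet themselves use, since both are Go programs using crypto/tls) instead of shelling out to openssl, so that it runs offline without the page's key material: it generates a stand-in CA and a kubernetes server certificate, applies the four field checks from the bullet list, then performs the chain check, including the wrong-CA failure. The expected SAN list is copied from the openssl output above; the P-256 keys, serial numbers, validity window, the reduced Subject (O and CN only) and the "wrong-ca" name are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// What kubernetes-csr.json and the "kubernetes" profile in ca-config.json should produce; SANs as in the openssl output above.
var (
	expectedIssuerCN, expectedSubjectCN = "Kubernetes", "kubernetes"
	expectedDNS                         = []string{"kubernetes", "kubernetes.default", "kubernetes.default.svc",
		"kubernetes.default.svc.cluster", "kubernetes.default.svc.cluster.local"}
	expectedIPs      = []net.IP{net.ParseIP("127.0.0.1"), net.ParseIP("10.64.3.7"), net.ParseIP("10.254.0.1")}
	expectedKeyUsage = x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment
	expectedEKU      = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
)

// sign generates a P-256 key for tmpl (assumption; the guide uses RSA) and signs tmpl with parent/parentKey, self-signing when parent is nil.
func sign(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// newCA stands in for the cfssl-generated ca.pem / ca-key.pem.
func newCA(cn string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	return sign(&x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{Organization: []string{"k8s"}, CommonName: cn},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}, nil, nil)
}

// issueServerCert mimics the "kubernetes" profile: CA:FALSE, digitalSignature+keyEncipherment,
// serverAuth+clientAuth, and the requested DNS and IP SANs.
func issueServerCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, dns []string, ips []net.IP) (*x509.Certificate, error) {
	cert, _, err := sign(&x509.Certificate{SerialNumber: big.NewInt(2),
		Subject:               pkix.Name{Organization: []string{"k8s"}, CommonName: expectedSubjectCN},
		BasicConstraintsValid: true, KeyUsage: expectedKeyUsage, ExtKeyUsage: expectedEKU,
		DNSNames: dns, IPAddresses: ips}, ca, caKey)
	return cert, err
}

// checkFields is the programmatic form of the four bullet checks above. SANs are compared
// in order, because cfssl emits them in the order of the "hosts" list in the CSR JSON.
func checkFields(cert *x509.Certificate, dns []string, ips []net.IP) error {
	switch {
	case cert.Issuer.CommonName != expectedIssuerCN || cert.Subject.CommonName != expectedSubjectCN:
		return fmt.Errorf("issuer/subject CN %q/%q, want %q/%q", cert.Issuer.CommonName, cert.Subject.CommonName, expectedIssuerCN, expectedSubjectCN)
	case fmt.Sprint(cert.DNSNames, cert.IPAddresses) != fmt.Sprint(dns, ips):
		return fmt.Errorf("SANs %v %v, want %v %v", cert.DNSNames, cert.IPAddresses, dns, ips)
	case cert.IsCA || cert.KeyUsage != expectedKeyUsage || fmt.Sprint(cert.ExtKeyUsage) != fmt.Sprint(expectedEKU):
		return fmt.Errorf("CA=%v, key usage %#x, EKU %v do not match the kubernetes profile", cert.IsCA, cert.KeyUsage, cert.ExtKeyUsage)
	}
	return nil
}

// verifyChain is what `openssl verify -CAfile ca.pem kubernetes.pem` does plus the hostname match a TLS
// client adds; a CA that did not sign the leaf yields x509.UnknownAuthorityError, Go's counterpart of openssl's error 20.
func verifyChain(cert, ca *x509.Certificate, name string) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: name,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	return err
}

func isUnknownAuthority(err error) bool {
	_, ok := err.(x509.UnknownAuthorityError)
	return ok
}

func main() {
	ca, caKey, err := newCA(expectedIssuerCN)
	if err != nil {
		panic(err)
	}
	leaf, err := issueServerCert(ca, caKey, expectedDNS, expectedIPs)
	if err != nil {
		panic(err)
	}
	wrongCA, _, _ := newCA("wrong-ca") // plays the role of ca_wrong.pem above
	fmt.Println("fields:  ", checkFields(leaf, expectedDNS, expectedIPs))
	fmt.Println("right CA:", verifyChain(leaf, ca, "kubernetes.default.svc"))
	fmt.Println("wrong CA:", verifyChain(leaf, wrongCA, "kubernetes"))
}
```

Run it with go run. checkFields and verifyChain both return nil for the correctly issued certificate, and verifyChain against the stand-in for ca_wrong.pem returns an x509.UnknownAuthorityError, the counterpart of the "unable to get local issuer certificate" line above. Because Go's verifier also enforces the name against the SAN list, an address that is missing from the hosts list of kubernetes-csr.json shows up here as an error even though openssl verify alone would still print OK.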