Chrome下可用的的Kubernetes Dashboard证书的制作

在前面的文章中介绍了Dashboard 2.0.0的部署和使用方法，但是在Chrome 58+的版本无法使用，这篇文章用于memo和整理一下对应方法。

证书请求文件：CSR

[root@host131 k8s]# cat dashboard-csr.config 
[ req ]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn

[ dn ]
C = CN
ST = LiaoNing 
L = DaLian
O = K8S
OU = System
CN = kubernetes-dashboard

[ req_ext ]
subjectAltName = @alt_names

[ v3_ext ]
authorityKeyIdentifier=keyid,issuer:always
basicConstraints=CA:FALSE
keyUsage=keyEncipherment,dataEncipherment
extendedKeyUsage=serverAuth,clientAuth
subjectAltName=@alt_names

[ alt_names ]
DNS.1 = 192.168.163.131
[root@host131 k8s]# 

生成私钥

[root@host131 k8s]# openssl genrsa -out cert-dashboard-key.pem 2048
Generating RSA private key, 2048 bit long modulus
.....+++
.............................................................................................................................................................................................................+++
e is 65537 (0x10001)
[root@host131 k8s]# ls cert-dashboard-key.pem 
cert-dashboard-key.pem
[root@host131 k8s]# 

生成CSR文件

[root@host131 k8s]# openssl req -new -key cert-dashboard-key.pem -out dashboard.csr -config dashboard-csr.config
[root@host131 k8s]# 
[root@host131 k8s]# ls dashboard*
dashboard.csr  dashboard-csr.config
[root@host131 k8s]# 

生成证书文件

[root@host131 k8s]# openssl x509 -req -in dashboard.csr -CA /etc/ssl/ca/ca.pem -CAkey /etc/ssl/ca/ca-key.pem -CAcreateserial -out cert-dashboard.pem -days 10000 -extensions v3_ext -extfile dashboard-csr.config
Signature ok
subject=/C=CN/ST=LiaoNing/L=DaLian/O=K8S/OU=System/CN=kubernetes-dashboard
Getting CA Private Key
[root@host131 k8s]# 

证书确认

[root@host131 k8s]# openssl x509 -in dashboard.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            96:73:f3:1c:62:51:11:52
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=LiaoNing, L=DaLian, O=K8S, OU=System, CN=kubernetes
        Validity
            Not Before: Feb  1 10:01:04 2020 GMT
            Not After : Jun 19 10:01:04 2047 GMT
        Subject: C=CN, ST=LiaoNing, L=DaLian, O=K8S, OU=System, CN=kubernetes-dashboard
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:b6:29:a2:8c:3a:4d:54:bf:fa:71:e6:32:9f:be:
                    c1:04:02:20:5f:11:3e:d2:da:f6:30:39:54:a7:7e:
                    b7:8c:21:2f:c9:53:73:91:dd:80:51:16:27:35:48:
                    01:90:38:2f:71:97:60:c0:8e:8c:10:5e:f2:e7:d8:
                    6d:4b:bd:81:70:5f:8a:0e:4f:c1:29:32:5e:cb:c5:
                    e1:f9:65:59:60:b9:42:b1:50:65:d1:2b:e8:2f:bd:
                    6d:64:1e:e1:89:3b:fb:53:d3:f7:75:4e:f9:d3:0f:
                    7e:24:3a:81:68:dd:2b:5f:8b:74:38:b6:14:c2:52:
                    e6:68:bf:05:66:00:fd:e9:53:f6:e3:6f:36:c7:96:
                    cc:98:51:8a:69:6b:96:ed:47:63:24:3f:d8:b1:8c:
                    c2:2d:4a:c6:a7:7f:45:27:2a:56:8e:91:78:f2:81:
                    53:74:e9:be:a0:be:bb:1c:b0:1f:22:68:44:44:61:
                    af:6f:b7:2e:aa:f8:9e:f4:03:2d:0f:68:70:7e:0c:
                    46:53:30:f2:b6:ad:a3:43:8f:3c:7f:a4:fb:af:d4:
                    32:73:fa:88:40:b4:74:d5:c9:44:dd:06:52:93:52:
                    f0:a2:0d:ec:e5:08:fb:10:fb:d8:07:7a:a6:56:72:
                    a2:b5:34:4f:8d:c5:cf:96:b8:be:c6:e0:35:6f:2f:
                    cb:b9
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier: 
                keyid:B9:D4:4A:BA:8B:F4:44:21:0E:99:B0:7D:0D:4D:C6:10:3E:EB:98:7A
                DirName:/C=CN/ST=LiaoNing/L=DaLian/O=K8S/OU=System/CN=kubernetes
                serial:79:EE:52:BF:6D:30:05:64:4E:E8:4A:38:8F:5C:8E:77:E5:71:37:3D

            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 Key Usage: 
                Key Encipherment, Data Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Subject Alternative Name: 
                DNS:192.168.163.131
    Signature Algorithm: sha256WithRSAEncryption
         76:f4:ab:dc:9f:5b:75:8a:c1:5c:0d:aa:0d:9a:d0:fb:8c:de:
         69:71:09:2b:a7:94:60:3e:ed:53:61:53:d3:09:e9:31:6f:7e:
         72:aa:72:e4:22:12:89:ed:b9:fe:1e:85:4a:ba:87:a7:f1:e5:
         3f:39:f8:7e:c4:88:a3:f2:c9:3c:0f:4a:c2:53:e4:8b:c7:93:
         56:f9:63:48:81:5a:82:44:1e:6d:d8:8f:24:1a:8d:4b:a3:8f:
         27:ea:af:9e:83:77:ac:65:aa:9b:dc:61:86:5a:0d:dd:12:3c:
         71:e5:b1:e8:4b:aa:24:49:20:65:c7:71:2f:e0:b7:ad:49:38:
         2d:57:30:bf:2e:c7:00:37:dc:de:03:58:16:ae:ce:36:8c:f7:
         42:7e:37:d4:cd:3a:6a:a4:f6:3e:2d:65:a2:da:ed:08:ac:82:
         c5:17:43:25:0c:06:9d:6e:e1:69:7a:b2:74:9b:5d:aa:7e:7f:
         6f:61:f2:1e:63:bc:04:7e:6a:9c:22:1c:3d:26:b0:7a:4c:86:
         60:5b:a7:e1:db:66:6b:a9:d4:7f:a8:e1:bc:2b:f2:20:a3:f0:
         6b:ae:15:27:ea:2b:51:7f:5e:83:db:be:16:94:1d:44:a4:d2:
         74:da:f1:53:9e:54:8e:4d:ea:3f:22:01:37:dc:9f:07:4e:3d:
         80:fe:df:b6
[root@host131 k8s]#

可以看到此处已经生成了可用的扩展的Subject Alternative Name

尚存问题点

将CA证书以及创建的dashboard的证书都导入到信任链中，仍然无法使用Chrome 58+，后续将继续确认此问题。
注：之前的1.10.1的Dashboard版本可以正常使用。有些文章中将CN设定为域名或者IP解决了此问题，但我本机实验的问题中查看信息详情中缺少Subject Alternative Name，而在之前其他的https的证书中Chrome也有类似的问题，通过本文示例方式的修改已成功，在此版的dashboard中还尚未成功。