k8s master node certificates & private keys
$ ll -R /etc/kubernetes/pki/
/etc/kubernetes/pki/:
total 60
-rw-r--r--. 1 root root 1233 Mar 3 2022 apiserver.crt
-rw-r--r--. 1 root root 1090 Mar 3 2022 apiserver-etcd-client.crt
-rw-------. 1 root root 1679 Mar 3 2022 apiserver-etcd-client.key
-rw-------. 1 root root 1679 Mar 3 2022 apiserver.key
-rw-r--r--. 1 root root 1099 Mar 3 2022 apiserver-kubelet-client.crt
-rw-------. 1 root root 1679 Mar 3 2022 apiserver-kubelet-client.key
-rw-------. 1 root root 1025 Mar 3 2022 ca.crt
-rw-------. 1 root root 1679 Mar 3 2022 ca.key
drwxr-xr-x. 2 root root 4096 Mar 3 2022 etcd
-rw-------. 1 root root 1038 Mar 3 2022 front-proxy-ca.crt
-rw-------. 1 root root 1675 Mar 3 2022 front-proxy-ca.key
-rw-r--r--. 1 root root 1058 Mar 3 2022 front-proxy-client.crt
-rw-------. 1 root root 1679 Mar 3 2022 front-proxy-client.key
-rw-------. 1 root root 1675 Mar 3 2022 sa.key
-rw-------. 1 root root 451 Mar 3 2022 sa.pub
/etc/kubernetes/pki/etcd:
total 32
-rw-------. 1 root root 1017 Mar 3 2022 ca.crt
-rw-------. 1 root root 1679 Mar 3 2022 ca.key
-rw-r--r--. 1 root root 1094 Mar 3 2022 healthcheck-client.crt
-rw-------. 1 root root 1679 Mar 3 2022 healthcheck-client.key
-rw-r--r--. 1 root root 1139 Mar 3 2022 peer.crt
-rw-------. 1 root root 1675 Mar 3 2022 peer.key
-rw-r--r--. 1 root root 1139 Mar 3 2022 server.crt
-rw-------. 1 root root 1675 Mar 3 2022 server.key
$ tree /etc/kubernetes/pki/
/etc/kubernetes/pki/
├── apiserver.crt
├── apiserver-etcd-client.crt
├── apiserver-etcd-client.key
├── apiserver.key
├── apiserver-kubelet-client.crt
├── apiserver-kubelet-client.key
├── ca.crt
├── ca.key
├── etcd
│ ├── ca.crt
│ ├── ca.key
│ ├── healthcheck-client.crt
│ ├── healthcheck-client.key
│ ├── peer.crt
│ ├── peer.key
│ ├── server.crt
│ └── server.key
├── front-proxy-ca.crt
├── front-proxy-ca.key
├── front-proxy-client.crt
├── front-proxy-client.key
├── sa.key
└── sa.pub
1 directory, 22 files
$ find /etc/kubernetes/pki/ -type f -name "*ca*"
/etc/kubernetes/pki/ca.crt
/etc/kubernetes/pki/ca.key
/etc/kubernetes/pki/front-proxy-ca.key
/etc/kubernetes/pki/front-proxy-ca.crt
/etc/kubernetes/pki/etcd/ca.crt
/etc/kubernetes/pki/etcd/ca.key
$ find /etc/kubernetes/pki/ -type f -name "*crt*"
/etc/kubernetes/pki/ca.crt
/etc/kubernetes/pki/front-proxy-ca.crt
/etc/kubernetes/pki/front-proxy-client.crt
/etc/kubernetes/pki/etcd/ca.crt
/etc/kubernetes/pki/etcd/peer.crt
/etc/kubernetes/pki/etcd/server.crt
/etc/kubernetes/pki/etcd/healthcheck-client.crt
/etc/kubernetes/pki/apiserver-kubelet-client.crt
/etc/kubernetes/pki/apiserver-etcd-client.crt
/etc/kubernetes/pki/apiserver.crt
k8s master certificate details
$ openssl x509 -noout -text -in /etc/kubernetes/pki/ca.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 0 (0x0)
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=kubernetes
Validity
Not Before: Mar 3 09:13:52 2022 GMT
Not After : Feb 29 09:13:52 2032 GMT
Subject: CN=kubernetes
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment, Certificate Sign
X509v3 Basic Constraints: critical
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
$ openssl x509 -noout -text -in /etc/kubernetes/pki/front-proxy-ca.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 0 (0x0)
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=front-proxy-ca
Validity
Not Before: Mar 3 09:13:53 2022 GMT
Not After : Feb 29 09:13:53 2032 GMT
Subject: CN=front-proxy-ca
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment, Certificate Sign
X509v3 Basic Constraints: critical
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
$ openssl x509 -noout -text -in /etc/kubernetes/pki/front-proxy-client.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 4797749263815225329 (0x429507892f192ff1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=front-proxy-ca
Validity
Not Before: Mar 3 09:13:53 2022 GMT
Not After : Feb 29 09:13:53 2032 GMT
Subject: CN=front-proxy-client
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Client Authentication
Signature Algorithm: sha256WithRSAEncryption
$ openssl x509 -noout -text -in /etc/kubernetes/pki/etcd/ca.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 0 (0x0)
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=etcd-ca
Validity
Not Before: Mar 3 09:13:53 2022 GMT
Not After : Feb 29 09:13:53 2032 GMT
Subject: CN=etcd-ca
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment, Certificate Sign
X509v3 Basic Constraints: critical
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
$ openssl x509 -noout -text -in /etc/kubernetes/pki/etcd/peer.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1814954491550150683 (0x1930037e7858b01b)
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=etcd-ca
Validity
Not Before: Mar 3 09:13:53 2022 GMT
Not After : Feb 29 09:13:54 2032 GMT
Subject: CN=k8s-master01
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Subject Alternative Name:
DNS:k8s-master01, DNS:localhost, IP Address:192.168.32.118, IP Address:127.0.0.1, IP Address:0:0:0:0:0:0:0:1
Signature Algorithm: sha256WithRSAEncryption
$ openssl x509 -noout -text -in /etc/kubernetes/pki/etcd/server.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 7623030010625775177 (0x69ca7167f77dd649)
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=etcd-ca
Validity
Not Before: Mar 3 09:13:53 2022 GMT
Not After : Feb 29 09:13:53 2032 GMT
Subject: CN=xt-master01
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Subject Alternative Name:
DNS:k8s-master01, DNS:localhost, IP Address:192.168.32.118, IP Address:127.0.0.1, IP Address:0:0:0:0:0:0:0:1
Signature Algorithm: sha256WithRSAEncryption
$ openssl x509 -noout -text -in /etc/kubernetes/pki/etcd/healthcheck-client.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 8004803561295611020 (0x6f16c66d7fce848c)
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=etcd-ca
Validity
Not Before: Mar 3 09:13:53 2022 GMT
Not After : Feb 29 09:13:54 2032 GMT
Subject: O=system:masters, CN=kube-etcd-healthcheck-client
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Client Authentication
Signature Algorithm: sha256WithRSAEncryption
$ openssl x509 -noout -text -in /etc/kubernetes/pki/apiserver-kubelet-client.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 8431620852154216009 (0x7503227e0d6dae49)
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=kubernetes
Validity
Not Before: Mar 3 09:13:52 2022 GMT
Not After : Feb 29 09:13:52 2032 GMT
Subject: O=system:masters, CN=kube-apiserver-kubelet-client
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Client Authentication
Signature Algorithm: sha256WithRSAEncryption
$ openssl x509 -noout -text -in /etc/kubernetes/pki/apiserver-etcd-client.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 6200613859956552918 (0x560d01741012f4d6)
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=etcd-ca
Validity
Not Before: Mar 3 09:13:53 2022 GMT
Not After : Feb 29 09:13:54 2032 GMT
Subject: O=system:masters, CN=kube-apiserver-etcd-client
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Client Authentication
Signature Algorithm: sha256WithRSAEncryption
$ openssl x509 -noout -text -in /etc/kubernetes/pki/apiserver.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 2014944918723765793 (0x1bf685ba5a822621)
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=kubernetes
Validity
Not Before: Mar 3 09:13:52 2022 GMT
Not After : Feb 29 09:13:52 2032 GMT
Subject: CN=kube-apiserver
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication
X509v3 Subject Alternative Name:
DNS:k8s-master01, DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster.local, IP Address:10.96.0.1, IP Address:192.168.32.118, IP Address:192.168.32.108
Signature Algorithm: sha256WithRSAEncryption
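X509v3 Subject Alternative Name (SAN) is an extension field in TLS certificates that specifies additional names associated with the certificate subject.
These additional names can be IP addresses, DNS names, e-mail addresses and so on, and they specify which services or hosts the certificate may be used for.
This field makes a certificate more flexible and usable, because it allows one certificate to apply to several different hosts or services at the same time.
For example, one TLS certificate can list several domain names, so there is no need to issue a separate certificate for each domain.
Of the certificates above, the ones that carry a SAN are: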
/etc/kubernetes/pki/etcd/peer.crt
/etc/kubernetes/pki/etcd/server.crt
/etc/kubernetes/pki/apiserver.crt
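The check a TLS client performs against the SAN can be reproduced from the `openssl x509 -noout -text` output shown above. The script below is an added example, not part of the original page: it extracts the SAN entries and tests whether a given name or IP is covered, using the etcd/server.crt output (Subject CN=xt-master01, SAN DNS:k8s-master01) as sample input. The function names are made up for illustration, and the wildcard handling goes beyond the certificates on this page.

```shell
#!/bin/sh
# Added example, not from the original page. Every function reads the text
# printed by `openssl x509 -noout -text` on stdin; function names are made up.

# Print one SAN entry per line ("DNS:name" or "IP:addr"); non-zero if no SAN.
san_entries() {
    awk '
        grab { san = $0; grab = 0; found = 1; next }
        /X509v3 Subject Alternative Name:/ { grab = 1 }
        END {
            if (!found) exit 1
            n = split(san, parts, ",")
            for (i = 1; i <= n; i++) {
                e = parts[i]
                gsub(/^[ \t]+|[ \t]+$/, "", e)
                sub(/^IP Address:/, "IP:", e)
                if (e != "") print e
            }
        }'
}

# Print the Subject CN; accepts both "CN=x" and the OpenSSL 1.1+ "CN = x".
subject_cn() {
    sed -n 's|^[[:space:]]*Subject:.*CN[[:space:]]*=[[:space:]]*\([^,]*\).*|\1|p' |
        head -n 1
}

# Succeed when host name or IP literal $1 matches a SAN entry. Names are only
# compared with DNS entries and IP literals only with IP entries. IPs are
# compared as text, so give IPv6 in the form openssl prints (0:0:0:0:0:0:0:1).
san_covers() {
    want=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    case $want in
        *:*)       want_kind=ip ;;    # IPv6 literal
        *[!0-9.]*) want_kind=dns ;;   # anything that is not digits and dots
        *)         want_kind=ip ;;    # IPv4 literal
    esac
    entries=$(san_entries | tr '[:upper:]' '[:lower:]')
    while IFS= read -r entry; do
        kind=${entry%%:*}
        val=${entry#*:}
        [ "$kind" = "$want_kind" ] || continue
        [ "$val" = "$want" ] && return 0
        case $val in
            \*.*)  # wildcard: "*.example.com" stands for exactly one label
                suffix=${val#\*}
                rest=${want%"$suffix"}
                if [ "$rest" != "$want" ] && [ -n "$rest" ]; then
                    case $rest in *.*) ;; *) return 0 ;; esac
                fi ;;
        esac
    done <<EOF
$entries
EOF
    return 1
}

# Succeed when the Subject CN is itself one of the SAN names. Host name
# verification uses the SAN when one is present, so a CN that is not listed
# there is a name clients will not accept for this certificate.
cn_in_san() {
    text=$(cat)
    cn=$(printf '%s\n' "$text" | subject_cn)
    [ -n "$cn" ] && printf '%s\n' "$text" | san_covers "$cn"
}

# Constructed sample: the etcd/server.crt output from this page, abridged.
sample_etcd_server_text() {
    cat <<'EOF'
Subject: CN=xt-master01
X509v3 Subject Alternative Name:
DNS:k8s-master01, DNS:localhost, IP Address:192.168.32.118, IP Address:127.0.0.1, IP Address:0:0:0:0:0:0:0:1
EOF
}

for name in k8s-master01 xt-master01 192.168.32.118; do
    sample_etcd_server_text | san_covers "$name" && r=covered || r="NOT covered"
    echo "$name: $r"
done
```

On a control-plane node the same functions take live input, for example `openssl x509 -noout -text -in /etc/kubernetes/pki/apiserver.crt | san_covers 10.96.0.1`.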