First, a caveat: a CA certificate you generate yourself is not from a publicly trusted authority. Chrome (and every other client) will flag a site that presents a certificate issued by it as not secure unless ca.crt has been imported into that client's trust store. This post only walks through the process.
The example scenario is issuing a certificate for the Kubernetes (k8s) dashboard:
- Create a directory to hold the certificates
mkdir -p /usr/program/ca && cd /usr/program/ca
- Generate the CA private key
openssl genrsa -out ca.key 2048
- Generate the self-signed CA certificate (CRT). This is the certificate clients must trust, not a request file; the file used to ask a CA for a certificate is the CSR created in the next step.
openssl req -new -x509 -key ca.key -out ca.crt -days 3650 -subj "/C=CN/ST=shanghai/L=jingan/O=dev/OU=island/CN=*.onebean.net"
Subject fields: CN=common name (here the CA's name; for a server certificate, the host name), OU=organizational unit, O=organization, L=city or locality, ST=state or province, C=two-letter country code. A wildcard in the CA's CN does not make it match any host: host name matching is done against the subjectAltName of the server certificate only.
- Generate the dashboard private key (KEY), the certificate signing request (CSR) and an extension file carrying the subjectAltName (SAN). Browsers match the host name or IP they connect to against the SAN entries, not against the CN. IP addresses belong only in IP: entries; a DNS: entry holding an IP address is never matched by any client.
openssl genrsa -out dashboard.key 2048 &&\
export ip=192.168.146.143 &&\
openssl req -new -sha256 -key dashboard.key -out dashboard.csr -subj "/C=CN/ST=shanghai/L=jingan/O=dev/OU=island/CN=dashboard.onebean.net" &&\
cat > dashboard.cnf <<EOF
extensions = san
[san]
keyUsage = digitalSignature
extendedKeyUsage = clientAuth,serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName = IP:$ip,IP:127.0.0.1,DNS:localhost,DNS:dashboard.onebean.net
EOF
Alternatively, omit the IP and specify only a domain name (clients must then connect using that name rather than the IP, since nothing else will match the SAN):
openssl genrsa -out dashboard.key 2048 &&\
openssl req -new -sha256 -key dashboard.key -out dashboard.csr -subj "/C=CN/ST=shanghai/L=jingan/O=dev/OU=island/CN=k8s.onebean.net" &&\
cat > dashboard.cnf <<EOF
extensions = san
[san]
keyUsage = digitalSignature
extendedKeyUsage = clientAuth,serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName = DNS:k8s.onebean.net
EOF
- Sign the CSR with the CA. The -extfile option is required: openssl x509 -req does not copy the extensions from the CSR by default, so without it the issued certificate has no SAN and no browser will accept it for the host. -CAcreateserial creates ca.srl, the file that tracks the CA's serial numbers.
openssl x509 -req -sha256 -days 3650 -in dashboard.csr -out dashboard.crt -CA ca.crt -CAkey ca.key -CAcreateserial -extfile dashboard.cnf
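The whole procedure as one script, followed by the checks worth running before loading the files into the dashboard. This is an added example, not code from the original post: the subject fields, host names and the IP are the post's, while the CA name "onebean dev CA", the temporary working directory and the 825-day lifetime of the leaf certificate are assumptions (Apple platforms reject TLS server certificates valid for longer than 825 days, even from a private CA, so the post's 3650 days is avoided for the leaf). The CA extensions are written out explicitly rather than relying on the [v3_ca] section of the system openssl.cnf, and the IP address is placed only in an IP: SAN entry.

```shell
#!/bin/sh
# Added example, not code from the original post: the procedure above as one
# script (private CA, dashboard key and CSR, SAN extension file, signing) plus
# the checks to run before loading the files into the dashboard. Subject fields,
# host names and the IP are the post's; the CA name "onebean dev CA", the
# temporary work directory and the 825-day leaf lifetime are assumptions.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
DASHBOARD_IP="${DASHBOARD_IP:-192.168.146.143}"
DASHBOARD_DNS="${DASHBOARD_DNS:-dashboard.onebean.net}"
SUBJ_BASE="/C=CN/ST=shanghai/L=jingan/O=dev/OU=island"

# Step 1: CA key and self-signed CA certificate. The CA extensions are written
# out explicitly instead of depending on the [v3_ca] section of openssl.cnf.
make_ca() {
  openssl genrsa -out "$WORKDIR/ca.key" 2048 2>/dev/null
  cat > "$WORKDIR/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -new -x509 -sha256 -days 3650 -config "$WORKDIR/ca.cnf" \
    -key "$WORKDIR/ca.key" -out "$WORKDIR/ca.crt" \
    -subj "$SUBJ_BASE/CN=onebean dev CA"
}

# Step 2: dashboard key, CSR and extension file. IP addresses go in IP: entries
# only: clients match an IP against iPAddress SANs, never against a dNSName.
make_csr() {
  openssl genrsa -out "$WORKDIR/dashboard.key" 2048 2>/dev/null
  openssl req -new -sha256 -key "$WORKDIR/dashboard.key" \
    -out "$WORKDIR/dashboard.csr" -subj "$SUBJ_BASE/CN=$DASHBOARD_DNS"
  cat > "$WORKDIR/dashboard.cnf" <<EOF
extensions = san
[san]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth,serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName = IP:$DASHBOARD_IP,IP:127.0.0.1,DNS:localhost,DNS:$DASHBOARD_DNS
EOF
}

# Step 3: sign with the CA. -extfile is what puts the SAN into the certificate;
# x509 -req does not copy extensions from the CSR unless told to.
sign_csr() {
  openssl x509 -req -sha256 -days 825 -in "$WORKDIR/dashboard.csr" \
    -CA "$WORKDIR/ca.crt" -CAkey "$WORKDIR/ca.key" -CAcreateserial \
    -extfile "$WORKDIR/dashboard.cnf" -out "$WORKDIR/dashboard.crt" 2>/dev/null
}

# Checks. chain_ok: dashboard.crt chains to ca.crt and is usable as a TLS
# server certificate. dns_name_ok / ip_ok: the name or IP a client will
# connect with matches a SAN entry, which is exactly the browser's test.
chain_ok() {
  openssl verify -CAfile "$WORKDIR/ca.crt" -purpose sslserver \
    "$WORKDIR/dashboard.crt" >/dev/null 2>&1
}
dns_name_ok() {
  openssl verify -CAfile "$WORKDIR/ca.crt" -verify_hostname "$1" \
    "$WORKDIR/dashboard.crt" >/dev/null 2>&1
}
ip_ok() {
  openssl verify -CAfile "$WORKDIR/ca.crt" -verify_ip "$1" \
    "$WORKDIR/dashboard.crt" >/dev/null 2>&1
}
# key_matches_cert: the key file really belongs to the certificate (a classic
# mix-up when several keys are generated in the same directory).
key_matches_cert() {
  [ "$(openssl x509 -in "$WORKDIR/dashboard.crt" -noout -pubkey)" = \
    "$(openssl pkey -in "$WORKDIR/dashboard.key" -pubout)" ]
}
# san_line: the SAN entries as openssl prints them, for a final visual check.
san_line() {
  openssl x509 -in "$WORKDIR/dashboard.crt" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1
}

make_ca
make_csr
sign_csr
chain_ok
key_matches_cert
dns_name_ok "$DASHBOARD_DNS"
ip_ok "$DASHBOARD_IP"
echo "certificates written to $WORKDIR"
san_line
```

Run it with WORKDIR=/usr/program/ca to write into the post's directory instead of a temporary one. The two openssl verify checks with -verify_hostname and -verify_ip are the ones to repeat whenever the dashboard's name or address changes: they fail the same way a browser does when the SAN does not cover what the client typed into the address bar.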