yuanying · January 8, 2020 10:00
diff --git a/ca.rb b/ca.rb
 require 'openssl'
 OpenSSL::Random.seed File.read('/dev/random', 16)

 root_key = OpenSSL::PKey::RSA.new 2048 # the CA's public/private key
 root_ca = OpenSSL::X509::Certificate.new

 root_ca.version = 2 # cf. RFC 5280 - to make it a "v3" certificate
 root_ca.serial = 1
 root_ca.subject = OpenSSL::X509::Name.parse "/CN=kube-ca"
 root_ca.issuer = root_ca.subject # root CA's are "self-signed"
 root_ca.public_key = root_key.public_key
 root_ca.not_before = Time.now
 root_ca.not_after = root_ca.not_before + 2 * 365 * 24 * 60 * 60 # 2 years validity
 ef = OpenSSL::X509::ExtensionFactory.new
 ef.subject_certificate = root_ca
 ef.issuer_certificate = root_ca
 root_ca.add_extension(ef.create_extension("basicConstraints","CA:TRUE",true))
 root_ca.add_extension(ef.create_extension("keyUsage","keyCertSign, cRLSign", true))
 root_ca.add_extension(ef.create_extension("subjectKeyIdentifier","hash",false))
 root_ca.add_extension(ef.create_extension("authorityKeyIdentifier","keyid:always",false))
 root_ca.sign(root_key, OpenSSL::Digest::SHA256.new)

 File.open 'tmp/ca.key', 'wb' do |f|
  f.write root_key.export(nil, nil)
 end

 File.open 'tmp/ca.crt', 'wb' do |f|
  f.write root_ca.to_pem
 end
diff --git a/server.rb b/server.rb
 require 'openssl'
 OpenSSL::Random.seed File.read('/dev/random', 16)

 root_key = OpenSSL::PKey::RSA.new File.read('tmp/ca.key')
 root_ca = OpenSSL::X509::Certificate.new(File.read('tmp/ca.crt'))

 key = OpenSSL::PKey::RSA.new 2048
 cert = OpenSSL::X509::Certificate.new
 cert.version = 2
 cert.serial = 2
 cert.subject = OpenSSL::X509::Name.parse "/CN=kube-client"
 cert.issuer = root_ca.subject # root CA is the issuer
 cert.public_key = key.public_key
 cert.not_before = Time.now
 cert.not_after = cert.not_before + 1 * 365 * 24 * 60 * 60 # 1 years validity
 ef = OpenSSL::X509::ExtensionFactory.new
 ef.subject_certificate = cert
 ef.issuer_certificate = root_ca
 cert.add_extension(ef.create_extension("basicConstraints","CA:FALSE",true))
 cert.add_extension(ef.create_extension("keyUsage","nonRepudiation, digitalSignature, keyEncipherment", true))
 cert.add_extension(ef.create_extension("extendedKeyUsage","clientAuth, serverAuth",true))
 cert.add_extension(ef.create_extension("subjectAltName","DNS:kubernetes,DNS:kubernetes.default,DNS:kubernetes.default.svc,DNS:kubernetes.default.svc.cluster.local",true))
 cert.sign(root_key, OpenSSL::Digest::SHA256.new)

 File.open 'tmp/server.key', 'wb' do |f|
  f.write key.export(nil, nil)
 end

 File.open 'tmp/server.crt', 'wb' do |f|
  f.write cert.to_pem
 end
	require 'openssl'
	OpenSSL::Random.seed File.read('/dev/random', 16)

	root_key = OpenSSL::PKey::RSA.new 2048 # the CA's public/private key
	root_ca = OpenSSL::X509::Certificate.new

	root_ca.version = 2 # cf. RFC 5280 - to make it a "v3" certificate
	root_ca.serial = 1
	root_ca.subject = OpenSSL::X509::Name.parse "/CN=kube-ca"
	root_ca.issuer = root_ca.subject # root CA's are "self-signed"
	root_ca.public_key = root_key.public_key
	root_ca.not_before = Time.now
	root_ca.not_after = root_ca.not_before + 2 * 365 * 24 * 60 * 60 # 2 years validity
	ef = OpenSSL::X509::ExtensionFactory.new
	ef.subject_certificate = root_ca
	ef.issuer_certificate = root_ca
	root_ca.add_extension(ef.create_extension("basicConstraints","CA:TRUE",true))
	root_ca.add_extension(ef.create_extension("keyUsage","keyCertSign, cRLSign", true))
	root_ca.add_extension(ef.create_extension("subjectKeyIdentifier","hash",false))
	root_ca.add_extension(ef.create_extension("authorityKeyIdentifier","keyid:always",false))
	root_ca.sign(root_key, OpenSSL::Digest::SHA256.new)

	File.open 'tmp/ca.key', 'wb' do \|f\|
	f.write root_key.export(nil, nil)
	end

	File.open 'tmp/ca.crt', 'wb' do \|f\|
	f.write root_ca.to_pem
	end
	require 'openssl'
	OpenSSL::Random.seed File.read('/dev/random', 16)

	root_key = OpenSSL::PKey::RSA.new File.read('tmp/ca.key')
	root_ca = OpenSSL::X509::Certificate.new(File.read('tmp/ca.crt'))

	key = OpenSSL::PKey::RSA.new 2048
	cert = OpenSSL::X509::Certificate.new
	cert.version = 2
	cert.serial = 2
	cert.subject = OpenSSL::X509::Name.parse "/CN=kube-client"
	cert.issuer = root_ca.subject # root CA is the issuer
	cert.public_key = key.public_key
	cert.not_before = Time.now
	cert.not_after = cert.not_before + 1 * 365 * 24 * 60 * 60 # 1 years validity
	ef = OpenSSL::X509::ExtensionFactory.new
	ef.subject_certificate = cert
	ef.issuer_certificate = root_ca
	cert.add_extension(ef.create_extension("basicConstraints","CA:FALSE",true))
	cert.add_extension(ef.create_extension("keyUsage","nonRepudiation, digitalSignature, keyEncipherment", true))
	cert.add_extension(ef.create_extension("extendedKeyUsage","clientAuth, serverAuth",true))
	cert.add_extension(ef.create_extension("subjectAltName","DNS:kubernetes,DNS:kubernetes.default,DNS:kubernetes.default.svc,DNS:kubernetes.default.svc.cluster.local",true))
	cert.sign(root_key, OpenSSL::Digest::SHA256.new)

	File.open 'tmp/server.key', 'wb' do \|f\|
	f.write key.export(nil, nil)
	end

	File.open 'tmp/server.crt', 'wb' do \|f\|
	f.write cert.to_pem
	end