1.3.6. Replacing the management ingress certificate
You can replace the management ingress certificate.
1.3.6.1. Prerequisites for replacing the management ingress certificate
Have your management-ingress certificate and private key ready. If necessary, you can use OpenSSL to generate the TLS certificate. Set the common name parameter, CN, on the certificate to management-ingress. If you are generating the certificate, include the following settings:
Include the route name for Red Hat Advanced Cluster Management for Kubernetes as a domain name in the certificate's Subject Alternative Name (SAN) list.
- Service name for the management ingress: management-ingress.
- Include the route name for Red Hat Advanced Cluster Management for Kubernetes. Run the following command to retrieve the route name:
oc get route -n open-cluster-management
You might receive the following response:
multicloud-console.apps.grchub2.dev08.red-chesterfield.com
- Add the localhost IP address: 127.0.0.1.
- Add the localhost entry: localhost.
1.3.6.1.1. Example configuration file for generating a certificate
The following example configuration file and OpenSSL commands show how to generate a TLS certificate with OpenSSL. Review the following csr.cnf configuration file, which defines the settings that are used to generate the certificate with OpenSSL.
[ req ]  # Main settings
default_bits = 2048  # Default key size in bits.
prompt = no  # Disables prompting for certificate values so the configuration file values are used.
default_md = sha256  # Specifies the digest algorithm.
req_extensions = req_ext  # Specifies the configuration file section that includes any extensions.
distinguished_name = dn  # Specifies the section that includes the distinguished name information.
[ dn ]  # Distinguished name settings
C = US  # Country
ST = North Carolina  # State or province
L = Raleigh  # Locality
O = Red Hat Open Shift  # Organization
OU = Red Hat Advanced Container Management  # Organizational unit
CN = management-ingress  # Common name.
[ req_ext ]  # Extensions
subjectAltName = @alt_names  # Subject alternative names
[ alt_names ]  # Subject alternative names
DNS.1 = management-ingress
DNS.2 = multicloud-console.apps.grchub2.dev08.red-chesterfield.com
DNS.3 = localhost
IP.1 = 127.0.0.1  # An IP address belongs in an IP entry, not a DNS entry; TLS clients do not match an IP address against a DNS name.
[ v3_ext ]  # x509v3 extensions
authorityKeyIdentifier=keyid,issuer:always  # Identifies the public key that corresponds to the private key that is used to sign the certificate.
basicConstraints=CA:FALSE  # Indicates whether the certificate is a CA certificate during the certificate chain verification process.
#keyUsage=keyEncipherment,dataEncipherment  # Defines the purpose of the key that is contained in the certificate.
extendedKeyUsage=serverAuth  # Defines the purposes for which the public key can be used.
subjectAltName=@alt_names  # Identifies the subject alternative names for the identity that is bound to the public key by the CA.
Note: Be sure to update the marked SAN entry, DNS.2, with the correct hostname of your management ingress.
1.3.6.1.2. OpenSSL commands for generating a certificate
The following OpenSSL commands are used together with the preceding configuration file to generate the required TLS certificate.
Generate the RSA private key for your certificate authority (CA):
openssl genrsa -out ca.key 4096
Generate a self-signed CA certificate with your CA key:
openssl req -x509 -new -nodes -key ca.key -subj "/C=US/ST=North Carolina/L=Raleigh/O=Red Hat OpenShift" -days 400 -out ca.crt
Generate the RSA private key for your certificate:
openssl genrsa -out ingress.key 4096
Generate a certificate signing request (CSR) with the private key:
openssl req -new -key ingress.key -out ingress.csr -config csr.cnf
Generate the signed certificate with your CA certificate and key and the CSR:
openssl x509 -req -in ingress.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out ingress.crt -sha256 -days 300 -extensions v3_ext -extfile csr.cnf
Check the certificate content:
openssl x509 -noout -text -in ./ingress.crt
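As an added worked example, not part of the Red Hat documentation, the script below runs the same OpenSSL sequence against a trimmed csr.cnf and then checks the result (chain to the CA, validity period, and every required SAN entry) before the certificate is installed. The route host multicloud-console.apps.example.test and the organisation Example Org are constructed placeholders; the ca_ext section, which marks the CA certificate explicitly as a CA, and the IP.1 entry for 127.0.0.1 are assumptions that go beyond the page's own file.

```shell
# Added example, not from the Red Hat documentation: build the CA and the ingress
# certificate from a csr.cnf like the one above, then check it before installing it.
set -eu
WORKDIR="$(mktemp -d)"
ROUTE_HOST="multicloud-console.apps.example.test"   # constructed placeholder route host
write_csr_cnf() {            # trimmed csr.cnf; ca_ext marks the CA certificate as a CA
  cat > "$WORKDIR/csr.cnf" <<EOF
[ req ]
prompt = no
req_extensions = req_ext
distinguished_name = dn
[ dn ]
O = Example Org
CN = management-ingress
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = management-ingress
DNS.2 = ${ROUTE_HOST}
DNS.3 = localhost
IP.1 = 127.0.0.1
[ ca_ext ]
basicConstraints = critical, CA:TRUE
[ v3_ext ]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
EOF
}
generate_certs() {           # same command sequence as the procedure above
  cd "$WORKDIR"
  openssl genrsa -out ca.key 4096 2>/dev/null
  openssl req -x509 -new -nodes -key ca.key -subj "/O=Example Org/CN=Example CA" \
    -days 400 -config csr.cnf -extensions ca_ext -out ca.crt
  openssl genrsa -out ingress.key 4096 2>/dev/null
  openssl req -new -key ingress.key -out ingress.csr -config csr.cnf
  openssl x509 -req -in ingress.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -out ingress.crt -sha256 -days 300 -extensions v3_ext -extfile csr.cnf 2>/dev/null
}
# Succeeds only if the certificate chains to the CA, is unexpired and carries every SAN.
verify_ingress_cert() {
  local crt="$1" ca="$2" host="$3" text want
  openssl verify -CAfile "$ca" "$crt" >/dev/null || return 1
  openssl x509 -noout -checkend 0 -in "$crt" >/dev/null || return 1
  text="$(openssl x509 -noout -text -in "$crt")"
  for want in "DNS:management-ingress" "DNS:${host}" "DNS:localhost" "IP Address:127.0.0.1"; do
    case "$text" in *"$want"*) ;; *) echo "missing SAN entry: $want" >&2; return 1 ;; esac
  done
}
write_csr_cnf && generate_certs && verify_ingress_cert "$WORKDIR/ingress.crt" "$WORKDIR/ca.crt" "$ROUTE_HOST" && echo "ingress.crt OK"
```

Run the check against a certificate issued by your real CA by calling verify_ingress_cert with the certificate, the CA file and your route hostname; a non-zero exit names the first missing SAN entry.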