32 lines
954 B
Markdown
32 lines
954 B
Markdown
This demonstrates using Cloudflare's [cfssl](https://github.com/cloudflare/cfssl) to easily generate certificates for an etcd cluster.
|
|
|
|
Defaults generate an ECDSA-384 root and leaf certificates for `localhost`. etcd nodes will use the same certificates for both sides of mutual authentication, but won't require client certs for non-peer clients.
|
|
|
|
**Instructions**
|
|
|
|
1. Install git, go, and make
|
|
2. Amend https://github.com/coreos/etcd/blob/master/hack/tls-setup/config/req-csr.json - IP's currently in the config should be replaced/added with IP addresses of each cluster node, please note 127.0.0.1 is always required for loopback purposes:
|
|
```json
|
|
Example:
|
|
{
|
|
"CN": "etcd",
|
|
"hosts": [
|
|
"3.8.121.201",
|
|
"46.4.19.20",
|
|
"127.0.0.1"
|
|
],
|
|
"key": {
|
|
"algo": "ecdsa",
|
|
"size": 384
|
|
},
|
|
"names": [
|
|
{
|
|
"O": "autogenerated",
|
|
"OU": "etcd cluster",
|
|
"L": "the internet"
|
|
}
|
|
]
|
|
}
|
|
```
|
|
3. Run `make` to generate the certs
|