Multiple certificate authority certificates (?)


Problem description

I have created a kubernetes cluster on aws using kops.

Unless I am wrong, the ca.crt and ca.key files are in the following locations, as indicated by this very helpful answer:

   - s3://<BUCKET_NAME>/<CLUSTER_NAME>/pki/private/ca/*.key
   - s3://<BUCKET_NAME>/<CLUSTER_NAME>/pki/issued/ca/*.crt

However, I couldn't help noticing that in my ~/.kube/config file (which was created automatically by kops), I have an entry named:

certificate-authority-data

whose contents are different from both of the above files.

What are, in any case, the CA key/crt pairs we should use when issuing client certificates?

Why are there (seemingly) more than one CA?

Recommended answer

The certificate-authority-data present in your Kubernetes config file is nothing other than your certificate encoded in base64 (it's a lot more practical to have a continuous text string in a configuration file than it would be without the base64 encoding).

Your .crt file is encoded in RSA, not base64. RSA is a secure cryptosystem based on public and private keys (your .crt and .key respectively). Base64 is, at best, useful for formatting or transmitting already encrypted data.
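As an added example (not part of the question or of the answer above), the following shell script builds a throwaway CA and a kubeconfig fragment standing in for the kops S3 files and runs the two checks a practitioner would want before issuing client certificates: that the certificate-authority-data value decodes byte-for-byte to the CA's PEM file (and that the PEM body is itself base64 of the DER certificate), and that a client certificate signed with the CA key verifies against the CA the kubeconfig embeds. The CA, the kubeconfig fragment, the openssl config and the user "alice" are constructed; openssl, GNU `base64 -d` and `cmp` are assumed to be installed.

```shell
#!/bin/sh
# Added example, not code from the original question or answer.
# Assumes openssl, base64 -d (GNU coreutils) and cmp are installed.
# The CA, kubeconfig and user "alice" below are constructed stand-ins
# for the real kops S3 files; nothing here touches a real cluster.

WORK="${WORK:-$(mktemp -d)}"

# Minimal openssl config so the example does not depend on the system one.
cat > "$WORK/openssl.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[client_ext]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = clientAuth
EOF

# Stand-in for pki/private/ca/*.key and pki/issued/ca/*.crt: a throwaway CA.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -config "$WORK/openssl.cnf" -extensions ca_ext -subj "/CN=kubernetes" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Constructed kubeconfig fragment holding only the field the question asks
# about; kubectl stores it the same way: the PEM file, base64-encoded, on one line.
make_kubeconfig() {
  printf 'clusters:\n- cluster:\n    certificate-authority-data: %s\n    server: https://api.example.invalid\n  name: example\n' \
    "$(base64 < "$WORK/ca.crt" | tr -d '\n')" > "$WORK/kubeconfig"
}

# Undo that encoding to get the PEM file back.
kubeconfig_ca_pem() {
  sed -n 's/^ *certificate-authority-data: *//p' "$WORK/kubeconfig" \
    | base64 -d > "$WORK/ca-from-kubeconfig.crt"
}

# SHA-256 fingerprint of the DER form; the same value from two files means
# the same certificate, whatever the surrounding text looks like.
fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# The PEM body itself is base64 of the DER certificate: stripping the
# BEGIN/END lines and decoding gives the same bytes as -outform DER.
pem_body_der_sha256() {
  sed '/^-----/d' "$1" | base64 -d | openssl dgst -sha256 | cut -d= -f2
}
der_sha256() {
  openssl x509 -in "$1" -outform DER | openssl dgst -sha256 | cut -d= -f2
}

# Issue a client certificate with the CA pair: CN becomes the Kubernetes
# user name, O the group.
issue_client_cert() {
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/openssl.cnf" \
    -subj "/CN=alice/O=developers" \
    -keyout "$WORK/alice.key" -out "$WORK/alice.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/alice.csr" -days 1 \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/openssl.cnf" -extensions client_ext \
    -out "$WORK/alice.crt" 2>/dev/null
}

# The check that matters: the client cert must chain to the CA the
# kubeconfig trusts, or the API server will not accept it.
verify_client_cert() {
  openssl verify -CAfile "$WORK/ca-from-kubeconfig.crt" "$WORK/alice.crt" >/dev/null 2>&1
}

make_ca && make_kubeconfig && kubeconfig_ca_pem && issue_client_cert
echo "ca.crt (S3 stand-in)  : $(fingerprint "$WORK/ca.crt")"
echo "ca from kubeconfig    : $(fingerprint "$WORK/ca-from-kubeconfig.crt")"
verify_client_cert && echo "alice.crt verifies against the kubeconfig CA"
```

Against a real cluster, point `fingerprint` at the ca.crt pulled from S3 and at the decoded certificate-authority-data from ~/.kube/config: matching fingerprints mean one and the same CA shown in two encodings, while different fingerprints mean genuinely different CAs, and client certificates must then be issued with the one the API server is configured to trust. Note that certificate-authority-data may carry several concatenated PEM blocks (a bundle), in which case each block should be compared separately, and the `*.key` / `*.crt` globs in the S3 paths mean more than one file can be present there.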


08-05 07:01