openssl genrsa -out ca.key 2048
openssl req -x509 -new -nodes -key ca.key -days 10000 -out ca.crt -subj "/C=CN/ST=Beijing/L=Beijing/O=kubernetes/OU=Kubernetes-manual/CN=kubernetes-ca"
openssl genrsa -out etcd-ca.key 2048
openssl req -x509 -new -nodes -key etcd-ca.key -days 10000 -out etcd-ca.crt -subj "/C=CN/ST=Beijing/L=Beijing/O=kubernetes/OU=Kubernetes-manual/CN=etcd-ca"
openssl genrsa -out front-proxy-ca.key 2048
openssl req -x509 -new -nodes -key front-proxy-ca.key -days 10000 -out front-proxy-ca.crt -subj "/C=CN/ST=Beijing/L=Beijing/O=kubernetes/OU=Kubernetes-manual/CN=kubernetes-front-proxy-ca"
openssl genrsa -out kube-etcd.key 2048
openssl req -new -key kube-etcd.key -out kube-etcd.csr -subj "/CN=kube-etcd"
openssl x509 -req -in kube-etcd.csr -CA etcd-ca.crt -CAkey etcd-ca.key -CAcreateserial -out kube-etcd.crt -days 10000 -extensions v3_ext -extfile etcdssl.cnf -sha256
openssl genrsa -out kube-etcd-peer.key 2048
openssl req -new -key kube-etcd-peer.key -out kube-etcd-peer.csr -subj "/CN=kube-etcd-peer"
openssl x509 -req -in kube-etcd-peer.csr -CA etcd-ca.crt -CAkey etcd-ca.key -CAcreateserial -out kube-etcd-peer.crt -days 10000 -extensions v3_ext -extfile etcdssl.cnf -sha256
openssl genrsa -out apiserver-etcd-client.key 2048
openssl req -new -key apiserver-etcd-client.key -out apiserver-etcd-client.csr -subj "/CN=kube-apiserver-etcd-client/O=system:masters"
openssl x509 -req -in apiserver-etcd-client.csr -CA etcd-ca.crt -CAkey etcd-ca.key -CAcreateserial -out apiserver-etcd-client.crt -days 3650
openssl genrsa -out kube-etcd-healthcheck-client.key 2048
openssl req -new -key kube-etcd-healthcheck-client.key -out kube-etcd-healthcheck-client.csr -subj "/CN=kube-etcd-healthcheck-client"
openssl x509 -req -in kube-etcd-healthcheck-client.csr -CA etcd-ca.crt -CAkey etcd-ca.key -CAcreateserial -out kube-etcd-healthcheck-client.crt -days 3650
openssl genrsa -out apiserver.key 2048
openssl req -new -key apiserver.key -out apiserver.csr -subj "/CN=kube-apiserver"
openssl x509 -req -in apiserver.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out apiserver.crt -days 10000 -extensions v3_ext -extfile openssl.cnf -sha256
openssl genrsa -out apiserver-kubelet-client.key 2048
openssl req -new -key apiserver-kubelet-client.key -out apiserver-kubelet-client.csr -subj "/CN=kube-apiserver-kubelet-client/O=system:masters"
openssl x509 -req -in apiserver-kubelet-client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out apiserver-kubelet-client.crt -days 3650
openssl genrsa -out front-proxy-client.key 2048
openssl req -new -key front-proxy-client.key -out front-proxy-client.csr -subj "/CN=front-proxy-client"
openssl x509 -req -in front-proxy-client.csr -CA front-proxy-ca.crt -CAkey front-proxy-ca.key -CAcreateserial -out front-proxy-client.crt -days 3650
openssl genrsa -out admin.key 2048
openssl req -new -key admin.key -out admin.csr -subj "/CN=kubernetes-admin/O=system:masters/OU=System"
openssl x509 -req -in admin.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out admin.crt -days 3650
openssl genrsa -out kube-proxy.key 2048
openssl req -new -key kube-proxy.key -out kube-proxy.csr -subj "/CN=system:kube-proxy/O=system:kube-proxy/OU=System"
openssl x509 -req -in kube-proxy.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out kube-proxy.crt -days 3650
openssl genrsa -out kube-controller-manager.key 2048
openssl req -new -key kube-controller-manager.key -out kube-controller-manager.csr -subj "/CN=system:kube-controller-manager"
openssl x509 -req -in kube-controller-manager.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out kube-controller-manager.crt -days 3650
openssl genrsa -out kube-scheduler.key 2048
openssl req -new -key kube-scheduler.key -out kube-scheduler.csr -subj "/CN=system:kube-scheduler"
openssl x509 -req -in kube-scheduler.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out kube-scheduler.crt -days 3650
openssl genrsa -out sa.key 2048
openssl rsa -in sa.key -pubout -out sa.pub