diff --git a/content/zh/docs/tasks/traffic-management/egress/egress-gateway-tls-origination-sds/index.md b/content/zh/docs/tasks/traffic-management/egress/egress-gateway-tls-origination-sds/index.md index 6e6fbef934..34cc8f9811 100644 --- a/content/zh/docs/tasks/traffic-management/egress/egress-gateway-tls-origination-sds/index.md +++ b/content/zh/docs/tasks/traffic-management/egress/egress-gateway-tls-origination-sds/index.md @@ -70,7 +70,7 @@ TLS 所需的私钥、服务器证书和 root 证书是通过以下方式配置 {{< text bash >}} $ openssl req -out my-nginx.mesh-external.svc.cluster.local.csr -newkey rsa:2048 -nodes -keyout my-nginx.mesh-external.svc.cluster.local.key -subj "/CN=my-nginx.mesh-external.svc.cluster.local/O=some organization" - $ openssl x509 -req -days 365 -CA example.com.crt -CAkey example.com.key -set_serial 0 -in my-nginx.mesh-external.svc.cluster.local.csr -out my-nginx.mesh-external.svc.cluster.local.crt + $ openssl x509 -req -sha256 -days 365 -CA example.com.crt -CAkey example.com.key -set_serial 0 -in my-nginx.mesh-external.svc.cluster.local.csr -out my-nginx.mesh-external.svc.cluster.local.crt {{< /text >}} ### 部署一个简单的 TLS 服务器{#deploy-a-simple-TLS-server} 
@@ -373,14 +373,14 @@ Egress 网关将使用 SDS 而不是文件挂载来提供客户端证书。 {{< text bash >}} $ openssl req -out my-nginx.mesh-external.svc.cluster.local.csr -newkey rsa:2048 -nodes -keyout my-nginx.mesh-external.svc.cluster.local.key -subj "/CN=my-nginx.mesh-external.svc.cluster.local/O=some organization" - $ openssl x509 -req -days 365 -CA example.com.crt -CAkey example.com.key -set_serial 0 -in my-nginx.mesh-external.svc.cluster.local.csr -out my-nginx.mesh-external.svc.cluster.local.crt + $ openssl x509 -req -sha256 -days 365 -CA example.com.crt -CAkey example.com.key -set_serial 0 -in my-nginx.mesh-external.svc.cluster.local.csr -out my-nginx.mesh-external.svc.cluster.local.crt {{< /text >}} 1. 生成客户端的证书和私钥: {{< text bash >}} $ openssl req -out client.example.com.csr -newkey rsa:2048 -nodes -keyout client.example.com.key -subj "/CN=client.example.com/O=client organization" - $ openssl x509 -req -days 365 -CA example.com.crt -CAkey example.com.key -set_serial 1 -in client.example.com.csr -out client.example.com.crt + $ openssl x509 -req -sha256 -days 365 -CA example.com.crt -CAkey example.com.key -set_serial 1 -in client.example.com.csr -out client.example.com.crt {{< /text >}} ### 部署一个双向TLS服务器{deploy-a-mutual-TLS-server} diff --git a/content/zh/docs/tasks/traffic-management/egress/egress-gateway-tls-origination/index.md b/content/zh/docs/tasks/traffic-management/egress/egress-gateway-tls-origination/index.md index 7e05b56c03..c2eaaff7b9 100644 --- a/content/zh/docs/tasks/traffic-management/egress/egress-gateway-tls-origination/index.md +++ b/content/zh/docs/tasks/traffic-management/egress/egress-gateway-tls-origination/index.md 
@@ -252,14 +252,14 @@ $ kubectl delete destinationrule egressgateway-for-cnn {{< text bash >}} $ openssl req -out my-nginx.mesh-external.svc.cluster.local.csr -newkey rsa:2048 -nodes -keyout my-nginx.mesh-external.svc.cluster.local.key -subj "/CN=my-nginx.mesh-external.svc.cluster.local/O=some organization" - $ openssl x509 -req -days 365 -CA example.com.crt -CAkey example.com.key -set_serial 0 -in my-nginx.mesh-external.svc.cluster.local.csr -out my-nginx.mesh-external.svc.cluster.local.crt + $ openssl x509 -req -sha256 -days 365 -CA example.com.crt -CAkey example.com.key -set_serial 0 -in my-nginx.mesh-external.svc.cluster.local.csr -out my-nginx.mesh-external.svc.cluster.local.crt {{< /text >}} 1. 生成客户端证书和私钥: {{< text bash >}} $ openssl req -out client.example.com.csr -newkey rsa:2048 -nodes -keyout client.example.com.key -subj "/CN=client.example.com/O=client organization" - $ openssl x509 -req -days 365 -CA example.com.crt -CAkey example.com.key -set_serial 1 -in client.example.com.csr -out client.example.com.crt + $ openssl x509 -req -sha256 -days 365 -CA example.com.crt -CAkey example.com.key -set_serial 1 -in client.example.com.csr -out client.example.com.crt {{< /text >}} ### 部署一个双向 TLS 服务器{#deploy-a-mutual-TLS-server} diff --git a/content/zh/docs/tasks/traffic-management/ingress/secure-ingress-mount/index.md b/content/zh/docs/tasks/traffic-management/ingress/secure-ingress-mount/index.md index 875e46204e..61c319d974 100644 --- a/content/zh/docs/tasks/traffic-management/ingress/secure-ingress-mount/index.md +++ b/content/zh/docs/tasks/traffic-management/ingress/secure-ingress-mount/index.md 
@@ -38,7 +38,7 @@ TLS 所必需的私钥、服务器证书和根证书使用基于文件挂载的 {{< text bash >}} $ openssl req -out httpbin.example.com.csr -newkey rsa:2048 -nodes -keyout httpbin.example.com.key -subj "/CN=httpbin.example.com/O=httpbin organization" - $ openssl x509 -req -days 365 -CA example.com.crt -CAkey example.com.key -set_serial 0 -in httpbin.example.com.csr -out httpbin.example.com.crt + $ openssl x509 -req -sha256 -days 365 -CA example.com.crt -CAkey example.com.key -set_serial 0 -in httpbin.example.com.csr -out httpbin.example.com.crt {{< /text >}} ## 基于文件挂载的方式配置 TLS ingress 网关{#configure-a-TLS-ingress-gateway-with-a-file-mount-based-approach} @@ -231,7 +231,7 @@ TLS 所必需的私钥、服务器证书和根证书使用基于文件挂载的 {{< text bash >}} $ openssl req -out httpbin-client.example.com.csr -newkey rsa:2048 -nodes -keyout httpbin-client.example.com.key -subj "/CN=httpbin-client.example.com/O=httpbin's client organization" - $ openssl x509 -req -days 365 -CA example.com.crt -CAkey example.com.key -set_serial 0 -in httpbin-client.example.com.csr -out httpbin-client.example.com.crt + $ openssl x509 -req -sha256 -days 365 -CA example.com.crt -CAkey example.com.key -set_serial 0 -in httpbin-client.example.com.csr -out httpbin-client.example.com.crt {{< /text >}} 1. 重新用 _curl_ 发送之前的请求,这次通过参数传递客户端证书(添加 `--cert` 选项)和您的私钥(`--key` 选项): @@ -264,7 +264,7 @@ Ingress 网关将向客户端提供与每个请求的服务器相对应的唯一 {{< text bash >}} $ openssl req -out bookinfo.com.csr -newkey rsa:2048 -nodes -keyout bookinfo.com.key -subj "/CN=bookinfo.com/O=bookinfo organization" -$ openssl x509 -req -days 365 -CA example.com.crt -CAkey example.com.key -set_serial 0 -in bookinfo.com.csr -out bookinfo.com.crt +$ openssl x509 -req -sha256 -days 365 -CA example.com.crt -CAkey example.com.key -set_serial 0 -in bookinfo.com.csr -out bookinfo.com.crt {{< /text >}} ### 使用新证书重新部署 `istio-ingressgateway`{#redeploy-Istio-ingress-gateway-with-the-new-certificate} 
diff --git a/content/zh/docs/tasks/traffic-management/ingress/secure-ingress/index.md b/content/zh/docs/tasks/traffic-management/ingress/secure-ingress/index.md index 36f6329022..4bb734c30c 100644 --- a/content/zh/docs/tasks/traffic-management/ingress/secure-ingress/index.md +++ b/content/zh/docs/tasks/traffic-management/ingress/secure-ingress/index.md @@ -39,7 +39,7 @@ test: yes {{< text bash >}} $ openssl req -out httpbin.example.com.csr -newkey rsa:2048 -nodes -keyout httpbin.example.com.key -subj "/CN=httpbin.example.com/O=httpbin organization" - $ openssl x509 -req -days 365 -CA example.com.crt -CAkey example.com.key -set_serial 0 -in httpbin.example.com.csr -out httpbin.example.com.crt + $ openssl x509 -req -sha256 -days 365 -CA example.com.crt -CAkey example.com.key -set_serial 0 -in httpbin.example.com.csr -out httpbin.example.com.crt {{< /text >}} ### 配置单机TLS入口网关 @@ -123,7 +123,7 @@ test: yes $ mkdir new_certificates $ openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -subj '/O=example Inc./CN=example.com' -keyout new_certificates/example.com.key -out new_certificates/example.com.crt $ openssl req -out new_certificates/httpbin.example.com.csr -newkey rsa:2048 -nodes -keyout new_certificates/httpbin.example.com.key -subj "/CN=httpbin.example.com/O=httpbin organization" - $ openssl x509 -req -days 365 -CA new_certificates/example.com.crt -CAkey new_certificates/example.com.key -set_serial 0 -in new_certificates/httpbin.example.com.csr -out new_certificates/httpbin.example.com.crt + $ openssl x509 -req -sha256 -days 365 -CA new_certificates/example.com.crt -CAkey new_certificates/example.com.key -set_serial 0 -in new_certificates/httpbin.example.com.csr -out new_certificates/httpbin.example.com.crt $ kubectl create -n istio-system secret tls httpbin-credential \ --key=new_certificates/httpbin.example.com.key \ --cert=new_certificates/httpbin.example.com.crt 
@@ -223,7 +223,7 @@ test: yes {{< text bash >}} $ openssl req -out helloworld-v1.example.com.csr -newkey rsa:2048 -nodes -keyout helloworld-v1.example.com.key -subj "/CN=helloworld-v1.example.com/O=helloworld organization" - $ openssl x509 -req -days 365 -CA example.com.crt -CAkey example.com.key -set_serial 1 -in helloworld-v1.example.com.csr -out helloworld-v1.example.com.crt + $ openssl x509 -req -sha256 -days 365 -CA example.com.crt -CAkey example.com.key -set_serial 1 -in helloworld-v1.example.com.csr -out helloworld-v1.example.com.crt {{< /text >}} 1. 创建 `helloworld-credential` secret: @@ -372,7 +372,7 @@ $ kubectl create -n istio-system secret generic httpbin-credential --from-file=t {{< text bash >}} $ openssl req -out client.example.com.csr -newkey rsa:2048 -nodes -keyout client.example.com.key -subj "/CN=client.example.com/O=client organization" - $ openssl x509 -req -days 365 -CA example.com.crt -CAkey example.com.key -set_serial 1 -in client.example.com.csr -out client.example.com.crt + $ openssl x509 -req -sha256 -days 365 -CA example.com.crt -CAkey example.com.key -set_serial 1 -in client.example.com.csr -out client.example.com.crt {{< /text >}} 1. 重新发送带客户端证书和私钥的 `curl` 请求。使用 --cert 标志传递客户端证书,使用 --key 标志传递私钥。
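Review bot: in secure-ingress-mount/index.md, the three signing commands touched by the @@ -38,7, @@ -231,7 and @@ -264,7 hunks all keep `-set_serial 0` while signing with the same `example.com.crt` / `example.com.key`, so the httpbin.example.com, httpbin-client.example.com and bookinfo.com certificates end up with an identical issuer and serial number. RFC 5280 requires the serial to be a positive integer that is unique per issuing CA, and some TLS stacks refuse a second certificate that repeats an issuer and serial pair they have already seen. Since these lines are being edited anyway, give each certificate its own non-zero value (for example `-set_serial 1`, `-set_serial 2`, `-set_serial 3`) in the same change.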
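Review bot: the heading in the trailing context of the @@ -373,14 hunk in egress-gateway-tls-origination-sds/index.md carries `{deploy-a-mutual-TLS-server}` with no leading `#`, while the matching heading in egress-gateway-tls-origination/index.md and the other anchored headings visible in this patch use the `{#...}` form. Please fix it to `{#deploy-a-mutual-TLS-server}` while touching this section, and align the spacing around "TLS" in that heading with the other file.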
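Review bot: in secure-ingress/index.md, the client.example.com command in the @@ -372,7 hunk uses `-set_serial 1`, the same serial the @@ -223,7 hunk assigns to helloworld-v1.example.com, and both are signed with `example.com.key`. Two certificates from one CA with the same serial are ambiguous for revocation and are rejected by some clients; pick a value not already used on this page for the client certificate. The certificates signed in the @@ -123,7 hunk come from a freshly generated CA under new_certificates/, so they do not collide with the originals, but the same numbering scheme should be applied there for consistency.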