先提一下使用openssl 创建自签证书的方法
方法一
(umask 077; openssl genrsa -out ./harbor-key.pem 4096)
openssl req -new -key ./harbor-key.pem -out ./harbor.csr
-subj "/C=CN/ST=BJ/L=BJ/O=UnitedStack/OU=Devops/CN=myharbor.com"
openssl req -new -x509 -key harbor-key.pem -out harbor.pem
-subj "/C=CN/ST=BJ/L=BJ/O=UnitedStack/OU=Devops/CN=myharbor.com" -days 3650
方法二
openssl req
-newkey rsa:4096 -nodes -sha256 -keyout ./domain.key -x509 -out ./domain.crt
-subj /C=CN/ST=BJ/L=BJ/O=UnitedStack/OU=Devops/CN=devops.com -days 3650
-subj 指定的字段解释
- C : Country Name (2 letter code)
- ST : State or Province Name (full name)
- L : Locality Name (eg, city) [Default City]
- O : Organization Name (eg, company) [Default Company Ltd]
- OU : Organizational Unit Name (eg, section)
- CN : Common Name (eg, your name or your server's hostname)
- emailAddress : Email Address
使用CFSSL
安装 CFSSL 直接使用二进制文件安装
if ! which cfssl; then
wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 -O /usr/local/bin/cfssl
fi
if ! which cfssljson; then
wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 -O /usr/local/bin/cfssljson
fi
if ! which cfssl-certinfo; then
wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64 -O /usr/local/bin/cfssl-certinfo
fi
chmod +x /usr/local/bin/cfssl*
备用链接
链接:https://pan.baidu.com/s/16GCd2GSnp0AODFfKEmsOIQ
提取码:5akt
创建ca证书请求文件
cat << EOF > ca-csr.json
{
"CN": "Private CA Root certificate",
"key": {
"algo": "rsa","size": 2048
},
"ca": {
"expiry": "262800h"
},
"names": [
{
"C": "CN",
"L": "BJ",
"ST": "BeiJing",
"O": "Private CA certificates are issued",
"OU": "IT"
}
]
}
EOF
cfssl gencert -initca ca-csr.json | cfssljson -bare ca
CA 证书需要导入到浏览器中,才能让CA 签署过的证书在浏览器上显示安全,但要注意hosts区域的域名不要写错,同时浏览器使用域名访问
过期时间查看
openssl x509 -noout -text -in ca.pem |grep -A 5 Validity
cfssl certinfo -cert ca.pem
结果如下所示
Validity
Not Before: Jan 12 03:42:00 2020 GMT
Not After : Dec 19 03:42:00 2119 GMT
Subject: C=CN, ST=BeiJing, L=BJ, O=Private CA certificates are issued, CN=Private CA Root certificate
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
创建配置文件,即告诉ca要生成什么样的证书
cat << EOF > ca-config.json
{
"signing": {
"default": {
"expiry": "8760h"
},
"profiles": {
"www": {
"expiry": "87600h",
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
]
}
}
}
}
EOF
字段说明
ca-config.json:可以定义多个 profiles,分别指定不同的参数;后续在签名证书时使用某个profile;
signing:表示该证书可用于签名其它证书;生成的 ca.pem 证书中 CA=TRUE;
server auth:表示client可以用该 CA 对server提供的证书进行验证;
client auth:表示server可以用该CA对client提供的证书进行验证;
profiles 中的 www 是后面cfssl gencert 命令值profiles 指定的值,要相互对应。
创建证书签名请求文件(www)
cat << EOF > www-csr.json
{
"CN": "139.224.75.128",
"hosts": [
"127.0.0.1",
"139.224.75.128",
"www.yonge.com",
"blog.yonge.com"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "ZJ",
"ST": "HZ",
"O": "test server",
"OU": "IT"
}
]
}
EOF
生成证书
cfssl gencert
-ca=ca.pem
-ca-key=ca-key.pem
-config=ca-config.json
-profile=www www-csr.json | cfssljson -bare www
创建证书签名请求文件(harbor)
cat << EOF > harbor-csr.json
{
"CN": "harbor.hub.com",
"hosts": [
"127.0.0.1",
"10.10.10.21",
"harbor.hub.com"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "ZJ",
"ST": "HZ",
"O": "harbor",
"OU": "IT"
}
]
}
EOF
生成harbor证书,使用了上面定义的环境变量
cfssl gencert
-ca=ca.pem
-ca-key=ca-key.pem
-config=ca-config.json
-profile=www harbor-csr.json | cfssljson -bare harbor