docker创建私服证书
openssl genrsa -out "root-ca.key" 4096 # 创建CA私钥
openssl req -new -key "root-ca.key" -out "root-ca.csr" -sha256 -subj '/C=CN/ST=guangdong/L=Shenzhen/O=snowballtech/CN=YourCompanyNameDockerRegistryCA' #利用私钥创建CA根证书请求文件
vi root-ca.cnf # 创建 root-ca.cnf ,详情参考下方
openssl x509 -req -days 3650 -in "root-ca.csr" -signkey "root-ca.key" -sha256 -out "root-ca.crt" -extfile "root-ca.cnf" -extensions root_ca # 签发根证书
openssl genrsa -out "docker.domain.com.key" 4096 # 生成站点SSL私钥
openssl req -new -key "docker.domain.com.key" -out "site.csr" -sha256 -subj '/C=CN/ST=guangdong/L=Shenzhen/O=snowballtech/CN=docker.domain.com' # 使用私钥生成证书请求文件
vi site.cnf # 创建site.cnf
openssl x509 -req -days 750 -in "site.csr" -sha256 -CA "root-ca.crt" -CAkey "root-ca.key" -CAcreateserial -out "docker.domain.com.crt" -extfile "site.cnf" -extensions server # 部署站点证书
root-ca.cnf
[root_ca]
basicConstraints=critical,CA:TRUE,pathlen:1
keyUsage=critical,nonRepudiation,cRLSign,keyCertSign
subjectKeyIdentifier=hash
site.cnf
[server]
authorityKeyIdentifier=keyid,issuer
basicConstraints=critical,CA:FALSE
extendedKeyUsage=serverAuth
keyUsage=critical,digitalSignature,keyEncipherment
subjectAltName=DNS:docker.domain.com,IP:127.0.0.1
subjectKeyIdentifier=hash