先提一下使用openssl 創建自簽證書的方法
方法一
(umask 077; openssl genrsa -out ./harbor-key.pem 4096)
openssl req -new -key ./harbor-key.pem -out ./harbor.csr \
-subj "/C=CN/ST=BJ/L=BJ/O=UnitedStack/OU=Devops/CN=myharbor.com"
openssl req -new -x509 -key harbor-key.pem -out harbor.pem \
-subj "/C=CN/ST=BJ/L=BJ/O=UnitedStack/OU=Devops/CN=myharbor.com" -days 3650
方法二
openssl req \
-newkey rsa:4096 -nodes -sha256 -keyout ./domain.key -x509 -out ./domain.crt \
-subj /C=CN/ST=BJ/L=BJ/O=UnitedStack/OU=Devops/CN=devops.com -days 3650
-subj 指定的字段解釋
- C : Country Name (2 letter code)
- ST : State or Province Name (full name)
- L : Locality Name (eg, city) [Default City]
- O : Organization Name (eg, company) [Default Company Ltd]
- OU : Organizational Unit Name (eg, section)
- CN : Common Name (eg, your name or your server's hostname)
- emailAddress : Email Address
使用CFSSL
安裝 CFSSL 直接使用二進制文件安裝
if ! which cfssl; then
wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 -O /usr/local/bin/cfssl
fi
if ! which cfssljson; then
wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 -O /usr/local/bin/cfssljson
fi
if ! which cfssl-certinfo; then
wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64 -O /usr/local/bin/cfssl-certinfo
fi
chmod +x /usr/local/bin/cfssl*
備用鏈接
鏈接:https://pan.baidu.com/s/16GCd2GSnp0AODFfKEmsOIQ
提取碼:5akt
創建ca證書請求文件
cat << EOF > ca-csr.json
{
"CN": "Private CA Root certificate",
"key": {
"algo": "rsa","size": 2048
},
"ca": {
"expiry": "262800h"
},
"names": [
{
"C": "CN",
"L": "BJ",
"ST": "BeiJing",
"O": "Private CA certificates are issued",
"OU": "IT"
}
]
}
EOF
cfssl gencert -initca ca-csr.json | cfssljson -bare ca
CA 證書需要導入到瀏覽器中,才能讓CA 簽署過的證書在瀏覽器上顯示安全,但要注意hosts區域的域名不要寫錯,同時瀏覽器使用域名訪問
過期時間查看
openssl x509 -noout -text -in ca.pem |grep -A 5 Validity
cfssl certinfo -cert ca.pem
結果如下所示
Validity
Not Before: Jan 12 03:42:00 2020 GMT
Not After : Dec 19 03:42:00 2119 GMT
Subject: C=CN, ST=BeiJing, L=BJ, O=Private CA certificates are issued, CN=Private CA Root certificate
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
創建配置文件,即告訴ca要生成什么樣的證書
cat << EOF > ca-config.json
{
"signing": {
"default": {
"expiry": "8760h"
},
"profiles": {
"www": {
"expiry": "87600h",
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
]
}
}
}
}
EOF
字段說明
ca-config.json:可以定義多個 profiles,分別指定不同的參數;后續在簽名證書時使用某個profile;
signing:表示該證書可用於簽名其它證書;生成的 ca.pem 證書中 CA=TRUE;
server auth:表示client可以用該 CA 對server提供的證書進行驗證;
client auth:表示server可以用該CA對client提供的證書進行驗證;
profiles 中的 www 是后面cfssl gencert 命令值profiles 指定的值,要相互對應。
創建證書簽名請求文件(www)
cat << EOF > www-csr.json
{
"CN": "139.224.75.128",
"hosts": [
"127.0.0.1",
"139.224.75.128",
"www.yonge.com",
"blog.yonge.com"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "ZJ",
"ST": "HZ",
"O": "test server",
"OU": "IT"
}
]
}
EOF
生成證書
cfssl gencert \
-ca=ca.pem \
-ca-key=ca-key.pem \
-config=ca-config.json \
-profile=www www-csr.json | cfssljson -bare www
創建證書簽名請求文件(harbor)
cat << EOF > harbor-csr.json
{
"CN": "harbor.hub.com",
"hosts": [
"127.0.0.1",
"10.10.10.21",
"harbor.hub.com"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "ZJ",
"ST": "HZ",
"O": "harbor",
"OU": "IT"
}
]
}
EOF
生成harbor證書,使用了上面定義的環境變量
cfssl gencert \
-ca=ca.pem \
-ca-key=ca-key.pem \
-config=ca-config.json \
-profile=www harbor-csr.json | cfssljson -bare harbor