Loading

cfssl 创建证书

先提一下使用openssl 创建自签证书的方法

方法一

(umask 077; openssl genrsa -out ./harbor-key.pem 4096)

openssl req -new -key ./harbor-key.pem -out ./harbor.csr \
-subj "/C=CN/ST=BJ/L=BJ/O=UnitedStack/OU=Devops/CN=myharbor.com"

openssl req -new -x509 -key harbor-key.pem -out harbor.pem \
-subj "/C=CN/ST=BJ/L=BJ/OU=IT/OU=Devops/CN=devops.com" -days 3650

方法二

openssl req -newkey rsa:2048 -nodes -sha256 -x509 -days 3650 \
-subj /C=CN/ST=BJ/L=BJ/O=IT/OU=Devops/CN=*.devops.com \
-keyout ./domain.key  -out ./domain.crt

-subj 指定的字段解释

  • C : Country Name (2 letter code)
  • ST : State or Province Name (full name)
  • L : Locality Name (eg, city) [Default City]
  • O : Organization Name (eg, company) [Default Company Ltd]
  • OU : Organizational Unit Name (eg, section)
  • CN : Common Name (eg, your name or your server's hostname)

使用CFSSL

安装 CFSSL 直接使用二进制文件安装

cfssl 仓库:https://github.com/cloudflare/cfssl

curl https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 -o /usr/local/bin/cfssl
curl https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 -o /usr/local/bin/cfssljson
curl https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64 -o /usr/local/bin/cfssl-certinfo
chmod +x /usr/local/bin/cfssl*
备用链接
链接:https://pan.baidu.com/s/16GCd2GSnp0AODFfKEmsOIQ
提取码:5akt

创建ca证书请求文件

cat << EOF > ca-csr.json
{
  "CN": "Private CA Root certificate",
  "key": {
    "algo": "rsa","size": 2048
  },
  "ca": {
     "expiry": "262800h"
  },
  "names": [
    {
      "C": "CN",
      "L": "BJ",
      "ST": "BeiJing",
      "O": "Private CA certificates are issued",
      "OU": "IT"
    }
  ]
}
EOF
cfssl gencert -initca ca-csr.json | cfssljson -bare ca

CA 证书需要导入到浏览器中,才能让CA 签署过的证书在浏览器上显示安全,但要注意hosts区域的域名不要写错,同时浏览器使用域名访问

过期时间查看

openssl x509  -noout -text -in ca.pem |grep -A 5 Validity
cfssl certinfo -cert ca.pem
结果如下所示
Validity
    Not Before: Jan 12 03:42:00 2020 GMT
    Not After : Dec 19 03:42:00 2119 GMT
Subject: C=CN, ST=BeiJing, L=BJ, O=Private CA certificates are issued, CN=Private CA Root certificate
Subject Public Key Info:
    Public Key Algorithm: rsaEncryption

创建配置文件,即告诉ca要生成什么样的证书

cat << EOF > ca-config.json
{
  "signing": {
    "default": {
      "expiry": "8760h"
    },
    "profiles": {
      "www": {
        "expiry": "87600h",        
        "usages": [
            "signing",
            "key encipherment",
            "server auth",
            "client auth"
        ]
      }
    }
  }
}
EOF

字段说明

ca-config.json:可以定义多个 profiles,分别指定不同的参数;后续在签名证书时使用某个profile;
signing:表示该证书可用于签名其它证书;生成的 ca.pem 证书中 CA=TRUE;
server auth:表示client可以用该 CA 对server提供的证书进行验证;
client auth:表示server可以用该CA对client提供的证书进行验证;
profiles 中的 www 是后面cfssl gencert 命令值profiles 指定的值,要相互对应。

创建证书签名请求文件(www)

cat << EOF > www-csr.json
{
    "CN": "139.224.75.128",
    "hosts": [
        "127.0.0.1",
        "139.224.75.128",
        "www.yonge.com",
        "blog.yonge.com"
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "ZJ",            
            "ST": "HZ",
            "O": "test server",
            "OU": "IT"
        }
    ]
}
EOF

生成证书

cfssl gencert \
  -ca=ca.pem \
  -ca-key=ca-key.pem \
  -config=ca-config.json \
  -profile=www www-csr.json | cfssljson -bare www

创建证书签名请求文件(harbor)

cat << EOF > harbor-csr.json
{
    "CN": "harbor.hub.com",
    "hosts": [
        "127.0.0.1",
        "10.10.10.21",
        "harbor.hub.com"
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "ZJ",            
            "ST": "HZ",
            "O": "harbor",
            "OU": "IT"
        }
    ]
}
EOF

生成harbor证书,使用了上面定义的环境变量

cfssl gencert \
  -ca=ca.pem \
  -ca-key=ca-key.pem \
  -config=ca-config.json \
  -profile=www harbor-csr.json | cfssljson -bare harbor
posted @ 2020-01-12 11:44  Outsrkem  阅读(2315)  评论(1编辑  收藏  举报