cfssl生成链式自签名证书

生成大纲

总共生成三个证书:一个根证书,一个由根证书签发的中间CA证书,一个由中间CA签发的服务证书。为方便理解,根证书表示为ca0,中间证书表示为ca1,服务证书表示为server。在本文中,服务证书是生成给harbor使用的证书。

生成

生成所有的证书请求文件和配置

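# One directory per key pair: root CA (ca0), intermediate CA (ca1) and the
# Harbor server certificate.  Every heredoc below writes into one of them.
mkdir -p server ca1 ca0

# Signing policy consumed by `cfssl gencert -config=./config.json`.
# The heredoc delimiter is quoted so the shell never expands anything inside
# the JSON (nothing needs expansion, and an accidental "$" would otherwise
# silently corrupt the file).
#
# Profiles:
#   intermediate - used when ca0 signs ca1: only "cert sign"/"crl sign", and
#                  ca_constraint marks the result as a CA with max_path_len 1.
#   host         - used when ca1 signs the server cert: TLS usages only.
# Usage names must be cfssl's own: "signing" already yields the
# digitalSignature key usage, and "digital signing" is not a cfssl usage name
# (it would only be ignored), so it is not listed.
cat <<'EOF' > config.json
{
  "signing": {
    "default": {
      "expiry": "262800h"
    },
    "profiles": {
      "intermediate": {
        "usages": ["cert sign", "crl sign"],
        "expiry": "700800h",
        "ca_constraint": {
          "is_ca": true,
          "max_path_len": 1
        }
      },
      "host": {
        "usages": [
          "client auth",
          "signing",
          "key encipherment",
          "server auth"
        ],
        "expiry": "262800h"
      }
    }
  }
}
EOF

# CSR for the root CA.  It is self-signed with `cfssl gencert -initca`, so
# config.json is not consulted for it.
# NOTE(review): the root's lifetime and path-length constraint come from an
#   optional "ca": {"expiry": "...", "pathlen": N} block in this file, not from
#   config.json — check notAfter / basicConstraints on ca0.pem after generation.
cat <<'EOF' > ca0/ca0.json
{
    "CN": "Zeng Chunmiao",
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "Guangzhou",
            "O": "Zeng Chunmiao",
            "OU": "Zeng Chunmiao Root CA",
            "ST": "China"
        }
    ]
}
EOF

# CSR for the intermediate CA.  CA-ness is not declared here; it is imposed
# by the "intermediate" profile in config.json when ca0 signs it.
cat <<'EOF' > ca1/ca1.json
{
  "CN": "kubernetes",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "HangZhou",
      "L": "XS",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
EOF

# CSR for the Harbor server certificate.  The "hosts" entries become the
# subject alternative names; clients validate the name they connect with
# against this list, so every hostname/IP used to reach Harbor must appear.
cat <<'EOF' > server/server-csr.json
{
  "CN": "harbor",
  "hosts": [
    "127.0.0.1",
    "harbor.ggdefe.com",
    "harbor.ggdefe.com.cn"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "HangZhou",
      "L": "XS",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
EOF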

开始生成

  • 生成根证书ca0
# Self-sign the root CA from its CSR.  cfssljson writes ca0/ca0.pem,
# ca0/ca0-key.pem and ca0/ca0.csr next to the request file.
cfssl gencert -initca ca0/ca0.json \
  | cfssljson -bare ca0/ca0
ls -- ca0
  • 生成中间证书ca1
# Issue the intermediate CA (ca1) from the root.  The "intermediate" profile
# in config.json supplies the CA usages and the is_ca/max_path_len constraint.
cfssl gencert \
  -ca=./ca0/ca0.pem \
  -ca-key=./ca0/ca0-key.pem \
  -config=./config.json \
  -profile=intermediate \
  ./ca1/ca1.json \
  | cfssljson -bare ./ca1/ca1
ls -- ca1
  • 生成服务证书
# Issue the Harbor server certificate from the intermediate (not the root),
# using the "host" profile: TLS client/server auth usages, no CA bit.
cfssl gencert \
  -ca=./ca1/ca1.pem \
  -ca-key=./ca1/ca1-key.pem \
  -config=./config.json \
  -profile=host \
  ./server/server-csr.json \
  | cfssljson -bare ./server/server
ls -- server
  • 生成链式证书
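# Assemble what the TLS server (Harbor) is handed: the leaf certificate
# followed by the intermediate that issued it.  This is a certificate chain,
# not a public key, and the order matters — the server certificate must come
# first.  The root (ca0.pem) is deliberately left out; clients trust it via
# their own trust store instead.
mkdir -p chain
cat server/server.pem ca1/ca1.pem > ./chain/chain.crt
# Copy the private key and pin owner-only permissions explicitly: cp keeps the
# mode of an existing destination file, so do not rely on whatever it leaves.
cp server/server-key.pem ./chain/server-key.pem
chmod 0600 ./chain/server-key.pem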

输出结果

  🛹  find ./
./
./ca0
./ca0/ca0-key.pem
./ca0/ca0.csr
./ca0/ca0.json
./ca0/ca0.pem
./ca1
./ca1/ca1-key.pem
./ca1/ca1.csr
./ca1/ca1.json
./ca1/ca1.pem
./chain
./chain/chain.crt
./chain/server-key.pem
./config.json
./server
./server/server-csr.json
./server/server-key.pem
./server/server.csr
./server/server.pem