1.生成CA证书
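# Generate the CA's 4096-bit RSA private key.
# The key is stored unencrypted, so create it under a restrictive umask. The
# subshell keeps the umask from affecting later commands. Anyone who obtains
# ca-key.pem can issue certificates that every client trusting ca.pem will
# accept, so keep it off the registry host once the server certificate exists.
(umask 077 && openssl genrsa -out ca-key.pem 4096)
# Create the self-signed CA certificate, valid for 3650 days. With -x509,
# `openssl req` emits a certificate directly rather than a CSR.
# -nodes has no effect here because the key is supplied with -key and no new
# key is written.
# NOTE(review): the CA subject uses a registry hostname as its CN. Give the CA
# a subject distinct from the server certificate's, so the issued certificate
# never ends up with identical subject and issuer names.
openssl req -x509 -new -nodes -sha512 -days 3650 -subj "/C=CN/ST=Guangdong/L=Shenzhen/O=example/OU=DCP/CN=registry.test.com" -key ca-key.pem -out ca.pem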
2.生成服务证书
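# Write the cfssl signing policy to ca-config.json.
# The original `cat ca-config.json` only displays a file that must already
# exist; the quoted here-document creates it with exactly this content.
# The "www" profile is the one selected by -profile=www when the server
# certificate is issued; it restricts issued certificates to TLS server use.
# NOTE(review): 87600h is ten years and this policy configures no CRL or OCSP
# endpoint, so a leaked server key stays usable until the certificate expires.
# Consider a shorter expiry together with a renewal procedure.
cat > ca-config.json <<'EOF'
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "www": {
        "expiry": "87600h",
        "usages": [
          "signing",
          "key encipherment",
          "server auth"
        ]
      }
    }
  }
}
EOF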
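# Write the certificate request definition for the Harbor host.
# The original `cat harbor-csr.json` only displays an existing file; the
# quoted here-document creates it with exactly this content.
# "hosts" becomes the certificate's subjectAltName list, which is what TLS
# clients match against the name they connect to. registry.xxx.com is a
# placeholder: replace it in both "CN" and "hosts" with the real registry
# hostname, and add every other name or IP address clients will use.
# The server key is 2048-bit RSA, while the CA key from step 1 is 4096-bit.
cat > harbor-csr.json <<'EOF'
{
  "CN": "registry.xxx.com",
  "hosts": [
    "registry.xxx.com"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "Guangdong",
      "L": "Shenzhen",
      "O": "Test",
      "OU": "DCP"
    }
  ]
}
EOF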
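# Issue the Harbor server certificate from the CA using the "www" profile.
# cfssljson -bare harbor writes harbor.pem (certificate), harbor-key.pem
# (private key) and harbor.csr.
# Without `set -o pipefail` the pipeline reports only cfssljson's exit status,
# so a cfssl failure can go unnoticed; the verification below catches that.
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=www harbor-csr.json \
  | cfssljson -bare harbor
# Confirm the issued certificate chains to the CA before deploying it. This
# also fails if ca.pem was not created as a CA certificate.
openssl verify -CAfile ca.pem harbor.pem
# Optionally inspect the subject, validity period and subjectAltName entries:
#   openssl x509 -in harbor.pem -noout -text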