zoukankan      html  css  js  c++  java

  • cfssl 创建证书

    先提一下使用openssl 创建自签证书的方法

    方法一

    (umask 077; openssl genrsa -out ./harbor-key.pem 4096)

openssl req -new -key ./harbor-key.pem -out ./harbor.csr 
-subj "/C=CN/ST=BJ/L=BJ/O=UnitedStack/OU=Devops/CN=myharbor.com"

openssl req -new -x509 -key harbor-key.pem -out harbor.pem 
-subj "/C=CN/ST=BJ/L=BJ/O=UnitedStack/OU=Devops/CN=myharbor.com" -days 3650

    方法二

    openssl req 
-newkey rsa:4096 -nodes -sha256 -keyout ./domain.key -x509 -out ./domain.crt 
-subj /C=CN/ST=BJ/L=BJ/O=UnitedStack/OU=Devops/CN=devops.com -days 3650

    -subj 指定的字段解释

    • C : Country Name (2 letter code)
    • ST : State or Province Name (full name)
    • L : Locality Name (eg, city) [Default City]
    • O : Organization Name (eg, company) [Default Company Ltd]
    • OU : Organizational Unit Name (eg, section)
    • CN : Common Name (eg, your name or your server's hostname)
    • emailAddress : Email Address

    使用CFSSL

    安装 CFSSL 直接使用二进制文件安装

    if ! which cfssl; then
    wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 -O /usr/local/bin/cfssl
fi
if ! which cfssljson; then
    wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 -O /usr/local/bin/cfssljson
fi
if ! which cfssl-certinfo; then
    wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64 -O /usr/local/bin/cfssl-certinfo
fi
chmod +x /usr/local/bin/cfssl*
备用链接
链接:https://pan.baidu.com/s/16GCd2GSnp0AODFfKEmsOIQ
提取码:5akt

    创建ca证书请求文件

    cat << EOF > ca-csr.json
{
  "CN": "Private CA Root certificate",
  "key": {
    "algo": "rsa","size": 2048
  },
  "ca": {
     "expiry": "262800h"
  },
  "names": [
    {
      "C": "CN",
      "L": "BJ",
      "ST": "BeiJing",
      "O": "Private CA certificates are issued",
      "OU": "IT"
    }
  ]
}
EOF
cfssl gencert -initca ca-csr.json | cfssljson -bare ca

    CA 证书需要导入到浏览器中,才能让CA 签署过的证书在浏览器上显示安全,但要注意hosts区域的域名不要写错,同时浏览器使用域名访问

    过期时间查看

    openssl x509  -noout -text -in ca.pem |grep -A 5 Validity
cfssl certinfo -cert ca.pem
结果如下所示
Validity
    Not Before: Jan 12 03:42:00 2020 GMT
    Not After : Dec 19 03:42:00 2119 GMT
Subject: C=CN, ST=BeiJing, L=BJ, O=Private CA certificates are issued, CN=Private CA Root certificate
Subject Public Key Info:
    Public Key Algorithm: rsaEncryption

    创建配置文件,即告诉ca要生成什么样的证书

    cat << EOF > ca-config.json
{
  "signing": {
    "default": {
      "expiry": "8760h"
    },
    "profiles": {
      "www": {
        "expiry": "87600h",        
        "usages": [
            "signing",
            "key encipherment",
            "server auth",
            "client auth"
        ]
      }
    }
  }
}
EOF

    字段说明

    ca-config.json:可以定义多个 profiles,分别指定不同的参数;后续在签名证书时使用某个profile;
signing:表示该证书可用于签名其它证书;生成的 ca.pem 证书中 CA=TRUE;
server auth:表示client可以用该 CA 对server提供的证书进行验证;
client auth:表示server可以用该CA对client提供的证书进行验证;
profiles 中的 www 是后面cfssl gencert 命令值profiles 指定的值,要相互对应。

    创建证书签名请求文件(www)

    cat << EOF > www-csr.json
{
    "CN": "139.224.75.128",
    "hosts": [
        "127.0.0.1",
        "139.224.75.128",
        "www.yonge.com",
        "blog.yonge.com"
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "ZJ",            
            "ST": "HZ",
            "O": "test server",
            "OU": "IT"
        }
    ]
}
EOF

    生成证书

    cfssl gencert 
  -ca=ca.pem 
  -ca-key=ca-key.pem 
  -config=ca-config.json 
  -profile=www www-csr.json | cfssljson -bare www

    创建证书签名请求文件(harbor)

    cat << EOF > harbor-csr.json
{
    "CN": "harbor.hub.com",
    "hosts": [
        "127.0.0.1",
        "10.10.10.21",
        "harbor.hub.com"
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "ZJ",            
            "ST": "HZ",
            "O": "harbor",
            "OU": "IT"
        }
    ]
}
EOF

    生成harbor证书,使用了上面定义的环境变量

    cfssl gencert 
  -ca=ca.pem 
  -ca-key=ca-key.pem 
  -config=ca-config.json 
  -profile=www harbor-csr.json | cfssljson -bare harbor


    作者:Outsrkem
    出处:https://www.cnblogs.com/outsrkem/
    本文版权归作者和博客园共有,欢迎转载,但未经作者同意必须保留此段声明,且在文章页面明显位置给出原文连接,否则保留追究法律责任的权利。

  • 相关阅读:
    查找数据库表中重复的 Image 类型值
    C#中的引用传递和值传递。
    用JS解决Asp.net Mvc返回JsonResult中DateTime类型数据格式的问题
    根据业务自己设计的.NET工厂模式架构
    封装EF code first用存储过程的分页方法
    2013款MacBook Air装Windows7单系统
    js判断是否在微信浏览器中打开
    EF Code First连接现有数据库
    JS中for循序中延迟加载实现动态效果
    DIV+CSS左右两列自适应高度的方法
  • 原文地址:https://www.cnblogs.com/outsrkem/p/12182243.html
Copyright © 2011-2022 走看看