Generating CA certificates with cfssl on CentOS 7
2018-11-14 15:41
1. Download the cfssl tools

```sh
$ sudo mkdir -p /root/local/bin     # target directory does not exist on a fresh host
$ wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
$ chmod +x cfssl_linux-amd64
$ sudo mv cfssl_linux-amd64 /root/local/bin/cfssl
$ wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
$ chmod +x cfssljson_linux-amd64
$ sudo mv cfssljson_linux-amd64 /root/local/bin/cfssljson
$ wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
$ chmod +x cfssl-certinfo_linux-amd64
$ sudo mv cfssl-certinfo_linux-amd64 /root/local/bin/cfssl-certinfo
$ export PATH=/root/local/bin:$PATH
```
2. Generate the default config file and certificate signing request file

```sh
$ cfssl print-defaults config > ca-config.json
$ cfssl print-defaults csr > ca-csr.json
```

2.1. Review and edit the CA config file

`ca-config.json` after editing:

```json
{
  "signing": {
    "default": {
      "expiry": "9999h"
    },
    "profiles": {
      "www": {
        "expiry": "9999h",
        "usages": [
          "signing",
          "key encipherment",
          "server auth"
        ]
      },
      "client": {
        "expiry": "9999h",
        "usages": [
          "signing",
          "key encipherment",
          "client auth"
        ]
      }
    }
  }
}
```
+ `ca-config.json`: several profiles can be defined, each with its own expiry, usages and other parameters; the profile is selected with `-profile` when a certificate is signed later. The `expiry` values apply to the leaf certificates signed with a profile, not to the CA itself: `cfssl gencert -initca` takes the CA lifetime from the optional `"ca": {"expiry": ...}` block of the CSR and defaults to five years (see the `Not After` in the example session at the end of this page). `9999h` is roughly 416 days.
+ `signing`: maps to the `Digital Signature` key usage. It does not by itself make a certificate able to sign other certificates: the `CA=TRUE` on `ca.pem` comes from `-initca` (which sets `Certificate Sign, CRL Sign` and `CA:TRUE`), and leaf certificates signed with these profiles come out with `CA:FALSE`.
+ `server auth`: the `TLS Web Server Authentication` extended key usage; a client validates a server certificate carrying it against this CA.
+ `client auth`: the `TLS Web Client Authentication` extended key usage; a server validates a client certificate carrying it against this CA.
2.2. Review and edit the CA certificate signing request

```json
{
  "CN": "registry.test.com",
  "hosts": [
    "127.0.0.1",
    "172.16.160.38",
    "registry.test.com"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
```

Entries in `hosts` become Subject Alternative Names; on a CA certificate they serve no purpose and can be left empty (`"hosts": []`). They matter on the server certificates signed later, because that is what clients match the host name against.

+ `CN` (`Common Name`): kube-apiserver takes this field from a client certificate as the request's user name (User Name); browsers match the site's host name against the SAN list, with older browsers falling back to the CN.
+ `O` (`Organization`): kube-apiserver takes this field from a client certificate as the group (Group) the user belongs to.
3. Generate the CA certificate and private key:

```sh
[root@dev tmp]# cfssl gencert -initca ca-csr.json | cfssljson -bare ca   # re-run after editing ca-csr.json
[root@dev tmp]# ls ca*
ca-config.json  ca.csr  ca-csr.json  ca-key.pem  ca.pem
```
Distribute the certificates: `ca.pem` is what browsers, docker and cluster components need in order to trust certificates signed by this CA; `ca-key.pem` (written with mode 0600) stays on the CA host and is never copied anywhere else, since whoever holds it can issue certificates every one of those clients will accept.
4. Verify the certificates

4.1. Verify with the `openssl` command

```sh
$ openssl x509 -noout -text -in kubernetes.pem
...
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=BeiJing, L=BeiJing, O=k8s, OU=System, CN=Kubernetes
        Validity
            Not Before: Apr  5 05:36:00 2017 GMT
            Not After : Apr  5 05:36:00 2018 GMT
        Subject: C=CN, ST=BeiJing, L=BeiJing, O=k8s, OU=System, CN=kubernetes
...
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                DD:52:04:43:10:13:A9:29:24:17:3A:0E:D7:14:DB:36:F8:6C:E0:E0
            X509v3 Authority Key Identifier:
                keyid:44:04:3B:60:BD:69:78:14:68:AF:A0:41:13:F6:17:07:13:63:58:CD
            X509v3 Subject Alternative Name:
                DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster, DNS:kubernetes.default.svc.cluster.local, IP Address:127.0.0.1, IP Address:10.64.3.7, IP Address:10.254.0.1
...
```

This output is from a Kubernetes API server certificate (`kubernetes.pem`, issued by a CA with `CN=Kubernetes` and signed with a `kubernetes` profile), reproduced here to show what to look at; for a certificate signed by the CA above, the CSR file is your own and the profile is `www` or `client`.

+ confirm the `Issuer` field matches `ca-csr.json`;
+ confirm the `Subject` field matches `kubernetes-csr.json`;
+ confirm the `X509v3 Subject Alternative Name` field matches the `hosts` in `kubernetes-csr.json`;
+ confirm the `X509v3 Key Usage` and `Extended Key Usage` fields match the `kubernetes` profile in `ca-config.json`;
+ confirm `X509v3 Basic Constraints` says `CA:FALSE`: a leaf that came back with `CA:TRUE` could itself sign certificates your clients would trust.
4.2. Verify with the `cfssl-certinfo` command

```sh
$ cfssl-certinfo -cert kubernetes.pem
...
{
  "subject": {
    "common_name": "kubernetes",
    "country": "CN",
    "organization": "k8s",
    "organizational_unit": "System",
    "locality": "BeiJing",
    "province": "BeiJing",
    "names": [ "CN", "BeiJing", "BeiJing", "k8s", "System", "kubernetes" ]
  },
  "issuer": {
    "common_name": "Kubernetes",
    "country": "CN",
    "organization": "k8s",
    "organizational_unit": "System",
    "locality": "BeiJing",
    "province": "BeiJing",
    "names": [ "CN", "BeiJing", "BeiJing", "k8s", "System", "Kubernetes" ]
  },
  "serial_number": "174360492872423263473151971632292895707129022309",
  "sans": [
    "kubernetes",
    "kubernetes.default",
    "kubernetes.default.svc",
    "kubernetes.default.svc.cluster",
    "kubernetes.default.svc.cluster.local",
    "127.0.0.1",
    "10.64.3.7",
    "10.64.3.8",
    "10.66.3.86",
    "10.254.0.1"
  ],
  "not_before": "2017-04-05T05:36:00Z",
  "not_after": "2018-04-05T05:36:00Z",
  "sigalg": "SHA256WithRSA",
...
```
4.3. Verify in a browser

Import the certificate

Rename `ca.pem` to `ca.crt` and import it into the browser as a trusted root certificate.

Build an HTTPS server

```sh
[root@dev tmp]# cd /root/ssl_test
[root@dev tmp]# cat > http-server.js <<EOF
var https = require('https');
var fs = require('fs');

// app.pem / app-key.pem: a server certificate and key signed by the CA above
var options = {
  key: fs.readFileSync('./keys/app-key.pem'),
  cert: fs.readFileSync('./keys/app.pem')
};

https.createServer(options, function (req, res) {
  res.writeHead(200);
  res.end('hello world');
}).listen(8000);
EOF
[root@dev tmp]# yum install nodejs -y
# npm install https -g is not needed: https is a Node.js core module
[root@dev tmp]# node http-server.js
```
Add the following to the hosts file:

```
172.16.160.28 www.test.com
```

Open https://www.test.com:8000 in the browser and the site is shown as secure. That only happens when the server certificate chains to the imported `ca.crt` and its Subject Alternative Name list contains `www.test.com`; current browsers do not use the CN for host matching, so the name has to be in `hosts` in the CSR the server certificate was signed from.
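The server above loads `./keys/app.pem` and `./keys/app-key.pem`, but the post never shows how that leaf certificate is signed by the CA from section 3. The script below is an added example, not code from the original post: it builds the CA, signs a server certificate with the `www` profile and a client certificate with the `client` profile (to show the CN/O fields section 2.2 describes), and then scripts the section 4.1 checks with `openssl`. The host name `www.test.com`, the output basename `app` and the `keys/` directory are taken from the Node.js server; the CN `admin` for the client certificate, the one-year expiry and the temporary working directory are this example's own choices, and cfssl, cfssljson and openssl are assumed to be on `PATH`.

```shell
#!/bin/sh
# Added example (not from the original post): sign a server and a client
# certificate with the CA from section 3 and verify them the way section 4.1 does.
# Assumed: cfssl/cfssljson and openssl on PATH; www.test.com and keys/app* come
# from the post's Node.js server, "admin" and the 8760h expiry are our choices.
set -eu

# Build a cfssl CSR in the post's layout. Every extra argument becomes an entry
# in "hosts", i.e. a Subject Alternative Name, which is what browsers and docker
# match the host name against; a name that is only in the CN is not enough.
make_csr_json() {
  cn=$1; shift
  hosts=""
  for h in "$@"; do
    hosts="${hosts:+$hosts, }\"$h\""
  done
  printf '{ "CN": "%s", "hosts": [ %s ], "key": { "algo": "rsa", "size": 2048 },\n' "$cn" "$hosts"
  printf '  "names": [ { "C": "CN", "ST": "BeiJing", "L": "BeiJing", "O": "k8s", "OU": "System" } ] }\n'
}

# Sign a leaf with the CA. $1 = profile from ca-config.json ("www" or "client"),
# $2 = CSR json, $3 = output basename (cfssljson writes $3.pem and $3-key.pem).
sign_leaf() {
  cfssl gencert -ca ca.pem -ca-key ca-key.pem -config ca-config.json \
    -profile "$1" "$2" | cfssljson -bare "$3"
}

# Section 4.1 as a script: the chain must verify against ca.pem, the text dump
# must carry the expected name/SAN ($2) and the EKU the profile promised ($3).
# -nameopt RFC2253 keeps "CN=admin" spelled the same on OpenSSL 1.0.2 and 3.x.
check_leaf() {
  openssl verify -CAfile ca.pem "$1" >/dev/null 2>&1 || return 1
  text=$(openssl x509 -noout -text -nameopt RFC2253 -in "$1")
  echo "$text" | grep -q "$2" || return 1
  echo "$text" | grep -q "$3" || return 1
}

main() {
  if ! command -v cfssl >/dev/null 2>&1; then
    echo "cfssl not found on PATH, nothing signed" >&2
    return 0
  fi
  work=$(mktemp -d); cd "$work"
  # ca-config.json from section 2.1, with the leaf expiry shortened to one year
  cat > ca-config.json <<'EOF'
{ "signing": { "default": { "expiry": "8760h" },
  "profiles": {
    "www":    { "expiry": "8760h", "usages": [ "signing", "key encipherment", "server auth" ] },
    "client": { "expiry": "8760h", "usages": [ "signing", "key encipherment", "client auth" ] } } } }
EOF
  make_csr_json registry.test.com > ca-csr.json        # a CA needs no hosts/SANs
  cfssl gencert -initca ca-csr.json | cfssljson -bare ca
  mkdir keys
  # Server certificate for the Node.js HTTPS server: name and loopback in the SAN
  make_csr_json www.test.com 127.0.0.1 www.test.com > keys/app-csr.json
  sign_leaf www keys/app-csr.json keys/app                # -> keys/app.pem, keys/app-key.pem
  check_leaf keys/app.pem "DNS:www.test.com" "TLS Web Server Authentication"
  echo "keys/app.pem chains to ca.pem, carries www.test.com and serverAuth"
  # Client certificate: CN and O are what kube-apiserver reads as user and group
  make_csr_json admin > keys/admin-csr.json
  sign_leaf client keys/admin-csr.json keys/admin
  check_leaf keys/admin.pem "CN=admin" "TLS Web Client Authentication"
  echo "keys/admin.pem chains to ca.pem and carries clientAuth"
  echo "outputs are in $work"
}
main
```

Copy `keys/app.pem` and `keys/app-key.pem` into `/root/ssl_test/keys/` and the server from section 4.3 starts with a certificate that passes the browser check; the client certificate is what the `client` profile is for and is not used by that server.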
Appendix:

Meaning of the fields in a certificate Subject

- A typical certificate Subject contains the following fields:

| Field | Meaning |
|---|---|
| Common Name | Short form: `CN`. For an SSL certificate, usually the site's domain name; for a code-signing certificate, the applicant organization's name; for a client certificate, the applicant's own name. |
| Organization Name | Short form: `O`. The legal name of the applicant organization (the site owner for an SSL certificate, the publisher for a code-signing certificate, the employer for a client certificate). |

- Location of the applicant organization

| Field | Meaning |
|---|---|
| Locality | Short form: `L`, the city |
| State/Province | Short form: `ST` (shown as `S` by some tools) |
| Country | Short form: `C`, a two-letter country code only, e.g. `CN` for China |

- Other fields

| Field | Meaning |
|---|---|
| Email | Short form: `E` |
| Given name | Short form: `G` (`givenName`) |
| Description | `Description` field |
| Phone number | `Phone` field, formatted as + country code, area code, number, e.g. `+86 732 88888888` |
| Street address | `STREET` field |
| Postal code | `PostalCode` field |
| Organizational Unit | Short form: `OU`, the department or unit within the organization |
Example:

```sh
[root@dev ca]# cat ca-config.json
{
  "signing": {
    "default": {
      "expiry": "9999h"
    },
    "profiles": {
      "www": {
        "expiry": "9999h",
        "usages": [
          "signing",
          "key encipherment",
          "server auth"
        ]
      },
      "client": {
        "expiry": "9999h",
        "usages": [
          "signing",
          "key encipherment",
          "client auth"
        ]
      }
    }
  }
}
[root@dev ca]# cat ca-csr.json
{
  "CN": "registry.test.com",
  "hosts": [
    "127.0.0.1",
    "172.16.160.38",
    "registry.test.com"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
[root@dev ca]# ll
total 8
-rw-r--r-- 1 root root 568 Nov 14 15:59 ca-config.json
-rw-r--r-- 1 root root 289 Nov 14 16:02 ca-csr.json
[root@dev ca]# cfssl gencert -initca ca-csr.json | cfssljson -bare ca
2018/11/14 16:05:01 [INFO] generating a new CA key and certificate from CSR
2018/11/14 16:05:01 [INFO] generate received request
2018/11/14 16:05:01 [INFO] received CSR
2018/11/14 16:05:01 [INFO] generating key: rsa-2048
2018/11/14 16:05:01 [INFO] encoded CSR
2018/11/14 16:05:01 [INFO] signed certificate with serial number 303515642193399207794287652931621857332460556169
[root@dev ca]# ll
total 20
-rw-r--r-- 1 root root  568 Nov 14 15:59 ca-config.json
-rw-r--r-- 1 root root 1082 Nov 14 16:05 ca.csr
-rw-r--r-- 1 root root  289 Nov 14 16:02 ca-csr.json
-rw------- 1 root root 1679 Nov 14 16:05 ca-key.pem
-rw-r--r-- 1 root root 1379 Nov 14 16:05 ca.pem
[root@dev ca]# openssl x509 -noout -text -in ca.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            35:2a:1c:b2:f6:1a:f3:82:38:50:05:8c:fb:65:ef:9e:89:74:8f:89
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=BeiJing, L=BeiJing, O=k8s, OU=System, CN=harbor
        Validity
            Not Before: Nov 14 08:00:00 2018 GMT
            Not After : Nov 13 08:00:00 2023 GMT
        Subject: C=CN, ST=BeiJing, L=BeiJing, O=k8s, OU=System, CN=harbor
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:b7:2e:6a:52:f4:d2:34:8b:5e:3f:95:5d:c8:b0:
                    85:9a:1b:ef:c5:0f:1b:94:b9:94:12:fe:fa:66:0d:
                    8c:67:b8:9e:82:30:fc:e1:42:94:6e:00:fb:c0:fd:
                    84:be:65:2c:e4:8f:f1:f1:93:e5:ae:8e:5b:74:7a:
                    d5:94:25:9c:01:76:f9:96:4e:02:b9:27:a2:44:e0:
                    da:b3:f3:09:82:5c:9f:26:a6:26:54:35:15:e6:a6:
                    7a:4b:14:99:07:9d:e3:c3:b8:bd:3f:b6:76:53:05:
                    82:02:bb:e2:61:21:23:5b:3b:23:4c:08:eb:a7:51:
                    00:fb:01:5f:b7:f8:b9:67:5b:a1:99:19:23:42:7a:
                    d2:22:0a:11:01:1d:75:34:9e:25:9c:c8:9f:31:d7:
                    f5:f3:98:14:b8:c4:07:f3:5a:a1:fa:96:bd:0f:b3:
                    dc:13:5b:8e:03:e8:66:3b:b5:bd:8d:08:ee:61:c2:
                    4f:78:dc:9a:ee:37:f8:87:6b:5f:e3:87:ae:91:b0:
                    8c:c9:40:51:44:cb:57:47:23:f1:2d:34:af:0f:5f:
                    42:89:14:ac:de:73:d4:32:54:c2:de:99:38:96:d4:
                    b8:de:f3:df:5c:a5:55:54:8f:a1:b7:fa:42:8b:d9:
                    fe:2d:14:1f:d5:62:d9:c7:c1:4d:55:41:3b:a9:d3:
                    0d:2d
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:2
            X509v3 Subject Key Identifier:
                15:1F:81:A2:AC:41:18:DA:DD:19:36:03:61:18:7B:EF:3D:94:10:AE
            X509v3 Authority Key Identifier:
                keyid:15:1F:81:A2:AC:41:18:DA:DD:19:36:03:61:18:7B:EF:3D:94:10:AE
            X509v3 Subject Alternative Name:
                IP Address:127.0.0.1, IP Address:172.16.160.38
    Signature Algorithm: sha256WithRSAEncryption
         62:41:3c:40:6d:91:29:d2:0b:6d:ce:08:a1:e4:47:64:0a:66:
         0e:c0:55:eb:c4:6b:30:6d:79:51:b4:97:8c:02:1e:15:ba:0f:
         84:ce:2a:3c:c7:86:29:3c:1f:55:35:a1:da:df:70:5d:58:93:
         45:24:c4:20:4d:c1:c7:bb:83:8d:52:0c:7d:43:e2:7c:5b:00:
         5d:57:5a:b5:bf:d0:56:5a:57:32:ca:fc:29:59:23:ab:5e:1e:
         0e:9b:f9:f6:8d:e8:e4:c6:cb:e6:fe:9f:e3:cd:55:2e:7b:35:
         1e:bc:80:0f:ba:d8:66:ae:43:19:bf:d1:bb:81:17:d6:4a:3b:
         01:ba:d4:28:da:3f:19:63:82:72:6f:df:7a:b4:bc:d4:cf:a9:
         b1:fc:a6:c7:c1:5d:9b:09:2e:72:2a:d4:18:ed:f4:3d:97:1e:
         e6:43:81:5c:eb:40:2c:f9:aa:6f:90:16:70:46:77:52:09:64:
         43:83:00:0c:44:59:de:17:65:7b:7e:3d:51:df:54:6e:bb:80:
         cb:22:13:e2:20:80:91:f8:3f:5e:83:70:32:68:ad:ad:7e:4a:
         15:32:45:a7:a5:c4:ed:1c:d4:e4:cc:38:ac:8a:9d:d1:bb:4e:
         1c:21:17:56:a2:a0:f9:39:f3:73:e4:96:00:ac:98:93:f3:80:
         96:9d:b5:97
[root@dev ca]#
```

Two things to read off this output: the CA carries `Certificate Sign, CRL Sign` and `CA:TRUE, pathlen:2` (set by `-initca`, not by the `signing` usage in the profiles), and it expires five years after creation even though the profiles say `9999h`, because the profile expiry only governs the certificates the CA signs.
If you see:

```sh
[root@dev ~]# docker login registry.test.com
Username (admin): admin
Password:
Error response from daemon: Get https://registry.mayocase.com/v1/users/: x509: certificate signed by unknown authority
```

check that `/etc/docker/certs.d/registry.test.com/` contains `ca.crt`; docker may need a restart afterwards. The directory name must match the registry host (and port, if one is used) exactly as given to `docker login`, and the CA placed there is trusted by docker for that registry only, not system-wide.

```sh
[root@dev ~]# mkdir -p /etc/docker/certs.d/registry.test.com
[root@dev ~]# cp ca.pem /etc/docker/certs.d/registry.test.com/ca.crt
[root@dev ~]# systemctl restart docker
```
After replacing the Harbor certificate:

```sh
[root@dev harbor]# cd /data/harbor        # the commands below must be run from this directory
[root@dev harbor]# ll
total 878344
drwxr-xr-x 4 root root        35 Jul 31  2017 common
-rw-r--r-- 1 root root      1988 Jul 31  2017 docker-compose.notary.yml
-rw-r--r-- 1 root root      3155 Jul 31  2017 docker-compose.yml
-rw-r--r-- 1 root root      4304 Jul 31  2017 harbor_1_1_0_template
-rw-r--r-- 1 root root      4178 Jul 31  2017 harbor.cfg
-rw-r--r-- 1 root root      1082 Jul 31  2017 harbor.csr
-rw-r--r-- 1 root root       288 Jul 31  2017 harbor-csr.json
-rw-r--r-- 1 root root 448963966 Jul 31  2017 harbor.v1.1.1.tar.gz
-rw-r--r-- 1 root root 450041094 Jul 31  2017 harbor.v1.1.2.tar.gz
-rwxr-xr-x 1 root root      5169 Jul 31  2017 install.sh
-rw-r--r-- 1 root root    337600 Jul 31  2017 LICENSE
-rw-r--r-- 1 root root       472 Jul 31  2017 NOTICE
-rwxr-xr-x 1 root root     16522 Jul 31  2017 prepare
-rwxr-xr-x 1 root root      4550 Jul 31  2017 upgrade
# stop harbor
[root@dev harbor]# docker-compose down -v     # run it several times until all containers are gone
# edit the configuration
[root@dev harbor]# vim harbor.cfg
# propagate the changed configuration into docker-compose.yml
[root@dev harbor]# ./prepare
# start harbor
[root@dev harbor]# docker-compose up -d
```