1.下载cfssl工具
$ wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
$ chmod +x cfssl_linux-amd64
$ sudo mv cfssl_linux-amd64 /root/local/bin/cfssl
$ wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
$ chmod +x cfssljson_linux-amd64
$ sudo mv cfssljson_linux-amd64 /root/local/bin/cfssljson
$ wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
$ chmod +x cfssl-certinfo_linux-amd64
$ sudo mv cfssl-certinfo_linux-amd64 /root/local/bin/cfssl-certinfo
$ export PATH=/root/local/bin:$PATH2.生成默认的配置文件和证书签名请求文件
$ cfssl print-defaults config > ca-config.json
$ cfssl print-defaults csr > ca-csr.json2.1.查看并修改CA 配置文件
# cat ca-config.json
{
"signing": {
"default": {
"expiry": "9999h"
},
"profiles": {
"www": {
"expiry": "9999h",
"usages": [
"signing",
"key encipherment",
"server auth"
]
},
"client": {
"expiry": "9999h",
"usages": [
"signing",
"key encipherment",
"client auth"
]
}
}
}
}
+ `ca-config.json`:可以定义多个 profiles,分别指定不同的过期时间、使用场景等参数;后续在签名证书时使用某个 profile;
+ `signing`:表示该证书可用于签名其它证书;生成的 ca.pem 证书中 `CA=TRUE`;
+ `server auth`:表示 client 可以用该 CA 对 server 提供的证书进行验证;
+ `client auth`:表示 server 可以用该 CA 对 client 提供的证书进行验证;
2.2.查看并修改 CA 证书签名请求
{
"CN": "registry.test.com",
"hosts": [
"127.0.0.1",
"172.16.160.38",
"registry.test.com"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "BeiJing",
"L": "BeiJing",
"O": "k8s",
"OU": "System"
}
]
}+ "CN":`Common Name`,kube-apiserver 从证书中提取该字段作为请求的用户名 (User Name);浏览器使用该字段验证网站是否合法;
+ "O":`Organization`,kube-apiserver 从证书中提取该字段作为请求用户所属的组 (Group);
3.生成 CA 证书和私钥:
[root@dev tmp]# cfssl gencert -initca ca-csr.json | cfssljson -bare ca #重新执行
[root@dev tmp]# ls ca*
ca-config.json ca.csr ca-csr.json ca-key.pem ca.pem分发证书
4.校验证书
4.1使用 `openssl` 命令校验证书
$ openssl x509 -noout -text -in kubernetes.pem
...
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=CN, ST=BeiJing, L=BeiJing, O=k8s, OU=System, CN=Kubernetes
Validity
Not Before: Apr 5 05:36:00 2017 GMT
Not After : Apr 5 05:36:00 2018 GMT
Subject: C=CN, ST=BeiJing, L=BeiJing, O=k8s, OU=System, CN=kubernetes
...
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Subject Key Identifier:
DD:52:04:43:10:13:A9:29:24:17:3A:0E:D7:14:DB:36:F8:6C:E0:E0
X509v3 Authority Key Identifier:
keyid:44:04:3B:60:BD:69:78:14:68:AF:A0:41:13:F6:17:07:13:63:58:CD
X509v3 Subject Alternative Name:
DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster, DNS:kubernetes.default.svc.cluster.local, IP Address:127.0.0.1, IP Address:10.64.3.7, IP Address:10.254.0.1
...
+ 确认 `Issuer` 字段的内容和 `ca-csr.json` 一致;
+ 确认 `Subject` 字段的内容和 `kubernetes-csr.json` 一致;
+ 确认 `X509v3 Subject Alternative Name` 字段的内容和 `kubernetes-csr.json` 一致;
+ 确认 `X509v3 Key Usage、Extended Key Usage` 字段的内容和 `ca-config.json` 中 `kubernetes` profile 一致;4.2使用 `cfssl-certinfo` 命令校验证书
$ cfssl-certinfo -cert kubernetes.pem
...
{
"subject": {
"common_name": "kubernetes",
"country": "CN",
"organization": "k8s",
"organizational_unit": "System",
"locality": "BeiJing",
"province": "BeiJing",
"names": [
"CN",
"BeiJing",
"BeiJing",
"k8s",
"System",
"kubernetes"
]
},
"issuer": {
"common_name": "Kubernetes",
"country": "CN",
"organization": "k8s",
"organizational_unit": "System",
"locality": "BeiJing",
"province": "BeiJing",
"names": [
"CN",
"BeiJing",
"BeiJing",
"k8s",
"System",
"Kubernetes"
]
},
"serial_number": "174360492872423263473151971632292895707129022309",
"sans": [
"kubernetes",
"kubernetes.default",
"kubernetes.default.svc",
"kubernetes.default.svc.cluster",
"kubernetes.default.svc.cluster.local",
"127.0.0.1",
"10.64.3.7",
"10.64.3.8",
"10.66.3.86",
"10.254.0.1"
],
"not_before": "2017-04-05T05:36:00Z",
"not_after": "2018-04-05T05:36:00Z",
"sigalg": "SHA256WithRSA",
...4.3使用浏览器验证
导入证书
ca.pem改名为ca.crt。将正式导入浏览器。
构建https服务
[root@dev tmp]# cd /root/ssl_test
[root@dev tmp]# cat > http-server.js <<EOF
var https = require('https');
var fs = require('fs');
var options = {
key: fs.readFileSync('./keys/app-key.pem'),
cert: fs.readFileSync('./keys/app.pem')
};
https.createServer(options, function (req, res) {
res.writeHead(200);
res.end('hello world');
}).listen(8000);
EOF
[root@dev tmp]# yum install nodejs -y
[root@dev tmp]# npm install https -g
[root@dev tmp]# node http-server.js修改hosts文件添加
172.16.160.28 www.test.com在浏览器访问https://www.test.com:8000 发现网站显示为安全
附:
数字证书中主题(Subject)中字段的含义
- 一般的数字证书产品的主题通常含有如下字段:
| 字段名 | 字段值 |
|---|---|
| 公用名称 (Common Name) | 简称:CN 字段,对于 SSL 证书,一般为网站域名;而对于代码签名证书则为申请单位名称;而对于客户端证书则为证书申请者的姓名; |
| 单位名称 (Organization Name) | 简称:O 字段,对于 SSL 证书,一般为网站域名;而对于代码签名证书则为申请单位名称;而对于客户端单位证书则为证书申请者所在单位名称; |
- 证书申请单位所在地
| 字段名 | 字段值 |
|---|---|
| 所在城市 (Locality) | 简称:L 字段 |
| 所在省份 (State/Provice) | 简称:S 字段 |
| 所在国家 (Country) | 简称:C 字段,只能是国家字母缩写,如中国:CN |
- 其他一些字段
| 字段名 | 字段值 |
|---|---|
| 电子邮件 (Email) | 简称:E 字段 |
| 多个姓名字段 | 简称:G 字段 |
| 介绍 | Description 字段 |
| 电话号码: | Phone 字段,格式要求 + 国家区号 城市区号 电话号码,如: +86 732 88888888 |
| 地址: | STREET 字段 |
| 邮政编码: | PostalCode 字段 |
| 显示其他内容 | 简称:OU 字段 |
例子:
[root@dev ca]# cat ca-config.json
{
"signing": {
"default": {
"expiry": "9999h"
},
"profiles": {
"www": {
"expiry": "9999h",
"usages": [
"signing",
"key encipherment",
"server auth"
]
},
"client": {
"expiry": "9999h",
"usages": [
"signing",
"key encipherment",
"client auth"
]
}
}
}
}
[root@dev ca]# cat ca-csr.json
{
"CN": "registry.test.com",
"hosts": [
"127.0.0.1",
"172.16.160.38",
"registry.test.com"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "BeiJing",
"L": "BeiJing",
"O": "k8s",
"OU": "System"
}
]
}
[root@dev ca]# ll
总用量 8
-rw-r--r-- 1 root root 568 11月 14 15:59 ca-config.json
-rw-r--r-- 1 root root 289 11月 14 16:02 ca-csr.json
[root@dev ca]# cfssl gencert -initca ca-csr.json | cfssljson -bare ca
2018/11/14 16:05:01 [INFO] generating a new CA key and certificate from CSR
2018/11/14 16:05:01 [INFO] generate received request
2018/11/14 16:05:01 [INFO] received CSR
2018/11/14 16:05:01 [INFO] generating key: rsa-2048
2018/11/14 16:05:01 [INFO] encoded CSR
2018/11/14 16:05:01 [INFO] signed certificate with serial number 303515642193399207794287652931621857332460556169
[root@dev ca]# ll
总用量 20
-rw-r--r-- 1 root root 568 11月 14 15:59 ca-config.json
-rw-r--r-- 1 root root 1082 11月 14 16:05 ca.csr
-rw-r--r-- 1 root root 289 11月 14 16:02 ca-csr.json
-rw------- 1 root root 1679 11月 14 16:05 ca-key.pem
-rw-r--r-- 1 root root 1379 11月 14 16:05 ca.pem
[root@dev ca]# openssl x509 -noout -text -in ca.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
35:2a:1c:b2:f6:1a:f3:82:38:50:05:8c:fb:65:ef:9e:89:74:8f:89
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=CN, ST=BeiJing, L=BeiJing, O=k8s, OU=System, CN=harbor
Validity
Not Before: Nov 14 08:00:00 2018 GMT
Not After : Nov 13 08:00:00 2023 GMT
Subject: C=CN, ST=BeiJing, L=BeiJing, O=k8s, OU=System, CN=harbor
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:b7:2e:6a:52:f4:d2:34:8b:5e:3f:95:5d:c8:b0:
85:9a:1b:ef:c5:0f:1b:94:b9:94:12:fe:fa:66:0d:
8c:67:b8:9e:82:30:fc:e1:42:94:6e:00:fb:c0:fd:
84:be:65:2c:e4:8f:f1:f1:93:e5:ae:8e:5b:74:7a:
d5:94:25:9c:01:76:f9:96:4e:02:b9:27:a2:44:e0:
da:b3:f3:09:82:5c:9f:26:a6:26:54:35:15:e6:a6:
7a:4b:14:99:07:9d:e3:c3:b8:bd:3f:b6:76:53:05:
82:02:bb:e2:61:21:23:5b:3b:23:4c:08:eb:a7:51:
00:fb:01:5f:b7:f8:b9:67:5b:a1:99:19:23:42:7a:
d2:22:0a:11:01:1d:75:34:9e:25:9c:c8:9f:31:d7:
f5:f3:98:14:b8:c4:07:f3:5a:a1:fa:96:bd:0f:b3:
dc:13:5b:8e:03:e8:66:3b:b5:bd:8d:08:ee:61:c2:
4f:78:dc:9a:ee:37:f8:87:6b:5f:e3:87:ae:91:b0:
8c:c9:40:51:44:cb:57:47:23:f1:2d:34:af:0f:5f:
42:89:14:ac:de:73:d4:32:54:c2:de:99:38:96:d4:
b8:de:f3:df:5c:a5:55:54:8f:a1:b7:fa:42:8b:d9:
fe:2d:14:1f:d5:62:d9:c7:c1:4d:55:41:3b:a9:d3:
0d:2d
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
X509v3 Basic Constraints: critical
CA:TRUE, pathlen:2
X509v3 Subject Key Identifier:
15:1F:81:A2:AC:41:18:DA:DD:19:36:03:61:18:7B:EF:3D:94:10:AE
X509v3 Authority Key Identifier:
keyid:15:1F:81:A2:AC:41:18:DA:DD:19:36:03:61:18:7B:EF:3D:94:10:AE
X509v3 Subject Alternative Name:
IP Address:127.0.0.1, IP Address:172.16.160.38
Signature Algorithm: sha256WithRSAEncryption
62:41:3c:40:6d:91:29:d2:0b:6d:ce:08:a1:e4:47:64:0a:66:
0e:c0:55:eb:c4:6b:30:6d:79:51:b4:97:8c:02:1e:15:ba:0f:
84:ce:2a:3c:c7:86:29:3c:1f:55:35:a1:da:df:70:5d:58:93:
45:24:c4:20:4d:c1:c7:bb:83:8d:52:0c:7d:43:e2:7c:5b:00:
5d:57:5a:b5:bf:d0:56:5a:57:32:ca:fc:29:59:23:ab:5e:1e:
0e:9b:f9:f6:8d:e8:e4:c6:cb:e6:fe:9f:e3:cd:55:2e:7b:35:
1e:bc:80:0f:ba:d8:66:ae:43:19:bf:d1:bb:81:17:d6:4a:3b:
01:ba:d4:28:da:3f:19:63:82:72:6f:df:7a:b4:bc:d4:cf:a9:
b1:fc:a6:c7:c1:5d:9b:09:2e:72:2a:d4:18:ed:f4:3d:97:1e:
e6:43:81:5c:eb:40:2c:f9:aa:6f:90:16:70:46:77:52:09:64:
43:83:00:0c:44:59:de:17:65:7b:7e:3d:51:df:54:6e:bb:80:
cb:22:13:e2:20:80:91:f8:3f:5e:83:70:32:68:ad:ad:7e:4a:
15:32:45:a7:a5:c4:ed:1c:d4:e4:cc:38:ac:8a:9d:d1:bb:4e:
1c:21:17:56:a2:a0:f9:39:f3:73:e4:96:00:ac:98:93:f3:80:
96:9d:b5:97
[root@dev ca]#如果出现
[root@dev ~]# docker login registry.test.com
Username (admin): admin
Password:
Error response from daemon: Get https://registry.mayocase.com/v1/users/: x509: certificate signed by unknown authority检查下目录/etc/docker/certs.d/registry.test.com下是否有ca.crt文件,可能需要重启docker
[root@dev ~]# cp ca.pem /etc/docker/certs.d/registry.test.com/ca.crt
[root@dev ~]# systemctl restart docker修改harbor证书后操作:
[root@dev harbor]# cd /data/harbor #一定要在此目录下运行以下命令。
[root@dev harbor]# ll
总用量 878344
drwxr-xr-x 4 root root 35 7月 31 2017 common
-rw-r--r-- 1 root root 1988 7月 31 2017 docker-compose.notary.yml
-rw-r--r-- 1 root root 3155 7月 31 2017 docker-compose.yml
-rw-r--r-- 1 root root 4304 7月 31 2017 harbor_1_1_0_template
-rw-r--r-- 1 root root 4178 7月 31 2017 harbor.cfg
-rw-r--r-- 1 root root 1082 7月 31 2017 harbor.csr
-rw-r--r-- 1 root root 288 7月 31 2017 harbor-csr.json
-rw-r--r-- 1 root root 448963966 7月 31 2017 harbor.v1.1.1.tar.gz
-rw-r--r-- 1 root root 450041094 7月 31 2017 harbor.v1.1.2.tar.gz
-rwxr-xr-x 1 root root 5169 7月 31 2017 install.sh
-rw-r--r-- 1 root root 337600 7月 31 2017 LICENSE
-rw-r--r-- 1 root root 472 7月 31 2017 NOTICE
-rwxr-xr-x 1 root root 16522 7月 31 2017 prepare
-rwxr-xr-x 1 root root 4550 7月 31 2017 upgrade
[root@dev harbor]#
# 停止 harbor
[root@dev harbor]# docker-compose down -v #多运行几次直到所有docker都删除
# 修改配置
[root@dev harbor]# vim harbor.cfg
# 更修改的配置更新到 docker-compose.yml 文件
[root@dev harbor]# ./prepare
# 启动 harbor
[root@dev harbor]# docker-compose up -d
1631
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
