Generating a CA certificate with the cfssl tool on CentOS 7

1. Download the cfssl tools

$ wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
$ chmod +x cfssl_linux-amd64
$ sudo mv cfssl_linux-amd64 /root/local/bin/cfssl

$ wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
$ chmod +x cfssljson_linux-amd64
$ sudo mv cfssljson_linux-amd64 /root/local/bin/cfssljson

$ wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
$ chmod +x cfssl-certinfo_linux-amd64
$ sudo mv cfssl-certinfo_linux-amd64 /root/local/bin/cfssl-certinfo

$ export PATH=/root/local/bin:$PATH

2. Generate the default configuration file and certificate signing request (CSR) file

$ cfssl print-defaults config > ca-config.json
$ cfssl print-defaults csr > ca-csr.json

2.1. View and modify the CA configuration file

# cat ca-config.json 
{
    "signing": {
        "default": {
            "expiry": "9999h"
        },
        "profiles": {
            "www": {
                "expiry": "9999h",
                "usages": [
                    "signing",
                    "key encipherment",
                    "server auth"
                ]
            },
            "client": {
                "expiry": "9999h",
                "usages": [
                    "signing",
                    "key encipherment",
                    "client auth"
                ]
            }
        }
    }
}

+ `ca-config.json`: several profiles can be defined, each with its own expiry time, intended usage and other parameters; when a certificate is signed later, one of these profiles is selected;

+ `signing`: indicates that the certificate can be used to sign other certificates; the generated ca.pem then contains `CA=TRUE`;

+ `server auth`: indicates that a client can use this CA to verify the certificate presented by a server;

+ `client auth`: indicates that a server can use this CA to verify the certificate presented by a client;

 

2.2. View and modify the CA certificate signing request

{
  "CN": "registry.test.com",
  "hosts": [
    "127.0.0.1",
    "172.16.160.38",
    "registry.test.com"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}

+ "CN": `Common Name`; kube-apiserver extracts this field from the certificate as the user name (User Name) of the request; browsers use this field to check whether a website is legitimate;

+ "O": `Organization`; kube-apiserver extracts this field from the certificate as the group (Group) the requesting user belongs to;

3. Generate the CA certificate and private key:

[root@dev tmp]# cfssl gencert -initca ca-csr.json | cfssljson -bare ca    # run again
[root@dev tmp]# ls ca*
ca-config.json  ca.csr  ca-csr.json  ca-key.pem  ca.pem

Distribute the certificate

 

4. Verify the certificate

4.1 Verify the certificate with the `openssl` command

$ openssl x509  -noout -text -in  kubernetes.pem
...
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=BeiJing, L=BeiJing, O=k8s, OU=System, CN=Kubernetes
        Validity
            Not Before: Apr  5 05:36:00 2017 GMT
            Not After : Apr  5 05:36:00 2018 GMT
        Subject: C=CN, ST=BeiJing, L=BeiJing, O=k8s, OU=System, CN=kubernetes
...
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                DD:52:04:43:10:13:A9:29:24:17:3A:0E:D7:14:DB:36:F8:6C:E0:E0
            X509v3 Authority Key Identifier:
                keyid:44:04:3B:60:BD:69:78:14:68:AF:A0:41:13:F6:17:07:13:63:58:CD

            X509v3 Subject Alternative Name:
                DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster, DNS:kubernetes.default.svc.cluster.local, IP Address:127.0.0.1, IP Address:10.64.3.7, IP Address:10.254.0.1
...


+ Confirm that the `Issuer` field matches `ca-csr.json`;
+ Confirm that the `Subject` field matches `kubernetes-csr.json`;
+ Confirm that the `X509v3 Subject Alternative Name` field matches `kubernetes-csr.json`;
+ Confirm that the `X509v3 Key Usage` and `Extended Key Usage` fields match the `kubernetes` profile in `ca-config.json`;
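The checks of sections 2 to 4 can be exercised end to end without cfssl. The Go program below is an added example written for this post (it is not code from the post or from the cfssl project): using Go's standard `crypto/x509`, it rebuilds the CA from the fields of `ca-csr.json`, maps the `www` profile's usage strings onto the Key Usage / Extended Key Usage extensions that the `openssl x509 -text` output above shows, signs a server certificate with that profile, and then verifies it twice: once against an empty root pool, which is the same failure docker reports later in the post as `certificate signed by unknown authority`, and once with ca.pem trusted. Assumptions: the subject names, hosts and the CN values `harbor` and `registry.test.com` are taken from the post's own files and output; the serial numbers are fixed constructed values; and the `signing` / `key encipherment` / `server auth` mapping follows the extensions the post's openssl output shows for a certificate signed with such a profile (`Digital Signature, Key Encipherment`, `TLS Web Server Authentication`).

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// usagesToX509 maps a ca-config.json profile's usage strings onto the X509v3 Key Usage /
// Extended Key Usage values that "openssl x509 -text" prints for the signed certificate.
func usagesToX509(usages []string) (x509.KeyUsage, []x509.ExtKeyUsage, error) {
	var ku x509.KeyUsage
	var eku []x509.ExtKeyUsage
	for _, u := range usages {
		switch u {
		case "signing":
			ku |= x509.KeyUsageDigitalSignature // "Digital Signature"
		case "key encipherment":
			ku |= x509.KeyUsageKeyEncipherment // "Key Encipherment"
		case "server auth":
			eku = append(eku, x509.ExtKeyUsageServerAuth) // "TLS Web Server Authentication"
		case "client auth":
			eku = append(eku, x509.ExtKeyUsageClientAuth) // "TLS Web Client Authentication"
		default:
			return 0, nil, fmt.Errorf("unknown usage %q in profile", u)
		}
	}
	return ku, eku, nil
}

// issue generates a 2048-bit RSA key for tmpl and signs tmpl with parentKey; a nil parent self-signs (what "cfssl gencert -initca" does). Panics keep the demo short.
func issue(tmpl, parent *x509.Certificate, parentKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey) {
	key, err := rsa.GenerateKey(rand.Reader, 2048) // "key": {"algo": "rsa", "size": 2048}
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

type Demo struct {
	CA, Leaf                 *x509.Certificate
	ErrNoRoots, ErrWithRoots error // Verify() without / with ca.pem in the root pool
}

// RunDemo performs steps 2-4 of the post in memory: self-sign a CA from the CSR fields,
// sign a server certificate with the "www" profile, then verify it the way a client does.
func RunDemo() *Demo {
	now := time.Now().Add(-time.Minute)
	// Subject and SANs come from the CSR "names" and "hosts" blocks (IPs become "IP Address" SANs).
	names := pkix.Name{CommonName: "harbor", Country: []string{"CN"}, Province: []string{"BeiJing"},
		Locality: []string{"BeiJing"}, Organization: []string{"k8s"}, OrganizationalUnit: []string{"System"}}
	ips := []net.IP{net.ParseIP("127.0.0.1"), net.ParseIP("172.16.160.38")}
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: names, IPAddresses: ips, // fixed serial: demo only
		NotBefore: now, NotAfter: now.Add(5 * 365 * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // "Certificate Sign, CRL Sign"
		BasicConstraintsValid: true, IsCA: true, MaxPathLen: 2}                // "CA:TRUE, pathlen:2"
	ca, caKey := issue(caTmpl, nil, nil)
	// The "www" profile of ca-config.json: 9999h, signing + key encipherment + server auth.
	ku, eku, err := usagesToX509([]string{"signing", "key encipherment", "server auth"})
	if err != nil {
		panic(err)
	}
	names.CommonName = "registry.test.com"
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: names, IPAddresses: ips,
		DNSNames: []string{"registry.test.com"}, NotBefore: now, NotAfter: now.Add(9999 * time.Hour),
		KeyUsage: ku, ExtKeyUsage: eku, BasicConstraintsValid: true} // IsCA stays false -> "CA:FALSE"
	leaf, _ := issue(leafTmpl, ca, caKey)
	// Verify() chains the leaf to a trusted root and checks validity, host name and EKU. An empty
	// pool is a client that never imported ca.crt: "certificate signed by unknown authority".
	d := &Demo{CA: ca, Leaf: leaf}
	_, d.ErrNoRoots = leaf.Verify(x509.VerifyOptions{Roots: x509.NewCertPool(), DNSName: "registry.test.com"})
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, d.ErrWithRoots = leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: "registry.test.com"})
	return d
}

func main() {
	d := RunDemo()
	fmt.Println("leaf Issuer == CA Subject:", d.Leaf.Issuer.String() == d.CA.Subject.String())
	fmt.Println("without ca.pem:", d.ErrNoRoots, "| with ca.pem:", d.ErrWithRoots)
}
```

`go run` prints the two verification results. Everything the checklist above asks you to confirm by eye (Issuer equal to the CA Subject, SANs equal to the hosts list, Key Usage and Extended Key Usage equal to the profile, `CA:FALSE` on the server certificate and `CA:TRUE` on the CA) is readable from the returned `Demo.CA` and `Demo.Leaf`, and the first `Verify` call reproduces the unknown-authority error you get from any client that has not imported ca.crt.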

4.2 Verify the certificate with the `cfssl-certinfo` command

$ cfssl-certinfo -cert kubernetes.pem
...
{
  "subject": {
    "common_name": "kubernetes",
    "country": "CN",
    "organization": "k8s",
    "organizational_unit": "System",
    "locality": "BeiJing",
    "province": "BeiJing",
    "names": [
      "CN",
      "BeiJing",
      "BeiJing",
      "k8s",
      "System",
      "kubernetes"
    ]
  },
  "issuer": {
    "common_name": "Kubernetes",
    "country": "CN",
    "organization": "k8s",
    "organizational_unit": "System",
    "locality": "BeiJing",
    "province": "BeiJing",
    "names": [
      "CN",
      "BeiJing",
      "BeiJing",
      "k8s",
      "System",
      "Kubernetes"
    ]
  },
  "serial_number": "174360492872423263473151971632292895707129022309",
  "sans": [
    "kubernetes",
    "kubernetes.default",
    "kubernetes.default.svc",
    "kubernetes.default.svc.cluster",
    "kubernetes.default.svc.cluster.local",
    "127.0.0.1",
    "10.64.3.7",
    "10.64.3.8",
    "10.66.3.86",
    "10.254.0.1"
  ],
  "not_before": "2017-04-05T05:36:00Z",
  "not_after": "2018-04-05T05:36:00Z",
  "sigalg": "SHA256WithRSA",
...

4.3 Verify in a browser

Import the certificate

Rename ca.pem to ca.crt, then import the certificate into the browser.

Set up an HTTPS server

[root@dev tmp]# cd /root/ssl_test
[root@dev tmp]# cat > http-server.js <<EOF
var https = require('https');
var fs = require('fs');

// server private key and certificate (PEM) presented to clients
var options = {
    key: fs.readFileSync('./keys/app-key.pem'),
    cert: fs.readFileSync('./keys/app.pem')
};

// minimal HTTPS handler: answer every request with 200 "hello world"
https.createServer(options, function (req, res) {
    res.writeHead(200);
    res.end('hello world');
}).listen(8000);
EOF

[root@dev tmp]# yum install nodejs -y
[root@dev tmp]# npm install https -g
[root@dev tmp]# node http-server.js

Add the following entry to the hosts file:

172.16.160.28 www.test.com

Open https://www.test.com:8000 in the browser; the site is shown as secure.

 

 

Appendix:

Meaning of the fields in a digital certificate's Subject

+ The subject of a typical digital certificate product usually contains the following fields:

| Field name | Field value |
|---|---|
| Common Name (CN) | For SSL certificates, usually the website domain name; for code-signing certificates, the name of the applying organization; for client certificates, the name of the applicant |
| Organization Name (O) | For SSL certificates, usually the website domain name; for code-signing certificates, the name of the applying organization; for client organization certificates, the name of the organization the applicant belongs to |

+ Location of the applying organization:

| Field name | Field value |
|---|---|
| City (Locality) | abbreviation: L |
| State/Province | abbreviation: S |
| Country | abbreviation: C; only the country's letter code is allowed, e.g. China: CN |

+ Other fields:

| Field name | Field value |
|---|---|
| Email | abbreviation: E |
| Given name (multiple name fields) | abbreviation: G |
| Description | Description field |
| Phone | Phone field; format: + country code, city code, number, e.g. +86 732 88888888 |
| Address | STREET field |
| Postal code | PostalCode field |
| Other displayed content | abbreviation: OU |

Example:

[root@dev ca]# cat ca-config.json 
{
    "signing": {
        "default": {
            "expiry": "9999h"
        },
        "profiles": {
            "www": {
                "expiry": "9999h",
                "usages": [
                    "signing",
                    "key encipherment",
                    "server auth"
                ]
            },
            "client": {
                "expiry": "9999h",
                "usages": [
                    "signing",
                    "key encipherment",
                    "client auth"
                ]
            }
        }
    }
}

[root@dev ca]# cat ca-csr.json 
{
  "CN": "registry.test.com",
  "hosts": [
    "127.0.0.1",
    "172.16.160.38",
    "registry.test.com"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}

[root@dev ca]# ll
总用量 8
-rw-r--r-- 1 root root 568 11月 14 15:59 ca-config.json
-rw-r--r-- 1 root root 289 11月 14 16:02 ca-csr.json

[root@dev ca]# cfssl gencert -initca ca-csr.json | cfssljson -bare ca
2018/11/14 16:05:01 [INFO] generating a new CA key and certificate from CSR
2018/11/14 16:05:01 [INFO] generate received request
2018/11/14 16:05:01 [INFO] received CSR
2018/11/14 16:05:01 [INFO] generating key: rsa-2048
2018/11/14 16:05:01 [INFO] encoded CSR
2018/11/14 16:05:01 [INFO] signed certificate with serial number 303515642193399207794287652931621857332460556169

[root@dev ca]# ll
总用量 20
-rw-r--r-- 1 root root  568 11月 14 15:59 ca-config.json
-rw-r--r-- 1 root root 1082 11月 14 16:05 ca.csr
-rw-r--r-- 1 root root  289 11月 14 16:02 ca-csr.json
-rw------- 1 root root 1679 11月 14 16:05 ca-key.pem
-rw-r--r-- 1 root root 1379 11月 14 16:05 ca.pem


[root@dev ca]# openssl x509  -noout -text -in ca.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            35:2a:1c:b2:f6:1a:f3:82:38:50:05:8c:fb:65:ef:9e:89:74:8f:89
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=BeiJing, L=BeiJing, O=k8s, OU=System, CN=harbor
        Validity
            Not Before: Nov 14 08:00:00 2018 GMT
            Not After : Nov 13 08:00:00 2023 GMT
        Subject: C=CN, ST=BeiJing, L=BeiJing, O=k8s, OU=System, CN=harbor
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:b7:2e:6a:52:f4:d2:34:8b:5e:3f:95:5d:c8:b0:
                    85:9a:1b:ef:c5:0f:1b:94:b9:94:12:fe:fa:66:0d:
                    8c:67:b8:9e:82:30:fc:e1:42:94:6e:00:fb:c0:fd:
                    84:be:65:2c:e4:8f:f1:f1:93:e5:ae:8e:5b:74:7a:
                    d5:94:25:9c:01:76:f9:96:4e:02:b9:27:a2:44:e0:
                    da:b3:f3:09:82:5c:9f:26:a6:26:54:35:15:e6:a6:
                    7a:4b:14:99:07:9d:e3:c3:b8:bd:3f:b6:76:53:05:
                    82:02:bb:e2:61:21:23:5b:3b:23:4c:08:eb:a7:51:
                    00:fb:01:5f:b7:f8:b9:67:5b:a1:99:19:23:42:7a:
                    d2:22:0a:11:01:1d:75:34:9e:25:9c:c8:9f:31:d7:
                    f5:f3:98:14:b8:c4:07:f3:5a:a1:fa:96:bd:0f:b3:
                    dc:13:5b:8e:03:e8:66:3b:b5:bd:8d:08:ee:61:c2:
                    4f:78:dc:9a:ee:37:f8:87:6b:5f:e3:87:ae:91:b0:
                    8c:c9:40:51:44:cb:57:47:23:f1:2d:34:af:0f:5f:
                    42:89:14:ac:de:73:d4:32:54:c2:de:99:38:96:d4:
                    b8:de:f3:df:5c:a5:55:54:8f:a1:b7:fa:42:8b:d9:
                    fe:2d:14:1f:d5:62:d9:c7:c1:4d:55:41:3b:a9:d3:
                    0d:2d
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:2
            X509v3 Subject Key Identifier: 
                15:1F:81:A2:AC:41:18:DA:DD:19:36:03:61:18:7B:EF:3D:94:10:AE
            X509v3 Authority Key Identifier: 
                keyid:15:1F:81:A2:AC:41:18:DA:DD:19:36:03:61:18:7B:EF:3D:94:10:AE

            X509v3 Subject Alternative Name: 
                IP Address:127.0.0.1, IP Address:172.16.160.38
    Signature Algorithm: sha256WithRSAEncryption
         62:41:3c:40:6d:91:29:d2:0b:6d:ce:08:a1:e4:47:64:0a:66:
         0e:c0:55:eb:c4:6b:30:6d:79:51:b4:97:8c:02:1e:15:ba:0f:
         84:ce:2a:3c:c7:86:29:3c:1f:55:35:a1:da:df:70:5d:58:93:
         45:24:c4:20:4d:c1:c7:bb:83:8d:52:0c:7d:43:e2:7c:5b:00:
         5d:57:5a:b5:bf:d0:56:5a:57:32:ca:fc:29:59:23:ab:5e:1e:
         0e:9b:f9:f6:8d:e8:e4:c6:cb:e6:fe:9f:e3:cd:55:2e:7b:35:
         1e:bc:80:0f:ba:d8:66:ae:43:19:bf:d1:bb:81:17:d6:4a:3b:
         01:ba:d4:28:da:3f:19:63:82:72:6f:df:7a:b4:bc:d4:cf:a9:
         b1:fc:a6:c7:c1:5d:9b:09:2e:72:2a:d4:18:ed:f4:3d:97:1e:
         e6:43:81:5c:eb:40:2c:f9:aa:6f:90:16:70:46:77:52:09:64:
         43:83:00:0c:44:59:de:17:65:7b:7e:3d:51:df:54:6e:bb:80:
         cb:22:13:e2:20:80:91:f8:3f:5e:83:70:32:68:ad:ad:7e:4a:
         15:32:45:a7:a5:c4:ed:1c:d4:e4:cc:38:ac:8a:9d:d1:bb:4e:
         1c:21:17:56:a2:a0:f9:39:f3:73:e4:96:00:ac:98:93:f3:80:
         96:9d:b5:97
[root@dev ca]#

If the following error appears:

[root@dev ~]# docker login registry.test.com
Username (admin): admin
Password: 
Error response from daemon: Get https://registry.mayocase.com/v1/users/: x509: certificate signed by unknown authority

check whether the ca.crt file exists in the /etc/docker/certs.d/registry.test.com directory; docker may also need to be restarted:

[root@dev ~]# cp ca.pem /etc/docker/certs.d/registry.test.com/ca.crt
[root@dev ~]# systemctl restart docker

Steps after changing the harbor certificate:

[root@dev harbor]# cd /data/harbor    # the following commands must be run from this directory
[root@dev harbor]# ll
总用量 878344
drwxr-xr-x 4 root root        35 7月  31 2017 common
-rw-r--r-- 1 root root      1988 7月  31 2017 docker-compose.notary.yml
-rw-r--r-- 1 root root      3155 7月  31 2017 docker-compose.yml
-rw-r--r-- 1 root root      4304 7月  31 2017 harbor_1_1_0_template
-rw-r--r-- 1 root root      4178 7月  31 2017 harbor.cfg
-rw-r--r-- 1 root root      1082 7月  31 2017 harbor.csr
-rw-r--r-- 1 root root       288 7月  31 2017 harbor-csr.json
-rw-r--r-- 1 root root 448963966 7月  31 2017 harbor.v1.1.1.tar.gz
-rw-r--r-- 1 root root 450041094 7月  31 2017 harbor.v1.1.2.tar.gz
-rwxr-xr-x 1 root root      5169 7月  31 2017 install.sh
-rw-r--r-- 1 root root    337600 7月  31 2017 LICENSE
-rw-r--r-- 1 root root       472 7月  31 2017 NOTICE
-rwxr-xr-x 1 root root     16522 7月  31 2017 prepare
-rwxr-xr-x 1 root root      4550 7月  31 2017 upgrade
[root@dev harbor]# 
# stop harbor
[root@dev harbor]# docker-compose down -v        # run several times until every container has been removed
# edit the configuration
[root@dev harbor]# vim harbor.cfg
# apply the changed configuration to the docker-compose.yml file
[root@dev harbor]# ./prepare
# start harbor
[root@dev harbor]#  docker-compose up -d

 
