生成大纲
总共生成三个证书:一个根 CA 证书、一个中间 CA 证书(由根 CA 签发,再由它签发服务证书)和一个服务证书。为方便理解,根证书记为 ca0,中间证书记为 ca1,服务证书记为 server。本文中的服务证书是签发给 Harbor 使用的证书。注意:根 CA 私钥(ca0-key.pem)只在签发 ca1 时用到,签发完成后应离线妥善保管,不要放到 Harbor 主机上。
生成
生成所有的证书请求文件和配置
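# Working directories: server/ (leaf cert), ca1/ (intermediate CA), ca0/ (root CA).
mkdir -p server ca1 ca0

# Signing policy consumed by the `cfssl gencert -ca ... -config=config.json` calls.
# NOTE(review): these lifetimes are very long — 262800h = 30 years, 700800h = 80 years.
# Whatever you pick, the root must outlive the intermediate and the intermediate must
# outlive the leaf, or the chain stops validating as soon as an issuer expires.
# "digital signing" was dropped from the host profile: it is not a cfssl key-usage
# name (cfssl spells it "digital signature" and silently ignores unknown usages), and
# "signing" already sets the digitalSignature bit, so the issued cert is unchanged.
# max_path_len 1 lets ca1 issue one further sub-CA; if ca1 will only ever issue leaf
# certificates, tighten it to "max_path_len": 0 plus "max_path_len_zero": true.
cat << 'EOF' > config.json
{
  "signing": {
    "default": {
      "expiry": "262800h"
    },
    "profiles": {
      "intermediate": {
        "usages": ["cert sign", "crl sign"],
        "expiry": "700800h",
        "ca_constraint": {
          "is_ca": true,
          "max_path_len": 1
        }
      },
      "host": {
        "usages": [
          "client auth",
          "signing",
          "key encipherment",
          "server auth"
        ],
        "expiry": "262800h"
      }
    }
  }
}
EOF

# Root CA CSR. `cfssl gencert -initca` does not read config.json; the root's validity
# comes from the "ca" section of this file, and without it cfssl falls back to its
# built-in default (5 years), i.e. shorter than the intermediate and leaf requested
# above. 876000h (100 years) is set only so the root outlives ca1 — shorten the whole
# hierarchy for a real deployment.
cat << 'EOF' > ca0/ca0.json
{
  "CN": "Zeng Chunmiao",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "ca": {
    "expiry": "876000h"
  },
  "names": [
    {
      "C": "CN",
      "L": "Guangzhou",
      "O": "Zeng Chunmiao",
      "OU": "Zeng Chunmiao Root CA",
      "ST": "China"
    }
  ]
}
EOF

# Intermediate CA CSR (signed by ca0 with the "intermediate" profile).
cat << 'EOF' > ca1/ca1.json
{
  "CN": "kubernetes",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "HangZhou",
      "L": "XS",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
EOF

# Server (leaf) CSR. "hosts" becomes the SubjectAltName list — every name or IP that
# clients will use to reach Harbor must appear here. The original had a trailing
# comma after the last host, which is invalid JSON and makes cfssl reject the file.
cat << 'EOF' > server/server-csr.json
{
  "CN": "harbor",
  "hosts": [
    "127.0.0.1",
    "harbor.ggdefe.com",
    "harbor.ggdefe.com.cn"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "HangZhou",
      "L": "XS",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
EOF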
开始生成
- 生成根证书ca0
# Self-sign the root. config.json is not passed here: the root's validity is cfssl's
# built-in default unless ca0.json carries a "ca" / "expiry" entry.
cfssl gencert -initca ./ca0/ca0.json | cfssljson -bare ./ca0/ca0
# Expect ca0.csr, ca0-key.pem and ca0.pem. ca0-key.pem is the root private key —
# it is only needed to sign ca1; keep it off the Harbor host afterwards.
ls ./ca0
- 生成中间证书ca1
# Issue the intermediate with the root key, using the "intermediate" profile
# (CA:TRUE, pathlen from config.json).
cfssl gencert \
  -ca=./ca0/ca0.pem \
  -ca-key=./ca0/ca0-key.pem \
  -config=./config.json \
  -profile=intermediate \
  ./ca1/ca1.json | cfssljson -bare ./ca1/ca1
ls ./ca1
- 生成服务证书
# Issue the Harbor leaf certificate with the intermediate key, "host" profile
# (serverAuth/clientAuth; SANs taken from "hosts" in the CSR file).
cfssl gencert \
  -ca=./ca1/ca1.pem \
  -ca-key=./ca1/ca1-key.pem \
  -config=./config.json \
  -profile=host \
  ./server/server-csr.json | cfssljson -bare ./server/server
ls ./server
- 生成链式证书
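# Assemble the files Harbor's TLS front end consumes, into chain/ (the directory the
# original created but never used).
mkdir -p chain
# Order matters: a TLS server presents the leaf first, followed by its issuer(s).
# The original `cat ca1/ca1.pem server/server.pem` put the intermediate first, so the
# server would try to pair ca1's certificate with server-key.pem and fail. The root is
# deliberately left out — clients must already trust ca0.pem (distribute it separately).
cat server/server.pem ca1/ca1.pem > chain/chain.crt
# Private key for the leaf. The original `cp server/server-key.pem > key.crt` redirected
# cp's stdout instead of giving it a destination: cp errored out and key.crt was left
# empty. (The ".crt" name is kept for compatibility; the file is a PEM private key.)
cp server/server-key.pem chain/key.crt
chmod 600 chain/key.crt
# Sanity-check leaf -> intermediate -> root before handing the files to Harbor.
if command -v openssl >/dev/null 2>&1; then
  openssl verify -CAfile ca0/ca0.pem -untrusted ca1/ca1.pem server/server.pem
fi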
From: https://www.cnblogs.com/xiaojiluben/p/16889701.html