CA self-signed certificate generation (simple version)
openssl genrsa -out ca.key 4096
openssl req -x509 -new -nodes -sha512 -days 3650 \
-subj "/C=CN/ST=Shanghai/L=Shanghai/O=Ez/OU=Personal/CN=ca.kuku.org" \
-key ca.key \
-out ca.crt
openssl genrsa -out harbor.kuku.org.key 4096
openssl req -sha512 -new \
-subj "/C=CN/ST=Shanghai/L=Shanghai/O=Ezsub/OU=Personal/CN=harbor.kuku.org" \
-key harbor.kuku.org.key \
-out harbor.kuku.org.csr
cat > v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1=harbor.kuku.org
DNS.2=harbor.kuku
DNS.3=harbor
EOF
openssl x509 -req -sha512 -days 3650 \
-extfile v3.ext \
-CA ca.crt -CAkey ca.key -CAcreateserial \
-in harbor.kuku.org.csr \
-out harbor.kuku.org.crt
A .crt file is generally the certificate the CA server uses; the client only recognizes .cert, so convert it:
openssl x509 -inform PEM -in harbor.kuku.org.crt -out harbor.kuku.org.cert
Then hand ca.crt (or harbor.kuku.org.cert directly) to the client (a browser, or a Docker client logging in over HTTPS) and it will work.
For the Docker client, put ca.crt in this directory: /etc/docker/certs.d/harbor.kuku.org
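Before distributing ca.crt, it is worth checking that the files the commands above produced are what a browser or dockerd will actually accept. The script below is an added example, not part of the original post; it assumes it is run in the directory holding ca.crt, harbor.kuku.org.crt and (optionally) harbor.kuku.org.cert, and the function name verify_harbor_cert is made up here.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check the CA and server
# certificate produced by the commands above before handing ca.crt to a browser
# or to /etc/docker/certs.d/harbor.kuku.org/. Assumes it runs in the directory
# that holds ca.crt, harbor.kuku.org.crt and (optionally) harbor.kuku.org.cert.
set -eu

# verify_harbor_cert HOST [DIR]: prints "ok" and returns 0 when DIR/harbor.kuku.org.crt
# chains to DIR/ca.crt, is valid for HOST, is a non-CA TLS server certificate and the
# converted .cert is the same certificate; otherwise prints the reason and returns 1.
verify_harbor_cert() {
  host=$1
  dir=${2:-.}
  crt="$dir/harbor.kuku.org.crt"
  # The same chain + hostname validation a browser or dockerd performs at TLS time:
  # a matching CN alone is not enough, HOST must be listed in subjectAltName.
  if ! openssl verify -CAfile "$dir/ca.crt" -verify_hostname "$host" "$crt" >/dev/null 2>&1; then
    echo "chain or hostname check failed for $host"
    return 1
  fi
  text=$(openssl x509 -in "$crt" -noout -text)
  # basicConstraints=CA:FALSE from v3.ext: the server cert must not be able to sign others.
  case $text in
    *"CA:FALSE"*) ;;
    *) echo "server certificate is marked as a CA"; return 1 ;;
  esac
  # extendedKeyUsage=serverAuth from v3.ext is what makes it acceptable for HTTPS.
  case $text in
    *"TLS Web Server Authentication"*) ;;
    *) echo "missing serverAuth extended key usage"; return 1 ;;
  esac
  # The .crt -> .cert step must not change the certificate: compare fingerprints.
  if [ -f "$dir/harbor.kuku.org.cert" ]; then
    fp_crt=$(openssl x509 -in "$crt" -noout -fingerprint -sha256)
    fp_cert=$(openssl x509 -in "$dir/harbor.kuku.org.cert" -noout -fingerprint -sha256)
    if [ "$fp_crt" != "$fp_cert" ]; then
      echo "harbor.kuku.org.cert does not match harbor.kuku.org.crt"
      return 1
    fi
  fi
  echo "ok"
}

# Usage, only when the files exist: check the name clients will dial, then a
# hostname absent from alt_names to see the check reject it.
if [ -f ./ca.crt ] && [ -f ./harbor.kuku.org.crt ]; then
  verify_harbor_cert harbor.kuku.org .
  verify_harbor_cert harbor.example.invalid . || true
fi
```

The second call is expected to fail: a name that is not in v3.ext's alt_names is rejected by clients even though the CA is trusted, which is the usual cause of "certificate is valid for X, not Y" errors when adding a Harbor host under a different name.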