1. Generating self-signed certificates
1.1 Create the root CA private key and certificate
openssl req -newkey rsa:4096 -nodes -sha256 -keyout ca.key -x509 -days 365 -out ca.crt
The run looks like this:
root@duke:~# openssl req -newkey rsa:4096 -nodes -sha256 -keyout ca.key -x509 -days 365 -out ca.crt
Generating a 4096 bit RSA private key
.............................................++
.............................................++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:NanJing
Locality Name (eg, city) []:NanJing
Organization Name (eg, company) [Internet Widgits Pty Ltd]:rancher
Organizational Unit Name (eg, section) []:info technology
Common Name (e.g. server FQDN or YOUR name) []:duke
Email Address []:[email protected]
1.2 Generate a certificate signing request (CSR) for the server (web)
If you reach the service through an FQDN such as demo.rancher.com, set demo.rancher.com as the CN; if you reach it by IP address, the CN is the IP address:
openssl req -newkey rsa:4096 -nodes -sha256 -keyout demo.rancher.com.key -out demo.rancher.com.csr
or
openssl req -newkey rsa:4096 -nodes -sha256 -keyout 192.168.0.2.key -out 192.168.0.2.csr
The run looks like this:
The Common Name must be the FQDN or host name the certificate is issued for, and it must not be the same as the Common Name used for the root CA (otherwise the server certificate would carry the same subject as its issuer and be treated as self-signed).
The challenge password can be left blank.
root@duke:~# openssl req -newkey rsa:4096 -nodes -sha256 -keyout 192.168.0.2.key -out 192.168.0.2.csr
Generating a 4096 bit RSA private key
....................................................................++
....................................................................++
writing new private key to '192.168.0.2.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:NanJing
Locality Name (eg, city) []:NanJing
Organization Name (eg, company) [Internet Widgits Pty Ltd]:RANCHER
Organizational Unit Name (eg, section) []:info technology
Common Name (e.g. server FQDN or YOUR name) []:192.168.0.2
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:            (extra attribute: a challenge password, can be left blank)
An optional company name []:        (extra attribute: an alternative company name, can be left blank)
1.3 Sign the CSR from 1.2 with the CA certificate created in 1.1
openssl x509 -req -days 365 -in 192.168.0.2.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out 192.168.0.2.crt
The run looks like this:
root@duke:~# openssl x509 -req -days 365 -in 192.168.0.2.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out 192.168.0.2.crt
Signature ok
subject=/C=CN/ST=NanJing/L=NanJing/O=RANCHER/OU=info technology/CN=192.168.0.2/[email protected]
Getting CA Private Key
1.4 Signing for an IP address
If you connect by IP address, for example 192.168.0.2, run the following commands instead:
echo 'subjectAltName = IP:192.168.0.2' > extfile.cnf
openssl x509 -req -days 365 -in 192.168.0.2.csr -CA ca.crt -CAkey ca.key -CAcreateserial -extfile extfile.cnf -out 192.168.0.2.crt
The run looks like this:
root@duke:~# echo 'subjectAltName = IP:192.168.0.2' > extfile.cnf
root@duke:~# openssl x509 -req -days 365 -in 192.168.0.2.csr -CA ca.crt -CAkey ca.key -CAcreateserial -extfile extfile.cnf -out 192.168.0.2.crt
Signature ok
subject=/C=CN/ST=NanJing/L=NanJing/O=RANCHER/OU=info technology/CN=192.168.0.2/[email protected]
Getting CA Private Key
1.5 Check the files
After the steps above, the following files have been generated: ca.crt, ca.srl, ca.key, 192.168.0.2.crt, 192.168.0.2.key, 192.168.0.2.csr and extfile.cnf.
The run looks like this:
root@duke:~# ls
192.168.0.2.crt 192.168.0.2.key ca.crt ca.srl docker-1.13.1.tgz kubectl shipyard var 模板 图片 下载 桌面
192.168.0.2.csr anaconda3 ca.key docker extfile.cnf mapd-docker-storage tigervncserver_1.6.80-4_amd64.deb 公共的 视频 文档 音乐
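Steps 1.1 to 1.5 as one non-interactive shell script, added here as an example (it is not code from the original post). It assumes only the openssl command-line tool; the subject fields, file names and the address 192.168.0.2 follow the post, RSA 2048 replaces 4096 purely to keep the run short, and the CN-only certificate from step 1.3 is kept beside the subjectAltName certificate from step 1.4 so that openssl verify -verify_ip can show why the extfile in 1.4 is needed when clients connect by IP.

```shell
#!/bin/sh
# Added example, not from the original post: scripted steps 1.1-1.5.
# Assumes the openssl CLI is on PATH. Subject fields and the address
# 192.168.0.2 follow the post; RSA 2048 is used instead of 4096 for speed.
set -e

CA_SUBJ="/C=CN/ST=NanJing/L=NanJing/O=rancher/OU=info technology/CN=duke"

# 1.1: root CA key and self-signed CA certificate, non-interactive via -subj.
# -nodes leaves ca.key unencrypted (as in the post), so restrict its mode.
make_ca() {                              # $1 = working directory
    openssl req -newkey rsa:2048 -nodes -sha256 -subj "$CA_SUBJ" \
        -keyout "$1/ca.key" -x509 -days 365 -out "$1/ca.crt" 2>/dev/null
    chmod 600 "$1/ca.key"
}

# 1.2: server key and CSR. CN is the IP clients connect to; it differs from the CA's CN.
make_csr() {                             # $1 = dir, $2 = IP address
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -subj "/C=CN/ST=NanJing/L=NanJing/O=RANCHER/OU=info technology/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}

# 1.3: sign the CSR with the CA and no extensions (CN only).
sign_plain() {                           # $1 = dir, $2 = IP, $3 = output file name
    openssl x509 -req -days 365 -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -out "$1/$3" 2>/dev/null
}

# 1.4: sign again, adding a subjectAltName IP entry through an extfile.
sign_with_san() {                        # $1 = dir, $2 = IP, $3 = output file name
    echo "subjectAltName = IP:$2" > "$1/extfile.cnf"
    openssl x509 -req -days 365 -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -extfile "$1/extfile.cnf" -out "$1/$3" 2>/dev/null
}

# Chain check only (what -CAfile does in section 2): succeeds if ca.crt issued the cert.
chain_ok() {                             # $1 = dir, $2 = cert file name
    openssl verify -CAfile "$1/ca.crt" "$1/$2" >/dev/null 2>&1
}

# Chain check plus IP identity check. OpenSSL matches an IP only against SAN
# iPAddress entries, never against the CN, so the CN-only certificate fails here.
ip_ok() {                                # $1 = dir, $2 = cert file name, $3 = IP
    openssl verify -CAfile "$1/ca.crt" -verify_ip "$3" "$1/$2" >/dev/null 2>&1
}

# End-to-end run in a scratch directory; prints one summary line per certificate.
demo() {
    d=$(mktemp -d)
    make_ca "$d"
    make_csr "$d" 192.168.0.2
    sign_plain "$d" 192.168.0.2 cn-only.crt
    sign_with_san "$d" 192.168.0.2 192.168.0.2.crt
    for f in cn-only.crt 192.168.0.2.crt; do
        if chain_ok "$d" "$f"; then c=trusted; else c=untrusted; fi
        if ip_ok "$d" "$f" 192.168.0.2; then i=ip-match; else i=ip-mismatch; fi
        echo "$f: chain=$c identity=$i   (files in $d)"
    done
}
```

Call demo to run the whole flow; openssl verify -CAfile is the offline counterpart of the s_client -CAfile check in section 2, and -verify_ip adds the identity check that a browser or Docker client performs against the address it connected to.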
2. Verifying the self-signed certificate
After deploying the generated CA certificate and the passphrase-free private key to the web server (for example Harbor), run the following commands to verify it:
2.1 Verify without the CA certificate
openssl s_client -connect 192.168.0.2:443 -servername 192.168.0.2
The run looks like this:
root@duke:~# openssl s_client -connect 192.168.0.2:8443 -servername 192.168.0.2
CONNECTED(00000003)
depth=0 C = CN, ST = NanJing, L = NanJing, O = rancher, OU = info technology, CN = duke, emailAddress = [email protected]
verify error:num=18:self signed certificate        (error: the self-signed certificate is not trusted)
verify return:1
depth=0 C = CN, ST = NanJing, L = NanJing, O = rancher, OU = info technology, CN = duke, emailAddress = [email protected]
verify return:1
---
Certificate chain
 0 s:/C=CN/ST=NanJing/L=NanJing/O=rancher/OU=info technology/CN=duke/[email protected]
   i:/C=CN/ST=NanJing/L=NanJing/O=rancher/OU=info technology/CN=duke/[email protected]
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIF6TCCA9GgAwIBAgIJALx+htau6IhyMA0GCSqGSIb3DQEBCwUAMIGKMQswCQYD
VQQGEwJDTjEQMA4GA1UECAwHTmFuSmluZzEQMA4GA1UEBwwHTmFuSmluZzEQMA4G
A1UECgwHcmFuY2hlcjEYMBYGA1UECwwPaW5mbyB0ZWNobm9sb2d5MQ0wCwYDVQQD
DARkdWtlMRwwGgYJKoZIhvcNAQkBFg1oenc5N0AxMjYuY29tMB4XDTE4MTIyNDA2
MTU0OVoXDTE5MTIyNDA2MTU0OVowgYoxCzAJBgNVBAYTAkNOMRAwDgYDVQQIDAdO
YW5KaW5nMRAwDgYDVQQHDAdOYW5KaW5nMRAwDgYDVQQKDAdyYW5jaGVyMRgwFgYD
VQQLDA9pbmZvIHRlY2hub2xvZ3kxDTALBgNVBAMMBGR1a2UxHDAaBgkqhkiG9w0B
CQEWDWh6dzk3QDEyNi5jb20wggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoIC
AQCwxjnhRPlbrfr+wsxtDgK8MOBSPSoqpeEl6j8LoV+UFwWKlIZH9Qc82nV2/OVZ
AZUP1UZ/syJlup3e8gus9UvltAuGvMZdGGeVtWqRCoEbpSgaehpspbC8yL7UOx5P
TafDqyLuP5jZ4/xskpCXvsUbtDYDs1/9H5yVP4yAsZtsGFfdxx4Ztyger5SEFYwj
hHdGhrgMk1Zj3f2CJu0iPDqRP2dxJp0/+Hc3MrKrkXd8/BLEWHiKL7GhQZRPEqYc
TZYwtooXEqwvJBgi02VTn+SGQLKi9ekYNdUyLAp3qO1FC/G9OiIKjy625+umlgZX
V06Uy5NnbrAmqkUJwN/q+jt/GsJYgOPn2PdylvIx2T+x3bh+VGj2lY8NztkDV5/1
6FCoIt7xTfOJMfCuGqHfHYAAG+QmC1W+qX04HFeMrJcTG2RSW/g6dKUFI3k+fzhU
IqHqeQgTc9Pg1zJtWDzNyMZYgcxvS3J5TBrSUIXuKr5oomKEV7+tRUPjEVjjE6tb
1OAQdoahB2IOHcAxKAiutJz5AWQOd+YgWUEx9i33MBNnPZ3JjMof09fbwOO7SuhF
jRob8rKas0jLx2RM7xTMY5KPHiBQ45vSX5MxmSFNNHQlzWUoIoQLVLh5Zylhavjw
Q5zCeXBE8SKrKG49T2j1VgG+I/QnNfshBepfF+7ZzllhmQIDAQABo1AwTjAdBgNV
HQ4EFgQUVYAauWx8AP42NMOq6IDO2g/EK0UwHwYDVR0jBBgwFoAUVYAauWx8AP42
NMOq6IDO2g/EK0UwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAgEAVJFO
tmkav5obqDDYoGeTOUBHZl1Iu6A0L0P+aL9506Vj+2vGkfG3QegwLMX1Yqs7OW2t
FSJZ9TVGdL6FvCvT4+We+k5otmxg/Mo767NTioSjStIRD024ZY00rUezHBk7nodU
WdRcIfcmGjLf3XTWZzriKDghyH82C6L6FMx043ETDbsfBKGFWY9LyTKb6JNHNhU6
ycdzO7AdPaJMJ17WpZTHWJZDzX+Xeep29RP4+nRpVmuTEGY4IQGLNJ7PNgS9Pe++
4QF8ZZXsRLljfdetx0A1Yhc8A5b9+NZYQF9cjBsaCOqcwNpI5+hTfsl2As2AFllb
d0j1xGJ4vqlK1wVdkYrvroO2guXfkDXse2lfKUfDDfrTRNfUysUyawUSt92TiNUU
NaIILtyiE6D20mLwJe/JkyydrTemuqXD/OFxKnBT0KjTPr5JTCHvBKnYBgXEq2yd
zsrR9fjeaktPxoWBNtN8VAFtadjso40FnFloqgBNRKuUSq17QZxppVTGy+DDbUAW
OeIZAy+nvpisNqA9UmG2SbqSSUVuaWK1e9QIayFMEA/ytn5rSVYXTXF4FFT46lOK
LCfeEOAI6owAbPOCP503f+4HeKJ7dzNbkGC2hCodrur26oflFroZ6tV6i5qjvoKc
AblLKT3tuY4IhOPSjlueF0OfpLZTTBhXQ3M7xZA=
-----END CERTIFICATE-----
subject=/C=CN/ST=NanJing/L=NanJing/O=rancher/OU=info technology/CN=duke/[email protected]
issuer=/C=CN/ST=NanJing/L=NanJing/O=rancher/OU=info technology/CN=duke/[email protected]
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 2464 bytes and written 450 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 340DBA9B6572AEAF10CFD75D77B86CBAB1ED2F91DC69C44628C08C112A84F473
    Session-ID-ctx:
    Master-Key: C294F7E4E56D19FAA1EC1279718385BF677C4E6DC250424F2424BAB8F48E37290FCEFC0C5B8326D33AE69DAC5CF35F77
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - c7 bb 8d 3d cf cb cc 5c-61 2d 75 79 63 b0 39 57   ...=...\a-uyc.9W
    0010 - 2f 80 15 34 c5 60 31 e1-43 54 7d 95 bf e4 ad 5e   /..4.`1.CT}....^
    0020 - ea 62 db 2b 94 46 13 83-a2 08 c0 04 c8 7b 74 1c   .b.+.F.......{t.
    0030 - 26 da 21 1d b5 db d7 c4-3a 3e e2 b0 81 14 2d 87   &.!.....:>....-.
    0040 - d8 0f a4 60 34 cc e9 0f-46 54 87 49 7f 1c 2a 56   ...`4...FT.I..*V
    0050 - 55 e7 11 d0 cd d9 df 8c-b1 0e 8f 34 c1 ff 71 4c   U..........4..qL
    0060 - 46 73 61 a3 88 d7 2a 4c-90 2b c6 76 7c 28 f4 ef   Fsa...*L.+.v|(..
    0070 - 69 48 a1 15 23 73 32 c5-55 c6 4a 65 b9 40 7d c3   iH..#s2.U.Je.@}.
    0080 - dc 5e cf 6d 0c cf 90 59-88 0c 6c 12 76 ca d0 1a   .^.m...Y..l.v...
    0090 - 65 43 f9 a6 1b 5c 03 ed-ac 59 85 26 1a a9 1b bb   eC...\...Y.&....
    00a0 - 53 37 d9 da f9 f7 27 f2-00 6a 27 ae a1 c1 98 f5   S7....'..j'.....
    00b0 - ff 27 07 51 6f 98 d4 b3-cd 63 24 d5 9e 1b 85 99   .'.Qo....c$.....

    Start Time: 1545636922
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
2.2 Verify with the CA certificate added
openssl s_client -connect 192.168.0.2:8443 -servername 192.168.0.2 -CAfile ca.crt
The run looks like this:
root@duke:~# openssl s_client -connect 192.168.0.2:8443 -servername 192.168.0.2 -CAfile ca.crt
CONNECTED(00000003)
depth=0 C = CN, ST = NanJing, L = NanJing, O = rancher, OU = info technology, CN = duke, emailAddress = [email protected]
verify return:1                                    (no error: the certificate verifies correctly)
---
Certificate chain
 0 s:/C=CN/ST=NanJing/L=NanJing/O=rancher/OU=info technology/CN=duke/[email protected]
   i:/C=CN/ST=NanJing/L=NanJing/O=rancher/OU=info technology/CN=duke/[email protected]
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIF6TCCA9GgAwIBAgIJALx+htau6IhyMA0GCSqGSIb3DQEBCwUAMIGKMQswCQYD
VQQGEwJDTjEQMA4GA1UECAwHTmFuSmluZzEQMA4GA1UEBwwHTmFuSmluZzEQMA4G
A1UECgwHcmFuY2hlcjEYMBYGA1UECwwPaW5mbyB0ZWNobm9sb2d5MQ0wCwYDVQQD
DARkdWtlMRwwGgYJKoZIhvcNAQkBFg1oenc5N0AxMjYuY29tMB4XDTE4MTIyNDA2
MTU0OVoXDTE5MTIyNDA2MTU0OVowgYoxCzAJBgNVBAYTAkNOMRAwDgYDVQQIDAdO
YW5KaW5nMRAwDgYDVQQHDAdOYW5KaW5nMRAwDgYDVQQKDAdyYW5jaGVyMRgwFgYD
VQQLDA9pbmZvIHRlY2hub2xvZ3kxDTALBgNVBAMMBGR1a2UxHDAaBgkqhkiG9w0B
CQEWDWh6dzk3QDEyNi5jb20wggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoIC
AQCwxjnhRPlbrfr+wsxtDgK8MOBSPSoqpeEl6j8LoV+UFwWKlIZH9Qc82nV2/OVZ
AZUP1UZ/syJlup3e8gus9UvltAuGvMZdGGeVtWqRCoEbpSgaehpspbC8yL7UOx5P
TafDqyLuP5jZ4/xskpCXvsUbtDYDs1/9H5yVP4yAsZtsGFfdxx4Ztyger5SEFYwj
hHdGhrgMk1Zj3f2CJu0iPDqRP2dxJp0/+Hc3MrKrkXd8/BLEWHiKL7GhQZRPEqYc
TZYwtooXEqwvJBgi02VTn+SGQLKi9ekYNdUyLAp3qO1FC/G9OiIKjy625+umlgZX
V06Uy5NnbrAmqkUJwN/q+jt/GsJYgOPn2PdylvIx2T+x3bh+VGj2lY8NztkDV5/1
6FCoIt7xTfOJMfCuGqHfHYAAG+QmC1W+qX04HFeMrJcTG2RSW/g6dKUFI3k+fzhU
IqHqeQgTc9Pg1zJtWDzNyMZYgcxvS3J5TBrSUIXuKr5oomKEV7+tRUPjEVjjE6tb
1OAQdoahB2IOHcAxKAiutJz5AWQOd+YgWUEx9i33MBNnPZ3JjMof09fbwOO7SuhF
jRob8rKas0jLx2RM7xTMY5KPHiBQ45vSX5MxmSFNNHQlzWUoIoQLVLh5Zylhavjw
Q5zCeXBE8SKrKG49T2j1VgG+I/QnNfshBepfF+7ZzllhmQIDAQABo1AwTjAdBgNV
HQ4EFgQUVYAauWx8AP42NMOq6IDO2g/EK0UwHwYDVR0jBBgwFoAUVYAauWx8AP42
NMOq6IDO2g/EK0UwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAgEAVJFO
tmkav5obqDDYoGeTOUBHZl1Iu6A0L0P+aL9506Vj+2vGkfG3QegwLMX1Yqs7OW2t
FSJZ9TVGdL6FvCvT4+We+k5otmxg/Mo767NTioSjStIRD024ZY00rUezHBk7nodU
WdRcIfcmGjLf3XTWZzriKDghyH82C6L6FMx043ETDbsfBKGFWY9LyTKb6JNHNhU6
ycdzO7AdPaJMJ17WpZTHWJZDzX+Xeep29RP4+nRpVmuTEGY4IQGLNJ7PNgS9Pe++
4QF8ZZXsRLljfdetx0A1Yhc8A5b9+NZYQF9cjBsaCOqcwNpI5+hTfsl2As2AFllb
d0j1xGJ4vqlK1wVdkYrvroO2guXfkDXse2lfKUfDDfrTRNfUysUyawUSt92TiNUU
NaIILtyiE6D20mLwJe/JkyydrTemuqXD/OFxKnBT0KjTPr5JTCHvBKnYBgXEq2yd
zsrR9fjeaktPxoWBNtN8VAFtadjso40FnFloqgBNRKuUSq17QZxppVTGy+DDbUAW
OeIZAy+nvpisNqA9UmG2SbqSSUVuaWK1e9QIayFMEA/ytn5rSVYXTXF4FFT46lOK
LCfeEOAI6owAbPOCP503f+4HeKJ7dzNbkGC2hCodrur26oflFroZ6tV6i5qjvoKc
AblLKT3tuY4IhOPSjlueF0OfpLZTTBhXQ3M7xZA=
-----END CERTIFICATE-----
subject=/C=CN/ST=NanJing/L=NanJing/O=rancher/OU=info technology/CN=duke/[email protected]
issuer=/C=CN/ST=NanJing/L=NanJing/O=rancher/OU=info technology/CN=duke/[email protected]
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 2464 bytes and written 450 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: A6C098FEBD7A744A4B7698949AAD54C4A56B362EA357BA0F2EE66335E3584691
    Session-ID-ctx:
    Master-Key: EFCAB47D6C3F3132B93AE60A45CF5F7776240108617CCD29894F509710D80038A08B6A0A802AF7825ECD74698D551D34
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - c7 bb 8d 3d cf cb cc 5c-61 2d 75 79 63 b0 39 57   ...=...\a-uyc.9W
    0010 - 50 df ce 95 3d 8f 24 aa-4c 80 0b 4d 8e 6f b3 af   P...=.$.L..M.o..
    0020 - e4 66 f7 dd ea b6 45 76-17 3e eb 7b 3e 77 52 17   .f....Ev.>.{>wR.
    0030 - 33 e4 d3 54 5e d2 0d ab-ed 73 54 df ab 22 3d cd   3..T^....sT.."=.
    0040 - 56 8d f8 9e c4 cd 83 33-8f f5 a2 91 68 ea cf cd   V......3....h...
    0050 - 2a e7 f2 3f 8e c6 e1 b8-a5 f3 28 92 98 70 01 d8   *..?......(..p..
    0060 - fd ad 08 aa ae 6b 4d ff-7f 2f 6f b6 63 23 33 4d   .....kM../o.c#3M
    0070 - 94 18 f2 a7 01 a8 c6 bc-a3 c5 d3 6f 71 39 f0 d0   ...........oq9..
    0080 - 9b 99 cf 5f 79 01 c0 2d-b8 69 40 15 ea ae c1 77   ..._y..-.i@....w
    0090 - f0 77 72 ba 52 b9 6c b7-56 c8 a9 f2 f4 67 82 45   .wr.R.l.V....g.E
    00a0 - ee 41 86 1f b9 97 66 2b-66 17 6c 81 b2 92 88 8a   .A....f+f.l.....
    00b0 - ba 96 63 75 97 f3 63 4f-4b a4 9c ab 3f b7 8c db   ..cu..cOK...?...

    Start Time: 1545637270
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
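The two runs in 2.1 and 2.2 differ only in their final "Verify return code" line, and openssl s_client completes the handshake either way, so a script that just checks the exit status of s_client learns nothing. The shell functions below, added here as an example and not part of the original post, extract that code from s_client output and translate it into the reason a practitioner needs (the 18 and 0 seen in the post, plus the other codes a private CA setup typically produces). The live check assumes the openssl CLI; the parsing functions run on captured text only, and the two sample transcripts are constructed from the tails of the post's own outputs.

```shell
#!/bin/sh
# Added example, not from the original post. Reads the "Verify return code" line
# that openssl s_client prints (sections 2.1 and 2.2) so a script can tell a
# trusted endpoint from an untrusted one. Assumes the openssl CLI on PATH for the
# live check; parsing works on captured output and needs no network.

# Maps OpenSSL's X509_V_ERR_* number to a short reason. 18 and 0 are the two
# values the post's runs showed; the others are common with a private CA.
verify_reason() {                        # $1 = numeric code
    case "$1" in
        0)  echo "ok: chain trusted" ;;
        18) echo "self-signed leaf: the server's certificate is its own issuer and it is not in the trust store" ;;
        19) echo "self-signed root in chain not trusted: pass the CA with -CAfile" ;;
        20|21) echo "issuer missing: intermediate not sent by the server, or CA not in -CAfile" ;;
        62) echo "hostname mismatch: SAN/CN does not match -servername" ;;
        64) echo "IP address mismatch: no SAN IP entry for the address used" ;;
        *)  echo "error $1" ;;
    esac
}

# Reads s_client output on stdin, prints the code, returns 0 only when it is 0.
# No such line means the handshake never completed; that is reported as 255.
verify_code() {
    code=$(sed -n 's/^ *Verify return code: \([0-9][0-9]*\) .*/\1/p' | head -n 1)
    [ -n "$code" ] || code=255
    echo "$code"
    [ "$code" -eq 0 ]
}

# Live check: -CAfile supplies the private CA exactly as in 2.2, and
# -verify_return_error makes the handshake itself fail on a bad chain instead
# of only printing the code, which is what you want in automation.
check_endpoint() {                       # $1 = host, $2 = port, $3 = CA file
    openssl s_client -connect "$1:$2" -servername "$1" -CAfile "$3" \
        -verify_return_error </dev/null 2>/dev/null | verify_code
}

# Constructed samples that mirror the tails of the two transcripts in the post.
SAMPLE_UNTRUSTED="CONNECTED(00000003)
verify error:num=18:self signed certificate
    Start Time: 1545636922
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---"
SAMPLE_TRUSTED="CONNECTED(00000003)
    Start Time: 1545637270
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---"

# Reason text for a captured transcript (a string), independent of exit status.
explain_capture() {                      # $1 = captured s_client output
    c=$(printf '%s\n' "$1" | verify_code) || true
    verify_reason "$c"
}

# Stand-alone demonstration on the constructed samples.
explain_capture "$SAMPLE_UNTRUSTED"
explain_capture "$SAMPLE_TRUSTED"
```

For a live endpoint, check_endpoint 192.168.0.2 8443 ca.crt prints the code and exits non-zero on anything but 0, so it can gate a deployment step or feed a monitoring check; without -verify_return_error or this parsing, a self-signed or mis-issued certificate would pass unnoticed because the TLS session still gets established.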