安装 CFSSL 直接使用二进制包安装
if ! which cfssl; then
wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 -O /usr/local/bin/cfssl
fi
if ! which cfssljson; then
wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 -O /usr/local/bin/cfssljson
fi
if ! which cfssl-certinfo; then
wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64 -O /usr/local/bin/cfssl-certinfo
fi
chmod +x /usr/local/bin/cfssl*
备用链接
链接:https://pan.baidu.com/s/16GCd2GSnp0AODFfKEmsOIQ
提取码:5akt创建ca证书请求文件
cat << EOF > ca-csr.json
{
"CN": "Private CA Root certificate",
"key": {
"algo": "rsa","size": 2048
},
"ca": {
"expiry": "876000h"
},
"names": [
{
"C": "CN",
"L": "BJ",
"ST": "BeiJing",
"O": "Private CA certificates are issued",
"OU": ""
}
]
}
EOF
cfssl gencert -initca ca-csr.json | cfssljson -bare ca如果CA证书过期,则可以使用下面方法重新生成CA证书
# 使用现有的CA私钥,重新生成:
cfssl gencert -initca -ca-key ca-key.pem ca-csr.json | cfssljson -bare ca
# 使用现有的CA私钥和CA证书,重新生成:
cfssl gencert -renewca -ca-key ca-key.pem -ca ca.pem | cfssljson -bare ca过期时间查看
openssl x509 -noout -text -in ca.pem |grep -A 5 Validity
cfssl certinfo -cert ca.pem
结果如下所示
Validity
Not Before: Jan 12 03:42:00 2020 GMT
Not After : Dec 19 03:42:00 2119 GMT
Subject: C=CN, ST=BeiJing, L=BJ, O=Private CA certificates are issued, CN=Private CA Root certificate
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
申明环境变量,也可以不申明
export CA=/usr/local/CA_root/ca.pem
export CA_KEY=/usr/local/CA_root/ca-key.pem
export CONFIG=/usr/local/CA_root/ca-config.json 创建配置文件,即告诉ca要生成什么样的证书
cat << EOF > ca-config.json
{
"signing": {
"default": {
"expiry": "8760h"
},
"profiles": {
"www": {
"expiry": "876000h",
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
]
}
}
}
}
EOF字段说明
ca-config.json:可以定义多个 profiles,分别指定不同的参数;后续在签名证书时使用某个profile;
signing:表示该证书可用于签名其它证书;生成的 ca.pem 证书中 CA=TRUE;
server auth:表示client可以用该 CA 对server提供的证书进行验证;
client auth:表示server可以用该CA对client提供的证书进行验证;创建证书签名请求文件(www)
cat << EOF > www-csr.json
{
"CN": "139.224.75.128",
"hosts": [
"127.0.0.1",
"139.224.75.128",
"www.yonge.com",
"blog.yonge.com"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "ZJ",
"ST": "HZ",
"O": "test server",
"OU": ""
}
]
}
EOF生成证书
cfssl gencert \
-ca=ca.pem \
-ca-key=ca-key.pem \
-config=ca-config.json \
-profile=www www-csr.json | cfssljson -bare www创建证书签名请求文件(harbor)
cat << EOF > harbor-csr.json
{
"CN": "harbor.hub.com",
"hosts": [
"127.0.0.1",
"10.10.10.53",
"harbor.hub.com"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "ZJ",
"ST": "HZ",
"O": "harbor",
"OU": ""
}
]
}
EOF生成harbor证书,使用了上面定义的环境变量
cfssl gencert \
-ca=${CA} \
-ca-key=${CA_KEY} \
-config=${CONFIG} \
-profile=www harbor-csr.json | cfssljson -bare harbor