Creating a CA certificate

1. Create your own CA certificate:

# Command:

openssl req \
    -newkey rsa:4096 -nodes -sha256 -keyout ca.key \
    -x509 -days 365 -out ca.crt


# Output:
Generating a 4096 bit RSA private key
.................................................................................++
..................................++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:boco
Organizational Unit Name (eg, section) []:oss
Common Name (eg, your name or your server's hostname) []:cloud2.xdpp.boco
Email Address []:[email protected]

2. Generate a Certificate Signing Request:

If you access your registry by domain name, you must use reg.yourdomain.com (the registry's FQDN) as the CN; if you access it by IP address, the CN can be anything. Caveat: Docker and other Go-based clients no longer fall back to the CN at all, so the hostname must also appear in a subjectAltName extension (DNS:reg.yourdomain.com), supplied at signing time with -extfile exactly as the IP case in step 3 does.

# Command:
openssl req \
    -newkey rsa:4096 -nodes -sha256 -keyout cloud2.xdpp.boco.key \
    -out cloud2.xdpp.boco.csr
    
# Output:
Generating a 4096 bit RSA private key
.....................................................................................................................................................++
...................................................++
writing new private key to 'cloud2.xdpp.boco.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:boco
Organizational Unit Name (eg, section) []:oss
Common Name (eg, your name or your server's hostname) []:cloud2.xdpp.boco
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:yiyangboco
An optional company name []:boco

3. Generate the certificate of your registry host

If you access the registry by domain name, run the following command. Note that -days 3650 makes the server certificate outlive the CA, which step 1 issued for only 365 days; clients reject the chain as soon as the CA expires, so the CA, not the server certificate, should get the longer lifetime:

# Command:
openssl x509 -req -days 3650 -in cloud2.xdpp.boco.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out cloud2.xdpp.boco.crt

# Result:

Signature ok
subject=/C=cn/ST=beijing/L=beijing/O=boco/OU=oss/CN=cloud2.xdpp.boco/[email protected]
Getting CA Private Key


If you access the registry by IP address (yourdomain.com below stands for the registry name used above, cloud2.xdpp.boco):

  echo subjectAltName = IP:192.168.1.101 > extfile.cnf

  openssl x509 -req -days 365 -in yourdomain.com.csr -CA ca.crt -CAkey ca.key -CAcreateserial -extfile extfile.cnf -out yourdomain.com.crt

4. Configuration and Installation

  • Once yourdomain.com.crt and yourdomain.com.key have been generated, place them where Harbor can read them:
mkdir -p /data/cert
cp /opt/ca/cloud2.xdpp.boco.{crt,key} /data/cert
cd /data/cert
rename cloud2.xdpp.boco server *
The rename call uses the util-linux syntax (rename FROM TO FILES) and yields server.crt and server.key; on Debian/Ubuntu, rename is the Perl version and the equivalent is rename 's/cloud2.xdpp.boco/server/' *. Before running ./prepare, confirm that Harbor's configuration (ssl_cert and ssl_cert_key in harbor.cfg on the releases this page targets) points at /data/cert/server.crt and /data/cert/server.key, and keep server.key readable only by root (chmod 600).
  • Generate configuration files for Harbor:
# From Harbor's working directory:
  ./prepare
  • Restart Harbor
# From Harbor's working directory:

docker-compose down  
docker-compose up -d

5. Verification
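The page leaves this step empty. What follows is an added example, not code from the original post or from the Harbor project: steps 1 to 4 as a non-interactive POSIX shell script, followed by the checks a verification step should perform (chain validation with openssl verify, presence of the hostname in the SAN, and a key/certificate modulus match). It assumes only that an openssl binary (1.0.2 or newer) is on PATH and that the output directory is writable; the CA subject, the 3650/365-day defaults and the KEY_BITS/CA_DAYS/LEAF_DAYS variables are this example's own choices. It deliberately departs from the page's commands in three places: the CA certificate carries explicit CA extensions, the server certificate carries a subjectAltName (DNS plus IP when given) rather than relying on the CN, and the server certificate is not allowed to outlive the CA.

```shell
#!/bin/sh
# Added example (not the page's or Harbor's code). Assumes: openssl on PATH,
# writable DIR. Hostnames, IPs and subject values are placeholders.
set -e

# make_registry_certs DIR HOST [IP]
# Writes ca.key, ca.crt, server.key, server.csr, server.crt into DIR.
make_registry_certs() {
  dir=$1; host=$2; ip=${3:-}
  bits=${KEY_BITS:-4096}; ca_days=${CA_DAYS:-3650}; leaf_days=${LEAF_DAYS:-365}
  # A leaf that outlives its issuer is dead weight after the CA expires.
  if [ "$leaf_days" -gt "$ca_days" ]; then
    echo "server certificate ($leaf_days days) would outlive the CA ($ca_days days)" >&2
    return 1
  fi
  mkdir -p "$dir"

  # Step 1: self-signed CA with real CA extensions (plain 'req -x509' omits them).
  cat > "$dir/ca.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
C = cn
O = boco
CN = boco private CA
[v3_ca]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -newkey "rsa:$bits" -nodes -sha256 -keyout "$dir/ca.key" \
      -x509 -days "$ca_days" -config "$dir/ca.cnf" -out "$dir/ca.crt"

  # Step 2: server key and CSR, with the DN the page's prompts collect.
  openssl req -newkey "rsa:$bits" -nodes -sha256 -keyout "$dir/server.key" \
      -subj "/C=cn/ST=beijing/L=beijing/O=boco/OU=oss/CN=$host" \
      -out "$dir/server.csr"

  # Step 3: sign the CSR. Extensions are set on the CA side, never copied from
  # the CSR, so a requester cannot smuggle CA:TRUE or extra names through.
  san="DNS:$host"
  if [ -n "$ip" ]; then san="$san,IP:$ip"; fi
  cat > "$dir/server.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = $san
EOF
  openssl x509 -req -days "$leaf_days" -sha256 -in "$dir/server.csr" \
      -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
      -extfile "$dir/server.ext" -out "$dir/server.crt"
}

# verify_registry_certs DIR HOST
# Returns 0 only if server.crt chains to ca.crt (1 otherwise), names HOST in
# its subjectAltName (2 otherwise) and matches server.key (3 otherwise).
verify_registry_certs() {
  dir=$1; host=$2
  openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" >/dev/null 2>&1 || return 1
  openssl x509 -in "$dir/server.crt" -noout -text \
      | grep -A1 'Subject Alternative Name' | grep -q "DNS:$host" || return 2
  crt_mod=$(openssl x509 -in "$dir/server.crt" -noout -modulus)
  key_mod=$(openssl rsa -in "$dir/server.key" -noout -modulus)
  [ "$crt_mod" = "$key_mod" ] || return 3
}

# Usage: ./make-certs.sh /data/cert cloud2.xdpp.boco [192.168.1.101]
if [ $# -ge 2 ]; then
  make_registry_certs "$@"
  verify_registry_certs "$1" "$2" && echo "OK: $1/server.crt verified for $2"
fi
```

After the script reports OK, copy server.crt and server.key into the directory Harbor reads from (step 4) and distribute ca.crt, never ca.key, to the Docker hosts that will pull from the registry; docker login against the registry is then the end-to-end check.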
