I. Background
The project runs its own CA server, and every component's certificate is issued by this project-maintained CA.
We now need to use the ca.crt and ca.key provided by that CA to issue an SSL certificate for the Nexus Docker image registry.
II. Generating and signing the certificate
1. Generate the Nexus server keystore, keystore.jks
2. Use keystore.jks to produce a certificate signing request, client.csr
3. Sign client.csr with the CA-provided ca.crt and ca.key, producing client.crt
4. Import ca.crt and client.crt into keystore.jks, then copy it to the Nexus certificate directory
# cat genCert.sh
#!/bin/bash
############################################################
# Sign the Nexus server certificate with the project CA.
# ca.crt and ca.key are provided by the CA.
# Use ca.crt and ca.key to sign the certificate held in keystore.jks.
############################################################
set -e

# IP address Nexus listens on
nexus_ip="xx.xx.xx.xx"

# 1. Generate the server key pair in keystore.jks (the entry is self-signed until step 4)
keytool -genkey \
-alias keystore \
-keyalg RSA \
-keysize 2048 \
-keystore keystore.jks \
-storepass Nexus@123 \
-keypass Nexus@456 \
-validity 3650 \
-dname "CN=*.test.com,OU=Test,O=Test,L=ShenZhen,ST=GuangDong,C=CN" \
-ext "SAN=IP:${nexus_ip},DNS:nexus.test.com" \
-ext "BC=ca:false"

# X.509 v3 extensions for the signed certificate. openssl x509 -req does not carry
# extensions over from the CSR, so they have to be supplied again here via -extfile.
echo "
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName=IP:${nexus_ip},DNS:nexus.test.com
" > v3.ext

# 2. Create the certificate signing request from the keystore entry
keytool -keystore keystore.jks -certreq -alias keystore \
-file client.csr -keypass "Nexus@456" -storepass "Nexus@123"

# 3. Sign the CSR with the CA key, applying the v3 extensions
openssl x509 -req -CA ca.crt -CAkey ca.key -extfile v3.ext \
-in client.csr -out client.crt -days 3650 -CAcreateserial

# 4. Import the CA certificate first, then the signed reply under the same alias as the key.
#    The reply import touches the private-key entry, so -keypass is required when it
#    differs from -storepass (otherwise keytool prompts for it).
keytool -import -keystore keystore.jks -file ca.crt -alias CARoot -storepass "Nexus@123" -noprompt
keytool -import -keystore keystore.jks -file client.crt -alias keystore \
-storepass "Nexus@123" -keypass "Nexus@456"

# Show the resulting entries and chain
keytool -list -v -keystore keystore.jks -storepass "Nexus@123"
###################################################
III. Copying and distributing the certificates
Copy ca.crt to each client and add it to the system trust store
# cp ca.crt /etc/pki/ca-trust/source/anchors
# update-ca-trust
Copy keystore.jks to the Nexus host and restart Nexus
$ cp keystore.jks /path/to/nexus/ssl/
$ sudo systemctl restart nexus
IV. Testing access from a client
The first form relies on ca.crt having been added to the system trust store in section III; the second points curl at the CA certificate explicitly.
# curl https://xx.xx.xx.xx:XX
# curl --cacert /path/to/ca.crt https://xx.xx.xx.xx:XX
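As an added example, not part of the original post or of Nexus itself, the following POSIX shell script reproduces the signing step of section II with a throwaway CA and then performs the checks a client in section IV would. Since keytool may not be installed, the server key pair and CSR are produced with openssl req instead of keytool -genkey/-certreq; v3.ext is the one from the post. The CA name, the sample address 10.0.0.10 (standing in for xx.xx.xx.xx) and the temporary directory layout are constructed here. The CSR is signed once without -extfile and once with it, which makes the failure mode visible: without the extension file the certificate has no subjectAltName and no basicConstraints, so a client doing hostname or IP verification against the SAN (which is what curl does) cannot accept it.

```shell
#!/bin/sh
# Added example, not from the original post: exercise the signing step with a
# throwaway CA and verify the result the way a TLS client would. Needs only openssl.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
NEXUS_IP="10.0.0.10"        # constructed sample value, stands in for xx.xx.xx.xx
NEXUS_DNS="nexus.test.com"

# Throwaway CA standing in for the project CA's ca.crt / ca.key (constructed here).
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
  -subj "/CN=Example Test CA/O=Test/C=CN" 2>/dev/null

# Server key and CSR: the openssl equivalent of keytool -genkey / -certreq.
openssl req -new -newkey rsa:2048 -nodes -sha256 \
  -keyout "$WORK/client.key" -out "$WORK/client.csr" \
  -subj "/CN=*.test.com/OU=Test/O=Test/L=ShenZhen/ST=GuangDong/C=CN" 2>/dev/null

# The same v3.ext the post writes.
cat > "$WORK/v3.ext" <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName=IP:${NEXUS_IP},DNS:${NEXUS_DNS}
EOF

# sign_csr OUT [EXTFILE]: sign the CSR with the CA, with or without the extension file.
sign_csr() {
  if [ -n "${2:-}" ]; then
    openssl x509 -req -sha256 -days 30 -CAcreateserial -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
      -in "$WORK/client.csr" -out "$1" -extfile "$2" 2>/dev/null
  else
    openssl x509 -req -sha256 -days 30 -CAcreateserial -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
      -in "$WORK/client.csr" -out "$1" 2>/dev/null
  fi
}

# cert_version CERT: print the X.509 version number (3 is required for any extension).
cert_version() {
  openssl x509 -in "$1" -noout -text | sed -n 's/^ *Version: \([0-9]\).*/\1/p'
}

# cert_is_leaf CERT: true if basicConstraints says the certificate is not a CA.
cert_is_leaf() {
  openssl x509 -in "$1" -noout -text | grep -q 'CA:FALSE'
}

# cert_has_san CERT ENTRY: true if the SAN contains ENTRY, e.g. "DNS:nexus.test.com".
cert_has_san() {
  openssl x509 -in "$1" -noout -text | grep -qF "$2"
}

# key_matches_cert KEY CERT: the public key inside CERT is the one belonging to KEY.
key_matches_cert() {
  [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# client_accepts CERT NAME_OR_IP: chain plus name check, as curl --cacert ca.crt does.
# Dotted-decimal values go through -verify_ip, anything else through -verify_hostname.
client_accepts() {
  case "$2" in
    *[!0-9.]*) openssl verify -CAfile "$WORK/ca.crt" -verify_hostname "$2" "$1" >/dev/null 2>&1 ;;
    *)         openssl verify -CAfile "$WORK/ca.crt" -verify_ip "$2" "$1" >/dev/null 2>&1 ;;
  esac
}

sign_csr "$WORK/plain.crt"                  # what you get when -extfile is forgotten
sign_csr "$WORK/client.crt" "$WORK/v3.ext"  # the post's signing command

for c in plain client; do
  if cert_has_san "$WORK/$c.crt" "DNS:$NEXUS_DNS"; then san=yes; else san=no; fi
  if client_accepts "$WORK/$c.crt" "$NEXUS_IP"; then ok=accepted; else ok=rejected; fi
  echo "$c.crt: version $(cert_version "$WORK/$c.crt"), SAN present: $san, client check for $NEXUS_IP: $ok"
done
```

Run it as `sh check_cert.sh`; the same helper functions can be pointed at the real client.crt, ca.crt and the key exported from keystore.jks. The hostname check deliberately includes a negative case in the accompanying assertions (a name that is not in the SAN must be rejected), because a check that only ever passes proves nothing.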
V. References
openssl: generating a self-signed certificate and inspecting certificate details
https://www.cnblogs.com/threegun/p/7130985.html
openssl: inspecting certificate details
http://blog.51cto.com/colinzhouyj/1566250
Signing Certificates With Your Own CA
https://docs.oracle.com/cd/E19509-01/820-3503/ggezy/index.html
Creating an x509 v3 user certificate by signing CSR
https://stackoverflow.com/questions/18233835/creating-an-x509-v3-user-certificate-by-signing-csr
Standard X.509 v3 Certificate Extension Reference
https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/8.0/html/Admin_Guide/Standard_X.509_v3_Certificate_Extensions.html
https://github.com/interledgerjs/ilp-wm-provider/blob/master/cert/v3.ext
How do I display the contents of a SSL certificate?
https://support.qacafe.com/knowledge-base/how-do-i-display-the-contents-of-a-ssl-certificate
keytool - Key and Certificate Management Tool
https://docs.oracle.com/javase/6/docs/technotes/tools/solaris/keytool.html
KeyStores and TrustStores
https://docs.oracle.com/cd/E19509-01/820-3503/ggffo/index.html
Class X509v3CertificateBuilder
http://www.bouncycastle.org/docs/pkixdocs1.5on/org/bouncycastle/cert/X509v3CertificateBuilder.html
x509v3_config.html
https://www.openssl.org/docs/manmaster/man5/x509v3_config.html
http://openssl.cs.utah.edu/docs/apps/x509v3_config.html
Missing X509 extensions with an openssl-generated certificate
https://security.stackexchange.com/questions/150078/missing-x509-extensions-with-an-openssl-generated-certificate
Create X509 certificate with v3 extensions using command line tools
https://unix.stackexchange.com/questions/209861/create-x509-certificate-with-v3-extensions-using-command-line-tools
Certificate Extensions
https://www.dogtagpki.org/wiki/Certificate_Extensions