总示意图:
- # 通过rsa算法生成2048位长度的秘钥
- openssl genrsa -out myCA.key 2048
- # 公钥包含了机构信息,在输入下面的指令之后会有一系列的信息输入,
- # 这些信息便是机构信息,公司名称地址什么的
- # 这里还有一个过期信息,CA证书也会过期,openssl默认是一个月,这里设置为10年
- openssl req -new -x509 -key myCA.key -out myCA.cer -days 3650
执行命令过程如下图所示:
参数名称 | 参数值 |
Country Name | 国家代码,比如中国就是CN |
State or Province Name | 省名称 |
Locality Name | 城市名称 |
Organization Name | 机构名称 |
Organizational Unit Name | 机构单位名称 |
Common Name | 重点参数:授权给什么,因为机构是根节点所以是授权给自己 |
Email Address | 邮件地址 |
在得到CA证书之后,需要通过openssl
工具对证书进行转换得到公钥(.crt文件
)和密钥(.key文件
),无论CA证书是怎么来的到这里之后就没有任何区别了,服务器证书的制作流程相较CA证书要复杂一点点。
openssl
工具创建服务器的秘钥- # 通过RSA算法生成长度2048位的秘钥
- openssl genrsa -out server.key 2048
首先https
证书的公钥不同于自定义情况下的加密证书,这里需要安装浏览器标准进行配置,首先openssl
默认的证书版本是V1,V1在支持https
时部分浏览器依旧会认为不安全,所以需要使用V3版本;同时openssl
即便是使用V3版本依旧没有附带V3的subjectAltName
字段数据(这里是证书对应的IP地址或者域名,可以用通配符)。但是这些东西命令行没法指定所以需要配置文件,我这里准备了一个:
创建openssl.cnf
文件,并添加如下内容:
- tsa_policy2 = 1.2.3.4.5.6
- tsa_policy3 = 1.2.3.4.5.7
- [ ca ]
- default_ca = CA_default # The default ca section
- [ CA_default ]
- dir = ./demoCA # Where everything is kept
- certs = $dir/certs # Where the issued certs are kept
- crl_dir = $dir/crl # Where the issued crl are kept
- database = $dir/index.txt # database index file.
- new_certs_dir = $dir/newcerts # default place for new certs.
- certificate = $dir/cacert.pem # The CA certificate
- serial = $dir/serial # The current serial number
- crlnumber = $dir/crlnumber # the current crl number
- crl = $dir/crl.pem # The current CRL
- private_key = $dir/private/cakey.pem# The private key
- RANDFILE = $dir/private/.rand # private random number file
- x509_extensions = usr_cert # The extentions to add to the cert
- name_opt = ca_default # Subject Name options
- cert_opt = ca_default # Certificate field options
- default_days = 365 # how long to certify for
- default_crl_days= 30 # how long before next CRL
- default_md = default # use public key default MD
- preserve = no # keep passed DN ordering
- policy = policy_match
- [ policy_match ]
- countryName = match
- stateOrProvinceName = match
- organizationName = match
- organizationalUnitName = optional
- commonName = supplied
- emailAddress = optional
- [ policy_anything ]
- countryName = optional
- stateOrProvinceName = optional
- localityName = optional
- organizationName = optional
- organizationalUnitName = optional
- commonName = supplied
- emailAddress = optional
- [ req ]
- default_bits = 1024
- default_keyfile = privkey.pem
- distinguished_name = req_distinguished_name
- attributes = req_attributes
- x509_extensions = v3_ca # The extentions to add to the self signed cert
- string_mask = utf8only
- req_extensions = v3_req # The extensions to add to a certificate request
- [ req_distinguished_name ]
- countryName = Country Name (2 letter code)
- countryName_default = CN
- countryName_min = 2
- countryName_max = 2
- stateOrProvinceName = State or Province Name (full name)
- stateOrProvinceName_default = BeiJing
- localityName = Locality Name (eg, city)
- 0.organizationName = Organization Name (eg, company)
- 0.organizationName_default = myca
- organizationalUnitName = Organizational Unit Name (eg, section)
- commonName = Common Name (e.g. server FQDN or YOUR name)
- commonName_max = 64
- emailAddress = Email Address
- emailAddress_max = 64
- [ req_attributes ]
- challengePassword = A challenge password
- challengePassword_min = 4
- challengePassword_max = 20
- unstructuredName = An optional company name
- [ usr_cert ]
- basicConstraints=CA:FALSE
- nsCertType = client, email, objsign
- keyUsage = nonRepudiation, digitalSignature, keyEncipherment
- nsComment = "OpenSSL Generated Certificate"
- subjectKeyIdentifier=hash
- authorityKeyIdentifier=keyid,issuer
- [ svr_cert ]
- basicConstraints=CA:FALSE
- nsCertType = server
- keyUsage = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment, keyAgreement
- subjectKeyIdentifier=hash
- authorityKeyIdentifier=keyid,issuer
- extendedKeyUsage = serverAuth,clientAuth
- [ v3_req ]
- subjectAltName = @alt_names
- # 这里是重点,需要将里面配置为最终服务端需要的域名或者IP
- # 这里可以写多个,能够自行添加DNS.X = XXXXXX, 支持通配符
- [ alt_names ]
- DNS.1 = www.k8s-harbor.com
- DNS.2 = k8s-harbor.com
- [ v3_ca ]
- subjectKeyIdentifier=hash
- authorityKeyIdentifier=keyid:always,issuer
- basicConstraints = CA:true
- [ crl_ext ]
- authorityKeyIdentifier=keyid:always
- [ proxy_cert_ext ]
- basicConstraints=CA:FALSE
- nsComment = "OpenSSL Generated Certificate"
- subjectKeyIdentifier=hash
- authorityKeyIdentifier=keyid,issuer
- proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
- [ tsa ]
- default_tsa = tsa_config1 # the default TSA section
- [ tsa_config1 ]
- dir = ./demoCA # TSA root directory
- serial = $dir/tsaserial # The current serial number (mandatory)
- crypto_device = builtin # OpenSSL engine to use for signing
- signer_cert = $dir/tsacert.pem # The TSA signing certificate
- # (optional)
- certs = $dir/cacert.pem # Certificate chain to include in reply
- # (optional)
- signer_key = $dir/private/tsakey.pem # The TSA private key (optional)
- default_policy = tsa_policy1 # Policy if request did not specify it
- # (optional)
- other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
- digests = md5, sha1 # Acceptable message digests (mandatory)
- accuracy = secs:1, millisecs:500, microsecs:100 # (optional)
- clock_precision_digits = 0 # number of digits after dot. (optional)
- ordering = yes # Is ordering defined for timestamps?
- # (optional, default: no)
- tsa_name = yes # Must the TSA name be included in the reply?
- # (optional, default: no)
- ess_cert_id_chain = no # Must the ESS cert id chain be included?
- # (optional, default: no)
将上面的配置内容保存为openssl.cnf
放到生成的服务器证书文件的目录下(注意:修改alt_names里面的域名或者IP为最终部署需要的地址,支持通配符),然后执行创建签名申请文件即可,执行运行:
注意:在
openssl.conf
中一定要加有关的域名,然后生成对应服务器的证书的时候也使用域名就可以实现正常的访问了。
- # 和创建CA时一样这里需要输入一堆服务器信息,输入项也是相同的。
- # 不过在输入Common Name(CN)最好直接输入服务器的IP地址或者域名。
- openssl req -config openssl.cnf -new -out server.req -key server.key
执行命令过程如下图所示:
这里服务器的公钥是由CA证书的密钥配对加密来的。
- # 这里本质上就是将签名请求文件进行签名最终得到服务器的公钥
- openssl x509 -req \
- -extfile openssl.cnf \
- -extensions v3_req \
- -CAkey myCA.key \
- -CA myCA.cer \
- -days 3650 \
- -in server.req \
- -out server.cer \
- -CAcreateserial -CAserial serial
命令如下:
openssl x509 -inform PEM -in server.cer -out server.crt
命令如下:
openssl x509 -inform PEM -in server.crt -out server.cert
- # 方法一:
- keytool -import \
- -alias certificate_alias \
- -file server.cer \
- -keystore server.jks
-
- # 方法二:
- # 1. 将cer证书转换为PKCS12格式的证书
- keytool -importcert \
- -file server.cer \
- -keystore server.p12 \
- -storetype PKCS12
-
- # 2. 将PKCS12格式的证书转换为JKS格式的证书
- keytool -importkeystore \
- -destkeystore server.jks \
- -srckeystore server.p12 \
- -srcstoretype pkcs12 \
- -alias alias_name # 无 alias 则不加此参数
通过openssl
创建的CA证书,只需要将CA证书的公钥(myCA.cer文件
)导入到系统信任的根证书颁发机构里面就行了,即直接双击cer
文件进行证书安装,最终不光是windows系统,任何操作系统都可以安装证书来进行对CA机构的进行信任操作。
或者,通过chrome 浏览器添加证书(use):
打开 "设置" --》 "隐私和安全" --》"安全" --》“管理设备证书”--》"受信任的根证书颁发机构" --》"导入",最终导入myCA.cer
证书文件即可。
导入成功后,可在 "受信任的根证书颁发机构"列表查看到该证书。
(1) 将服务端证书拷贝至 /data/cert/目录下
- mkdir -p /data/cert/
- cp server.crt /data/cert/
- cp server.key /data/cert/
(2) 将 server.crt 文件拷贝到docker的证书目录下,注意替换为自己的域名
- mkdir -p /etc/docker/certs.d/www.k8s-harbor.com/
- cp server.crt /etc/docker/certs.d/www.k8s-harbor.com/
这里需要注意的是,如果nginx中对https没有使用默认的443端口,修改为其他端口了,则此时的需要创建的目录为:/etc/docker/certs.d/yourdomain.com:port, 或者 /etc/docker/certs.d/harbor_IP:port
(3) 重启docker
systemctl restart docker
修改harbor.yml配置 (位于/usr/local/harbor),开启 https 配置。
如下前面部署 http 模式的时候将https的部分注释了,这里要将 https 的配置放开注释,而且修改证书的文件路径,如下所示
- # Configuration file of Harbor
-
- # The IP address or hostname to access admin UI and registry service.
- # DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients.
- hostname: harbor.ninexch.com #更改为本地解析IP的域名
-
- # http related config
- http:
- # port for http, default is 80. If https enabled, this port will redirect to https port
- port: 80
- # https related config
- https: #开启Https
- # https port for harbor, default is 443
- port: 443 #开启端口
- # The path of cert and key files for nginx
- certificate: /data/cert/server.crt #指定SSL公有证书
- private_key: /data/cert/server.key #指定SSL私有证书
然后执行如下命令更新 harbor
- # 重新安装(harbor相关容器会被删除,数据正常不会丢失)
- ./install.sh
-
- # 重新编译配置文件(数据会丢失) -- no use
- ./prepare
- docker-compose down -v
- docker-compose up -d
修改 nginx.conf 配置,增加监听 443 端口的,跳转到harbor的8443端口,此外在这里需要指定证书文件的路径
- server {
- listen 443 ssl;
- server_name www.k8s-harbor.com;
-
- ssl_certificate /data/cert/server.crt;
- ssl_certificate_key /data/cert/server.key;
- ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
- ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
-
- ssl_session_cache shared:SSL:1m;
- ssl_session_timeout 5m;
-
- location / {
- client_max_body_size 1024M;
- client_body_buffer_size 1024M;
- proxy_redirect off;
- proxy_pass https://172.22.27.162:8443;
-
- proxy_set_header Host $host;
-
- proxy_set_header X-Real-IP $remote_addr;
-
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- }
-
- error_page 500 502 503 504 /50x.html;
- location = /50x.html {
- root html;
- }
- }
然后将 http 的跳转到 https
- server {
- listen 80;
- server_name www.k8s-harbor.com;
- return 301 https://www.k8s-harbor.com$request_uri;
- }
然后重新加载配置文件
nginx -s reload
此时在浏览器就可以 通过 http://www.k8s-harbor.com 和 https://www.k8s-harbor.com 访问,当使用 http://www.k8s-harbor.com 时会发现自动跳转到 https://www.k8s-harbor.com
注意,如果出现类似如下错误:
nginx: [emerg] unknown directive "ssl_certificate" in /usr/local/nginx/conf/nginx.conf
或者类似如下错误;
error: SSL modules require the OpenSSL library.
说明 nginx 没有安装ssl,此时进入nginx的源码目录,执行如下命令
- ./configure \
- --prefix=/usr/local/nginx \
- --with-http_stub_status_module \
- --with-http_ssl_module \
- --with-openssl=/usr/local/src/openssl-1.1.1o
其中:
然后使用 make 编译,注意,不要使用 make install,否则会覆盖
make
然后备份原有的nginx 命令,并将新编译的nginx拷贝的nginx命令所在的目录
- # 将原有的命令重命名备份
- mv /usr/local/nginx/sbin/nginx /usr/local/nginx/sbin/nginx.bark
-
- # 将新编译的nginx命令拷贝到nginx命令的目录下
- cp objs/nginx /usr/local/nginx/sbin/
然后执行 nginx -V ,如下,出现 —with-http_ssl_module 表示安装成功
- [root@redrose2100 nginx-1.21.4]# nginx -V
- nginx version: nginx/1.21.4
- built by gcc 4.8.5 20150623 (Red Hat 4.8.5-44) (GCC)
- built with OpenSSL 1.1.1o 3 May 2022
- TLS SNI support enabled
- configure arguments: --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_ssl_module --with-openssl=/usr/local/src/openssl-1.1.1o
- [root@redrose2100 nginx-1.21.4]#
然后再次执行如下命令重新加载nginx配置
nginx -s reload
只有CA机构的公钥证书被安装在受信任的根证书颁发机构,才能达到将做到让系统信任。
因为我们自定义的CA机构一定不再请求的信任区内的,所以我们需要手动添加一下才可以。
1, 局域网内搭建浏览器可信任的SSL证书
2, 将cer格式的证书转为crt格式
3, 生成可信任的https证书 - 简书