自建CA,生成CA证书
方法一
- 生成CA私钥, key
# openssl genrsa -out ca.key 4096
Generating RSA private key, 4096 bit long modulus
.....................................................++
............................................++
e is 65537 (0x10001)
# ls
ca.key
-
生成证书请求文件, csr(无)
-
签发CA证书,crt
# cat <<EOF > ca.cnf
[ req ]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[ v3_req ]
keyUsage = critical, keyCertSign, digitalSignature, keyEncipherment
basicConstraints = critical, CA:true
EOF
# openssl req -x509 -new -nodes -key ca.key -days 1825 -out ca.crt \
-subj "/CN=ca/OU=System/C=CN/ST=Shanghai/L=Shanghai/O=devops" \
-config ca.cnf -extensions v3_req
# ls
ca.cert ca.cnf ca.key
方法二
# openssl req -nodes -subj "/CN=ca/OU=System/C=CN/ST=ShangHai/L=HaiShange/O=devops" -newkey rsa:4096 -sha256 -keyout ca.key -x509 -days 365 -out ca.crt
Generating a 4096 bit RSA private key
.....................................................................................................++
.................................................++
writing new private key to 'ca.key'
-----
# ls
ca.crt ca.key
# openssl x509 -noout -text -in ca.crt
查看CA证书信息
# openssl x509 -noout -text -in ca.crt
自签证书
- 创建私钥,key;证书请求文件,csr
# openssl req -newkey rsa:4096 -nodes -sha256 -keyout harbor.dev.ops.key \
-out harbor.dev.ops.csr \
-subj "/CN=harbor.dev.ops/C=CN/ST=ShangHai/L=HaiShange"
Generating a 4096 bit RSA private key
........................................................................................................................................++
..............................................................................................................................................................................................................................................++
writing new private key to 'harbor.dev.ops.key'
-----
# ls
harbor.dev.ops.csr harbor.dev.ops.key
- 使用自建CA证书,签发证书,crt
# openssl x509 -req -days 365 -in harbor.dev.ops.csr \
-CA ../selfCA/ca.crt -CAkey ../selfCA/ca.key -CAcreateserial \
-out harbor.dev.ops.crt
Signature ok
subject=/CN=harbor.dev.ops/C=CN/ST=ShangHai/L=HaiShange
Getting CA Private Key
# ls
harbor.dev.ops.crt harbor.dev.ops.csr harbor.dev.ops.key
- 查看CA证书信息
# openssl x509 -noout -text -in harbor.dev.ops.crt