Understand the openssl protocol: what the hell are x509, crt, cer, key, csr, ssl, tls? How to issue a certificate to your website?


Today, when I tried to set up a private Docker registry on a Mac, I found that the latest registry is forced to use SSL authentication for security reasons, so I learned more about how to use openssl on Linux/Mac and came into contact with a bunch of new English abbreviations. They are organized as follows:

TLS: Abbreviation for Transport Layer Security

SSL: Abbreviation for Secure Socket Layer

For developers who are not security professionals, TLS and SSL can be considered similar; the two are siblings, not one a subset of the other. For the detailed differences, see http://kb.cnblogs.com/page/197396/

KEY usually refers to the private key.

CSR is the abbreviation of Certificate Signing Request. It is not a certificate; it can be simply understood as the public key (bundled with the applicant's identifying information) that must be submitted to an authoritative certification authority when a certificate is requested.

CRT is the abbreviation of certificate.

X.509 is a certificate format. For X.509 certificates, the authenticator is always a CA or a person designated by the CA. An X.509 certificate is a collection of standard fields containing information about a user or device and about its corresponding public key.

X.509 certificate files generally end in .crt. According to the encoding of the file contents, they come in the following two formats:

PEM - Privacy Enhanced Mail. Opened, it is a text file that starts with "-----BEGIN..." and ends with "-----END...", with the content in BASE64 encoding. Apache and *NIX servers prefer this encoding format.

DER - Distinguished Encoding Rules. A binary format, not human-readable. Java and Windows servers prefer this encoding format.

OpenSSL is an implementation of SSL. If the SSL specification is regarded as an interface in OO terms, then OpenSSL is one implementation of that interface. The specification itself is sound, but a concrete implementation may have flaws, such as the earlier "Heartbleed" vulnerability, which was a bug in OpenSSL.

Steps for using openssl to issue a certificate to yourself:

Prerequisite: first create a cert directory and cd into it; every command below is run from this directory.

1. Generate the private key (KEY)

openssl genrsa -des3 -out server.key 2048

After this step, the server.key file is generated in the cert directory. Because of -des3, you will be asked for a passphrase that protects the key.

2. Generate the certificate request file (CSR)

openssl req -new -key server.key -out server.csr

This command first enters an interactive mode that prompts you to fill in a series of fields; the prompts are shown in the figure below.

Note that the Common Name must be the domain name or host name that will use the SSL certificate (i.e. the site served over HTTPS), otherwise the browser will consider the certificate insecure. For example, if you plan to use https://yjm-docker/xxx later, fill in yjm-docker here.

3. Generate the CA certificate

As mentioned earlier, the authenticator of an X.509 certificate is always the CA or a person designated by the CA, so a CA certificate must be generated first:

openssl req -new -x509 -key server.key -out ca.crt -days 3650
4. Finally, use the CA certificate from step 3 to issue a certificate to yourself

openssl x509 -req -days 3650 -in server.csr \
  -CA ca.crt -CAkey server.key \
  -CAcreateserial -out server.crt

After execution, server.crt in the cert directory is the certificate we need. Of course, if you want browsers such as Chrome to show the green "secure" padlock, a certificate you issued yourself will not do; you have to pay a third-party authoritative certificate authority (i.e. hand step 4 over to the authority). We only need to submit server.key, server.csr... oh, and Grandpa Mao (the fee).
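The same four steps as a runnable script, followed by the checks that show the result is what we expect (chain verifies, Common Name is right, PEM and DER are the same certificate). This is an added example, not the post's own commands: it assumes a separate ca.key for the CA instead of reusing server.key, passes the interactive fields with -subj, and uses the post's host name yjm-docker as Common Name and subjectAltName.

```shell
#!/bin/sh
# Added example (not from the original post): steps 1-4 run unattended,
# then the checks a practitioner runs on the result.
# Assumptions: the CA gets its own key (ca.key) rather than reusing
# server.key; -subj replaces the interactive prompts; the host name
# "yjm-docker" from the post is the Common Name and the subjectAltName.
set -eu

# Run steps 1-4 inside directory "$1" for host "$2"; also writes a DER copy.
make_certs() {
  mkdir -p "$1"
  ( cd "$1"
    # Step 1: private key. The post adds -des3, which would prompt for a
    # passphrase; it is omitted here so the script runs unattended.
    openssl genrsa -out server.key 2048 2>/dev/null
    # Step 2: CSR. Only server.csr is ever sent to a CA; server.key stays local.
    openssl req -new -key server.key -out server.csr -subj "/CN=$2"
    # Step 3: CA certificate on its own key.
    openssl genrsa -out ca.key 2048 2>/dev/null
    openssl req -new -x509 -key ca.key -out ca.crt -days 3650 \
      -subj "/CN=Test CA"
    # Step 4: the CA signs the CSR. Browsers ignore the CN and require a
    # subjectAltName, so one is supplied through -extfile.
    printf 'subjectAltName=DNS:%s\n' "$2" > san.ext
    openssl x509 -req -days 3650 -in server.csr -CA ca.crt -CAkey ca.key \
      -CAcreateserial -extfile san.ext -out server.crt 2>/dev/null
    # PEM -> DER: the same certificate in the binary encoding described above.
    openssl x509 -in server.crt -outform DER -out server.der )
}

# verify_chain: does server.crt in "$1" chain to ca.crt? (exit 0 = yes)
verify_chain() { openssl verify -CAfile "$1/ca.crt" "$1/server.crt" >/dev/null; }
# cert_cn / der_cn: print the Common Name of a PEM or DER certificate.
cert_cn() { openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'; }
der_cn() { openssl x509 -inform DER -in "$1" -noout -subject | sed 's/.*CN *= *//'; }
# has_san: is host "$2" present as a DNS subjectAltName in "$1"?
has_san() { openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"; }
# is_pem: PEM is text starting with "-----BEGIN"; DER is binary and is not.
is_pem() { head -c 20 "$1" | grep -q -- '-----BEGIN'; }

if [ "${1:-}" = "run" ]; then
  make_certs cert yjm-docker
  verify_chain cert && echo "CN=$(cert_cn cert/server.crt) chains to cert/ca.crt"
fi
```

Run it as `sh issue.sh run` to reproduce the post's cert directory, or use `openssl verify -CAfile ca.crt server.crt` on its own to check the certificate the post's commands produced.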

Origin blog.csdn.net/happyzhlb/article/details/120683045