Generating a self-signed certificate with OpenSSL

1. Generate a self-signed certificate

1.1 Create the root CA private key and self-signed CA certificate

-newkey rsa:4096 -nodes generates a 4096-bit RSA key and writes it to ca.key unencrypted; -x509 makes req emit a self-signed certificate instead of a signing request; -days 365 sets its validity period.

openssl req -newkey rsa:4096 -nodes -sha256 -keyout ca.key -x509 -days 365 -out ca.crt 

Sample run:

root@duke:~# openssl req -newkey rsa:4096 -nodes -sha256 -keyout ca.key -x509 -days 365 -out ca.crt
Generating a 4096 bit RSA private key
.............................................++
.............................................++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]: CN
State or Province Name (full name) [Some-State]: NanJing
Locality Name (eg, city) []: NanJing
Organization Name (eg, company) [Internet Widgits Pty Ltd]: rancher
Organizational Unit Name (eg, section) []: info technology
Common Name (e.g. server FQDN or YOUR name) []: duke
Email Address []: [email protected]

1.2 Generate a certificate signing request (CSR) for the web server

If the server will be reached by an FQDN such as demo.rancher.com, set demo.rancher.com as the Common Name (CN); if it will be reached by IP address, set the IP address as the CN. The CN alone is no longer sufficient: current browsers and most TLS libraries ignore it and match the host name or address only against the subjectAltName extension, so the matching DNS: or IP: entry must also be added when the request is signed (1.4 shows this for an IP address; for a host name use subjectAltName = DNS:demo.rancher.com).

openssl req -newkey rsa:4096 -nodes -sha256 -keyout demo.rancher.com.key -out demo.rancher.com.csr

or

openssl req -newkey rsa:4096 -nodes -sha256 -keyout 192.168.0.2.key -out 192.168.0.2.csr

Sample run:

[Note]:
The Common Name must be the FQDN or host name the certificate is being issued for, and it must not be the same as the Common Name used for the root CA: verifiers match certificate chains by subject and issuer name, so a server certificate that shares the CA's subject can be mistaken for a self-signed certificate and fail verification.
The challenge password can be left blank.
root@duke:~# openssl req -newkey rsa:4096 -nodes -sha256 -keyout 192.168.0.2.key -out 192.168.0.2.csr
Generating a 4096 bit RSA private key
....................................................................++
....................................................................++
writing new private key to '192.168.0.2.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:NanJing
Locality Name (eg, city) []:NanJing
Organization Name (eg, company) [Internet Widgits Pty Ltd]:RANCHER
Organizational Unit Name (eg, section) []:info technology
Common Name (e.g. server FQDN or YOUR name) []:192.168.0.2
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:          (extra attribute, can be left blank)
An optional company name []:      (extra attribute, can be left blank)

1.3 Sign the request from 1.2 with the CA certificate created in 1.1

openssl x509 -req -days 365 -in 192.168.0.2.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out 192.168.0.2.crt

Sample run:

root@duke:~# openssl x509 -req -days 365 -in 192.168.0.2.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out 192.168.0.2.crt
Signature ok
subject=/C=CN/ST=NanJing/L=NanJing/O=RANCHER/OU=info technology/CN=192.168.0.2/[email protected]
Getting CA Private Key

1.4 Signing for an IP address

If you connect by IP address, for example 192.168.0.2, run the following instead. The -extfile option adds a subjectAltName extension carrying the IP address to the signed certificate, which is the field clients match the address against:

echo 'subjectAltName = IP:192.168.0.2' > extfile.cnf
openssl x509 -req -days 365 -in 192.168.0.2.csr -CA ca.crt -CAkey ca.key -CAcreateserial -extfile extfile.cnf -out 192.168.0.2.crt

Sample run:

root@duke:~# echo 'subjectAltName = IP:192.168.0.2' > extfile.cnf
root@duke:~# openssl x509 -req -days 365 -in 192.168.0.2.csr -CA ca.crt -CAkey ca.key -CAcreateserial -extfile extfile.cnf -out 192.168.0.2.crt
Signature ok
subject=/C=CN/ST=NanJing/L=NanJing/O=RANCHER/OU=info technology/CN=192.168.0.2/[email protected]
Getting CA Private Key

[Note]: The IP after subjectAltName is written without a port number.

1.5 Check the files

After the steps above, the following files exist: ca.crt, ca.srl, ca.key, 192.168.0.2.crt, 192.168.0.2.key, 192.168.0.2.csr and extfile.cnf. Keep ca.key off the web server: once ca.crt has been distributed as a trust anchor it is the one secret that matters, because whoever holds it can issue a certificate for any name that every client trusting ca.crt will accept.

Sample run:

root@duke:~# ls
192.168.0.2.crt 192.168.0.2.key ca.crt ca.srl docker-1.13.1.tgz kubectl shipyard var 模板 图片 下载 桌面
192.168.0.2.csr anaconda3 ca.key docker extfile.cnf mapd-docker-storage tigervncserver_1.6.80-4_amd64.deb 公共的 视频 文档 音乐

2. Verify the self-signed certificate

[Note]: Because the certificate is issued by a private CA, the browser will warn that the certificate authority is unknown until ca.crt is imported into the browser's or operating system's trust store.

Deploy the signed server certificate (192.168.0.2.crt) and its passphrase-less private key (192.168.0.2.key) to the web server (for example Harbor); ca.crt is the trust anchor that clients import, not the certificate the server should present. Then run the following commands to verify. In the sample runs below the server is in fact presenting the CA certificate itself (subject and issuer are both CN=duke), which is why the untrusted case reports error 18 (self signed certificate); with the leaf certificate deployed, the untrusted case reports errors 20 and 21 (unable to get local issuer certificate / unable to verify the first certificate) instead, and 2.2 still ends with "Verify return code: 0 (ok)".

2.1 Verify without the CA certificate

openssl s_client -connect 192.168.0.2:8443 -servername 192.168.0.2

Sample run:

root@duke:~# openssl s_client -connect 192.168.0.2:8443 -servername 192.168.0.2
CONNECTED(00000003)
depth=0 C = CN, ST = NanJing, L = NanJing, O = rancher, OU = info technology, CN = duke, emailAddress = [email protected]
verify error:num=18:self signed certificate      <- verification fails: the certificate is self-signed and its issuer is not trusted
verify return:1
depth=0 C = CN, ST = NanJing, L = NanJing, O = rancher, OU = info technology, CN = duke, emailAddress = [email protected]
verify return:1
---
Certificate chain
 0 s:/C=CN/ST=NanJing/L=NanJing/O=rancher/OU=info technology/CN=duke/[email protected]
   i:/C=CN/ST=NanJing/L=NanJing/O=rancher/OU=info technology/CN=duke/[email protected]
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=/C=CN/ST=NanJing/L=NanJing/O=rancher/OU=info technology/CN=duke/[email protected]
issuer=/C=CN/ST=NanJing/L=NanJing/O=rancher/OU=info technology/CN=duke/[email protected]
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 2464 bytes and written 450 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 340DBA9B6572AEAF10CFD75D77B86CBAB1ED2F91DC69C44628C08C112A84F473
    Session-ID-ctx: 
    Master-Key: C294F7E4E56D19FAA1EC1279718385BF677C4E6DC250424F2424BAB8F48E37290FCEFC0C5B8326D33AE69DAC5CF35F77
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - c7 bb 8d 3d cf cb cc 5c-61 2d 75 79 63 b0 39 57   ...=...\a-uyc.9W
    0010 - 2f 80 15 34 c5 60 31 e1-43 54 7d 95 bf e4 ad 5e   /..4.`1.CT}....^
    0020 - ea 62 db 2b 94 46 13 83-a2 08 c0 04 c8 7b 74 1c   .b.+.F.......{t.
    0030 - 26 da 21 1d b5 db d7 c4-3a 3e e2 b0 81 14 2d 87   &.!.....:>....-.
    0040 - d8 0f a4 60 34 cc e9 0f-46 54 87 49 7f 1c 2a 56   ...`4...FT.I..*V
    0050 - 55 e7 11 d0 cd d9 df 8c-b1 0e 8f 34 c1 ff 71 4c   U..........4..qL
    0060 - 46 73 61 a3 88 d7 2a 4c-90 2b c6 76 7c 28 f4 ef   Fsa...*L.+.v|(..
    0070 - 69 48 a1 15 23 73 32 c5-55 c6 4a 65 b9 40 7d c3   iH..#s2.U.Je.@}.
    0080 - dc 5e cf 6d 0c cf 90 59-88 0c 6c 12 76 ca d0 1a   .^.m...Y..l.v...
    0090 - 65 43 f9 a6 1b 5c 03 ed-ac 59 85 26 1a a9 1b bb   eC...\...Y.&....
    00a0 - 53 37 d9 da f9 f7 27 f2-00 6a 27 ae a1 c1 98 f5   S7....'..j'.....
    00b0 - ff 27 07 51 6f 98 d4 b3-cd 63 24 d5 9e 1b 85 99   .'.Qo....c$.....

    Start Time: 1545636922
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---

2.2 Verify with the CA certificate

openssl s_client -connect 192.168.0.2:8443 -servername 192.168.0.2 -CAfile ca.crt

Sample run:

root@duke:~# openssl s_client -connect 192.168.0.2:8443 -servername 192.168.0.2 -CAfile ca.crt
CONNECTED(00000003)
depth=0 C = CN, ST = NanJing, L = NanJing, O = rancher, OU = info technology, CN = duke, emailAddress = [email protected]      <- no error: the certificate verifies against ca.crt
verify return:1
---
Certificate chain
 0 s:/C=CN/ST=NanJing/L=NanJing/O=rancher/OU=info technology/CN=duke/[email protected]
   i:/C=CN/ST=NanJing/L=NanJing/O=rancher/OU=info technology/CN=duke/[email protected]
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=/C=CN/ST=NanJing/L=NanJing/O=rancher/OU=info technology/CN=duke/[email protected]
issuer=/C=CN/ST=NanJing/L=NanJing/O=rancher/OU=info technology/CN=duke/[email protected]
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 2464 bytes and written 450 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: A6C098FEBD7A744A4B7698949AAD54C4A56B362EA357BA0F2EE66335E3584691
    Session-ID-ctx: 
    Master-Key: EFCAB47D6C3F3132B93AE60A45CF5F7776240108617CCD29894F509710D80038A08B6A0A802AF7825ECD74698D551D34
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - c7 bb 8d 3d cf cb cc 5c-61 2d 75 79 63 b0 39 57   ...=...\a-uyc.9W
    0010 - 50 df ce 95 3d 8f 24 aa-4c 80 0b 4d 8e 6f b3 af   P...=.$.L..M.o..
    0020 - e4 66 f7 dd ea b6 45 76-17 3e eb 7b 3e 77 52 17   .f....Ev.>.{>wR.
    0030 - 33 e4 d3 54 5e d2 0d ab-ed 73 54 df ab 22 3d cd   3..T^....sT.."=.
    0040 - 56 8d f8 9e c4 cd 83 33-8f f5 a2 91 68 ea cf cd   V......3....h...
    0050 - 2a e7 f2 3f 8e c6 e1 b8-a5 f3 28 92 98 70 01 d8   *..?......(..p..
    0060 - fd ad 08 aa ae 6b 4d ff-7f 2f 6f b6 63 23 33 4d   .....kM../o.c#3M
    0070 - 94 18 f2 a7 01 a8 c6 bc-a3 c5 d3 6f 71 39 f0 d0   ...........oq9..
    0080 - 9b 99 cf 5f 79 01 c0 2d-b8 69 40 15 ea ae c1 77   [email protected]
    0090 - f0 77 72 ba 52 b9 6c b7-56 c8 a9 f2 f4 67 82 45   .wr.R.l.V....g.E
    00a0 - ee 41 86 1f b9 97 66 2b-66 17 6c 81 b2 92 88 8a   .A....f+f.l.....
    00b0 - ba 96 63 75 97 f3 63 4f-4b a4 9c ab 3f b7 8c db   ..cu..cOK...?...

    Start Time: 1545637270
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

Source: www.cnblogs.com/hzw97/p/11585050.html