cfssl生成自签证书
简介：使用 cfssl 生成自签名 CA 和服务器证书，配置 nginx 启用 HTTPS，并让浏览器信任该 CA。
安装cfssl
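# Install the cfssl tool set (cfssl, cfssljson, cfssl-certinfo).
# R1.2 is the build this guide was written against; it dates from 2017, so check
# the project's release page for a current build before reusing this.
# wget only gives transport security: compare the printed sha256 of each binary
# with the digest published for the release before trusting it, and install it
# root-owned 0755 so a less-privileged user cannot later replace the tool that
# will be used to sign with the CA key.
set -euo pipefail

release_url=https://pkg.cfssl.org/R1.2
tools=(cfssl cfssljson cfssl-certinfo)

workdir=$(mktemp -d)
trap 'rm -rf -- "$workdir"' EXIT

for tool in "${tools[@]}"; do
  wget --https-only -O "$workdir/$tool" "$release_url/${tool}_linux-amd64"
done

# Show the digests for comparison against the published checksums.
(cd "$workdir" && sha256sum "${tools[@]}")

for tool in "${tools[@]}"; do
  install -o root -g root -m 0755 "$workdir/$tool" "/usr/local/bin/$tool"
done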
生成ca证书
#创建csr的json配置文件
[root@localhost certs]# vim ca-csr.json
{
"CN": "k8s-ca",
"hosts": [
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "sichuan",
"L": "chengdu",
"O": "hi",
"OU": "ops"
}
],
"ca": {
"expiry": "175200h"
}
}
#创建签发配置文件（签名 profile 与有效期）。注意：这里的 expiry 175200h 即 20 年，对服务器证书来说过长，部分平台（如 Apple 设备）会拒绝有效期超过 825 天的服务器证书；私有 CA 的根证书可以较长，但服务器证书建议 1 年左右
[root@localhost certs]# vim ca-config.json
{
"signing": {
"default": {
"expiry": "175200h"
},
"profiles": {
"server": {
"expiry": "175200h",
"usages": [
"signing",
"key encipherment",
"server auth"
]
},
"client": {
"expiry": "175200h",
"usages": [
"signing",
"key encipherment",
"client auth"
]
},
"peer": {
"expiry": "175200h",
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
]
}
}
}
}
生成CA证书和私钥
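# Generate the CA private key and self-signed root certificate from ca-csr.json.
# The installed binary is named cfssljson (see the install step); "cfssl-json"
# is not a command. Outputs: ca.pem (root cert), ca-key.pem (private key,
# created 0600 -- keep it offline and never copy it to the web server), ca.csr.
cfssl gencert -initca ca-csr.json | cfssljson -bare ca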
2020/04/24 03:33:55 [INFO] generating a new CA key and certificate from CSR
2020/04/24 03:33:55 [INFO] generate received request
2020/04/24 03:33:55 [INFO] received CSR
2020/04/24 03:33:55 [INFO] generating key: rsa-2048
2020/04/24 03:33:55 [INFO] encoded CSR
2020/04/24 03:33:55 [INFO] signed certificate with serial number 438107443971268110509803837811802775660837260854
[root@localhost certs]# ll
total 16
-rw-r--r-- 1 root root 989 Apr 24 03:33 ca.csr
-rw-r--r-- 1 root root 326 Apr 24 03:31 ca-csr.json
-rw------- 1 root root 1679 Apr 24 03:33 ca-key.pem #根证书私钥，权限 0600，必须妥善保管：持有它的人可以签发任何会被导入了 ca.pem 的浏览器所信任的证书，不要复制到 web 服务器上
-rw-r--r-- 1 root root 1338 Apr 24 03:33 ca.pem #根证书
生成服务器证书（hosts 字段即证书的 SAN，浏览器按 SAN 匹配域名，需填写实际访问的完整域名）
[root@localhost certs]# vim hi-host-server-csr.json
{
"CN": "hi",
"hosts": [
"test.hi-host.com"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "sichuan",
"L": "chengdu",
"O": "hi",
"OU": "ops"
}
]
}
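# Issue the server certificate, signed by the CA with the "server" profile from
# ca-config.json (serverAuth only), for the names listed under "hosts" in the
# CSR (the SAN is what browsers match; the CN alone is not enough).
# The installed binary is named cfssljson, not "cfssl-json".
cfssl gencert \
  -ca=ca.pem \
  -ca-key=ca-key.pem \
  -config=ca-config.json \
  -profile=server \
  hi-host-server-csr.json | cfssljson -bare hi-host-server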
[root@localhost certs]# ll | grep hi-host
-rw-r--r-- 1 root root 1045 May 1 22:33 hi-host-server.csr
-rw-r--r-- 1 root root 302 May 1 22:02 hi-host-server-csr.json
-rw------- 1 root root 1679 May 1 22:33 hi-host-server-key.pem
-rw-r--r-- 1 root root 1395 May 1 22:33 hi-host-server.pem
配置nginx
[root@localhost certs]# vim /etc/nginx/conf.d/test.hi-host.com.conf
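server {
    listen 443 ssl;
    server_name test.hi-host.com;
    client_max_body_size 1000m;

    # Leaf certificate signed by the private CA, and its private key. The key
    # file must stay 0600 root:root (as cfssljson created it); nginx reads it
    # as root at startup. Only the server cert and key belong here, never ca-key.pem.
    ssl_certificate /root/certs/hi-host-server.pem;
    ssl_certificate_key /root/certs/hi-host-server-key.pem;

    # Restrict to modern TLS; older nginx builds otherwise also enable TLSv1/1.1.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;

    location / {
        proxy_pass http://127.0.0.1:180;
        # Without these the backend sees Host "127.0.0.1:180" and the proxy's
        # address instead of the real client and scheme.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}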
#先执行 nginx -t 检查配置，再 systemctl reload nginx 使其生效
解决浏览器访问https不安全问题
以上配置好后，就可以访问 https://test.hi-host.com ，但浏览器仍会提示不安全：能看到证书，但证书被判为无效，因为签发它的 CA 不在浏览器的信任列表中，自签证书都会有这个问题。解决办法是把 ca.pem（只导入根证书，不是 ca-key.pem）导入到浏览器的受信任根证书中。注意：导入后，凡由 ca-key.pem 签发的证书都会被该浏览器信任，因此该私钥必须严格保护，并且只在自己的测试设备上导入，不要把私有 CA 分发给不相关的用户。这里以 Chrome 为例，设置步骤如下：
- 将 ca.pem 改后缀名为 ca.crt（文件内容为 PEM，改名即可）
- 设置
- 在设置中搜索 https -> 管理证书
- 选择受信任根证书颁发机构
- 导入ca.crt
- 重启浏览器
- 重新访问