cfssl生成自签证书

简介cfssl生成自签证书

安装cfssl

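# Install the cfssl toolchain (cfssl, cfssljson, cfssl-certinfo) into /usr/local/bin.
# Each binary is fetched into a temporary file and only copied into place once the
# download has completed, so a failed or partial download never leaves a truncated
# (yet executable) file on PATH, as the original "wget -O <target>; chmod +x" did.
# NOTE(review): the page installs these binaries without any integrity check;
# compare each download against the checksum published by the cfssl project
# (placeholder: <EXPECTED_SHA256_FROM_RELEASE_PAGE>) before running install.
set -euo pipefail
for tool in cfssl cfssljson cfssl-certinfo; do
  tmp=$(mktemp) || exit 1
  wget "https://pkg.cfssl.org/R1.2/${tool}_linux-amd64" -O "$tmp"
  # install sets the mode only on the three files we manage, unlike chmod +x cfssl*
  install -m 0755 -- "$tmp" "/usr/local/bin/${tool}"
  rm -f -- "$tmp"
done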

生成ca证书

#创建csr的json配置文件
[root@localhost certs]# vim ca-csr.json
{
    "CN": "k8s-ca",
    "hosts": [
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "ST": "sichuan",
            "L": "chengdu",
            "O": "hi",
            "OU": "ops"
        }
    ],
    "ca": {
        "expiry": "175200h"
    }
}

#创建基于根证书的config配置文件
[root@localhost certs]# vim ca-config.json
{
    "signing": {
        "default": {
            "expiry": "175200h"
        },
        "profiles": {
            "server": {
                "expiry": "175200h",
                "usages": [
                    "signing",
                    "key encipherment",
                    "server auth"
                ]
            },
            "client": {
                "expiry": "175200h",
                "usages": [
                    "signing",
                    "key encipherment",
                    "client auth"
                ]
            },
            "peer": {
                "expiry": "175200h",
                "usages": [
                    "signing",
                    "key encipherment",
                    "server auth",
                    "client auth"
                ]
            }
        }
    }
}

生成CA证书和私钥

[root@localhost certs]# cfssl gencert -initca ca-csr.json |cfssljson -bare ca #生成命令
2020/04/24 03:33:55 [INFO] generating a new CA key and certificate from CSR
2020/04/24 03:33:55 [INFO] generate received request
2020/04/24 03:33:55 [INFO] received CSR
2020/04/24 03:33:55 [INFO] generating key: rsa-2048
2020/04/24 03:33:55 [INFO] encoded CSR
2020/04/24 03:33:55 [INFO] signed certificate with serial number 438107443971268110509803837811802775660837260854

[root@localhost certs]# ll
total 16
-rw-r--r-- 1 root root  989 Apr 24 03:33 ca.csr
-rw-r--r-- 1 root root  326 Apr 24 03:31 ca-csr.json
-rw------- 1 root root 1679 Apr 24 03:33 ca-key.pem #根证书私钥,这个需要保存好
-rw-r--r-- 1 root root 1338 Apr 24 03:33 ca.pem #根证书

生成服务器证书

[root@localhost certs]# vim hi-host-server-csr.json 

{
    "CN": "hi",
    "hosts": [
        "test.hi-host.com"
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "ST": "sichuan",
            "L": "chengdu",
            "O": "hi",
            "OU": "ops"
        }
    ]
}


[root@localhost certs]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=server hi-host-server-csr.json|cfssljson -bare hi-host-server

[root@localhost certs]# ll | grep hi-host
-rw-r--r-- 1 root root 1045 May  1 22:33 hi-host-server.csr
-rw-r--r-- 1 root root  302 May  1 22:02 hi-host-server-csr.json
-rw------- 1 root root 1679 May  1 22:33 hi-host-server-key.pem
-rw-r--r-- 1 root root 1395 May  1 22:33 hi-host-server.pem

配置nginx

[root@localhost certs]# vim /etc/nginx/conf.d/test.hi-host.com.conf 
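# HTTPS front-end for test.hi-host.com: terminates TLS with the cfssl-issued
# server certificate and proxies plain HTTP to a local backend on port 180.
server {
    listen       443 ssl;
    server_name  test.hi-host.com;
    # Large upload limit; lower it if the backend does not need 1000m request bodies.
    client_max_body_size 1000m;

    # Certificate issued by the self-signed CA with the "server" profile; the
    # private key file is created root-only (0600) and should stay that way.
    ssl_certificate      /root/certs/hi-host-server.pem;
    ssl_certificate_key  /root/certs/hi-host-server-key.pem;
    # Pin the protocol list instead of relying on the build's default, which on
    # older nginx/OpenSSL still includes TLSv1 and TLSv1.1 (TLSv1.3 token needs nginx 1.13+).
    ssl_protocols        TLSv1.2 TLSv1.3;

    location / {
        proxy_pass http://127.0.0.1:180;
    }
}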

#重启nginx

解决浏览器访问https不安全问题

以上配置好后,就可以访问域名https://test.hi-host.com ,但是这里访问的时候还是提示不安全,但是能看到有证书,证书无效,这就是自签证书会有这样的问题。所以我们需要将ca.pem证书导入到浏览器中,这里以chrome为例,设置步骤如下:

  • 将ca.pem的后缀名改为ca.crt
  • 设置
  • 搜索https → 管理证书
  • 选择受信任根证书颁发机构
  • 导入ca.crt
  • 重启浏览器
  • 重新访问