参考文档:
https://goharbor.io/docs/2.5.0/install-config/configure-https/
自签名CA机构:
# Create a self-signed root CA: a 4096-bit RSA key (ca.key) and a ten-year
# X.509 certificate (ca.crt) with subject CN=magedu.com, signed with SHA-512.
# ca.key is written without a passphrase (genrsa is given no cipher option),
# and whoever holds it can issue certificates that every client trusting
# ca.crt will accept.
# NOTE(review): restrict it (e.g. chmod 600 ca.key) and keep it off the
# Docker clients; only ca.crt needs to be distributed.
root@ecs-67093:/apps# mkdir /apps/harbor/certs
root@ecs-67093:/apps/harbor/certs# cd /apps/harbor/certs
root@ecs-67093:/apps/harbor/certs# openssl genrsa -out ca.key 4096
root@ecs-67093:/apps/harbor/certs# openssl req -x509 -new -nodes -sha512 -days 3650 \
> -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=magedu.com" \
> -key ca.key \
> -out ca.crt
客户端域名证书申请(此处的“客户端”指向CA申请证书的一方,即Harbor服务端):
# Generate the Harbor server key and a certificate signing request (CSR) for it.
root@ecs-67093:/apps/harbor# touch /root/.rnd # ~/.rnd is OpenSSL's random seed file (not certificate data); per the original note, on Ubuntu openssl warns while creating the CSR if it is missing, which does not affect the result
root@ecs-67093:/apps/harbor/certs# openssl genrsa -out magedu.net.key 4096 # generate Harbor's private key (written unencrypted; NOTE(review): keep it readable only by the account that runs Harbor)
root@ecs-67093:/apps/harbor/certs# openssl req -sha512 -new \
> -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=magedu.net" \
> -key magedu.net.key \
> -out magedu.net.csr # create the CSR from Harbor's private key
准备签发环境:
# Write v3.ext, the X509v3 extension file applied when the CA signs the CSR.
# basicConstraints=CA:FALSE and extendedKeyUsage=serverAuth limit the result
# to a TLS server (leaf) certificate; the entries under [alt_names] are the
# hostnames placed in subjectAltName.
# NOTE(review): the CSR subject uses CN=magedu.net, but DNS.1 is magedu.com
# and magedu.net itself is not listed. Clients that validate the hostname
# against subjectAltName will accept only the three DNS entries below, so
# confirm this list is what is intended.
root@ecs-67093:/apps/harbor/certs# cat > v3.ext <<-EOF # write the extension file via a here-document
> authorityKeyIdentifier=keyid,issuer
> basicConstraints=CA:FALSE
> keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
> extendedKeyUsage = serverAuth
> subjectAltName = @alt_names
>
> [alt_names]
> DNS.1=magedu.com
> DNS.2=harbor.magedu.net
> DNS.3=harbor.magedu.local
> EOF
使用自签名CA签发证书:
# Sign the CSR with the self-signed CA, applying the extensions from v3.ext.
# -CAcreateserial lets openssl create the CA serial-number file if it does
# not exist yet.
# NOTE(review): -days 3650 gives this server certificate a ten-year lifetime;
# a shorter validity with planned renewal limits exposure if magedu.net.key
# is ever disclosed.
root@ecs-67093:/apps/harbor/certs# openssl x509 -req -sha512 -days 3650 \
> -extfile v3.ext \
> -CA ca.crt -CAkey ca.key -CAcreateserial \
> -in magedu.net.csr \
> -out magedu.net.crt # output is the CA-signed server certificate (the original note calls it the "public key"); it contains the public key but no private key material
拷贝证书到客户端(此处的“公钥”指证书文件;私钥 ca.key 和 magedu.net.key 不要拷贝到客户端):
# Create the per-registry directory under /etc/docker/certs.d, where the
# Docker daemon looks for certificates for the registry harbor.magedu.net.
# The directory name must match the registry hostname used by the client.
# -p also creates missing parent directories and does not fail if the
# directory already exists.
mkdir -p /etc/docker/certs.d/harbor.magedu.net