1. Generate a Certificate Authority Certificate
(1) Generate a CA certificate private key:
openssl genrsa -out ca.key 4096
(2) Generate the CA certificate (yourdomain.com can be replaced with an IP address):
openssl req -x509 -new -nodes -sha512 -days 3650 \
-subj "/C=CN/ST=Shanghai/L=Shanghai/O=develop/OU=Personal/CN=yourdomain.com" \
-key ca.key \
-out ca.crt
2. Generate a Server Certificate
(1) Generate a private key:
openssl genrsa -out yourdomain.com.key 4096
(2) Generate a certificate signing request (CSR); yourdomain.com can be replaced with an IP address:
openssl req -sha512 -new \
-subj "/C=CN/ST=Shanghai/L=Shanghai/O=develop/OU=Personal/CN=yourdomain.com" \
-key yourdomain.com.key \
-out yourdomain.com.csr
(3) Generate an x509 v3 extension file. Regardless of whether you're using an FQDN or an IP address to connect to your Harbor host, you must create this file so that you can generate a certificate for your Harbor host that complies with the Subject Alternative Name (SAN) and x509 v3 extension requirements. Replace the DNS entries to reflect your domain:
cat > v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1=yourdomain.com
DNS.2=yourdomain
DNS.3=hostname
EOF
(4) Use the v3.ext file to generate a certificate for your Harbor host:
openssl x509 -req -sha512 -days 3650 \
-extfile v3.ext \
-CA ca.crt -CAkey ca.key -CAcreateserial \
-in yourdomain.com.csr \
-out yourdomain.com.crt
A simplified form that may be wrong (it omits -extfile v3.ext, so the certificate is issued without the SAN and the other v3 extensions):
openssl x509 -req -sha512 -days 3650 \
-CA ca.crt -CAkey ca.key -CAcreateserial \
-in server.csr \
-out server.crt
3. Provide the Certificates to Harbor and Docker
(1) Copy the server certificate and key into the certificates folder on your Harbor host:
cp yourdomain.com.crt /data/cert/
cp yourdomain.com.key /data/cert/
(2) Convert yourdomain.com.crt to yourdomain.com.cert for use by Docker (the Docker daemon interprets .crt files as CA certificates and .cert files as client certificates):
openssl x509 -inform PEM -in yourdomain.com.crt -out yourdomain.com.cert
(3) Copy the server certificate, key and CA files into the Docker certificates folder on the Harbor host. You must create the appropriate folders first:
cp yourdomain.com.cert /etc/docker/certs.d/yourdomain.com/
cp yourdomain.com.key /etc/docker/certs.d/yourdomain.com/
cp ca.crt /etc/docker/certs.d/yourdomain.com/
Note:
If you mapped the default nginx port 443 to a different port, create the folder /etc/docker/certs.d/yourdomain.com:port, or /etc/docker/certs.d/harbor_IP:port
(4) Restart Docker Engine
systemctl restart docker
Note: The following example illustrates a configuration that uses custom certificates:
/etc/docker/certs.d/
└── yourdomain.com:port
    ├── yourdomain.com.cert <-- Server certificate signed by CA
    ├── yourdomain.com.key <-- Server private key
    └── ca.crt <-- Certificate authority that signed the registry certificate
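Steps (1) to (4) of this section are easy to get subtly wrong: the folder name must include the port when it is not 443, the server certificate must be renamed to .cert, and a key that does not belong to the certificate is only discovered when Docker or nginx fails. The script below is an added example (not part of the Harbor docs or the original notes) that performs the staging with those checks built in. DOCKER_CERTS_ROOT is an assumption so the script can be tried in a scratch directory (the real location is /etc/docker/certs.d), the chmod 600 on the key is this example's own hardening, and the demo input is a constructed self-signed certificate standing in for the CA-signed one.

```shell
#!/bin/sh
# Added example, not part of the Harbor docs: stage the server certificate, key
# and CA certificate into Docker's certs.d tree for a registry reached as
# HOST[:PORT], doing the .crt -> .cert conversion and a key/certificate match
# check first. DOCKER_CERTS_ROOT is an assumption that lets the script be tried
# in a scratch directory; the real location is /etc/docker/certs.d.
set -eu

DOCKER_CERTS_ROOT="${DOCKER_CERTS_ROOT:-/etc/docker/certs.d}"

# Docker looks for certificates under certs.d/<registry as written in the image
# reference>. With the default port 443 the reference carries no port, so the
# folder is just the host name; any other port must be part of the folder name,
# exactly as the note above says.
certs_dir_for() {
    host="$1"; port="${2:-443}"
    if [ "$port" = 443 ]; then
        echo "$DOCKER_CERTS_ROOT/$host"
    else
        echo "$DOCKER_CERTS_ROOT/$host:$port"
    fi
}

# Succeed only if the private key's public half equals the certificate's public
# key, catching a copy of the wrong key before Docker is restarted.
key_matches_cert() {
    c=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    k=$(openssl pkey -in "$2" -pubout | openssl sha256)
    [ "$c" = "$k" ]
}

# Arguments: host port server.crt server.key ca.crt. Prints the folder it populated.
install_registry_certs() {
    host="$1"; port="$2"; crt="$3"; key="$4"; ca="$5"
    if ! key_matches_cert "$crt" "$key"; then
        echo "error: $key does not match $crt" >&2
        return 1
    fi
    dir=$(certs_dir_for "$host" "$port")
    mkdir -p "$dir"
    # Docker reads .crt files as CA certificates and .cert files as client
    # certificates, so the server certificate is written with the .cert suffix.
    openssl x509 -inform PEM -in "$crt" -out "$dir/$host.cert"
    cp "$key" "$dir/$host.key"
    chmod 600 "$dir/$host.key"   # the private key should not be world-readable
    cp "$ca" "$dir/ca.crt"
    echo "$dir"
}

# Demo on constructed input: a self-signed certificate stands in for the CA-signed
# one, and the tree is built under a temporary directory instead of /etc/docker.
demo() {
    tmp=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=yourdomain.com" \
        -keyout "$tmp/yourdomain.com.key" -out "$tmp/yourdomain.com.crt" 2>/dev/null
    DOCKER_CERTS_ROOT="$tmp/certs.d"
    dir=$(install_registry_certs yourdomain.com 8443 \
        "$tmp/yourdomain.com.crt" "$tmp/yourdomain.com.key" "$tmp/yourdomain.com.crt")
    find "$dir" -type f | sort
}

if command -v openssl >/dev/null 2>&1; then
    demo
fi
```

On a real Harbor host you would run it as root with DOCKER_CERTS_ROOT left at its default, pass the CA-signed yourdomain.com.crt, yourdomain.com.key and ca.crt from the steps above, and only then run systemctl restart docker. The resulting tree matches the layout shown in the note above.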