Generating the HTTPS certificates used by Nginx

References and common problems

References:

http://segmentfault.com/a/1190000000801162

http://www.111cn.net/sys/linux/61591.htm

Problem encountered: http://www.07net01.com/linux/rhel6_3xiashiyongopenssllaishengchengCAzhengshubingbanfazhengshushilijie_61308_1359455017.html

Create the basic (CA) certificate

[root@VM_CentOS ~]# cd /etc/pki/CA/

[root@VM_CentOS CA]# echo "00" > /etc/pki/CA/serial

[root@VM_CentOS CA]# openssl genrsa -out private/cakey.pem 2048

Generating RSA private key, 2048 bit long modulus
.......+++
............+++
e is 65537 (0x10001)

[root@VM_CentOS CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:OnO
Organizational Unit Name (eg, section) []:OnO
Common Name (eg, your name or your server's hostname) []:
Email Address []:ono.lol

Generate the HTTPS certificate used by the docker registry

[root@VM_CentOS CA]# cd /etc/ssl/certs/

[root@VM_CentOS certs]# openssl genrsa -out docker-registry.key 2048

Generating RSA private key, 2048 bit long modulus
.........+++
..........................................+++
e is 65537 (0x10001)

[root@VM_CentOS certs]# openssl req -new -key docker-registry.key -out docker-registry.csr

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:OnO
Organizational Unit Name (eg, section) []:OnO
Common Name (eg, your name or your server's hostname) []:xxx.com
Email Address []:ono.lol

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:xxx
An optional company name []:xxx

[root@VM_CentOS certs]# openssl ca -in docker-registry.csr -out docker-registry.crt

Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 0 (0x0)
        Validity
            Not Before: Feb  9 17:33:00 2016 GMT
            Not After : Feb  8 17:33:00 2017 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = Beijing
            organizationName          = ono
            organizationalUnitName    = ono
            commonName                = docker.xxx.com
            emailAddress              = ono.lol
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                E7:B1:F9:76:BA:46:E4:A8:27:81:C4:45:EF:DF:83:6C:C4:59:CD:C9
            X509v3 Authority Key Identifier:
                keyid:95:52:8C:02:96:5B:3A:93:D9:13:69:FB:6D:BF:51:EA:B6:22:B3:FC

Certificate is to be certified until Feb  8 17:33:00 2017 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Generate the HTTPS certificate used by the docker registry UI

[root@VM_CentOS certs]# openssl genrsa -out docker-repo.key 2048

Generating RSA private key, 2048 bit long modulus
............................................................+++
...............................+++
e is 65537 (0x10001)

[root@VM_CentOS certs]# openssl req -new -key docker-repo.key -out docker-repo.csr

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:OnO
Organizational Unit Name (eg, section) []:OnO
Common Name (eg, your name or your server's hostname) []:repo.docker.xxx.com
Email Address []:ono.lol

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:xxx
An optional company name []:xxx

[root@VM_CentOS certs]# openssl ca -in docker-repo.csr -out docker-repo.crt

Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Feb  9 17:33:56 2016 GMT
            Not After : Feb  8 17:33:56 2017 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = Beijing
            organizationName          = xxx
            organizationalUnitName    = xxx
            commonName                = repo.docker.xxx.com
            emailAddress              = ono.lol
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                74:99:BF:FA:7D:B3:8B:F3:4B:BA:B9:CC:AA:CE:D8:1E:7F:05:03:CB
            X509v3 Authority Key Identifier:
                keyid:95:52:8C:02:96:5B:3A:93:D9:13:69:FB:6D:BF:51:EA:B6:22:B3:FC

Certificate is to be certified until Feb  8 17:33:56 2017 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

[root@VM_CentOS certs]# ll

-rw-r--r-- 1 root root 4572 Feb 10 01:33 docker-registry.crt
-rw-r--r-- 1 root root 1127 Feb 10 01:24 docker-registry.csr
-rw-r--r-- 1 root root 1679 Feb 10 01:22 docker-registry.key
-rw-r--r-- 1 root root 4585 Feb 10 01:34 docker-repo.crt
-rw-r--r-- 1 root root 1131 Feb 10 01:26 docker-repo.csr
-rw-r--r-- 1 root root 1675 Feb 10 01:24 docker-repo.key
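The same CA-and-sign procedure run non-interactively in a scratch directory, followed by the checks worth running before the files are handed to Nginx. This is an added example, not part of the original post: the file names, the example hostname and the use of openssl x509 -req (instead of openssl ca and its /etc/pki/CA database) are assumptions.

```shell
#!/bin/sh
# Added example (not the page's own commands): reproduce the page's CA + server
# certificate steps with -subj instead of interactive prompts, then verify the result.
# Assumed names: ca.key/ca.crt, server.key/server.csr/server.crt, constructed hostname.
set -e

WORK=$(mktemp -d)
HOST=repo.docker.example.com   # constructed hostname, stands in for the page's xxx.com

# 1. Private CA (page: genrsa + "req -new -x509"). -days is given explicitly because
#    "openssl req -x509" without it issues a certificate valid for only 30 days.
openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
openssl req -new -x509 -key "$WORK/ca.key" -out "$WORK/ca.crt" -days 3650 \
    -subj "/C=CN/ST=Beijing/L=Beijing/O=OnO/OU=OnO/CN=OnO Test CA" 2>/dev/null

# 2. Server key + CSR (page: docker-registry.key / docker-registry.csr).
openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null
openssl req -new -key "$WORK/server.key" -out "$WORK/server.csr" \
    -subj "/C=CN/ST=Beijing/L=Beijing/O=OnO/OU=OnO/CN=$HOST" 2>/dev/null

# 3. Sign with the CA. The extfile adds a subjectAltName, which the page's certificates
#    lack: current browsers and Docker clients match the hostname against the SAN,
#    not the commonName, so a certificate without it fails hostname verification.
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$HOST" > "$WORK/ext.cnf"
openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -out "$WORK/server.crt" -days 365 -extfile "$WORK/ext.cnf" 2>/dev/null

# Checks: the certificate chains to the CA, the private key belongs to it,
# the SAN carries the hostname, and the leaf is not itself a CA.
check_chain() { openssl verify -CAfile "$WORK/ca.crt" "$WORK/server.crt" >/dev/null 2>&1; }
check_key_match() {
    [ "$(openssl x509 -noout -modulus -in "$WORK/server.crt")" = \
      "$(openssl rsa -noout -modulus -in "$WORK/server.key" 2>/dev/null)" ]
}
check_san() { openssl x509 -noout -text -in "$WORK/server.crt" | grep -q "DNS:$HOST"; }
check_not_ca() { openssl x509 -noout -text -in "$WORK/server.crt" | grep -q 'CA:FALSE'; }

if check_chain && check_key_match && check_san && check_not_ca; then
    echo "all checks passed; files left in $WORK"
fi
```

The generated files are left in the mktemp directory so they can be inspected with openssl x509 -text afterwards.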