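Notes:
Any IP address in this document can be replaced with a domain name.
Operating system: CentOS
I. Record of creating certificates with OpenSSL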
1. Create ROOT CA certificate:
openssl req \
-newkey rsa:4096 -nodes -sha256 -keyout certs/ROOT.key \
-x509 -days 3650 -out certs/ROOT.crt
2. Generate CA Certificate Signing Request:
If you use an FQDN such as reg.yourdomain.com to connect to your registry host, you must use reg.yourdomain.com as the CN (Common Name). Otherwise, if you use an IP address to connect to your registry host, the CN can be anything, such as your name:
openssl req \
-newkey rsa:4096 -nodes -sha256 -keyout certs/CA.key \
-out certs/CA.csr
3. Generate the CA Certificate:
openssl ca -extensions v3_ca -in certs/CA.csr \
-config /etc/pki/tls/openssl.cnf -days 3650 -out certs/CA.crt \
-cert certs/ROOT.crt -keyfile certs/ROOT.key
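Added example (not part of the original notes): steps 1 to 3 run non-interactively in a scratch directory, followed by a check that CA.crt chains to ROOT.crt and is marked CA:TRUE. The subject names, the minimal config standing in for /etc/pki/tls/openssl.cnf, and the function names build_chain and check_ca_cert are assumptions made for this example.

```shell
#!/bin/sh
# Added example. Subject names, scratch directory and minimal config are
# constructed; 2048-bit keys only keep the run short (the notes use rsa:4096).
build_chain() {   # $1 = empty working directory
    w=$1
    mkdir -p "$w/certs" "$w/newcerts" || return 1
    : > "$w/index.txt"            # database that "openssl ca" appends to
    echo 1000 > "$w/serial"       # next serial number, in hex
    cat > "$w/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
database = $w/index.txt
serial = $w/serial
new_certs_dir = $w/newcerts
default_md = sha256
policy = policy_any
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = dn
[ dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical,CA:true
keyUsage = critical,keyCertSign,cRLSign
EOF
    # Step 1: self-signed root certificate
    openssl req -config "$w/openssl.cnf" -newkey rsa:2048 -nodes -sha256 \
        -keyout "$w/certs/ROOT.key" -x509 -days 3650 -extensions v3_ca \
        -subj "/CN=Example Root CA" -out "$w/certs/ROOT.crt" 2>/dev/null || return 1
    # Step 2: key and CSR for the intermediate CA
    openssl req -config "$w/openssl.cnf" -newkey rsa:2048 -nodes -sha256 \
        -keyout "$w/certs/CA.key" -subj "/CN=Example Intermediate CA" \
        -out "$w/certs/CA.csr" 2>/dev/null || return 1
    # Step 3: the root signs the CSR with the v3_ca extensions
    openssl ca -batch -extensions v3_ca -in "$w/certs/CA.csr" \
        -config "$w/openssl.cnf" -days 3650 -out "$w/certs/CA.crt" \
        -cert "$w/certs/ROOT.crt" -keyfile "$w/certs/ROOT.key" 2>/dev/null
}
check_ca_cert() {   # $1 = trust anchor, $2 = certificate to check
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 &&
    openssl x509 -in "$2" -noout -text | grep -q 'CA:TRUE'
}
work=$(mktemp -d) && build_chain "$work" &&
    check_ca_cert "$work/certs/ROOT.crt" "$work/certs/CA.crt" &&
    echo "CA.crt chains to ROOT.crt and is marked CA:TRUE"
```

The index.txt and serial files are the state that openssl ca expects from whatever config it is given, so the same check_ca_cert call can be pointed at the certs/ROOT.crt and certs/CA.crt produced by the real steps.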
4. Generate a Certificate Signing Request:
If you use an FQDN such as reg.yourdomain.com to connect to your registry host, you must use reg.yourdomain.com as the CN (Common Name). Otherwise, if you use an IP address to connect to your registry host, the CN can be anything, such as your name: