Using cfssl with nginx: a short note
Just a simple integration note, kept for later reference.
What cfssl does
Certificate generation and management through both a CLI and a REST API.
Reference usage
- Generate the root CA
Signing configuration (ca-config.json):
    {
        "signing": {
            "default": {
                "expiry": "876000h"
            },
            "profiles": {
                "server": {
                    "expiry": "876000h",
                    "usages": [
                        "signing",
                        "key encipherment",
                        "server auth"
                    ]
                },
                "client": {
                    "expiry": "876000h",
                    "usages": [
                        "signing",
                        "key encipherment",
                        "client auth"
                    ]
                }
            }
        }
    }
The CA is initialized from a CA certificate request file:
    ./cfssl gencert -initca ca-csr.json | ./cfssljson -bare ca
Contents of ca-csr.json:
    {
        "CN": "dalongrong.net",
        "CA": {
            "expiry": "876000h",
            "pathlen": 0
        },
        "key": {
            "algo": "rsa",
            "size": 4096
        },
        "names": [
            {
                "C": "US",
                "ST": "CA",
                "L": "San Francisco"
            }
        ],
        "expiry": "876000h"
    }
- Generate the server certificate
    ./cfssl gencert -ca ca.pem -ca-key ca-key.pem -config ca-config.json -profile server server-csr.json | ./cfssljson -bare server
Contents of server-csr.json:
    {
        "CN": "me.dalongrong.net",
        "hosts": [
            "me.dalongrong.net"
        ],
        "key": {
            "algo": "rsa",
            "size": 2048
        },
        "names": [
            {
                "C": "US",
                "ST": "CA",
                "L": "San Francisco"
            }
        ]
    }
- Configure the certificate in nginx
    server {
        listen 443 ssl;
        listen [::]:443 ssl;
        server_name me.dalongrong.net;
        # server.pem / server-key.pem are the files written by cfssljson -bare server
        ssl_certificate /opt/cert/server.pem;
        ssl_certificate_key /opt/cert/server-key.pem;
        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout 10m;
        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;
        location / {
            root /usr/share/nginx/html;
            index index.html index.htm;
        }
        # error pages are served from the default document root
        error_page 404 /404.html;
        location = /404.html {
        }
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
        }
    }
Root CA setup inside the container
    FROM nginx:alpine
    # install the cfssl root CA into the image's trust store
    COPY ca.pem /usr/local/share/ca-certificates/ca.crt
    RUN /usr/sbin/update-ca-certificates
- Access from a web browser
Run your own DNS for the name and add the root CA to the operating system's trusted root store; the site with the self-signed TLS certificate is then trusted by the browser.
Notes
The above is a minimal walkthrough. Certificates can be inspected with openssl, for example to view the CA certificate's details:
    openssl x509 -noout -text -in ca.pem
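The openssl command above inspects the output; as an added example (not part of the original note or of cfssl), the following Python check validates the inputs before signing: it parses the Go-style expiry string cfssl profiles use and flags a server profile without "server auth", a request without "hosts" (so no SAN), a weak key, and a leaf validity longer than 825 days (the limit Apple platforms enforce for TLS server certificates). The embedded config and CSR are the ones from this note; MAX_LEAF_DAYS and the finding wording are my own.

```python
import json
import re

# Constructed sample inputs: the ca-config.json and server-csr.json shown in this note.
CA_CONFIG = json.loads('''{"signing": {"default": {"expiry": "876000h"}, "profiles": {
  "server": {"expiry": "876000h", "usages": ["signing", "key encipherment", "server auth"]},
  "client": {"expiry": "876000h", "usages": ["signing", "key encipherment", "client auth"]}}}}''')
SERVER_CSR = json.loads('''{"CN": "me.dalongrong.net", "hosts": ["me.dalongrong.net"],
  "key": {"algo": "rsa", "size": 2048},
  "names": [{"C": "US", "ST": "CA", "L": "San Francisco"}]}''')

# cfssl parses "expiry" with Go's time.ParseDuration ("876000h", "8760h30m", ...).
_DURATION_TOKEN = re.compile(r"(\d+(?:\.\d+)?)(ms|us|ns|h|m|s)")
_HOURS = {"h": 1.0, "m": 1 / 60, "s": 1 / 3600, "ms": 1 / 3.6e6, "us": 1 / 3.6e9, "ns": 1 / 3.6e12}
MAX_LEAF_DAYS = 825  # assumption for this check: Apple platforms reject longer TLS server certs

def duration_days(expiry):
    """Convert a Go duration string to days; reject anything cfssl would not accept."""
    tokens = _DURATION_TOKEN.findall(expiry)
    if not tokens or "".join(n + u for n, u in tokens) != expiry:
        raise ValueError(f"bad duration: {expiry!r}")
    return sum(float(n) * _HOURS[u] for n, u in tokens) / 24

def lint_request(config, profile, csr):
    """Return findings for issuing `csr` under `profile` of a cfssl signing config."""
    findings = []
    profiles = config.get("signing", {}).get("profiles", {})
    if profile not in profiles:
        return [f"ERROR unknown profile {profile!r}; cfssl would fall back to 'default'"]
    p = profiles[profile]
    if profile == "server" and "server auth" not in set(p.get("usages", [])):
        findings.append("ERROR profile lacks 'server auth': TLS clients will reject the cert")
    expiry = p.get("expiry") or config["signing"]["default"].get("expiry", "8760h")
    days = duration_days(expiry)
    if days > MAX_LEAF_DAYS:
        findings.append(f"WARN expiry {expiry} = {days:.0f} days exceeds {MAX_LEAF_DAYS}-day leaf limit")
    if not csr.get("hosts"):
        findings.append("ERROR no 'hosts': cert gets no SAN and browsers ignore the CN")
    elif csr.get("CN") and csr["CN"] not in csr["hosts"]:
        findings.append("WARN CN is not listed in hosts; browsers match SAN entries only")
    key = csr.get("key", {})
    if key.get("algo") == "rsa" and key.get("size", 0) < 2048:
        findings.append(f"ERROR rsa key size {key.get('size')} < 2048")
    if key.get("algo") == "ecdsa" and key.get("size") not in (256, 384, 521):
        findings.append(f"ERROR unsupported ecdsa curve size {key.get('size')}")
    return findings

if __name__ == "__main__":
    for line in lint_request(CA_CONFIG, "server", SERVER_CSR):
        print(line)
```

Run against the note's own files it reports only the 100-year leaf validity, which is the one setting worth reconsidering before browsers are pointed at the site.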