署名

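# Variant 1: one self-signed server certificate for Harbor, with no CA.
# Every client has to trust harbor.crt itself; nothing else vouches for it.
mkdir -p /home/ictsc/harbor/cert && cd /home/ictsc/harbor/cert

# Create the server private key.
# NOTE(review): 2048-bit RSA here, while the CA-signed variants on this page
# use 4096 - confirm which size is intended.
openssl genrsa -out harbor.key 2048
# Owner-only access to the private key, also when a harbor.key with wider
# permissions already existed at this path and was merely overwritten.
chmod 600 harbor.key

# Create the CSR (certificate signing request).
# The CN is a placeholder: use the name clients really connect to.
openssl req -new -key harbor.key \
  -subj "/C=JP/ST=Tokyo/L=Chiyoda/O=MyOrg/OU=IT Dept/CN=your.harbor.domain" \
  -out harbor.csr

# Current TLS clients, including Go-based ones such as the Docker daemon,
# match the host name against subjectAltName and no longer fall back to CN.
# A certificate without a SAN is rejected by them, so add one that repeats
# the CN used above.
cat > harbor.ext <<'EOF'
subjectAltName = DNS:your.harbor.domain
EOF

# Generate the self-signed certificate (valid for 365 days).
openssl x509 -req -in harbor.csr -signkey harbor.key \
  -days 365 -extfile harbor.ext -out harbor.crt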
# Variant 2: a private root CA plus a server certificate signed by it.
# yourdomain.com, yourdomain and hostname are placeholders.

# Root CA private key. It is stored unencrypted: whoever can read ca.key can
# issue certificates that every client trusting ca.crt will accept.
# NOTE(review): a later section of this page writes ca.key and ca.crt again in
# the same directory; once that runs, certificates signed here no longer
# verify against the ca.crt left on disk.
openssl genrsa -out ca.key 4096

# Self-signed root certificate, valid for 3650 days.
openssl req -new -x509 -nodes \
  -key ca.key \
  -sha512 -days 3650 \
  -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=MyPersonal Root CA" \
  -out ca.crt

# Server private key.
openssl genrsa -out yourdomain.com.key 4096

# CSR for the server certificate.
openssl req -new -sha512 \
  -key yourdomain.com.key \
  -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=yourdomain.com" \
  -out yourdomain.com.csr

# X.509 v3 extensions for the leaf: not a CA, server authentication only, and
# the SAN list that clients match the host name against.
cat > v3.ext <<'EOF'
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1=yourdomain.com
DNS.2=yourdomain
DNS.3=hostname
EOF

# Sign the CSR with the root CA.
# NOTE(review): the leaf gets the same 3650-day lifetime as the CA; a shorter
# leaf lifetime limits how long a leaked server key stays usable.
openssl x509 -req \
  -in yourdomain.com.csr \
  -CA ca.crt -CAkey ca.key -CAcreateserial \
  -extfile v3.ext \
  -sha512 -days 3650 \
  -out yourdomain.com.crt
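# Variant 3: a private root CA plus a server certificate for a bare IP address.

# 1) Generate the CA private key.
# NOTE(review): this overwrites any ca.key already in the directory, for
# example the one created earlier on this page. Certificates signed by the
# previous key stop verifying against the new ca.crt.
openssl genrsa -out ca.key 4096
# The CA key is stored unencrypted, so keep it owner-only: anyone who can read
# it can issue certificates trusted by every client that trusts ca.crt.
chmod 600 ca.key

# 2) Generate the self-signed CA certificate (valid for 10 years).
openssl req -x509 -new -nodes -sha512 -days 3650 \
  -subj "/C=JP/ST=Tokyo/L=Chiyoda/O=MyOrg/OU=IT Dept/CN=MyRootCA" \
  -key ca.key \
  -out ca.crt

# Leaf extensions: not a CA, server authentication only, and an IP-type SAN.
# Clients connecting by IP address match it against the IP entry, not the CN.
cat > v3.ext <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
IP.1 = 172.16.250.46
EOF

# 1) Generate the server private key.
openssl genrsa -out 172.16.250.46.key 4096
chmod 600 172.16.250.46.key

# 2) Create the CSR (certificate signing request) with the IP in the CN.
openssl req -new -key 172.16.250.46.key \
  -subj "/CN=172.16.250.46" \
  -out 172.16.250.46.csr

# 3) Sign the CSR with the CA to produce the certificate.
openssl x509 -req -in 172.16.250.46.csr \
  -CA ca.crt -CAkey ca.key -CAcreateserial \
  -out 172.16.250.46.crt -days 365 \
  -extfile v3.ext

# 4) Confirm that the new certificate chains to the ca.crt now on disk. This
# catches a CA that was regenerated between signing and deployment.
openssl verify -CAfile ca.crt 172.16.250.46.crt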



# For Docker.
# NOTE(review): the files above were written under /home/ictsc/harbor/cert;
# ~/harbor/cert is the same directory only when run as that user - confirm.
cd ~/harbor/cert

# Write a PEM copy of the server certificate under a .cert name. Docker reads
# *.crt files in a certs.d directory as CA certificates and *.cert files as
# client certificates.
openssl x509 -in 172.16.250.46.crt -inform PEM -out 172.16.250.46.cert

# Per-registry trust directory for the Docker daemon. The lines shown only
# create it and copy nothing into it. For a client to trust the registry,
# ca.crt is the file that matters; the server private key should not need to
# leave the Harbor host for that purpose.
sudo mkdir -p /etc/docker/certs.d/172.16.250.46