I. Create the certificate directories
mkdir /etc/pki/cloudos
cd /etc/pki/cloudos
mkdir ca server client
ca/ will hold the CA private key and server/ and client/ their private keys, so keep all three directories and the files written into them readable by root only (run the commands below under umask 077, or chmod 700 the directories and 600 the key files afterwards).
II. Create the CA root certificate:
1. Generate the root private key:
openssl genrsa -aes256 -out /etc/pki/cloudos/ca/ca.key 4096 -passout pass:cloudOS@123
The original command had no cipher option, so -passout was silently ignored and ca.key was written in clear text; genrsa only encrypts the key when a cipher such as -aes256 is given. 1024-bit RSA is below current minimums (2048 is the floor, 4096 is usual for a root that lives ten years). Do not reuse the same string as the PKCS#12 import password below; the CA passphrase should be known only to whoever issues certificates.
2. Generate the root certificate:
openssl req -x509 -new -key /etc/pki/cloudos/ca/ca.key -passin pass:cloudOS@123 -out /etc/pki/cloudos/ca/ca.crt -days 3650 -subj "/C=CN/ST=Beijing/L=Beijing/O=cloud/OU=cloud/CN=cloud Root CA"
req -x509 reads an existing key, so the passphrase option is -passin, not -passout. Give the CA its own CN instead of {cloud-vip}: a leaf certificate whose subject DN equals its issuer DN counts as self-issued under X.509 path-building rules, which is a needless source of confusion when debugging chains, and the CN is what users see when they inspect the trust anchor.
III. Create the server certificate:
1. Generate the server private key:
openssl genrsa -out /etc/pki/cloudos/server/server.key 2048
HAProxy loads this key from the PEM bundle at start-up and cannot prompt for a passphrase, so it is stored unencrypted and protected by file permissions only (the -passout in the original command had no effect anyway, because genrsa encrypts only when a cipher option such as -aes256 is present).
2. Generate the server certificate signing request:
openssl req -new -key /etc/pki/cloudos/server/server.key -out /etc/pki/cloudos/server/server.csr -subj "/C=CN/ST=Beijing/L=Beijing/O=cloud/OU=cloud/CN={cloud-vip}"
Caveat: browsers no longer match the host against the CN. The server certificate needs a subjectAltName for {cloud-vip} (IP: if the VIP is an address, DNS: if it is a name). By default openssl x509 -req does not copy extensions from the CSR, so add them at signing time with -extfile.
3. Sign the request with the CA to produce the server certificate:
openssl x509 -req -in /etc/pki/cloudos/server/server.csr -CA /etc/pki/cloudos/ca/ca.crt -CAkey /etc/pki/cloudos/ca/ca.key -passin pass:cloudOS@123 -CAcreateserial -days 3650 -out /etc/pki/cloudos/server/server.crt
-passin unlocks the encrypted CA key; -CAcreateserial creates ca.srl next to ca.crt on the first run and increments it afterwards, so keep that file.
4. Build the PEM bundle HAProxy uses:
cat /etc/pki/cloudos/server/server.crt /etc/pki/cloudos/server/server.key > /etc/pki/cloudos/server/server-allinone.pem
chmod 600 /etc/pki/cloudos/server/server-allinone.pem
The original piped the concatenation through tee, which also prints the private key to the terminal and its scrollback; a plain redirect avoids that. The bundle contains the private key, hence mode 0600.
IV. Create the client private key and certificate:
1. Generate the client private key:
openssl genrsa -out /etc/pki/cloudos/client/client.key 2048
2. Generate the client certificate signing request:
openssl req -new -key /etc/pki/cloudos/client/client.key -out /etc/pki/cloudos/client/client.csr -subj "/C=CN/ST=Beijing/L=Beijing/O=cloud/OU=cloud/CN=cloud-client-01"
Give every client certificate its own CN (a user or device name) rather than reusing {cloud-vip}: openssl ca refuses a second certificate whose subject is already in its database (see Troubleshooting), and a per-client subject is what you later log on the HAProxy side and revoke by.
3. Sign the request with the CA to produce the client certificate:
openssl ca -batch -in /etc/pki/cloudos/client/client.csr -cert /etc/pki/cloudos/ca/ca.crt -keyfile /etc/pki/cloudos/ca/ca.key -passin pass:cloudOS@123 -days 3650 -out /etc/pki/cloudos/client/client.crt
-batch replaces the echo -e "y\ny" pipe. openssl ca reads the [ CA_default ] section of the system openssl.cnf, so the database it expects (/etc/pki/CA/index.txt, /etc/pki/CA/serial, /etc/pki/CA/newcerts/) must exist before the first run, and the default policy_match requires C, ST and O in the request to equal the CA certificate's, which the -subj above satisfies.
4. Package the client certificate and private key:
openssl pkcs12 -export -in /etc/pki/cloudos/client/client.crt -inkey /etc/pki/cloudos/client/client.key -certfile /etc/pki/cloudos/ca/ca.crt -out /etc/pki/cloudos/client/client.p12 -passout pass:cloudOS@123 -name cloud_client
-certfile puts the CA certificate into the bundle so the browser receives the whole chain in one import; -passin is not needed because client.key is unencrypted. The -passout value is what the user types at import time (section VI), so hand it over separately from the .p12 file.
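Sections I to IV as one runnable script, with the checks worth running before HAProxy is pointed at the files. This is an added example, not a command sequence from the original page: it writes into a scratch directory instead of /etc/pki/cloudos, uses 10.0.0.10 as a stand-in for {cloud-vip}, placeholder passphrases and 2048/4096-bit keys, and signs both leaves with openssl x509 -req plus an -extfile so the server certificate carries a subjectAltName and serverAuth EKU and the client certificate clientAuth only. The CA key is encrypted, the server key is not (HAProxy cannot prompt), and the bundle ends up mode 0600.

```shell
#!/bin/sh
# Added example: sections I-IV in one script, in a scratch directory so it
# runs unprivileged. 10.0.0.10 stands in for {cloud-vip}; passphrases and
# key sizes are placeholders chosen here, not values from the page.
set -eu
umask 077                          # every file created below is 0600/0700

CA_PASS="ca-passphrase-change-me"  # protects ca.key at rest (placeholder)
P12_PASS="cloudOS@123"             # what the user types when importing client.p12
VIP="10.0.0.10"                    # placeholder for {cloud-vip}
DN="/C=CN/ST=Beijing/L=Beijing/O=cloud/OU=cloud"

build_mtls_pki() {
  dir="$1"
  mkdir -p "$dir/ca" "$dir/server" "$dir/client"

  # Minimal req config: the DN comes from -subj, v3_ca marks the root as a CA.
  cat >"$dir/req.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

  # II. Root CA. -aes256 is what makes -passout take effect; the CN is
  #     distinct from every leaf subject.
  openssl genrsa -aes256 -passout "pass:$CA_PASS" -out "$dir/ca/ca.key" 4096
  openssl req -x509 -new -config "$dir/req.cnf" -extensions v3_ca \
    -key "$dir/ca/ca.key" -passin "pass:$CA_PASS" -days 3650 -sha256 \
    -subj "$DN/CN=cloud Root CA" -out "$dir/ca/ca.crt"

  # III. Server. Unencrypted key (HAProxy cannot prompt); the SAN is what
  #      browsers match against, the EKU pins the certificate to server use.
  openssl genrsa -out "$dir/server/server.key" 2048
  openssl req -new -config "$dir/req.cnf" -key "$dir/server/server.key" \
    -subj "$DN/CN=$VIP" -out "$dir/server/server.csr"
  cat >"$dir/server/server.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = IP:$VIP
authorityKeyIdentifier = keyid
EOF
  openssl x509 -req -in "$dir/server/server.csr" -CA "$dir/ca/ca.crt" \
    -CAkey "$dir/ca/ca.key" -passin "pass:$CA_PASS" -CAcreateserial \
    -days 825 -sha256 -extfile "$dir/server/server.ext" -out "$dir/server/server.crt"
  # HAProxy bundle: certificate then private key, never world-readable.
  cat "$dir/server/server.crt" "$dir/server/server.key" >"$dir/server/server-allinone.pem"
  chmod 600 "$dir/server/server-allinone.pem"

  # IV. Client. Own CN per client; clientAuth-only EKU so a client certificate
  #     can never be presented as a server; the PKCS#12 carries the CA cert too.
  openssl genrsa -out "$dir/client/client.key" 2048
  openssl req -new -config "$dir/req.cnf" -key "$dir/client/client.key" \
    -subj "$DN/CN=cloud-client-01" -out "$dir/client/client.csr"
  cat >"$dir/client/client.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
authorityKeyIdentifier = keyid
EOF
  openssl x509 -req -in "$dir/client/client.csr" -CA "$dir/ca/ca.crt" \
    -CAkey "$dir/ca/ca.key" -passin "pass:$CA_PASS" -CAcreateserial \
    -days 825 -sha256 -extfile "$dir/client/client.ext" -out "$dir/client/client.crt"
  openssl pkcs12 -export -in "$dir/client/client.crt" -inkey "$dir/client/client.key" \
    -certfile "$dir/ca/ca.crt" -name cloud_client -passout "pass:$P12_PASS" \
    -out "$dir/client/client.p12"
}

# Checks to run before pointing HAProxy at the files. Returns 0 only if each
# leaf chains to the CA for its own purpose, the client certificate is NOT
# usable as a server certificate, and the PKCS#12 opens with the password.
verify_mtls_pki() {
  dir="$1"
  openssl verify -CAfile "$dir/ca/ca.crt" -purpose sslserver "$dir/server/server.crt" || return 1
  openssl verify -CAfile "$dir/ca/ca.crt" -purpose sslclient "$dir/client/client.crt" || return 1
  if openssl verify -CAfile "$dir/ca/ca.crt" -purpose sslserver "$dir/client/client.crt" 2>/dev/null; then
    echo "client certificate verifies as a server certificate: EKU missing" >&2
    return 1
  fi
  openssl pkcs12 -in "$dir/client/client.p12" -passin "pass:$P12_PASS" -noout || return 1
}

out=$(mktemp -d)
build_mtls_pki "$out"
verify_mtls_pki "$out"
echo "mTLS material written to $out"
```

The negative check in verify_mtls_pki is the one people skip: with the page's original commands neither leaf has an extendedKeyUsage, so a client.p12 handed to a user could be loaded into a TLS server that impersonates {cloud-vip} to anyone who trusts ca.crt. Leaf lifetime is 825 days here rather than the page's 3650; a client certificate valid for ten years cannot be retired without a CRL.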
V. Configure HAProxy
listen nova_novncproxy
bind {cloud-vip}:6080 ssl crt /etc/pki/cloudos/server/server-allinone.pem ca-file /etc/pki/cloudos/ca/ca.crt verify required
frontend server_console
bind {cloud-vip}:443 ssl crt /etc/pki/cloudos/server/server-allinone.pem ca-file /etc/pki/cloudos/ca/ca.crt verify required
verify required makes HAProxy abort any handshake that does not present a client certificate chaining to ca-file, which is what turns the client.p12 above into an access control; verify optional would let connections without a certificate through and leave the decision to ACLs. A revoked client is only rejected if crl-file on the same bind line points at a CRL issued by this CA. Test each bind from the command line with openssl s_client: with the client certificate and key given through -cert and -key and ca.crt through -CAfile the handshake completes, and without them HAProxy must close the connection.
VI. Install the client certificate on the workstation
Certificate: /etc/pki/cloudos/client/client.p12
Password: cloudOS@123
Troubleshooting:
Error:
openssl TXT_DB error number 2 failed to update database
Cause: openssl ca keeps a database of every certificate it has issued in /etc/pki/CA/index.txt and, with the default unique_subject = yes, refuses to issue a second valid certificate whose subject DN is already recorded there. Reusing CN={cloud-vip} for every client request triggers this. Any one of the following clears it:
- Delete /etc/pki/CA/index.txt and touch a new, empty one. This wipes the CA's record of everything it has issued, so those certificates can no longer be revoked; acceptable only for a throwaway CA.
- Use a different common name (CN) for each request. This is the correct fix: give every client its own subject.
- In index.txt.attr, change
unique_subject = yes
to
unique_subject = no
This lets several valid certificates with the same subject coexist in the database. Note that once index.txt.attr exists its value overrides the unique_subject setting in openssl.cnf.
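The database check behind this error, reproduced and cleared in a scratch CA. This is an added example, not from the page: it builds its own openssl ca configuration (dir, index.txt, serial, newcerts/) under a temporary directory rather than touching /etc/pki/CA, uses placeholder subjects, and shows that a second request with the same CN is refused while either a different CN or the unique_subject = no switch in index.txt.attr lets the issuance through. Depending on the OpenSSL version the refusal is reported as the TXT_DB error quoted above or as "There is already a certificate for"; the exit status is non-zero either way, which is what the script checks.

```shell
#!/bin/sh
# Added example: reproduces the openssl ca duplicate-subject refusal and the
# unique_subject fix in a scratch CA with its own config, so /etc/pki/CA is
# untouched. Subjects and paths are placeholders.
set -eu
umask 077

# Lay out the database openssl ca expects: index.txt, serial, newcerts/.
# unique_subject is left at its default (yes); after the first issuance
# openssl ca caches the value in index.txt.attr, which then takes precedence.
setup_ca() {
  dir="$1"
  mkdir -p "$dir/newcerts"
  : >"$dir/index.txt"
  echo 01 >"$dir/serial"
  cat >"$dir/ca.cnf" <<EOF
[ ca ]
default_ca = cloud_ca
[ cloud_ca ]
dir = $dir
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
certificate = $dir/ca.crt
private_key = $dir/ca.key
default_md = sha256
default_days = 3650
policy = policy_any
x509_extensions = leaf
[ policy_any ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
[ leaf ]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl genrsa -out "$dir/ca.key" 2048
  openssl req -x509 -new -config "$dir/ca.cnf" -extensions v3_ca -key "$dir/ca.key" \
    -days 3650 -sha256 -subj "/C=CN/O=cloud/CN=cloud Root CA" -out "$dir/ca.crt"
}

# Request and sign a client certificate with the given CN. The function's
# status is openssl ca's status, so a refused subject shows up as non-zero.
issue_client() {
  dir="$1"; cn="$2"; out="$3"
  openssl genrsa -out "$out.key" 2048
  openssl req -new -config "$dir/ca.cnf" -key "$out.key" \
    -subj "/C=CN/O=cloud/CN=$cn" -out "$out.csr"
  openssl ca -config "$dir/ca.cnf" -batch -notext -in "$out.csr" -out "$out.crt"
}

# Third remedy from the page: flip the cached attribute. The file exists after
# the first issuance; rewriting it is equivalent to editing yes -> no.
allow_duplicate_subjects() {
  echo "unique_subject = no" >"$1/index.txt.attr"
}

# Number of certificates recorded in the database (one line per certificate).
issued_count() {
  wc -l <"$1/index.txt" | tr -d ' '
}

ca=$(mktemp -d)
setup_ca "$ca"
issue_client "$ca" cloud-client "$ca/c1"            # first request: issued
if issue_client "$ca" cloud-client "$ca/c2"; then   # same CN again: refused
  echo "unexpected: duplicate subject accepted" >&2
  exit 1
fi
issue_client "$ca" cloud-client-02 "$ca/c3"         # different CN: issued
allow_duplicate_subjects "$ca"
issue_client "$ca" cloud-client "$ca/c4"            # duplicate now accepted
echo "issued $(issued_count "$ca") certificates under $ca"
```

Because the refused request never reaches the database, issued_count stays unchanged after the failure; after the attribute flip the same CN is recorded a second time. Prefer the different-CN remedy in production: with unique_subject = no the database no longer tells you which of several same-named certificates a client is using.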