cfssl tool generates Harbor certificate to build warehouse

Harbor official website: Redirecting to

Harbor download address: GitHub - goharbor/harbor: An open source trusted cloud native registry project that stores, signs, and scans content.

The binary package of harbor provides both online and offline versions

Harbor installation method

Offline installation: the resource package is provided with offline. The file contains some image files required for installation. The capacity is relatively large, about 600M. It is suitable for production environment.

Online installation: the resource package is online, and the images and other resources required during installation need to be downloaded from the Internet. All hosts should be connected to the Internet.

It is suitable for building a private image warehouse for learning and research.

Source code installation: if you need to understand the underlying principle and implementation mode of Harbor, you can choose the source code installation mode, which is suitable for building an environment for Harbor development.

Environmental description:

Host IP:

Host configuration: 2CPU, 4G memory

1, Install docker and docker compose

# yum install -y docker-ce-19.03.8-3.el7.x86_64.rpm
# systemctl start docker.service
# systemctl enable  docker.service
# mv  docker-compose-Linux-x86_64  /usr/local/bin/docker-compose
# chmod +x   /usr/local/bin/docker-compose
# docker-compose -v
docker-compose version 1.29.2, build 5becea4c

2, Configure kernel parameters

# cat > /etc/sysctl.conf << EOF
net.ipv4.ip_forward = 1
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
sysctl -p

net.ipv4.ip_forward=1   : Turn on routing forwarding without configuring this parameter. After the host is restarted, the service status is normal, but the server cannot be accessed.

3, Configure Harbor certificate using cfssl tool

        By default, harbor does not come with a certificate. Harbor can be deployed without security so that you can connect to it over HTTP. In a production environment, HTTPS is always used. If you enable Content Trust with Notary to properly sign all images, you must use HTTPS.

      To configure HTTPS, you must create an SSL certificate. You can use a certificate signed by a trusted third-party CA or a self signed certificate. This section describes how to create a CA using cfssl and how to sign server and client certificates using your ca.

        The official use is the openssl tool to generate certificates.

1. Download and install the cfssl tool

         Online installation, offline installation, download the installation package on the official website

# wget  -O   /usr/local/bin/cfssl
# wget -O  /usr/local/bin/cfssljson
# wget  -O  /usr/local/bin/cfssl-certinfo 
# chmod +x  /usr/local/bin/cfssl*                  #Give these tools permission to execute

Cfssl json: convert the json format output obtained from cfssl and multirootca into certificate format files (certificate, key, CSR and bundle) for storage;

Cfssl certinfo: the detailed information of CSR or certificate file can be displayed; Can be used for certificate verification.

2. Generate certification authority certificate

(1) Generate and modify CA default profile

# cfssl print-defaults   config > ca-config.json            # Generate default profile
# vim ca-config.json
    "signing": {
        "default": {
            "expiry": "87600h"
        "profiles": {
            "harbor": {
                "expiry": "87600h",
                "usages": [
                    "key encipherment",
                    "server auth",
                    "client auth"

default.expiry: default certificate validity period (unit: h)

profiles.harbor: the configuration module that issues certificates for services using this configuration file;

Signing: signing, indicating that the certificate can be used to sign other certificates; CA=TRUE in the generated ca.pem certificate;

Key encryption: key encryption;

Profiles: Specifies the configuration information of different roles; Multiple profiles can be defined to specify different expiration time, usage scenario and other parameters; Use a profile when signing the certificate later.

server auth: server authentication; Indicates that the client can use the CA to verify the certificate provided by the server;

client auth: client authentication; Indicates that the server can use the CA to verify the certificate provided by the client;

(2) Generate and modify the default csr request file

# cfssl  print-defaults csr  > ca-csr.json
# vim ca-csr.json
    "CN": "harbor",
    "hosts": [
    "key": {
        "algo": "rsa",
        "size": 2048
    "names": [
            "C": "CN",
            "ST": "Beijing",
            "L": "Beijing"

hosts: the authorization scope included. Nodes or services outside this scope will report a certificate mismatch error if they use this certificate. If the certificate is not included, they may be unable to connect;

Key: Specifies the encryption algorithm to use. Generally, rsa asymmetric encryption algorithm (algo:rsa; size:2048) is used

CN: Common Name, Kube apiserver extracts this field from the certificate as the requested user name; The browser uses this field to verify whether the website is legal; CN is a domain name, that is, you can write whatever domain name you use now

O: Organization, Kube apiserver extracts this field from the certificate as the group to which the requesting user belongs;

(3) Initialize CA

# cfssl  gencert  -initca  ca-csr.json  |  cfssljson  -bare   ca
2021/11/05 17:45:13 [INFO] generating a new CA key and certificate from CSR
2021/11/05 17:45:13 [INFO] generate received request
2021/11/05 17:45:13 [INFO] received CSR
2021/11/05 17:45:13 [INFO] generating key: rsa-2048
2021/11/05 17:45:13 [INFO] encoded CSR
2021/11/05 17:45:13 [INFO] signed certificate with serial number 569300079190788296339255431042064535929535986620
# ls 
ca-config.json  ca.csr  ca-csr.json  ca-key.pem  ca.pem

You can see that ca.csr, ca-key.pem and ca.pem are newly generated in the current directory.

ca-key.pem and ca.pem are CA related certificates. The server certificate is signed through this CA.

3. Generate server certificate

(1) Create and modify the server certificate request file

# cfssl  print-defaults csr >  harbor-csr.json
# vim  harbor-csr.json
    "CN": "muli.harbor.json",
    "hosts": [],
    "key": {
        "algo": "rsa",
        "size": 2048
    "names": [
            "C": "CN",
            "ST": "Beijing",
            "L": "Beijing"

(2) Use the request file to issue certificates according to the CA configuration

# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem \
-config=ca-config.json \
-profile=harbor  harbor-csr.json | cfssljson -bare  harbor
# ls
ca-config.json  ca.csr  ca-csr.json  ca-key.pem  ca.pem  harbor.csr  harbor-csr.json  harbor-key.pem  harbor.pem
# cp harbor.pem harbor-key.pem  /etc/docker/CA/

-config: Specifies the configuration file of the CA certification authority;

-profile: specify which module in the CA configuration file is used (here harbor corresponds to harbor in the configuration file);

harbor.pem: digital certificate of harbor service

harbor-key.pem: the private key of the harbor service

4. Use certificate specified in harbor configuration file

# vim  harbor.yml
  port: 443
  certificate: /etc/docker/CA/harbor.pem
  private_key: /etc/docker/CA/harbor-key.pem

4, Deploy harbor (offline package)

4.1. Unzip the installation package

# RZ harbor-offline-installer-v2.3.1. Tgz / / upload harbor installation package
# tar  zxvf harbor-offline-installer-v2.3.1.tgz
# cd  harbor
# pwd
# ls  harbor.v2.3.1.tar.gz  harbor.yml.tmpl  LICENSE  prepare

harbor.v2.3.1.tar.gz: image package. Running the script will automatically import the image;

4.2. Create a configuration file using a template file

# cp harbor.yml.tmpl harbor.yml
# vim harbor.yml
hostname:           #Domain name or IP
  port: 80
  port: 443
  certificate: /your/certificate/path
  private_key: /your/private/key/path
#The password of Harbor administrator (admin) cannot be modified for the first time
harbor_admin_password: Harbor12345
  password: root123              #Database password
  max_idle_conns: 100
  max_open_conns: 900
data_volume: /app/harbor/data         #Container storage volume data storage location

trivy:                   #Configure Trivy scanner
  ignore_unfixed: true
  skip_update: false
  insecure: false
jobservice:                  #Configure image upload / download concurrency
  max_job_workers: 10
  webhook_job_max_retry: 10
  absolute_url: disabled
  level: info
    rotate_count: 50
    rotate_size: 200M
    location: /var/log/harbor
_version: 2.3.1
    - core
    - jobservice
    - trivy

See the official website for detailed configuration of the configuration file( Harbor docs | Configure the Harbor YML File)

4.3. Run the prepare script to enable HTTPS

  Ensure that https mode is enabled in the configuration file and the certificate is configured.

# ./prepare

4.4. Execute the script to install Gabor

   Online installation will automatically download the required images from the Internet. Offline installation will automatically import the harbor.v2.3.1.tar.gz image package into the local image.


# ./

4.5 verify whether the service is normal

# cd  /app/harbor/          
# docker-compose  ps      #It needs to be executed in the harbor installation directory
      Name                     Command                  State                 Ports          
harbor-core         /harbor/            Up (healthy)                            
harbor-db           / 96 13      Up (healthy)                            
harbor-jobservice   /harbor/            Up (healthy)                            
harbor-log          /bin/sh -c /usr/local/bin/ ...   Up (healthy)>10514/tcp
harbor-portal       nginx -g daemon off;             Up (healthy)                            
nginx               nginx -g daemon off;             Up (healthy)>8080/tcp     
redis               redis-server /etc/redis.conf     Up (healthy)                            
registry            /home/harbor/       Up (healthy)                            
registryctl         /home/harbor/            Up (healthy)

When the state is Up, the container is running normally.

5, Harbor start stop

5.1. Stop and delete existing instances

Data is retained in the file system, so no data is lost

# docker-compose down -v

5.2 restart Harbor

# docker-compose up -d

6, Log in to Harbor management console

Browser input access address:

https mode:

HTTP mode:

User: admin

Password: the value of harbor_admin_password in the harbor.cfg file.


  7, Configure docker to use Harbor image warehouse

You need to specify the Harbor Address in the docker configuration file before you can log in to harbor from the command line.

# cat /etc/docker/daemon.json
# systemctl restart docker

Command line connect / exit Harbor

# docker login -u username - p password
# docker  logout

After connecting to the harbor warehouse, you can use docker to upload and download images.


Tags: Kubernetes SSL Container

Posted on Sat, 06 Nov 2021 21:40:28 -0400 by PhilVaz