CA自签名

CA用于签发证书

Pigsty默认会在初始化时,在管理节点生成一个自签名的CA。

CA密钥放置于元节点的 /etc/pigsty/ca/ 目录中。

当您需要使用 SSL,数字签名,高级安全特性时,可以使用此 CA。

如果您已经有了自己的 CA 公私钥,将其放置于 files/ 目录,并将 ca_method 修改为 copy,则Pigsty会使用用户提供的CA证书与私钥。

FHS规约

/etc/pki              # CA与证书目录
/etc/pki/ca           # CA证书目录

/etc/pki/ca/cert           # CA证书目录

常见操作

查看证书的内容:

openssl x509 -text -in /etc/pigsty/ca/ca.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            0b:e1:0b:39:c9:67:56:e5:b2:3d:6d:db:6a:b4:74:c5:50:0e:00:4e
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: O=Pigsty CA, CN=pigsty-ca
        Validity
            Not Before: Jul 13 07:52:21 2022 GMT
            Not After : Jun 19 07:52:21 2122 GMT
        Subject: O=Pigsty CA, CN=pigsty-ca
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    ........................................
                    73:09:b5
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:pigsty-ca
            X509v3 Key Usage:
                Digital Signature, Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:1
            X509v3 Subject Key Identifier:
                ........................................
    Signature Algorithm: sha256WithRSAEncryption
         ........................................
-----BEGIN CERTIFICATE-----
........................................
-----END CERTIFICATE-----

```

最后修改 2023-02-27: update zh docs (a5a4cc0)