Harbor Bitnami OVA Certificate Replacement Made Easy

This walkthrough creates a SAN-enabled certificate for Harbor and uses it to replace the default certificate in a Harbor OVA deployment.

Step 1: Create a SAN Certificate Using OpenSSL

SSH to the Harbor OVA as the root user.
Create a Config File (harbor-san.cnf)

[req]
default_bits       = 2048
prompt             = no
default_md         = sha256
req_extensions     = req_ext
distinguished_name = dn

[dn]
C  = AE
ST = Dubai
L  = Dubai
O  = bcmllab
CN = harbor1.test.com

[req_ext]
subjectAltName = @alt_names

[alt_names]
DNS.1 = harbor1.test.com
IP.1  = 172.171.20.40

Generate Key, CSR, and Self-Signed Cert

# Generate private key
openssl genrsa -out harbor.key 2048

# Generate CSR
openssl req -new -key harbor.key -out harbor.csr -config harbor-san.cnf

# Generate self-signed certificate
openssl x509 -req -in harbor.csr -signkey harbor.key -out harbor.crt -days 365 -extensions req_ext -extfile harbor-san.cnf

You now have:

  • harbor.crt – your certificate
  • harbor.key – your private key
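
Before Step 2 overwrites the files Harbor serves, it helps to confirm that harbor.crt matches harbor.key, carries both SAN entries from harbor-san.cnf, and has not expired. The script below is an added example, not part of the original walkthrough and not a Harbor or Bitnami tool; the function name verify_harbor_cert and the script file name are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original walkthrough.
# verify_harbor_cert is a hypothetical helper name, not a Harbor or Bitnami tool.
# Usage: verify_harbor_cert CERT KEY DNS_NAME IP
verify_harbor_cert() {
    cert=$1 key=$2 dns=$3 ip=$4 rc=0

    # 1. The certificate must contain the public half of this private key.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: $cert does not match $key" >&2
        rc=1
    fi

    # 2. Both [alt_names] entries must be present in the issued certificate.
    #    Split the SAN line into one entry per line so the match is exact.
    sans=$(openssl x509 -in "$cert" -noout -text 2>/dev/null |
        grep -A1 'Subject Alternative Name' | tail -n 1 |
        tr ',' '\n' | sed 's/^ *//')
    for want in "DNS:$dns" "IP Address:$ip"; do
        if ! printf '%s\n' "$sans" | grep -qxF "$want"; then
            echo "FAIL: SAN entry missing: $want" >&2
            rc=1
        fi
    done

    # 3. The certificate must not be expired (Step 1 issues it with -days 365).
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo "FAIL: $cert is expired or unreadable" >&2
        rc=1
    fi
    return "$rc"
}

# Run directly: sh check-harbor-cert.sh harbor.crt harbor.key harbor1.test.com 172.171.20.40
if [ "$#" -eq 4 ]; then
    verify_harbor_cert "$@" && echo "OK: certificate and key pass all checks"
fi
```

A missing SAN entry usually means -extensions req_ext -extfile harbor-san.cnf was left off the openssl x509 command, since the SAN requested in the CSR is not carried into the certificate without them.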

Step 2: Replace Harbor OVA Certificate

Locate Harbor Certificate Directory:
On the Harbor OVA, certificates are typically stored under:

/opt/harbor/ssl/

Stop Harbor Services

docker-compose -f /opt/harbor/docker-compose.yml down

Replace Certificates

cp harbor.crt /opt/harbor/ssl/server.crt
cp harbor.key /opt/harbor/ssl/server.key

If you’re using a custom CA:

cp ca.crt /opt/harbor/ssl/ca.crt

Restart Harbor

docker-compose -f /opt/harbor/docker-compose.yml up -d