To create a SAN-enabled certificate for Harbor and replace the default certificate in a Harbor OVA deployment, here’s a complete walkthrough:
Step 1: Create a SAN Certificate Using OpenSSL
SSH to the Harbor OVA as the root user.
Create a Config File (harbor-san.cnf)
[req]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn
[dn]
C = AE
ST = Dubai
L = Dubai
O = bcmllab
CN = harbor1.test.com
[req_ext]
subjectAltName = @alt_names
[alt_names]
DNS.1 = harbor1.test.com
IP.1 = 172.171.20.40
Generate Key, CSR, and Self-Signed Cert
# Generate private key
openssl genrsa -out harbor.key 2048
# Generate CSR
openssl req -new -key harbor.key -out harbor.csr -config harbor-san.cnf
# Generate self-signed certificate
openssl x509 -req -in harbor.csr -signkey harbor.key -out harbor.crt -days 365 -extensions req_ext -extfile harbor-san.cnf
You now have:
harbor.crt – your certificate
harbor.key – your private key
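Before replacing anything on the appliance, it is worth confirming that the certificate actually carries the SAN entries and that it pairs with the private key. The helper below is an added example, not part of the original walkthrough; the function names are hypothetical and it assumes the openssl CLI is on the PATH.

```shell
#!/bin/sh
# Added example: pre-install checks for the harbor.crt / harbor.key pair.
# Function names are illustrative; only standard openssl subcommands are used.

# cert_matches_key CERT KEY: true only if both files parse and the public
# key embedded in the certificate equals the one derived from the private key.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# cert_has_san CERT ENTRY: true if ENTRY (for example "DNS:harbor1.test.com"
# or "IP Address:172.171.20.40") is listed exactly in subjectAltName.
cert_has_san() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -A1 'X509v3 Subject Alternative Name' |
        tr ',' '\n' | sed 's/^ *//; s/ *$//' | grep -qxF "$2"
}

# preinstall_check CERT KEY ENTRY...: run every check, report the first failure.
preinstall_check() {
    cert=$1; key=$2; shift 2
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 ||
        { echo "expired or unreadable: $cert" >&2; return 1; }
    cert_matches_key "$cert" "$key" ||
        { echo "private key does not match certificate" >&2; return 1; }
    for san in "$@"; do
        cert_has_san "$cert" "$san" ||
            { echo "missing SAN entry: $san" >&2; return 1; }
    done
}

# Usage with the values from harbor-san.cnf:
#   preinstall_check harbor.crt harbor.key \
#       "DNS:harbor1.test.com" "IP Address:172.171.20.40" && echo OK
```

A missing SAN entry here usually means the -extensions req_ext -extfile harbor-san.cnf options were left off the signing command, since extensions in the CSR are not copied into the certificate by default.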
Step 2: Replace Harbor OVA Certificate
1. Back up existing certificates
sudo mv /opt/bitnami/nginx/conf/bitnami/certs/tls.crt /opt/bitnami/nginx/conf/bitnami/certs/tls.crt.old
sudo mv /opt/bitnami/nginx/conf/bitnami/certs/tls.key /opt/bitnami/nginx/conf/bitnami/certs/tls.key.old
sudo mv /opt/bitnami/nginx/conf/bitnami/certs/tls.csr /opt/bitnami/nginx/conf/bitnami/certs/tls.csr.old
2. Copy your new certificate and key (the commands below expect harbor.key and harbor.crt in /tmp)
sudo cp /tmp/harbor.key /opt/bitnami/nginx/conf/bitnami/certs/tls.key
sudo cp /tmp/harbor.crt /opt/bitnami/nginx/conf/bitnami/certs/tls.crt
3. Apply correct permissions
sudo chmod 644 /opt/bitnami/nginx/conf/bitnami/certs/tls.crt
sudo chmod 600 /opt/bitnami/nginx/conf/bitnami/certs/tls.key
4. Set ownership
sudo chown root:root /opt/bitnami/nginx/conf/bitnami/certs/tls.crt
sudo chown root:root /opt/bitnami/nginx/conf/bitnami/certs/tls.key
5. Restart Harbor services
sudo /opt/bitnami/ctlscript.sh restart