Skip to content

Instantly share code, notes, and snippets.

@mac2000
Forked from Stono/create-docker-tls.sh
Last active March 1, 2018 00:57
Show Gist options
  • Save mac2000/746cbcac34dc96285026 to your computer and use it in GitHub Desktop.
Save mac2000/746cbcac34dc96285026 to your computer and use it in GitHub Desktop.
Creating and setting up Docker for TLS
#!/bin/bash
# At the end you will have 6 files:
# ca/ca.pem - used by both client and server to verify each other certificates
# ca/ca-key.pem - keep it in secret it may be used to generate new certificates
# client/cert.pem, client/key.pem - in conjunction with /ca/ca.pem will be used by client to speak with server
# server/cert.pem, server/key.pem - in conjunction with /ca/ca.pem will be used by server
#
# NOTICE: DO NOT FORGET to set your **Server** ip and dns in server/openssl.cnf each time you generating new server certificates
#
# Original: http://tech.paulcz.net/2016/01/secure-docker-with-tls/
echo "Certificate Authority"
echo "---------------------"
echo
mkdir -p ca
openssl genrsa -out ca/ca-key.pem 2048
openssl req -x509 -new -nodes -key ca/ca-key.pem -days 3650 -out ca/ca.pem -subj '/CN=ca'
echo "Client Certificates"
echo "-------------------"
echo
mkdir -p client
cat << EOF | tee -a client/openssl.cnf
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
EOF
openssl genrsa -out client/key.pem 2048
openssl req -new -key client/key.pem -out client/cert.csr -subj '/CN=client' -config client/openssl.cnf
openssl x509 -req -in client/cert.csr -CA ca/ca.pem -CAkey ca/ca-key.pem -CAcreateserial -out client/cert.pem -days 3650 -extensions v3_req -extfile client/openssl.cnf
rm -f server/cert.csr server/openssl.cnf
echo "Server Certificates"
echo "-------------------"
echo
mkdir -p server
cat << EOF | tee -a server/openssl.cnf
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = docker.rabota.local
IP.1 = 192.168.4.21
IP.2 = 127.0.0.1
EOF
openssl genrsa -out server/key.pem 2048
openssl req -new -key server/key.pem -out server/cert.csr -subj "/CN=server" -config server/openssl.cnf
openssl x509 -req -in server/cert.csr -CA ca/ca.pem -CAkey ca/ca-key.pem -CAcreateserial -out server/cert.pem -days 3650 -extensions v3_req -extfile server/openssl.cnf
rm -f server/cert.csr server/openssl.cnf
@mac2000
Copy link
Author

mac2000 commented Feb 24, 2016

modified just to generate wildcard certs without doing anything to docker

@mac2000
Copy link
Author

mac2000 commented Feb 24, 2016

move to sha

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment