@anokun7
Created August 26, 2015 21:57
Docker Trusted Registry - Initial login
DTR serves its web interface and registry API over TLS, so in addition to a username and password the Docker client has to trust the certificate DTR presents before docker login can succeed.
The steps to create a self-signed certificate with openssl are as follows:
1. First create a private key (myserver.key) and a certificate signing request (server.csr). The -nodes flag leaves the key unencrypted, which DTR needs in order to use it, so keep the file readable by the DTR host only. When prompted for the Common Name, enter the DNS name the Docker clients will use for DTR (engine.docker.demo in the example below); the client rejects a certificate whose name does not match the host it connected to:
openssl req -nodes -newkey rsa:2048 -sha256 -keyout myserver.key -out server.csr
2. Then create the SSL certificate (server.crt) from the CSR, signed with the private key just created. This makes it self-signed and valid for 365 days; because no CA vouches for it, every Docker host that talks to DTR has to be told to trust server.crt explicitly (for example by placing it at /etc/docker/certs.d/<DTR hostname>/ca.crt, or by adding it to the system trust store as in the CentOS notes in the comments below):
openssl x509 -req -days 365 -sha256 -in server.csr -signkey myserver.key -out server.crt
3. In the DTR web interface, go to Settings -> Security and paste the contents of the SSL certificate
and the private key in the appropriate text areas.
Now, when running the docker login command, you should be able to log in using the credentials provided:
$>> docker login engine.docker.demo
Username: anoop
Password:
Email: abc@anoop.com
WARNING: login credentials saved in /home/vagrant/.dockercfg.
Login Succeeded
anokun7 commented Aug 27, 2015

  1. Create a CA: Start by creating a private key (ca-key.pem) for the CA [This key should be protected always]
    openssl genrsa -aes256 -out ca-key.pem 4096
  2. Create the certificate (ca-cert.pem, aka the public key):
    openssl req -key ca-key.pem -new -x509 -days 365 -sha256 -out ca-cert.pem
  3. Create the private key for the server / host:
    openssl genrsa -aes256 -out "$(hostname -f).pem" 4096
  4. Use the server's key and create a CSR:
    openssl req -new -sha256 -key "$(hostname -f).pem" -out "$(hostname -f).csr.pem"
  5. Now to sign the server's key using the ca private key and ca's certificate:
    # the openssl ca command keeps its issued-certificate database and serial counter under /etc/pki/CA
    sudo touch /etc/pki/CA/index.txt
    echo "01" | sudo tee /etc/pki/CA/serial    # 'sudo echo "01" > file' would perform the redirection as the unprivileged user
    sudo openssl ca -keyfile ca-key.pem -cert ca-cert.pem -days 365 -notext -md sha256 -in "$(hostname -f).csr.pem" -out "$(hostname -f).cert.pem"

The output should be similar to the below:

Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ca-key.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Aug 27 17:33:54 2015 GMT
            Not After : Aug 26 17:33:54 2016 GMT
        Subject:
            countryName               = US
            stateOrProvinceName       = VA
            organizationName          = Docker
            organizationalUnitName    = CS
            commonName                = engine.docker.demo
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                DC:6B:E2:A1:D8:11:BC:A5:01:4F:1F:29:87:80:3E:9E:7C:F6:9F:A6
            X509v3 Authority Key Identifier:
                keyid:F9:0D:1F:A0:35:16:C4:83:19:8D:57:75:DA:FC:96:79:2A:78:26:ED

Certificate is to be certified until Aug 26 17:33:54 2016 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
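
The Go program below is an added example, not the gist author's commands and not anything shipped with DTR. It performs in code the two procedures described on this page, the gist's self-signed certificate (the server key signs its own certificate, as `openssl x509 -req -signkey` does) and this comment's CA flow (ca-key.pem signs the host certificate, as `openssl ca` does), and then runs the check the Docker client makes on docker login: chain the presented certificate to a trust anchor and match the hostname that was dialled. The hostname engine.docker.demo is taken from the page; the organisation names, the 2048-bit key size and every function name are assumptions of this example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// dtrHost is the name Docker clients use to reach the registry (the page's
// example hostname); the certificate's CN/SAN must carry it.
const dtrHost = "engine.docker.demo"

// newKey stands in for "openssl genrsa". 2048 bits keeps the example fast;
// the comment above uses 4096, the better choice for a long-lived CA key.
func newKey(bits int) *rsa.PrivateKey {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		panic(err)
	}
	return key
}

// newCA stands in for "openssl req -key ca-key.pem -new -x509": a self-signed
// certificate whose basicConstraints say CA:TRUE, so it may sign others.
func newCA() (*x509.Certificate, *rsa.PrivateKey) {
	key := newKey(2048)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{Organization: []string{"Docker"}, CommonName: "Demo CA"}, // assumed names
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// issueServerCert builds the server certificate (CA:FALSE, like the output
// above). With a CA it is what "openssl ca -in host.csr.pem" produces; with
// ca == nil it is signed by serverKey itself, like "openssl x509 -req -signkey".
func issueServerCert(host string, serverKey *rsa.PrivateKey, ca *x509.Certificate, caKey *rsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{Organization: []string{"Docker"}, CommonName: host},
		DNSNames:     []string{host}, // subjectAltName; modern clients ignore the CN without it
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	parent := tmpl
	var signer interface{} = serverKey
	if ca != nil {
		parent, signer = ca, caKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &serverKey.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// verifyAsDockerClient does what the Docker client does before it sends a
// password: chain the presented certificate to one of the given anchors and
// match the hostname it dialled. A nil error means docker login would proceed.
func verifyAsDockerClient(cert *x509.Certificate, host string, anchors ...*x509.Certificate) error {
	roots := x509.NewCertPool() // empty but non-nil: never fall back to the system store here
	for _, a := range anchors {
		roots.AddCert(a)
	}
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// pemEncode renders a certificate as the text pasted into Settings -> Security.
func pemEncode(cert *x509.Certificate) string {
	return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: cert.Raw}))
}

func main() {
	ca, caKey := newCA()
	serverKey := newKey(2048)
	signed := issueServerCert(dtrHost, serverKey, ca, caKey)
	selfSigned := issueServerCert(dtrHost, serverKey, nil, nil)

	fmt.Println("CA-signed, CA trusted:        ", verifyAsDockerClient(signed, dtrHost, ca))
	fmt.Println("CA-signed, wrong hostname:    ", verifyAsDockerClient(signed, "other.docker.demo", ca))
	fmt.Println("self-signed, nothing trusted: ", verifyAsDockerClient(selfSigned, dtrHost))
	fmt.Println("self-signed, itself an anchor:", verifyAsDockerClient(selfSigned, dtrHost, selfSigned))
	fmt.Print(pemEncode(signed))
}
```

Running it prints <nil> for the two trusted cases and an error for the hostname mismatch and for the self-signed certificate with an empty trust store: a self-signed certificate only passes when the client has been given that very certificate as an anchor, which is what each Docker host has to be configured with in the gist's setup, whereas in the CA flow the hosts trust ca-cert.pem once and any certificate it signs is accepted. The command-line equivalent of the last check after the openssl ca step is `openssl verify -CAfile ca-cert.pem "$(hostname -f).cert.pem"`.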

anokun7 commented Sep 3, 2015

On CentOS [These have been tested to work].

Ensure DNS is set up or the /etc/hosts file is updated on all hosts. All hosts should be able to resolve the DTR host.

export DOMAIN_NAME=<DNS of DTR>
sudo update-ca-trust enable
# read the certificate DTR presents on port 443 (openssl x509 keeps only the first, i.e. the server certificate) and save it as a trust anchor
openssl s_client -connect $DOMAIN_NAME:443 -showcerts </dev/null 2>/dev/null | openssl x509 -outform PEM | sudo tee /etc/pki/ca-trust/source/anchors/$DOMAIN_NAME.crt
sudo update-ca-trust extract

# the docker daemon reads the system trust store at startup
sudo systemctl restart docker.service
docker login --username=anoop --password=password --email=anoop@abc.com $DOMAIN_NAME
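
The Go program below is an added example, not the commenter's commands and not DTR's own code. It models the CentOS procedure above end to end against a local stand-in for DTR (an httptest TLS server with its own self-signed certificate, constructed for the example): a verified connection first fails with an empty trust store, the certificate the server presents is then fetched without verification (the `openssl s_client | openssl x509` step), and with that certificate installed as the only anchor (what `update-ca-trust extract` does for the Docker daemon) the connection succeeds and the registry answers 401 until credentials are sent. The path /v2/, the function names and the 401 handler are assumptions of the example.

```go
package main

import (
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"encoding/hex"
	"encoding/pem"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// startFakeDTR stands in for the registry: a loopback TLS server using
// httptest's built-in self-signed certificate (constructed, nothing from DTR).
// /v2/ answers 401, as a registry does before credentials are presented.
func startFakeDTR() (serverURL string, stop func()) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusUnauthorized)
	}))
	return srv.URL, srv.Close
}

// fetchPresentedCert is the "openssl s_client -connect $DOMAIN_NAME:443 -showcerts | openssl x509"
// step: connect WITHOUT verification (this is trust-on-first-use), take the
// first certificate the server presents, and return it as PEM together with
// its SHA-256 fingerprint so it can be compared out of band.
func fetchPresentedCert(serverURL string) (anchorPEM []byte, fingerprint string, err error) {
	u, err := url.Parse(serverURL)
	if err != nil {
		return nil, "", err
	}
	conn, err := tls.Dial("tcp", u.Host, &tls.Config{InsecureSkipVerify: true}) // read-only peek at the chain
	if err != nil {
		return nil, "", err
	}
	defer conn.Close()
	leaf := conn.ConnectionState().PeerCertificates[0]
	sum := sha256.Sum256(leaf.Raw)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: leaf.Raw}), hex.EncodeToString(sum[:]), nil
}

// loginProbe is the verified connection the Docker client makes for docker
// login. The trust store is either empty (a fresh host before update-ca-trust)
// or holds exactly the anchor that update-ca-trust extract installed. It
// returns the HTTP status of GET /v2/ once the TLS handshake has succeeded.
func loginProbe(serverURL string, anchorPEM []byte) (int, error) {
	roots := x509.NewCertPool() // empty but non-nil, so the system store is not consulted
	if anchorPEM != nil && !roots.AppendCertsFromPEM(anchorPEM) {
		return 0, fmt.Errorf("anchor file holds no certificate")
	}
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: &tls.Config{RootCAs: roots}}}
	resp, err := client.Get(serverURL + "/v2/")
	if err != nil {
		return 0, err
	}
	resp.Body.Close()
	return resp.StatusCode, nil
}

func main() {
	serverURL, stop := startFakeDTR()
	defer stop()

	_, err := loginProbe(serverURL, nil)
	fmt.Println("before update-ca-trust:", err) // fails: certificate signed by unknown authority

	anchor, fp, err := fetchPresentedCert(serverURL)
	if err != nil {
		panic(err)
	}
	fmt.Println("compare with 'openssl x509 -in server.crt -noout -fingerprint -sha256':", fp)

	status, err := loginProbe(serverURL, anchor)
	fmt.Println("after update-ca-trust:  status", status, "err", err) // 401: TLS is trusted, credentials are next
}
```

Two points the procedure above leaves implicit. Fetching the certificate from the network and trusting it means trusting whoever answered on port 443 at that moment, so compare the printed fingerprint with the certificate actually installed on DTR (`openssl x509 -in server.crt -noout -fingerprint -sha256` on the DTR host) before running update-ca-trust extract. And docker login prompts for the password when --password is omitted, which keeps it out of the shell history and the process list.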
