-
-
Save capoferro/ba4b5b446aa6b62604cb17029c29a06c to your computer and use it in GitHub Desktop.
Generate self-signed SSL certs for docker client <— HTTPS —> daemon
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#! /bin/bash | |
# HEADS UP! Make sure to use '*' or a valid hostname for the FDQN prompt | |
echo 01 > ca.srl | |
openssl genrsa -out ca-key.pem | |
openssl req -new -x509 -days 365 -key ca-key.pem -out ca.pem | |
openssl genrsa -out server-key.pem | |
openssl req -new -key server-key.pem -out server.csr | |
echo subjectAltName = DNS:$HOST,IP:10.10.10.20,IP:127.0.0.1 > extfile.cnf | |
openssl x509 -req -days 365 -in server.csr -CA ca.pem -CAkey ca-key.pem -out server-cert.pem -extfile extfile.cnf | |
openssl genrsa -out client-key.pem | |
openssl req -new -key client-key.pem -out client.csr | |
echo extendedKeyUsage = clientAuth > client-extfile.cnf | |
openssl x509 -req -days 365 -in client.csr -CA ca.pem -CAkey ca-key.pem -out client-cert.pem -extfile client-extfile.cnf | |
openssl rsa -in server-key.pem -out server-key.pem | |
openssl rsa -in client-key.pem -out client-key.pem | |
# server | |
# sudo docker -d --tlsverify --tlscacert=ca.pem --tlscert=server-cert.pem --tlskey=server-key.pem -H=0.0.0.0:4243 | |
# client -- note that this uses --tls instead of --tlsverify, which I had trouble with | |
# docker --tls --tlscacert=ca.pem --tlscert=client-cert.pem --tlskey=client-key.pem -H=dns-name-of-docker-host:4243 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment