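#!/bin/bash
# Create a private CA, a server certificate for a Docker daemon listening on
# 127.0.0.1:2376 and a client certificate for this user, then install the
# server material for a Docker-for-Windows daemon (through /mnt/c) and the
# client material for the local docker CLI (~/.docker).
#
# Environment (all optional):
#   HOST            DNS name put in the server certificate (default: /etc/hostname)
#   CERT_DAYS       validity in days of the CA, server and client certs (default: 365)
#   DOCKER_WIN_DIR  directory the daemon reads its keys from
#                   (default: /mnt/c/ProgramData/Docker; must already exist)
#
# The CA key is passphrase-protected: openssl prompts for the passphrase when
# the key is created and again each time it signs a certificate.
set -euo pipefail

# openssl writes the key files long before the chmod at the end of the
# script; a restrictive umask keeps them from ever being group/world-readable.
umask 077

HOST="${HOST:-$(cat /etc/hostname)}"
CERT_DAYS="${CERT_DAYS:-365}"
DOCKER_WIN_DIR="${DOCKER_WIN_DIR:-/mnt/c/ProgramData/Docker}"

# ---- CA -------------------------------------------------------------------
# The CA private key is AES-256 encrypted: whoever holds it in the clear can
# mint certificates the daemon and every client will trust.
openssl genrsa -aes256 -out ca-key.pem 4096
# Self-signed CA certificate.
openssl req -subj "/C=US/ST=Washington/L=Redmond/O=./OU=." -new -x509 \
  -days "$CERT_DAYS" -key ca-key.pem -sha256 -out ca.pem

# ---- server ---------------------------------------------------------------
# Left unencrypted on purpose: the daemon cannot enter a passphrase.
openssl genrsa -out server-key.pem 4096
openssl req -subj "/CN=$HOST" -sha256 -new -key server-key.pem -out server.csr
# The SAN must list every name/address clients will put in DOCKER_HOST; the
# default below only covers loopback. The file is written with '>' so that a
# re-run does not accumulate stale entries from a previous run.
printf 'subjectAltName = DNS:%s,IP:127.0.0.1\n' "$HOST" > extfile-server.cnf
printf 'extendedKeyUsage = serverAuth\n' >> extfile-server.cnf
openssl x509 -req -days "$CERT_DAYS" -sha256 -in server.csr \
  -CA ca.pem -CAkey ca-key.pem -CAcreateserial \
  -out server-cert.pem -extfile extfile-server.cnf

# ---- client ---------------------------------------------------------------
openssl genrsa -out key.pem 4096
openssl req -subj '/CN=client' -sha256 -new -key key.pem -out client.csr
# Separate extension file: the client cert must carry only clientAuth, not
# the server's subjectAltName/serverAuth entries.
printf 'extendedKeyUsage = clientAuth\n' > extfile-client.cnf
openssl x509 -req -days "$CERT_DAYS" -sha256 -in client.csr \
  -CA ca.pem -CAkey ca-key.pem -CAcreateserial \
  -out cert.pem -extfile extfile-client.cnf

# Signing requests and extension files are no longer needed.
rm -v client.csr server.csr extfile-server.cnf extfile-client.cnf

# Private keys: owner read-only. Public material: read-only for everyone.
chmod -v 0400 ca-key.pem key.pem server-key.pem
chmod -v 0444 ca.pem server-cert.pem cert.pem

# Install the daemon's material. NOTE(review): Linux mode bits are generally
# not preserved on the NTFS side, so server-key.pem ends up protected only by
# the ACL of the Windows directory — confirm that ACL. daemon.json must still
# be pointed at these three files and TLS verification enabled; this script
# does not touch the daemon configuration.
cp -v ca.pem server-cert.pem server-key.pem "$DOCKER_WIN_DIR"

# Install the client's material for this user's docker CLI.
mkdir -pv ~/.docker
chmod 700 ~/.docker
cp -v ca.pem cert.pem key.pem ~/.docker

# These exports only affect this script's own process. Unless the script is
# sourced, the user still has to set them in their interactive shell, so the
# exact line is printed as a reminder.
export DOCKER_HOST=tcp://127.0.0.1:2376 DOCKER_TLS_VERIFY=1
printf 'Add to your shell profile:\n  export DOCKER_HOST=%s DOCKER_TLS_VERIFY=1\n' "$DOCKER_HOST" >&2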
Docker's daemon.json also needs to be updated to point at the server CA, certificate and key copied above and to require TLS verification — the script only generates and copies the files; it does not configure the daemon.