Forked from lloesche/Cert with X509v3 extension subjectAltName IP and DNS
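#!/usr/bin/env bash
### gen certs
#
# Create a private CA, issue a server certificate for a Harbor registry with
# DNS and IP subjectAltName entries, install the CA as a trust anchor for the
# Docker daemon, and log in to that registry.
#
# Files written to the current directory:
#   ca.key / ca.crt      CA private key (unencrypted, mode 0600) and CA cert
#   cert.key / cert.csr  server private key (mode 0600) and request
#   cert.crt             server cert signed by ca.key, carrying the SAN extension
#   ca.srl               serial-number file created by -CAcreateserial
#
# Requires: bash (process substitution), openssl, sudo, docker.
set -euo pipefail

# Registry identity. Every value can be overridden from the environment, e.g.
#   REGISTRY_HOST=30.0.0.3 SAN_DNS='*.harborpks.vmware.com' ./gen-certs.sh
readonly registry_host="${REGISTRY_HOST:-30.0.0.3}"
readonly server_cn="${SERVER_CN:-testing.harborpks.vmware.com}"
readonly san_dns="${SAN_DNS:-*.harborpks.vmware.com}"
readonly san_ip="${SAN_IP:-${registry_host}}"
readonly ca_days="${CA_DAYS:-3650}"
readonly cert_days="${CERT_DAYS:-1095}"

# openssl writes the private key before a trailing chmod can run; under the
# usual umask 022 the key is world-readable for that window. Restrict the umask
# first so every file this script creates is owner-only from the start; the
# public certs are opened back up explicitly below.
umask 077

# 1. Create the CA key and self-signed CA certificate.
#    -nodes leaves ca.key unencrypted, which is acceptable for a throwaway test
#    CA; a CA that clients will trust for years should be given a passphrase
#    (drop -nodes) and kept off the host that serves the registry.
openssl req -new -x509 -nodes -newkey rsa:4096 \
  -extensions v3_ca -sha256 -days "${ca_days}" \
  -subj "/C=US/ST=CA/L=Palo Alto/O=Jakes Inc./CN=Jake Certificate Authority" \
  -keyout ca.key \
  -out ca.crt
chmod 600 ca.key
chmod 644 ca.crt

# 2. Create the server key and CSR. Modern TLS clients ignore the CN for
#    hostname matching; the names that count are the SAN entries added in
#    step 3, so keep the CN and the SAN list consistent.
openssl req -newkey rsa:2048 -nodes -sha256 \
  -keyout cert.key -out cert.csr \
  -subj "/C=US/ST=CA/L=Palo Alto/O=Snakeoil Inc./OU=Core/CN=${server_cn}"
chmod 600 cert.key

# 3. Sign the CSR with the CA and attach the v3 extensions.
#    `openssl x509 -req -extfile` only needs the named section, so a
#    self-contained snippet is passed instead of concatenating the distro's
#    openssl.cnf (whose path differs between distributions).
#    CA:FALSE plus keyUsage/extendedKeyUsage=serverAuth pin this down as a
#    leaf server certificate that cannot itself be used to sign others.
#    Note the wildcard DNS SAN makes cert.key valid for every host in that
#    zone; narrow it to the registry's own name if that scope is too broad.
openssl x509 -req \
  -in cert.csr -out cert.crt \
  -CA ca.crt -CAkey ca.key -CAcreateserial \
  -sha256 -days "${cert_days}" \
  -extensions SAN -extfile <(printf '%s\n' \
    '[SAN]' \
    'subjectAltName = @san_names' \
    'basicConstraints = CA:FALSE' \
    'keyUsage = nonRepudiation, digitalSignature, keyEncipherment' \
    'extendedKeyUsage = serverAuth' \
    '[san_names]' \
    "DNS.1 = ${san_dns}" \
    "IP.1 = ${san_ip}")
chmod 644 cert.crt

# 4. Show the result and prove that cert.crt actually chains to ca.crt
#    (set -e aborts here if the signature or extensions are wrong).
openssl x509 -in cert.crt -text -noout
openssl verify -CAfile ca.crt cert.crt

# 5. Install the trust anchor for the Docker daemon.
#    Docker reads /etc/docker/certs.d/<host[:port]>/*.crt as additional CA
#    roots. Install the CA certificate, not the leaf cert.crt: trusting the CA
#    keeps working when the server cert is renewed, and a CA:FALSE leaf is not
#    a proper trust anchor even where a verifier happens to accept it.
#    `install` creates the directory and sets explicit modes regardless of
#    the restrictive umask above.
sudo install -d -m 755 "/etc/docker/certs.d/${registry_host}"
sudo install -m 644 ca.crt "/etc/docker/certs.d/${registry_host}/ca.crt"

# 6. Log in to *this* registry. A bare `docker login` targets Docker Hub and
#    never exercises the certificate just installed.
docker login "${registry_host}"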