mac2000/create-docker-tls.sh

## create-docker-tls.sh
#!/bin/bash

# At the end you will have 6 files:
# ca/ca.pem - used by both client and server to verify each other certificates
# ca/ca-key.pem - keep it in secret it may be used to generate new certificates
# client/cert.pem, client/key.pem - in conjunction with /ca/ca.pem will be used by client to speak with server
# server/cert.pem, server/key.pem - in conjunction with /ca/ca.pem will be used by server
#
# NOTICE: DO NOT FORGET to set your **Server** ip and dns in server/openssl.cnf each time you generating new server certificates
#
# Original: http://tech.paulcz.net/2016/01/secure-docker-with-tls/

echo "Certificate Authority"
echo "---------------------"
echo
mkdir -p ca
openssl genrsa -out ca/ca-key.pem 2048
openssl req -x509 -new -nodes -key ca/ca-key.pem -days 3650 -out ca/ca.pem -subj '/CN=ca'


echo "Client Certificates"
echo "-------------------"
echo
mkdir -p client
cat << EOF | tee -a client/openssl.cnf
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
EOF

openssl genrsa -out client/key.pem 2048
openssl req -new -key client/key.pem -out client/cert.csr -subj '/CN=client' -config client/openssl.cnf
openssl x509 -req -in client/cert.csr -CA ca/ca.pem -CAkey ca/ca-key.pem -CAcreateserial -out client/cert.pem -days 3650 -extensions v3_req -extfile client/openssl.cnf
rm -f server/cert.csr server/openssl.cnf


echo "Server Certificates"
echo "-------------------"
echo
mkdir -p server
cat << EOF | tee -a server/openssl.cnf
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = docker.rabota.local
IP.1 = 192.168.4.21
IP.2 = 127.0.0.1
EOF

openssl genrsa -out server/key.pem 2048
openssl req -new -key server/key.pem -out server/cert.csr -subj "/CN=server" -config server/openssl.cnf
openssl x509 -req -in server/cert.csr -CA ca/ca.pem -CAkey ca/ca-key.pem -CAcreateserial -out server/cert.pem -days 3650 -extensions v3_req -extfile server/openssl.cnf
rm -f server/cert.csr server/openssl.cnf
	#!/bin/bash

	# At the end you will have 6 files:
	# ca/ca.pem - used by both client and server to verify each other certificates
	# ca/ca-key.pem - keep it in secret it may be used to generate new certificates
	# client/cert.pem, client/key.pem - in conjunction with /ca/ca.pem will be used by client to speak with server
	# server/cert.pem, server/key.pem - in conjunction with /ca/ca.pem will be used by server
	#
	# NOTICE: DO NOT FORGET to set your Server ip and dns in server/openssl.cnf each time you generating new server certificates
	#
	# Original: http://tech.paulcz.net/2016/01/secure-docker-with-tls/

	echo "Certificate Authority"
	echo "---------------------"
	echo
	mkdir -p ca
	openssl genrsa -out ca/ca-key.pem 2048
	openssl req -x509 -new -nodes -key ca/ca-key.pem -days 3650 -out ca/ca.pem -subj '/CN=ca'


	echo "Client Certificates"
	echo "-------------------"
	echo
	mkdir -p client
	cat << EOF \| tee -a client/openssl.cnf
	[req]
	req_extensions = v3_req
	distinguished_name = req_distinguished_name
	[req_distinguished_name]
	[ v3_req ]
	basicConstraints = CA:FALSE
	keyUsage = nonRepudiation, digitalSignature, keyEncipherment
	extendedKeyUsage = serverAuth, clientAuth
	EOF

	openssl genrsa -out client/key.pem 2048
	openssl req -new -key client/key.pem -out client/cert.csr -subj '/CN=client' -config client/openssl.cnf
	openssl x509 -req -in client/cert.csr -CA ca/ca.pem -CAkey ca/ca-key.pem -CAcreateserial -out client/cert.pem -days 3650 -extensions v3_req -extfile client/openssl.cnf
	rm -f server/cert.csr server/openssl.cnf


	echo "Server Certificates"
	echo "-------------------"
	echo
	mkdir -p server
	cat << EOF \| tee -a server/openssl.cnf
	[req]
	req_extensions = v3_req
	distinguished_name = req_distinguished_name
	[req_distinguished_name]
	[ v3_req ]
	basicConstraints = CA:FALSE
	keyUsage = nonRepudiation, digitalSignature, keyEncipherment
	extendedKeyUsage = serverAuth, clientAuth
	subjectAltName = @alt_names

	[alt_names]
	DNS.1 = docker.rabota.local
	IP.1 = 192.168.4.21
	IP.2 = 127.0.0.1
	EOF

	openssl genrsa -out server/key.pem 2048
	openssl req -new -key server/key.pem -out server/cert.csr -subj "/CN=server" -config server/openssl.cnf
	openssl x509 -req -in server/cert.csr -CA ca/ca.pem -CAkey ca/ca-key.pem -CAcreateserial -out server/cert.pem -days 3650 -extensions v3_req -extfile server/openssl.cnf
	rm -f server/cert.csr server/openssl.cnf