Creating and setting up Docker for TLS
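#!/bin/bash
# Generate a private CA plus a client and a server certificate for a
# TLS-protected Docker daemon. At the end you will have 6 files:
#   ca/ca.pem        - trusted by both client and server to verify each other's certificates
#   ca/ca-key.pem    - keep it secret; it can be used to issue new certificates
#   client/cert.pem, client/key.pem - together with ca/ca.pem, used by the client to talk to the server
#   server/cert.pem, server/key.pem - together with ca/ca.pem, used by the server
#
# The server certificate is only valid for the names in its subjectAltName.
# Set them via the environment before running (defaults keep the original
# values); the generated server/openssl.cnf is removed afterwards, so edit
# the variables, not that file:
#   SERVER_DNS=<your-host> SERVER_IP=<your-ip> ./this-script.sh
#
# Original: http://tech.paulcz.net/2016/01/secure-docker-with-tls/
set -euo pipefail

# Parameters, overridable from the environment; defaults match the original script.
readonly KEY_BITS="${KEY_BITS:-2048}"
readonly DAYS="${DAYS:-3650}"
readonly SERVER_DNS="${SERVER_DNS:-docker.rabota.local}"
readonly SERVER_IP="${SERVER_IP:-192.168.4.21}"

#######################################
# Print a section heading underlined with dashes.
# Arguments: $1 - heading text
# Outputs:   heading, underline and a blank line on stdout
#######################################
heading() {
  printf '%s\n' "$1"
  printf '%s\n' "$1" | tr -c '\n' '-'
  echo
}

#######################################
# Generate an RSA private key readable only by its owner.
# Globals:   KEY_BITS (read)
# Arguments: $1 - output path
#######################################
gen_key() {
  # umask in a subshell: only the key file gets the restrictive mode, the
  # certificates written later stay readable for whoever needs to install them.
  ( umask 077 && openssl genrsa -out "$1" "$KEY_BITS" )
}

#######################################
# Write the request/extension config for a leaf certificate.
# Globals:   SERVER_DNS, SERVER_IP (read when $3 is set)
# Arguments: $1 - output path
#            $2 - extendedKeyUsage value
#            $3 - optional; when non-empty, add a subjectAltName section
#                 listing SERVER_DNS, SERVER_IP and 127.0.0.1
#######################################
write_cnf() {
  local out=$1 eku=$2 with_san=${3:-}
  # Plain redirection (not tee -a): re-running the script must not append a
  # second copy of every section to an existing config.
  {
    cat <<EOF
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = ${eku}
EOF
    if [[ -n "$with_san" ]]; then
      cat <<EOF
subjectAltName = @alt_names
[alt_names]
DNS.1 = ${SERVER_DNS}
IP.1 = ${SERVER_IP}
IP.2 = 127.0.0.1
EOF
    fi
  } > "$out"
}

#######################################
# Issue a CA-signed leaf certificate into an existing directory.
# Globals:   DAYS (read)
# Arguments: $1 - directory (client|server), must already hold openssl.cnf
#            $2 - subject CN
# Outputs:   $1/key.pem and $1/cert.pem; the CSR and config are removed
#######################################
issue_cert() {
  local dir=$1 cn=$2
  gen_key "$dir/key.pem"
  # -sha256 explicitly: older OpenSSL releases default to SHA-1 otherwise.
  openssl req -new -sha256 -key "$dir/key.pem" -out "$dir/cert.csr" \
    -subj "/CN=${cn}" -config "$dir/openssl.cnf"
  openssl x509 -req -sha256 -in "$dir/cert.csr" \
    -CA ca/ca.pem -CAkey ca/ca-key.pem -CAcreateserial \
    -out "$dir/cert.pem" -days "$DAYS" \
    -extensions v3_req -extfile "$dir/openssl.cnf"
  # Only needed during issuance (the original removed the *server* files from
  # the client step, leaving client/cert.csr and client/openssl.cnf behind).
  rm -f -- "$dir/cert.csr" "$dir/openssl.cnf"
}

main() {
  heading "Certificate Authority"
  mkdir -p ca
  gen_key ca/ca-key.pem
  # -nodes: the CA key is stored unencrypted, so its 0600 mode is the only
  # thing protecting it; keep ca/ directory off shared machines.
  openssl req -x509 -new -sha256 -nodes -key ca/ca-key.pem \
    -days "$DAYS" -out ca/ca.pem -subj '/CN=ca'

  heading "Client Certificates"
  mkdir -p client
  # clientAuth only: a client certificate should not also be able to present
  # itself as a server to other holders of ca.pem.
  write_cnf client/openssl.cnf "clientAuth"
  issue_cert client client

  heading "Server Certificates"
  mkdir -p server
  # The daemon keeps clientAuth as in the original, for daemon-to-daemon use.
  write_cnf server/openssl.cnf "serverAuth, clientAuth" san
  issue_cert server server
}

main "$@"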
@mac2000 mac2000 commented Feb 24, 2016

modified just to generate wildcard certs without doing anything to docker

@mac2000 mac2000 commented Feb 24, 2016

move to sha
