Generate trusted CA certificates for running Docker with HTTPS
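#!/bin/bash
#
# Generates client and server certificates used to enable HTTPS
# remote authentication to a Docker daemon.
#
# See http://docs.docker.com/articles/https/
#
# Files written to the current directory:
#   ca.pem            CA certificate (hand this to clients)
#   server-cert.pem   server certificate      server-key.pem  server private key
#   cert.pem          client certificate      key.pem         client private key
#
# Optional environment overrides:
#   DAYS         validity of every certificate, in days (default 1460)
#   SERVER_HOST  DNS name placed in the server certificate's subjectAltName
#                (default localhost)
#   SERVER_IP    IP address placed in the server certificate's subjectAltName
#                (default 127.0.0.1)
#
# To start the Docker Daemon:
#
# sudo docker -d \
# --tlsverify \
# --tlscacert=ca.pem \
# --tlscert=server-cert.pem \
# --tlskey=server-key.pem \
# -H=0.0.0.0:2376
#
# To connect to the Docker Daemon:
#
# sudo docker \
# --tlsverify \
# --tlscacert=ca.pem \
# --tlscert=cert.pem \
# --tlskey=key.pem \
# -H=localhost:2376 version
#
# IMPORTANT: --tlsverify only succeeds when the name or IP you connect to
# is listed in the server certificate's subjectAltName (SERVER_HOST /
# SERVER_IP above); for any other address substitute --tlsverify with --tls.
# The CA private key is deleted at the end of the run, so further
# certificates cannot be issued for this CA later: re-run the script to
# regenerate the whole set.
set -euo pipefail

DAYS=${DAYS:-1460}
SERVER_HOST=${SERVER_HOST:-localhost}
SERVER_IP=${SERVER_IP:-127.0.0.1}

# Transient passphrase protecting the keys while they sit on disk; it is
# stripped from the server and client keys at the end. It is passed to
# openssl through the environment (env:PASS) instead of argv so that it
# never appears in `ps` output or in the xtrace enabled below.
PASS=$(openssl rand -hex 16)
export PASS

# Trace commands only from here on, so the assignment above (which would
# echo the passphrase value) is not traced.
set -x

# remove artifacts of a previous execution. Only the files this script
# itself creates are removed, so unrelated *.pem files in the working
# directory are left untouched.
rm -f -- ca.pem ca-key.pem ca.srl \
  server-key.pem server.csr server-cert.pem server-extfile.cnf \
  key.pem client.csr cert.pem extfile.cnf

# generate CA private and public keys
echo 01 > ca.srl
openssl genrsa -aes256 -out ca-key.pem -passout env:PASS 2048
openssl req -subj '/CN=*/' -new -x509 -days "$DAYS" -passin env:PASS -key ca-key.pem -out ca.pem

# create a server key and certificate signing request (CSR)
openssl genrsa -aes256 -out server-key.pem -passout env:PASS 2048
openssl req -new -key server-key.pem -out server.csr -passin env:PASS -subj '/CN=*/'

# sign the server key with our CA. Recent TLS clients (Go 1.15+, hence
# recent docker CLIs) ignore the CN and only match the host name / IP
# against subjectAltName, so the SAN is written via an extensions file.
printf 'subjectAltName = DNS:%s,IP:%s\nextendedKeyUsage = serverAuth\n' \
  "$SERVER_HOST" "$SERVER_IP" > server-extfile.cnf
openssl x509 -req -days "$DAYS" -passin env:PASS -in server.csr -CA ca.pem -CAkey ca-key.pem -out server-cert.pem -extfile server-extfile.cnf

# create a client key and certificate signing request (CSR)
openssl genrsa -aes256 -out key.pem -passout env:PASS 2048
openssl req -subj '/CN=client' -new -key key.pem -out client.csr -passin env:PASS

# create an extensions config file and sign
echo 'extendedKeyUsage = clientAuth' > extfile.cnf
openssl x509 -req -days "$DAYS" -passin env:PASS -in client.csr -CA ca.pem -CAkey ca-key.pem -out cert.pem -extfile extfile.cnf

# remove the passphrase from the client and server key
openssl rsa -in server-key.pem -out server-key.pem -passin env:PASS
openssl rsa -in key.pem -out key.pem -passin env:PASS

# the now-unencrypted private keys must be readable by their owner only;
# the certificates are public and may be world-readable.
chmod 0400 server-key.pem key.pem
chmod 0444 ca.pem server-cert.pem cert.pem

# remove generated files that are no longer required (the CA key included)
rm -f -- ca-key.pem ca.srl client.csr extfile.cnf server.csr server-extfile.cnf
exit 0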