@mateothegreat
Last active April 9, 2018 22:32
Secure Docker Daemon with TLS
# 1. Create the CA: a 4096-bit key and a self-signed CA certificate (no passphrase because of -nodes)
openssl genrsa -out ca-key.pem 4096
openssl req -x509 -new -nodes -key ca-key.pem -days 10000 -out ca.pem -subj '/CN=docker-CA'
# 2. Create the key and a CSR that requests the v3_req extensions (SANs, key usage) from openssl.cnf
openssl genrsa -out key.pem 4096
openssl req -new -key key.pem -out cert.csr -subj '/CN=docker-client' -config openssl.cnf
# 3. Sign the CSR with the CA; -extensions/-extfile copy the v3_req section into the issued certificate
openssl x509 -req -in cert.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out cert.pem -days 365 -extensions v3_req -extfile openssl.cnf

# openssl.cnf
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# one certificate serves both as the daemon's server cert and as a client cert
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @alt_names
[alt_names]
# every name or IP a client will use to reach the daemon must be listed here
DNS.1 = docker.local
IP.1 = 172.17.8.101
IP.2 = 127.0.0.1
# /etc/systemd/system/docker.service.d/docker-external.conf
# (run `systemctl daemon-reload` and restart docker after saving)
[Service]
# the empty ExecStart= clears the ExecStart inherited from the packaged unit
ExecStart=
# --tlsverify: only clients presenting a certificate signed by ca.pem may use the TCP endpoint
ExecStart=/usr/bin/dockerd --tlsverify --tlscacert=/etc/docker/ca.pem --tlscert=/etc/docker/cert.pem --tlskey=/etc/docker/key.pem -H tcp://0.0.0.0:2376 -H unix:///var/run/docker.sock
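A check worth running before pointing dockerd at these files, added here as an example and not part of the original gist: it rebuilds the CA and leaf certificate in a temporary directory with the same openssl.cnf, then verifies that cert.pem chains to ca.pem, carries every SAN a client will connect to, and has both serverAuth and clientAuth. It assumes `openssl` is on PATH; the work directory, the 2048-bit key size (chosen only to keep the example fast) and the helper names are constructed for the example.

```shell
#!/bin/sh
# Added example: regenerate the gist's CA and certificate in a scratch dir
# and verify the properties a TLS-protected dockerd depends on.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # constructed scratch directory

# Write the gist's openssl.cnf into the work dir.
write_config() {
  cat > "$WORK/openssl.cnf" <<'EOF'
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = docker.local
IP.1 = 172.17.8.101
IP.2 = 127.0.0.1
EOF
}

# Same command sequence as the gist, with 2048-bit keys for speed.
make_certs() {
  write_config
  (
    cd "$WORK"
    openssl genrsa -out ca-key.pem 2048 2>/dev/null
    openssl req -x509 -new -nodes -key ca-key.pem -days 10000 \
      -out ca.pem -subj '/CN=docker-CA' 2>/dev/null
    openssl genrsa -out key.pem 2048 2>/dev/null
    openssl req -new -key key.pem -out cert.csr -subj '/CN=docker-client' \
      -config openssl.cnf 2>/dev/null
    openssl x509 -req -in cert.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial \
      -out cert.pem -days 365 -extensions v3_req -extfile openssl.cnf 2>/dev/null
  )
}

# Succeeds only if cert.pem validates against ca.pem (what --tlsverify relies on).
check_chain() {
  openssl verify -CAfile "$WORK/ca.pem" "$WORK/cert.pem" >/dev/null 2>&1
}

# Human-readable dump of the leaf certificate; the checks below grep it.
cert_text() {
  openssl x509 -in "$WORK/cert.pem" -noout -text 2>/dev/null
}

# Succeeds if the SAN entry is present, e.g. "DNS:docker.local" or
# "IP Address:127.0.0.1". A client that connects via a name or IP that is
# not listed fails hostname verification even though the chain is valid.
has_san() {
  cert_text | grep -q "$1"
}

# Succeeds if extendedKeyUsage contains the purpose as openssl prints it:
# "TLS Web Server Authentication" or "TLS Web Client Authentication".
has_eku() {
  cert_text | grep -q "$1"
}

make_certs
check_chain && echo "chain: cert.pem is signed by ca.pem"
has_san "DNS:docker.local" && echo "SAN: docker.local present"
has_san "IP Address:172.17.8.101" && echo "SAN: 172.17.8.101 present"
has_san "IP Address:127.0.0.1" && echo "SAN: 127.0.0.1 present"
has_eku "TLS Web Server Authentication" && echo "EKU: serverAuth present"
has_eku "TLS Web Client Authentication" && echo "EKU: clientAuth present"
```

Run it as `sh check-docker-tls.sh`; if any line is missing from the output, the certificate will be rejected either by dockerd (chain) or by the client connecting to that address (SAN). The same `openssl verify` and `openssl x509 -text` commands can be run against the real /etc/docker/*.pem files.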