Bash script to create certificates for securing and authenticating Docker on a remote machine with TLS.
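#!/usr/bin/env bash
#
# Create a TLS server certificate for a remote Docker daemon and a client
# certificate for the Docker CLI, both signed by an existing CA; then
# optionally install the client pair locally and copy the server pair to
# the remote host.
#
# Expected in the current directory:
#   ca.pem       the CA certificate
#   ca-key.pem   the CA private key (password protected)
#   certs/       output directory (created if missing)
#
# The CA password is handed to openssl through the environment
# (-passin env:CA_PASS) instead of on the command line, so it does not
# show up in `ps` output or shell history.
set -euo pipefail

readonly CERT_DIR="./certs"
readonly CA_CERT="ca.pem"
readonly CA_KEY="ca-key.pem"
readonly KEY_BITS=4096
readonly DAYS_PER_YEAR=365

#######################################
# Print a message to stderr and exit with status 1.
# Arguments: $* - message
#######################################
die() {
  printf 'error: %s\n' "$*" >&2
  exit 1
}

#######################################
# Prompt the user and print the reply, or the default when the reply is empty.
# Arguments: $1 - prompt text, $2 - default value
# Outputs:   the chosen value on stdout (the prompt itself goes to stderr)
#######################################
ask() {
  local prompt=$1 default=$2 reply
  read -r -p "$prompt [$default] >" reply
  printf '%s' "${reply:-$default}"
}

#######################################
# Yes/no prompt. An empty reply takes the default, so a "[no]" prompt
# really defaults to no; only an explicit n/no (any case) returns 1.
# Arguments: $1 - prompt text, $2 - default ("yes" or "no")
# Returns:   0 to proceed, 1 to skip
#######################################
confirm() {
  local reply
  reply=$(ask "$1" "$2")
  case "$reply" in
    [Nn]|[Nn][Oo]) return 1 ;;
    *) return 0 ;;
  esac
}

#######################################
# Sign a CSR with the CA, applying the given x509 extension file.
# Globals:   days, ca_pass (read; set by main)
# Arguments: $1 - CSR path, $2 - output certificate path, $3 - extension file
#######################################
sign_csr() {
  local csr=$1 out=$2 extfile=$3
  # The password reaches openssl only through this command's environment.
  CA_PASS="$ca_pass" openssl x509 -req -days "$days" -sha256 \
    -in "$csr" -CA "$CA_CERT" -CAkey "$CA_KEY" -CAcreateserial \
    -out "$out" -extfile "$extfile" -passin env:CA_PASS
}

main() {
  local domain ip_address years days printip writeip client_name ca_pass
  local server_key server_cert client_key client_cert f

  command -v openssl >/dev/null || die "openssl not found in PATH"
  [[ -f $CA_CERT && -f $CA_KEY ]] \
    || die "$CA_CERT and $CA_KEY must be in the current directory"
  mkdir -p -- "$CERT_DIR"

  domain=$(ask "Enter the domain for your server certificate:" "sebfia.net")
  client_name=${domain//./_}

  ip_address=$(ask "Enter a forward facing ip-address besides loopback or leave empty:" "")
  printip="127.0.0.1"
  writeip="IP:127.0.0.1"
  if [[ -n $ip_address ]]; then
    printip="127.0.0.1 and $ip_address"
    writeip="IP:127.0.0.1,IP:$ip_address"
  fi

  years=$(ask "Enter the number of years your certificates should be valid for:" "1")
  [[ $years =~ ^[1-9][0-9]*$ ]] || die "years must be a positive integer, got '$years'"
  days=$(( DAYS_PER_YEAR * years ))

  read -r -s -p "Enter the password for your Certificate Authority: " ca_pass
  printf '\n'

  # User-supplied values go through %s, never into the format string.
  printf "Creating certificates for '%s' and ip-address(es): %s with a validity of %s days.\n" \
    "$domain" "$printip" "$days"
  if ! confirm "Continue (yes|no)?" "yes"; then
    printf 'No certificates created.\n'
    exit 0
  fi

  server_key="$CERT_DIR/server-key.pem"
  server_cert="$CERT_DIR/server-cert.pem"
  client_key="$CERT_DIR/$client_name-key.pem"
  client_cert="$CERT_DIR/$client_name-cert.pem"
  # Existing keys are 0400 and would make genrsa fail halfway; refuse up front
  # rather than clobber a key that may already be deployed.
  for f in "$server_key" "$server_cert" "$client_key" "$client_cert"; do
    if [[ -e $f ]]; then
      die "$f already exists; move or remove it before generating a new one"
    fi
  done

  # Private keys must never be world-readable, not even between genrsa and
  # the chmod further down.
  umask 077

  # Server certificate: CN is the domain, SANs cover loopback plus the
  # optional public address.
  openssl genrsa -out "$server_key" "$KEY_BITS"
  openssl req -subj "/CN=$domain" -sha256 -new -key "$server_key" -out "$CERT_DIR/server.csr"
  printf 'subjectAltName = %s\n' "$writeip" > "$CERT_DIR/extfile.cnf"
  sign_csr "$CERT_DIR/server.csr" "$server_cert" "$CERT_DIR/extfile.cnf"
  printf 'Server certificate has been generated. Creating client certificate...\n'

  # Client certificate: limited to clientAuth so it cannot be presented as a
  # server certificate.
  openssl genrsa -out "$client_key" "$KEY_BITS"
  openssl req -subj '/CN=client' -sha256 -new -key "$client_key" -out "$CERT_DIR/client.csr"
  printf 'extendedKeyUsage = clientAuth\n' > "$CERT_DIR/extfile.cnf"
  sign_csr "$CERT_DIR/client.csr" "$client_cert" "$CERT_DIR/extfile.cnf"

  # Clean up intermediates and lock down permissions.
  rm -v -- "$CERT_DIR/client.csr" "$CERT_DIR/server.csr" "$CERT_DIR/extfile.cnf"
  chmod -v 0400 -- "$client_key" "$server_key"
  chmod -v 0444 -- "$client_cert" "$server_cert"
  printf 'Done creating certificates!\n'

  if confirm "Would you like to move the authentication certificate to your local .docker directory (yes|no)?" "no"; then
    mkdir -p -- "$HOME/.docker"
    mv -v -- "$client_key" "$client_cert" "$HOME/.docker/"
    printf 'Client certificates have been moved.\n'
  fi

  if confirm "Would you like to transfer your server certificates to a remote machine (yes|no)?" "no"; then
    local host user dest_dir
    host=$(ask "Enter the address of your remote machine (can be IP or domain):" "192.168.1.10")
    user=$(ask "Enter the user on your remote machine (you will need the user's password or ssh-key):" "root")
    # The default is a shared directory; the server key should be moved to a
    # root-only location on the remote side once copied.
    dest_dir=$(ask "Enter the directory on your remote machine where you would like to put the certificates:" "/tmp/")
    scp -v "$CA_CERT" "$server_key" "$server_cert" "${user}@${host}:${dest_dir}"
    # Only the server pair is removed here; the client pair stays unless it
    # was moved to ~/.docker above.
    if confirm "Done copying! Remove server certs?:" "yes"; then
      rm -v -- "$server_key" "$server_cert"
    fi
  fi

  printf "OK, we're done. Don't forget to change the DOCKER_OPTS on your remote machine's /etc/default/docker file!\n"
}

main "$@"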