Bash script that uses an existing local CA to issue the TLS server certificate and client certificate needed to secure and authenticate a Docker daemon on a remote machine.
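#!/usr/bin/env bash
# Interactive helper that issues a TLS server certificate and a TLS client
# certificate for a remote Docker daemon, both signed by an existing local CA.
#
# Prerequisites (in the working directory):
#   ca.pem      - the CA certificate
#   ca-key.pem  - the CA private key (may be passphrase protected)
#
# Outputs (in ./certs/):
#   server-key.pem, server-cert.pem                    - for the daemon host
#   <domain with '.'->'_'>-key.pem / -cert.pem         - client credentials
#
# Security notes:
#   - private keys are generated under umask 077, so they are never
#     world-readable, not even in the window before the explicit chmod
#   - the CA passphrase is handed to openssl through the environment
#     (-passin env:), never on the command line where `ps` could show it
#   - the server SAN carries DNS:<domain> as well as the IPs; modern TLS
#     clients (Go >= 1.15, hence recent Docker) ignore the CN entirely
set -euo pipefail

die() { printf '%s\n' "$*" >&2; exit 1; }

# Refuse to start without the CA material; openssl would otherwise fail
# halfway through with a half-written ./certs directory.
[[ -f ca.pem && -f ca-key.pem ]] || die "ca.pem and ca-key.pem must exist in $(pwd)"
umask 077
mkdir -p ./certs

domain="sebfia.net"
ipAddress=""
years=1
days=365
printip="127.0.0.1"
writeip="IP:127.0.0.1"
ca_pass=""

read -r -p "Enter the domain for your server certificate: [$domain] >" response
if [[ -n "$response" ]]; then
  domain=$response
fi
# Client files are named after the domain; dots are replaced for readability.
clientName=${domain//./_}

read -r -p "Enter a forward facing ip-address besides loopback or leave empty: [$ipAddress] >" response
if [[ -n "$response" ]]; then
  ipAddress=$response
  printip="127.0.0.1 and $ipAddress"
  writeip="IP:127.0.0.1,IP:$ipAddress"
fi

read -r -p "Enter the number of years your certificates should be valid for: [$years] >" response
if [[ -n "$response" ]]; then
  # Guard the arithmetic: a non-numeric answer would otherwise be evaluated
  # as a shell expression.
  [[ "$response" =~ ^[0-9]+$ ]] || die "years must be a positive integer"
  years=$response
  days=$(( days * years ))
fi

read -r -s -p "Enter the password for your Certificate Authority: " ca_pass
printf '\n'
response="yes"
printf "Creating certificates for '%s' and ip-address(es): %s with a validity of %s days.\n" "$domain" "$printip" "$days"
read -r -p "Continue (yes|no)? [$response]" response
if [[ "$response" != "no" ]]; then
  # --- server certificate ---------------------------------------------------
  openssl genrsa -out ./certs/server-key.pem 4096
  openssl req -subj "/CN=$domain" -sha256 -new -key ./certs/server-key.pem -out ./certs/server.csr
  # DNS name + IPs in the SAN; serverAuth EKU as required by current Docker docs.
  printf 'subjectAltName = DNS:%s,%s\nextendedKeyUsage = serverAuth\n' "$domain" "$writeip" > ./certs/extfile.cnf
  CA_PASS="$ca_pass" openssl x509 -req -days "$days" -sha256 -in ./certs/server.csr \
    -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out ./certs/server-cert.pem \
    -extfile ./certs/extfile.cnf -passin env:CA_PASS
  printf "Server certificate has been generated. Creating client certificate..."

  # --- client certificate ---------------------------------------------------
  openssl genrsa -out "./certs/$clientName-key.pem" 4096
  openssl req -subj '/CN=client' -sha256 -new -key "./certs/$clientName-key.pem" -out ./certs/client.csr
  printf 'extendedKeyUsage = clientAuth\n' > ./certs/extfile.cnf
  CA_PASS="$ca_pass" openssl x509 -req -days "$days" -sha256 -in ./certs/client.csr \
    -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out "./certs/$clientName-cert.pem" \
    -extfile ./certs/extfile.cnf -passin env:CA_PASS

  # --- clean up -------------------------------------------------------------
  rm -v ./certs/client.csr ./certs/server.csr ./certs/extfile.cnf
  chmod -v 0400 "./certs/$clientName-key.pem" ./certs/server-key.pem
  chmod -v 0444 ./certs/server-cert.pem "./certs/$clientName-cert.pem"
  response="no"
  printf "Done creating certificates!\n"

  read -r -p "Would you like to move the authentication certificate to your local .docker directory (yes|no)? [$response] >" response
  if [[ "$response" != "no" ]]; then
    mkdir -p ~/.docker
    # NOTE: the docker CLI with --tlsverify looks for ~/.docker/{ca,cert,key}.pem;
    # the moved files keep their <domain>-prefixed names and ca.pem is not copied,
    # so rename/copy by hand or point DOCKER_CERT_PATH elsewhere.
    mv -v "./certs/$clientName-key.pem" "./certs/$clientName-cert.pem" ~/.docker/
    printf "Client certificates have been moved.\n"
  fi

  response="no"
  read -r -p "Would you like to transfer your server certificates to a remote machine (yes|no)? [$response] >" response
  if [[ "$response" != "no" ]]; then
    remoteHost="192.168.1.10"
    read -r -p "Enter the address of your remote machine (can be IP or domain): [$remoteHost] >" response
    if [[ -n "$response" ]]; then
      remoteHost=$response
    fi
    user="root"
    read -r -p "Enter the user on your remote machine (you will need the user's password or ssh-key): [$user] >" response
    if [[ -n "$response" ]]; then
      user=$response
    fi
    destDir="/tmp/"
    read -r -p "Enter the directory on your remote machine where you would like to put the certificates: [$destDir] >" response
    if [[ -n "$response" ]]; then
      destDir=$response
    fi
    # The server private key travels over scp; /tmp is the default only for
    # convenience — move it to a root-owned directory on the daemon host.
    scp -v ca.pem ./certs/server-key.pem ./certs/server-cert.pem "$user@$remoteHost:$destDir"
    response="yes"
    read -r -p "Done copying! Remove server certs?: [$response] >" response
    if [[ "$response" != "no" ]]; then
      # Only the server material is removed; the client key/cert may still be
      # in ./certs if the user declined the move above.
      rm -v ./certs/server-key.pem ./certs/server-cert.pem
    fi
  fi
fi
printf "OK, we're done. Don't forget to change the DOCKER_OPTS on your remote machine's /etc/default/docker file!\n"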