Generate self-signed SSL certs for docker client <— HTTPS (verified!)—> daemon
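#! /bin/bash
# Generate a private CA plus a server and a client certificate for running the
# Docker daemon with --tlsverify. Everything is written to the current directory.
#
# Usage: ./gen-docker-certs.sh [HOSTNAME]
#   HOSTNAME  DNS name the daemon will be reached at; it goes into the server
#             certificate's subjectAltName (default: localhost). Hostname
#             verification in modern TLS clients is done against the SAN, not
#             the CN, so a wrong value here makes "verified" connections fail.
#   DAYS      environment variable: validity of every certificate, in days
#             (default: 365).
#   KEY_BITS  environment variable: RSA key size in bits (default: 4096).
set -euo pipefail

host=${1:-localhost}
days=${DAYS:-365}
key_bits=${KEY_BITS:-4096}

# Private keys are written below; make sure nothing in this run is created
# world-readable. Public certificates are relaxed again at the end.
umask 077

# Serial number file consumed by the `openssl x509 -CA` signing steps below.
echo 01 > ca.srl

openssl genrsa -out ca-key.pem "$key_bits"

# Unquoted heredoc on purpose: $host is substituted into the SAN entry.
cat << CNF > ca.cnf
req_extensions = v3_req
[ req ]
distinguished_name = req_distinguished_name
x509_extensions = v3_ca
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = US
countryName_min = 2
countryName_max = 2
localityName = Locality Name (eg, city)
localityName_default = Palo Alto
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = ACME Inc.
commonName = Common Name (eg, YOUR name)
commonName_max = 64
commonName_default = *
emailAddress = Email Address
emailAddress_max = 40
emailAddress_default = no-reply.self-signed@localhost
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName=critical,email:no-reply.self-signed@localhost,DNS:$host
[dir_sect]
C=US
O=My Example Organization
OU=My Example Unit
CN=My Example Name
CNF

# Self-signed CA. The v3_ca section marks it as a CA (basicConstraints),
# which strict validators expect on a trust anchor.
openssl req -new -x509 -days "$days" -batch -subject -key ca-key.pem \
  -config ca.cnf -extensions v3_ca -out ca.pem

# Server key and CSR.
openssl genrsa -out server-key.pem "$key_bits"
openssl req -new -batch -config ca.cnf -key server-key.pem -out server.csr
# `x509 -req` does not carry extensions over from the CSR; without -extfile
# the issued certificate would have no subjectAltName and clients that verify
# the hostname against the SAN would reject it.
openssl x509 -req -days "$days" -in server.csr -CA ca.pem -CAkey ca-key.pem \
  -extfile ca.cnf -extensions v3_req -out server-cert.pem

# Client key and CSR. A fixed subject keeps the client DN distinct from the
# CA's and avoids depending on the system openssl.cnf defaults.
openssl genrsa -out client-key.pem "$key_bits"
openssl req -new -batch -subj '/CN=docker-client' -key client-key.pem -out client.csr
# Restrict the client certificate to client authentication only.
printf '%s\n' 'extendedKeyUsage = clientAuth' > extfile.cnf
openssl x509 -req -days "$days" -in client.csr -CA ca.pem -CAkey ca-key.pem \
  -out client-cert.pem -extfile extfile.cnf

# genrsa already writes unencrypted keys, so no re-export step is needed.
# Certificates are public; the private keys keep the 0600 mode from umask.
chmod 644 ca.pem server-cert.pem client-cert.pem

# server
# [sudo] docker -d --tlsverify --tlscacert=ca.pem --tlscert=server-cert.pem --tlskey=server-key.pem -H=:4243
# client
# docker --tlsverify --tlscacert=ca.pem --tlscert=client-cert.pem --tlskey=client-key.pem -H={{dns-name-of-docker-host}}:4243
# Note: newer Docker releases ship the daemon as `dockerd` and conventionally
# use port 2376 for the TLS endpoint; the commands above reflect the older CLI.
# Pass the same {{dns-name-of-docker-host}} as HOSTNAME to this script so the
# server certificate's SAN matches what the client connects to.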