some shell script
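#!/bin/bash
#
# Generates client and server certificates used to enable HTTPS
# remote authentication to a Docker daemon.
#
# Artefacts left in the current directory:
#   ca.pem          - self-signed CA certificate (distribute to clients)
#   server-cert.pem - server certificate signed by the CA, SANs HOST1/HOST2
#   server-key.pem  - server private key (unencrypted)
#   cert.pem        - client certificate signed by the CA
#   key.pem         - client private key (unencrypted)
#
# The CA private key (ca-key.pem) is deleted at the end, so no further
# certificates can be issued by this CA; re-running the script starts over
# with a brand-new CA and invalidates everything issued before.
#
# Environment overrides: DAYS (certificate validity in days) and
# OPENSSL_CONFIG (base openssl.cnf the SAN section is appended to; the
# default path is distribution specific).
#
set -euo pipefail

readonly DAYS="${DAYS:-3650}"
readonly HOST1='*.ourwill.cn'
readonly HOST2='*.suconghou.cn'
readonly ROOTHOST=suconghou.cn
readonly ORG=ourwill
readonly COMP=will
readonly NAME=will
readonly OPENSSL_CONFIG="${OPENSSL_CONFIG:-/etc/ssl/openssl.cnf}"

# Throw-away passphrase protecting ca-key.pem while it exists. It is handed
# to openssl via "env:PASS" instead of "pass:<value>" so the secret never
# appears on a command line, where `ps` and the `set -x` trace would show it.
PASS=$(openssl rand -hex 16)
export PASS

# Tracing is switched on only after the passphrase has been generated so the
# trace never prints its value.
set -x

# Extension snippet shared by the CSR (-config) and the signing step
# (-extfile). The leading newline guards against a base config that does not
# end with a newline, which would otherwise glue "[SAN]" onto its last line.
san_ext=$(mktemp)
cleanup() { rm -f -- "$san_ext"; }
trap cleanup EXIT
printf '\n[SAN]\nsubjectAltName=DNS:%s,DNS:%s\n' "$HOST1" "$HOST2" > "$san_ext"

# Remove artefacts from a previous execution (globs intentionally unquoted).
rm -f -- *.pem *.srl *.csr *.cnf

# --- CA: encrypted private key and self-signed root certificate ---
openssl genrsa -aes256 -out ca-key.pem -passout env:PASS 4096
openssl req -subj "/CN=$ROOTHOST/" -new -x509 -days "$DAYS" \
  -passin env:PASS -key ca-key.pem -out ca.pem

# --- Server: key, CSR carrying the SAN list, certificate signed by the CA ---
# No cipher option is given to genrsa, so this key is written unencrypted;
# -passout is therefore a no-op here and is kept only for parity with the CA
# key command.
openssl genrsa -out server-key.pem -passout env:PASS 4096
openssl req -new -sha256 -key server-key.pem -out server.csr -passin env:PASS \
  -reqexts SAN -config <(cat "$OPENSSL_CONFIG" "$san_ext") \
  -subj "/C=CN/OU=$ORG/O=$COMP/CN=$NAME"
# -sha256 is stated explicitly (as it already was for the client certificate)
# so the signature digest does not depend on the local openssl default.
openssl x509 -req -days "$DAYS" -sha256 -passin env:PASS -in server.csr \
  -CA ca.pem -CAkey ca-key.pem -CAcreateserial \
  -extensions SAN -extfile "$san_ext" -out server-cert.pem

# Print the server certificate for inspection (SANs, validity, issuer).
openssl x509 -noout -text -in server-cert.pem

# --- Client: key, CSR and certificate signed by the same CA ---
openssl genrsa -out key.pem -passout env:PASS 4096
openssl req -subj '/CN=client' -new -key key.pem -out client.csr -passin env:PASS
openssl x509 -req -days "$DAYS" -sha256 -passin env:PASS -in client.csr \
  -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out cert.pem

# Re-write both leaf keys without a passphrase. Because neither key was
# generated with a cipher option this is effectively a plain re-encode, but
# it guarantees the files Docker loads are never passphrase protected.
openssl rsa -in server-key.pem -out server-key.pem -passin env:PASS
openssl rsa -in key.pem -out key.pem -passin env:PASS

# Drop the CA private key, serial file and CSRs; only the certificates and
# the two leaf keys remain.
rm -f -- ca-key.pem ca.srl client.csr server.csr
exit 0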