@tuxdna
Last active March 10, 2016 15:49
Docker TLS Howto


Understanding PKI - Public Key Infrastructure

Public key and Private keys

Public key and Private key are two numbers that are mathematically related.

  • Given only a public key, it is mathematically very difficult and time consuming to obtain the corresponding private key.

Message and Digital Signature

Message = Body + Digital Signature

Digital Signature = a message digest of Body that is signed by the sender's private key

Therefore the Digital Signature can be decrypted, and so verified, with the sender's public key.
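
The relation above, worked through with OpenSSL as an added example (not part of the original gist): the sender signs the SHA-256 digest of Body, and the receiver recovers that digest from the signature using only the public key, then compares it with the digest of the Body received. The key, message text and file names are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original gist). Key, message text and file
# names are constructed for the demo.

# Sender side: sign the SHA-256 digest of BODY with the private key.
sign_body() {         # sign_body PRIVKEY BODY SIGFILE
    openssl dgst -sha256 -sign "$1" -out "$3" "$2"
}

# Receiver side: open the signature with the sender's PUBLIC key and print
# the digest stored inside it (the last 32 bytes of the recovered block).
recovered_digest() {  # recovered_digest PUBKEY SIGFILE
    openssl pkeyutl -verifyrecover -pubin -inkey "$1" -in "$2" 2>/dev/null |
        tail -c 32 | od -An -tx1 | tr -d ' \n'
}

# Digest the receiver computes over the Body it actually received.
body_digest() {       # body_digest BODY
    openssl dgst -sha256 -r "$1" | cut -d' ' -f1
}

# 0 only if the digest inside the signature equals the digest of BODY.
signature_ok() {      # signature_ok PUBKEY BODY SIGFILE
    r=$(recovered_digest "$1" "$3")
    [ -n "$r" ] && [ "$r" = "$(body_digest "$2")" ]
}

SIG_DIR=$(mktemp -d)
trap 'rm -rf "$SIG_DIR"' EXIT
openssl genrsa -out "$SIG_DIR/sender-key.pem" 2048 2>/dev/null
openssl pkey -in "$SIG_DIR/sender-key.pem" -pubout -out "$SIG_DIR/sender-pub.pem"

printf 'deploy build 42 to staging\n' > "$SIG_DIR/body.txt"
sign_body "$SIG_DIR/sender-key.pem" "$SIG_DIR/body.txt" "$SIG_DIR/body.sig"

# Same message altered in transit: the old signature no longer matches.
printf 'deploy build 43 to staging\n' > "$SIG_DIR/tampered.txt"

signature_ok "$SIG_DIR/sender-pub.pem" "$SIG_DIR/body.txt" "$SIG_DIR/body.sig" \
    && echo "original body: signature valid"
signature_ok "$SIG_DIR/sender-pub.pem" "$SIG_DIR/tampered.txt" "$SIG_DIR/body.sig" \
    || echo "tampered body: signature rejected"
```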

Organizations involved

RA - Registration Authority

RA confirms the identity of the people involved in PKI

  • it is usually driven by policies
  • performs background checks

CA - Certificate Authority

CA signs and issues certificates in PKI

  • issues certificates
  • signs all the issued public keys (using the CA's private key), which ensures that the certificate was actually issued by the CA

Some common terms used while creating certificates:

CN - Common Name

O - Organization

OU - Organizational Unit

Setting up Docker with TLS

Quick start

Generate all keys / certificates

mkdir -p /etc/docker/certs
cd /etc/docker/certs
PASSWORD=docker
echo $PASSWORD | openssl genrsa -aes256 -passout stdin -out ca-key.pem 2048
echo $PASSWORD | openssl req -new -x509 -passin stdin -days 365 -key ca-key.pem -sha256 -out ca.pem -subj "/C=/ST=/L=/O=/OU=/CN=example.com"
openssl genrsa -out server-key.pem 2048
openssl req -subj "/CN=example.com" -new -key server-key.pem -out server.csr
echo subjectAltName = IP:127.0.0.1 > ext.conf
echo $PASSWORD | openssl x509 -req -days 365 -in server.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem -passin stdin -extfile ext.conf
openssl genrsa -out key.pem 2048
openssl req -subj '/CN=client' -new -key key.pem -out client.csr
echo extendedKeyUsage = clientAuth > client.conf
echo $PASSWORD | openssl x509 -req -days 365 -in client.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out cert.pem -extfile client.conf -passin stdin

Inspect the keys / certificates

$ file *
ca-key.pem:      PEM RSA private key
ca.pem:          PEM certificate
ca.srl:          ASCII text
server-cert.pem: PEM certificate
server.csr:      PEM certificate request
server-key.pem:  PEM RSA private key
ext.conf:        ASCII text
cert.pem:        PEM certificate
client.conf:     ASCII text
client.csr:      PEM certificate request
key.pem:         PEM RSA private key

Update /etc/sysconfig/docker

OPTIONS='--selinux-enabled --log-driver=journald -H tcp://0.0.0.0:2375 --tlscacert=/etc/docker/certs/ca.pem --tlscert=/etc/docker/certs/server-cert.pem --tlskey=/etc/docker/certs/server-key.pem --tlsverify'

Restart docker daemon:

systemctl restart docker

Setup Client:

mkdir -p $HOME/.docker/
cp ca.pem key.pem cert.pem $HOME/.docker/
export DOCKER_HOST=tcp://127.0.0.1:2375
export DOCKER_CERT_PATH=$HOME/.docker/
export DOCKER_TLS_VERIFY=1

IMPORTANT STEP: Add your CA certificate to the trusted list.

# cd /etc/docker/certs/
# cp ca.pem /etc/pki/ca-trust/source/anchors/
# update-ca-trust 

Verify it:

$ openssl verify cert.pem 
cert.pem: OK
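
The check above relies on the system trust store. As an added example (not part of the original gist), the script below verifies the same kind of certificates directly against ca.pem, and also checks the things that go wrong most often: a key paired with the wrong certificate, a missing subjectAltName, and a client certificate used as a server certificate. It builds its own throwaway CA, server and client files in a temporary directory; the function names and the CA name CN=demo-ca are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original gist). Sample certificates are
# constructed in a temp dir; PASSWORD=docker is the demo passphrase.

# 0 if CERT chains to CA and is acceptable for PURPOSE (sslserver|sslclient).
verify_purpose() {    # verify_purpose CA CERT PURPOSE
    openssl verify -CAfile "$1" -purpose "$3" "$2" 2>/dev/null | grep -q ': OK$'
}

# 0 if KEY and CERT carry the same public key (catches mixed-up file pairs).
key_matches_cert() {  # key_matches_cert KEY CERT
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# 0 if the certificate's text dump contains PATTERN (a SAN or EKU value).
cert_has() {          # cert_has CERT PATTERN
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q "$2"
}

# Recreate the howto's CA, server and client files inside DIR.
# Assumption: the CA is named CN=demo-ca so that the server certificate's
# issuer differs from its subject (a leaf whose subject equals its issuer
# can be taken for self-signed by openssl verify).
make_demo_certs() {   # make_demo_certs DIR
    ( cd "$1" || exit 1
      PASSWORD=docker
      sign() {  # sign CSR OUT EXTFILE  (the CA signs a request, as on the page)
          echo "$PASSWORD" | openssl x509 -req -days 365 -in "$1" -CA ca.pem \
              -CAkey ca-key.pem -CAcreateserial -out "$2" -extfile "$3" -passin stdin
      }
      echo "$PASSWORD" | openssl genrsa -aes256 -passout stdin -out ca-key.pem 2048 &&
      echo "$PASSWORD" | openssl req -new -x509 -passin stdin -days 365 \
          -key ca-key.pem -sha256 -out ca.pem -subj "/CN=demo-ca" &&
      openssl genrsa -out server-key.pem 2048 &&
      openssl req -subj "/CN=example.com" -new -key server-key.pem -out server.csr &&
      echo "subjectAltName = IP:127.0.0.1" > ext.conf &&
      sign server.csr server-cert.pem ext.conf &&
      openssl genrsa -out key.pem 2048 &&
      openssl req -subj "/CN=client" -new -key key.pem -out client.csr &&
      echo "extendedKeyUsage = clientAuth" > client.conf &&
      sign client.csr cert.pem client.conf
    ) >/dev/null 2>&1
}

DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
make_demo_certs "$DEMO_DIR" || echo "certificate generation failed" >&2
cd "$DEMO_DIR" || exit 1

verify_purpose ca.pem server-cert.pem sslserver && echo "server cert: chains to CA"
verify_purpose ca.pem cert.pem sslclient && echo "client cert: chains to CA"
verify_purpose ca.pem cert.pem sslserver || echo "client cert: refused as a server cert"
key_matches_cert server-key.pem server-cert.pem && echo "server key matches server cert"
key_matches_cert key.pem server-cert.pem || echo "client key does not match server cert"
cert_has server-cert.pem 'IP Address:127.0.0.1' && echo "server SAN covers 127.0.0.1"
cert_has cert.pem 'TLS Web Client Authentication' && echo "client EKU is clientAuth"
```

To check real files, call the three functions on /etc/docker/certs/ca.pem, server-cert.pem, server-key.pem, cert.pem and key.pem instead of the generated ones.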

Detailed steps

Files to be generated

CA

  • ca-key.pem
  • ca.pem

Server

  • server-key.pem
  • server.csr
  • server-cert.pem

Client

  • key.pem
  • client.csr
  • cert.pem

First pick a strong random passphrase. The value below is only for the demo:

PASSWORD=docker  # in reality pick a strong random passphrase

CA setup

# Generate the CA
# generate ca-key.pem
echo $PASSWORD | openssl genrsa -aes256 -passout stdin -out ca-key.pem 2048

# generate ca.pem
echo $PASSWORD | openssl req -new -x509 -passin stdin -days 365 -key ca-key.pem -sha256 -out ca.pem -subj "/C=/ST=/L=/O=/OU=/CN=example.com"

Server side key/certificate generation:

# Generate Server Key and Sign it

# generate server-key.pem
openssl genrsa -out server-key.pem 2048

# generate server.csr
openssl req -subj "/CN=example.com" -new -key server-key.pem -out server.csr

# generate server-cert.pem
echo subjectAltName = IP:127.0.0.1 > ext.conf
echo $PASSWORD | openssl x509 -req -days 365 -in server.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem -passin stdin -extfile ext.conf

Client side key/certificate generation:

# generate key.pem
openssl genrsa -out key.pem 2048

# generate client.csr
openssl req -subj '/CN=client' -new -key key.pem -out client.csr

# generate cert.pem
echo extendedKeyUsage = clientAuth > client.conf
echo $PASSWORD | openssl x509 -req -days 365 -in client.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out cert.pem -extfile client.conf -passin stdin

Changes to be done in Docker server startup scripts. Files we would need:

  • ca.pem
  • server-key.pem
  • server-cert.pem

Update the docker config to listen on TCP as well as the unix socket. In /etc/sysconfig/docker, replace the existing OPTIONS=* line with:

OPTIONS='--selinux-enabled --log-driver=journald -H tcp://0.0.0.0:2375 --tlscacert=/etc/docker/certs/ca.pem --tlscert=/etc/docker/certs/server-cert.pem --tlskey=/etc/docker/certs/server-key.pem --tlsverify'


Changes to be done at the client side. Files we would need:

  • ca.pem
  • key.pem
  • cert.pem

$ mkdir -p $HOME/.docker/
$ cp ca.pem key.pem cert.pem $HOME/.docker/

Export environment variables:

export DOCKER_HOST=tcp://127.0.0.1:2375
export DOCKER_CERT_PATH=$HOME/.docker/
export DOCKER_TLS_VERIFY=1

That's all we need.

TIPS:

To inspect what is in a .pem file, you can use either of two ways:

Java's keytool

$ keytool -printcert -file ca.pem
Owner: CN=example.com
Issuer: CN=example.com
Serial number: c16341f752a966dd
Valid from: Thu Mar 10 14:34:57 IST 2016 until: Fri Mar 10 14:34:57 IST 2017
Certificate fingerprints:
	 MD5:  4C:B8:07:FC:00:CF:E3:EA:18:98:08:DB:47:F5:92:DD
	 SHA1: 8B:F4:3B:F1:3A:99:93:F2:51:7B:E0:B8:43:A9:A1:4A:93:5B:FB:21
	 SHA256: A2:C2:47:6F:39:62:2D:4A:7A:9D:DE:84:C4:82:D2:DF:FD:13:84:27:72:B8:F3:1E:78:26:34:9A:FA:E7:3B:33
	 Signature algorithm name: SHA256withRSA
	 Version: 3

Extensions: 

#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 83 7A 1A BF 11 96 67 1C   22 79 40 57 4D C2 B4 A8  .z....g."y@WM...
0010: D7 F1 B9 56                                        ...V
]
]

#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

#3: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 83 7A 1A BF 11 96 67 1C   22 79 40 57 4D C2 B4 A8  .z....g."y@WM...
0010: D7 F1 B9 56                                        ...V
]
]

Using openssl tool

$ openssl x509 -in ca.pem -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 13935054202514007773 (0xc16341f752a966dd)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=example.com
        Validity
            Not Before: Mar 10 09:04:57 2016 GMT
            Not After : Mar 10 09:04:57 2017 GMT
        Subject: CN=example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                83:7A:1A:BF:11:96:67:1C:22:79:40:57:4D:C2:B4:A8:D7:F1:B9:56
            X509v3 Authority Key Identifier: 
                keyid:83:7A:1A:BF:11:96:67:1C:22:79:40:57:4D:C2:B4:A8:D7:F1:B9:56

            X509v3 Basic Constraints: 
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption

RSA key

$ echo docker | openssl rsa -in ca-key.pem -text -passin stdin
Private-Key: (2048 bit)
publicExponent: 65537 (0x10001)
writing RSA key

Print Server Key

$ openssl rsa -in server-key.pem -text
Private-Key: (2048 bit)
publicExponent: 65537 (0x10001)
writing RSA key

Print Certificate Signing Request file:

$ keytool -printcertreq -file server.csr 
PKCS #10 Certificate Request (Version 1.0)
Subject: CN=example.com
Public Key: X.509 format RSA key



$ openssl req -noout -text -in  server.csr 
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: CN=example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: sha256WithRSAEncryption

