DrSnowbird · July 25, 2018 22:24
diff --git a/generate-Docker-CA-cert-server-client-cert.sh b/generate-Docker-CA-cert-server-client-cert.sh
 #!/bin/bash -x

 # ref: https://docs.docker.com/engine/security/https/

 mkdir CA-server-client-keys
 cd CA-server-client-keys/

 ## Create a CA, server and client keys with OpenSSL

 ## ----------------------------------------------------------------------------
 ## 1.) on the Docker daemon’s host machine, generate CA private and public keys
 ## ----------------------------------------------------------------------------

 openssl genrsa -aes256 -out ca-key.pem 4096

 #Generating RSA private key, 4096 bit long modulus
 #.............................................................++
 #..++
 #e is 65537 (0x10001)
 #Enter pass phrase for ca-key.pem:
 #Verifying - Enter pass phrase for ca-key.pem:

 openssl req -new -x509 -days 1095 -key ca-key.pem -sha256 -out ca.pem
 #Enter pass phrase for ca-key.pem:
 #You are about to be asked to enter information that will be incorporated
 #into your certificate request.
 #What you are about to enter is what is called a Distinguished Name or a DN.
 #There are quite a few fields but you can leave some blank
 #For some fields there will be a default value,
 #If you enter '.', the field will be left blank.
 #-----
 #Country Name (2 letter code) [XX]:US
 #State or Province Name (full name) []:State
 #Locality Name (eg, city) [Default City]:
 #Organization Name (eg, company) [Default Company Ltd]:
 #Organizational Unit Name (eg, section) []:
 #Common Name (eg, your name or your server's hostname) []:my.domain.org
 #Email Address []:

 #total 8
 #-rw-rw-r--. 1 rsheu rsheu 3326 Jul 25 17:03 ca-key.pem
 #-rw-rw-r--. 1 rsheu rsheu 2037 Jul 25 17:07 ca.pem

 ## ----------------------------------------------------------------------------
 ## 2.) Now that you have a CA, you can create a server key and certificate signing request (CSR). 
 ##     Make sure that “Common Name” matches the hostname you use to connect to Docker:
 ## ----------------------------------------------------------------------------

 openssl genrsa -out server-key.pem
 #Generating RSA private key, 2048 bit long modulus
 #....................................................................................+++
 #...................................................................................................................................................................................+++
 #e is 65537 (0x10001)


 openssl req -subj "/CN=my.domain.org" -sha256 -new -key server-key.pem -out server.csr

 #total 16
 #-rw-rw-r--. 1 rsheu rsheu 3326 Jul 25 17:03 ca-key.pem
 #-rw-rw-r--. 1 rsheu rsheu 2037 Jul 25 17:07 ca.pem
 #-rw-rw-r--. 1 rsheu rsheu  903 Jul 25 17:24 server.csr
 #-rw-rw-r--. 1 rsheu rsheu 1675 Jul 25 17:09 server-key.pem

 ## ----------------------------------------------------------------------------
 ## 3.) Next, we’re going to sign the public key with our CA
 ## ----------------------------------------------------------------------------
 # Since TLS connections can be made via IP address as well as DNS name, 
 # the IP addresses need to be specified when creating the certificate. 
 # For example, to allow connections using 10.10.10.20 and 127.0.0.1
 echo subjectAltName = DNS:my.domain.org,IP:10.84.237.61,IP:127.0.0.1 >> extfile.cnf
 cat *cnf
 #subjectAltName = DNS:my.domain.org,IP:10.84.237.61,IP:127.0.0.1

 ## ----------------------------------------------------------------------------
 ## 4.) Now, generate the signed certificate:
 ## ----------------------------------------------------------------------------
 openssl x509 -req -days 1095 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem -extfile extfile.cnf 
 #Signature ok
 #subject=/CN=my.domain.org
 #Getting CA Private Key
 #Enter pass phrase for ca-key.pem:

 #total 28
 #-rw-rw-r--. 1 rsheu rsheu 3326 Jul 25 17:03 ca-key.pem
 #-rw-rw-r--. 1 rsheu rsheu 2037 Jul 25 17:07 ca.pem
 #-rw-rw-r--. 1 rsheu rsheu   17 Jul 25 17:30 ca.srl
 #-rw-rw-r--. 1 rsheu rsheu   70 Jul 25 17:28 extfile.cnf
 #-rw-rw-r--. 1 rsheu rsheu 1533 Jul 25 17:30 server-cert.pem
 #-rw-rw-r--. 1 rsheu rsheu  903 Jul 25 17:24 server.csr
 #-rw-rw-r--. 1 rsheu rsheu 1675 Jul 25 17:09 server-key.pem

 ## ----------------------------------------------------------------------------
 ## 5.) For client authentication, create a client key :
 # for simplicity of the next couple of steps, you may perform this step on the Docker daemon’s host machine as well.
 ## ----------------------------------------------------------------------------
 openssl genrsa -out client-key.pem 4096

 ## Replace "client" with actual cient hostname, e.g., mm21325-pc
 openssl req -subj '/CN=client' -new -key client-key.pem -out client.csr

 # To make the key suitable for client authentication, create an extensions config file:
 echo extendedKeyUsage = clientAuth >> extfile-client.cnf
 cat extfile-client.cnf

 ## ----------------------------------------------------------------------------
 ## 6.) For client authentication, create a client certificate signing request:
 # Now, generate the signed certificate:
 ## ----------------------------------------------------------------------------
 openssl x509 -req -days 1095 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem \
  -CAcreateserial -out cert.pem -extfile extfile-client.cnf
 #Signature ok
 #subject=/CN=client
 #Getting CA Private Key
 #Enter pass phrase for ca-key.pem:

 #total 52
 #-rw-rw-r--. 1 rsheu rsheu 3326 Jul 25 17:03 ca-key.pem
 #-rw-rw-r--. 1 rsheu rsheu 2037 Jul 25 17:07 ca.pem
 #-rw-rw-r--. 1 rsheu rsheu   17 Jul 25 18:17 ca.srl
 #-rw-rw-r--. 1 rsheu rsheu 1830 Jul 25 18:17 cert.pem
 #-rw-rw-r--. 1 rsheu rsheu 1582 Jul 25 18:15 client.csr
 #-rw-rw-r--. 1 rsheu rsheu 3247 Jul 25 18:15 client-key.pem
 #-rw-rw-r--. 1 rsheu rsheu   30 Jul 25 18:16 extfile-client.cnf
 #-rw-rw-r--. 1 rsheu rsheu   70 Jul 25 17:28 extfile.cnf
 #-rw-rw-r--. 1 rsheu rsheu 7171 Jul 25 18:16 generate-ca-key-pem-server-key-pem-cert-pem.sh
 #-rw-rw-r--. 1 rsheu rsheu 1533 Jul 25 17:30 server-cert.pem
 #-rw-rw-r--. 1 rsheu rsheu  903 Jul 25 17:24 server.csr
 #-rw-rw-r--. 1 rsheu rsheu 1675 Jul 25 17:09 server-key.pem

 ## ----------------------------------------------------------------------------
 ## 7.) Clean up CSR requests files
 ## ----------------------------------------------------------------------------
 # After generating cert.pem and server-cert.pem you can safely remove the two certificate signing requests
 rm -v client.csr server.csr

 # To protect your keys from accidental damage, remove their write permissions. 
 # To make them only readable by you, change file modes as follows:
 chmod -v 0400 ca-key.pem client-key.pem server-key.pem

 #total 44
 #-r--------. 1 rsheu rsheu 3326 Jul 25 17:03 ca-key.pem
 #-rw-rw-r--. 1 rsheu rsheu 2037 Jul 25 17:07 ca.pem
 #-rw-rw-r--. 1 rsheu rsheu   17 Jul 25 18:17 ca.srl
 #-rw-rw-r--. 1 rsheu rsheu 1830 Jul 25 18:17 cert.pem
 #-r--------. 1 rsheu rsheu 3247 Jul 25 18:15 client-key.pem
 #-rw-rw-r--. 1 rsheu rsheu   30 Jul 25 18:16 extfile-client.cnf
 #-rw-rw-r--. 1 rsheu rsheu   70 Jul 25 17:28 extfile.cnf
 #-rw-rw-r--. 1 rsheu rsheu 7902 Jul 25 18:17 generate-ca-key-pem-server-key-pem-cert-pem.sh
 #-rw-rw-r--. 1 rsheu rsheu 1533 Jul 25 17:30 server-cert.pem
 #-r--------. 1 rsheu rsheu 1675 Jul 25 17:09 server-key.pem

 ## ----------------------------------------------------------------------------
 ## 8.) Now you can make the Docker daemon only accept connections from clients providing a certificate trusted by your CA:
 ## ----------------------------------------------------------------------------

 dockerd --tlsverify --tlscacert=ca.pem --tlscert=server-cert.pem --tlskey=server-key.pem -H=0.0.0.0:2376

 ## ----------------------------------------------------------------------------
 ## 9.) To connect to Docker and validate its certificate, provide your client keys, certificates and trusted CA:
 ## ----------------------------------------------------------------------------
 ## Run it on the client machine
 ## replace all instances of $HOST in the following example with the DNS name of your Docker daemon’s host.
 #(client)$  docker --tlsverify --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem -H=$HOST:2376 version

 # 10.) Connecting to the secure Docker port using curl
 ## To use curl to make test API requests, you need to use three extra command line flags:

 # curl https://$HOST:2376/images/json \
 #   --cert ~/.docker/cert.pem \
 #   --key ~/.docker/key.pem \
 #   --cacert ~/.docker/ca.pem
	#!/bin/bash -x

	# ref: https://docs.docker.com/engine/security/https/

	mkdir CA-server-client-keys
	cd CA-server-client-keys/

	## Create a CA, server and client keys with OpenSSL

	## ----------------------------------------------------------------------------
	## 1.) on the Docker daemon’s host machine, generate CA private and public keys
	## ----------------------------------------------------------------------------

	openssl genrsa -aes256 -out ca-key.pem 4096

	#Generating RSA private key, 4096 bit long modulus
	#.............................................................++
	#..++
	#e is 65537 (0x10001)
	#Enter pass phrase for ca-key.pem:
	#Verifying - Enter pass phrase for ca-key.pem:

	openssl req -new -x509 -days 1095 -key ca-key.pem -sha256 -out ca.pem
	#Enter pass phrase for ca-key.pem:
	#You are about to be asked to enter information that will be incorporated
	#into your certificate request.
	#What you are about to enter is what is called a Distinguished Name or a DN.
	#There are quite a few fields but you can leave some blank
	#For some fields there will be a default value,
	#If you enter '.', the field will be left blank.
	#-----
	#Country Name (2 letter code) [XX]:US
	#State or Province Name (full name) []:State
	#Locality Name (eg, city) [Default City]:
	#Organization Name (eg, company) [Default Company Ltd]:
	#Organizational Unit Name (eg, section) []:
	#Common Name (eg, your name or your server's hostname) []:my.domain.org
	#Email Address []:

	#total 8
	#-rw-rw-r--. 1 rsheu rsheu 3326 Jul 25 17:03 ca-key.pem
	#-rw-rw-r--. 1 rsheu rsheu 2037 Jul 25 17:07 ca.pem

	## ----------------------------------------------------------------------------
	## 2.) Now that you have a CA, you can create a server key and certificate signing request (CSR).
	## Make sure that “Common Name” matches the hostname you use to connect to Docker:
	## ----------------------------------------------------------------------------

	openssl genrsa -out server-key.pem
	#Generating RSA private key, 2048 bit long modulus
	#....................................................................................+++
	#...................................................................................................................................................................................+++
	#e is 65537 (0x10001)


	openssl req -subj "/CN=my.domain.org" -sha256 -new -key server-key.pem -out server.csr

	#total 16
	#-rw-rw-r--. 1 rsheu rsheu 3326 Jul 25 17:03 ca-key.pem
	#-rw-rw-r--. 1 rsheu rsheu 2037 Jul 25 17:07 ca.pem
	#-rw-rw-r--. 1 rsheu rsheu 903 Jul 25 17:24 server.csr
	#-rw-rw-r--. 1 rsheu rsheu 1675 Jul 25 17:09 server-key.pem

	## ----------------------------------------------------------------------------
	## 3.) Next, we’re going to sign the public key with our CA
	## ----------------------------------------------------------------------------
	# Since TLS connections can be made via IP address as well as DNS name,
	# the IP addresses need to be specified when creating the certificate.
	# For example, to allow connections using 10.10.10.20 and 127.0.0.1
	echo subjectAltName = DNS:my.domain.org,IP:10.84.237.61,IP:127.0.0.1 >> extfile.cnf
	cat *cnf
	#subjectAltName = DNS:my.domain.org,IP:10.84.237.61,IP:127.0.0.1

	## ----------------------------------------------------------------------------
	## 4.) Now, generate the signed certificate:
	## ----------------------------------------------------------------------------
	openssl x509 -req -days 1095 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem -extfile extfile.cnf
	#Signature ok
	#subject=/CN=my.domain.org
	#Getting CA Private Key
	#Enter pass phrase for ca-key.pem:

	#total 28
	#-rw-rw-r--. 1 rsheu rsheu 3326 Jul 25 17:03 ca-key.pem
	#-rw-rw-r--. 1 rsheu rsheu 2037 Jul 25 17:07 ca.pem
	#-rw-rw-r--. 1 rsheu rsheu 17 Jul 25 17:30 ca.srl
	#-rw-rw-r--. 1 rsheu rsheu 70 Jul 25 17:28 extfile.cnf
	#-rw-rw-r--. 1 rsheu rsheu 1533 Jul 25 17:30 server-cert.pem
	#-rw-rw-r--. 1 rsheu rsheu 903 Jul 25 17:24 server.csr
	#-rw-rw-r--. 1 rsheu rsheu 1675 Jul 25 17:09 server-key.pem

	## ----------------------------------------------------------------------------
	## 5.) For client authentication, create a client key :
	# for simplicity of the next couple of steps, you may perform this step on the Docker daemon’s host machine as well.
	## ----------------------------------------------------------------------------
	openssl genrsa -out client-key.pem 4096

	## Replace "client" with actual cient hostname, e.g., mm21325-pc
	openssl req -subj '/CN=client' -new -key client-key.pem -out client.csr

	# To make the key suitable for client authentication, create an extensions config file:
	echo extendedKeyUsage = clientAuth >> extfile-client.cnf
	cat extfile-client.cnf

	## ----------------------------------------------------------------------------
	## 6.) For client authentication, create a client certificate signing request:
	# Now, generate the signed certificate:
	## ----------------------------------------------------------------------------
	openssl x509 -req -days 1095 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem \
	-CAcreateserial -out cert.pem -extfile extfile-client.cnf
	#Signature ok
	#subject=/CN=client
	#Getting CA Private Key
	#Enter pass phrase for ca-key.pem:

	#total 52
	#-rw-rw-r--. 1 rsheu rsheu 3326 Jul 25 17:03 ca-key.pem
	#-rw-rw-r--. 1 rsheu rsheu 2037 Jul 25 17:07 ca.pem
	#-rw-rw-r--. 1 rsheu rsheu 17 Jul 25 18:17 ca.srl
	#-rw-rw-r--. 1 rsheu rsheu 1830 Jul 25 18:17 cert.pem
	#-rw-rw-r--. 1 rsheu rsheu 1582 Jul 25 18:15 client.csr
	#-rw-rw-r--. 1 rsheu rsheu 3247 Jul 25 18:15 client-key.pem
	#-rw-rw-r--. 1 rsheu rsheu 30 Jul 25 18:16 extfile-client.cnf
	#-rw-rw-r--. 1 rsheu rsheu 70 Jul 25 17:28 extfile.cnf
	#-rw-rw-r--. 1 rsheu rsheu 7171 Jul 25 18:16 generate-ca-key-pem-server-key-pem-cert-pem.sh
	#-rw-rw-r--. 1 rsheu rsheu 1533 Jul 25 17:30 server-cert.pem
	#-rw-rw-r--. 1 rsheu rsheu 903 Jul 25 17:24 server.csr
	#-rw-rw-r--. 1 rsheu rsheu 1675 Jul 25 17:09 server-key.pem

	## ----------------------------------------------------------------------------
	## 7.) Clean up CSR requests files
	## ----------------------------------------------------------------------------
	# After generating cert.pem and server-cert.pem you can safely remove the two certificate signing requests
	rm -v client.csr server.csr

	# To protect your keys from accidental damage, remove their write permissions.
	# To make them only readable by you, change file modes as follows:
	chmod -v 0400 ca-key.pem client-key.pem server-key.pem

	#total 44
	#-r--------. 1 rsheu rsheu 3326 Jul 25 17:03 ca-key.pem
	#-rw-rw-r--. 1 rsheu rsheu 2037 Jul 25 17:07 ca.pem
	#-rw-rw-r--. 1 rsheu rsheu 17 Jul 25 18:17 ca.srl
	#-rw-rw-r--. 1 rsheu rsheu 1830 Jul 25 18:17 cert.pem
	#-r--------. 1 rsheu rsheu 3247 Jul 25 18:15 client-key.pem
	#-rw-rw-r--. 1 rsheu rsheu 30 Jul 25 18:16 extfile-client.cnf
	#-rw-rw-r--. 1 rsheu rsheu 70 Jul 25 17:28 extfile.cnf
	#-rw-rw-r--. 1 rsheu rsheu 7902 Jul 25 18:17 generate-ca-key-pem-server-key-pem-cert-pem.sh
	#-rw-rw-r--. 1 rsheu rsheu 1533 Jul 25 17:30 server-cert.pem
	#-r--------. 1 rsheu rsheu 1675 Jul 25 17:09 server-key.pem

	## ----------------------------------------------------------------------------
	## 8.) Now you can make the Docker daemon only accept connections from clients providing a certificate trusted by your CA:
	## ----------------------------------------------------------------------------

	dockerd --tlsverify --tlscacert=ca.pem --tlscert=server-cert.pem --tlskey=server-key.pem -H=0.0.0.0:2376

	## ----------------------------------------------------------------------------
	## 9.) To connect to Docker and validate its certificate, provide your client keys, certificates and trusted CA:
	## ----------------------------------------------------------------------------
	## Run it on the client machine
	## replace all instances of $HOST in the following example with the DNS name of your Docker daemon’s host.
	#(client)$ docker --tlsverify --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem -H=$HOST:2376 version

	# 10.) Connecting to the secure Docker port using curl
	## To use curl to make test API requests, you need to use three extra command line flags:

	# curl https://$HOST:2376/images/json \
	# --cert ~/.docker/cert.pem \
	# --key ~/.docker/key.pem \
	# --cacert ~/.docker/ca.pem