Generate trusted CA certificates for running Docker with HTTPS
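#!/bin/bash
#
# Generates client and server certificates used to enable HTTPS
# remote authentication to a Docker daemon.
#
# See http://docs.docker.com/articles/https/
#
# To start the Docker Daemon:
#
#   sudo docker -d \
#     --tlsverify \
#     --tlscacert=ca.pem \
#     --tlscert=server-cert.pem \
#     --tlskey=server-key.pem \
#     -H=0.0.0.0:2376
#
# To connect to the Docker Daemon:
#
#   sudo docker \
#     --tlsverify \
#     --tlscacert=ca.pem \
#     --tlscert=cert.pem \
#     --tlskey=key.pem \
#     -H=localhost:2376 version
#
# IMPORTANT: when connecting via IP instead of hostname you
# will need to substitute --tlsverify with --tls, unless the
# server certificate carries that IP as a subjectAltName
# (see SERVER_SAN below), in which case --tlsverify keeps working.
#
# Environment overrides (all optional):
#   DAYS        certificate lifetime in days                (default: 1460)
#   SERVER_CN   subject CN of the server certificate        (default: *)
#   SERVER_SAN  subjectAltName list for the server cert, e.g.
#               "DNS:docker.example.com,IP:10.0.0.5"        (default: none)
#
# The script works in the current directory and first deletes any
# *.pem, *.srl, *.csr and *.cnf files found there. The CA private key
# is deleted on exit, so this CA cannot issue further certificates;
# rerun the script to rotate everything.
set -euo pipefail

DAYS=${DAYS:-1460}
SERVER_CN=${SERVER_CN:-*}
SERVER_SAN=${SERVER_SAN:-}

# Temporary passphrase protecting the keys while they sit on disk during
# generation. It is stripped from the client and server keys below and the
# CA key is deleted on exit, so nobody needs to know it afterwards. It is
# exported and handed to openssl as env:PASS rather than pass:<value>, so
# the value never appears in argv (visible via ps) or in the set -x trace.
PASS=$(openssl rand -hex 16)
export PASS
readonly DAYS SERVER_CN SERVER_SAN PASS

# Tracing is switched on only after the passphrase has been generated,
# so the assignment above is not echoed.
set -x

# Key material must not be created group/world readable.
umask 077

# Intermediate files are removed on every exit path, including failures
# part-way through (which would otherwise leave the CA key behind).
cleanup() {
  rm -f -- ca-key.pem ca.srl client.csr extfile.cnf server.csr server-ext.cnf
}
trap cleanup EXIT

# remove certificates from previous execution.
rm -f -- *.pem *.srl *.csr *.cnf

# generate CA private and public keys
printf '01\n' > ca.srl
openssl genrsa -des3 -out ca-key.pem -passout env:PASS 2048
openssl req -subj '/CN=*/' -new -x509 -days "$DAYS" -passin env:PASS -key ca-key.pem -out ca.pem

# create a server key and certificate signing request (CSR)
openssl genrsa -des3 -out server-key.pem -passout env:PASS 2048
openssl req -new -key server-key.pem -out server.csr -passin env:PASS -subj "/CN=${SERVER_CN}/"

# sign the server key with our CA; the certificate is restricted to
# serverAuth and, when SERVER_SAN is given, carries the listed names/IPs
# so clients can verify it with --tlsverify even when dialling an IP
printf 'extendedKeyUsage = serverAuth\n' > server-ext.cnf
if [[ -n "$SERVER_SAN" ]]; then
  printf 'subjectAltName = %s\n' "$SERVER_SAN" >> server-ext.cnf
fi
openssl x509 -req -days "$DAYS" -passin env:PASS -in server.csr -CA ca.pem -CAkey ca-key.pem -out server-cert.pem -extfile server-ext.cnf

# create a client key and certificate signing request (CSR)
openssl genrsa -des3 -out key.pem -passout env:PASS 2048
openssl req -subj '/CN=client' -new -key key.pem -out client.csr -passin env:PASS

# create an extensions config file and sign
printf 'extendedKeyUsage = clientAuth\n' > extfile.cnf
openssl x509 -req -days "$DAYS" -passin env:PASS -in client.csr -CA ca.pem -CAkey ca-key.pem -out cert.pem -extfile extfile.cnf

# remove the passphrase from the client and server key
openssl rsa -in server-key.pem -out server-key.pem -passin env:PASS
openssl rsa -in key.pem -out key.pem -passin env:PASS

# private keys stay owner-only; certificates may be world readable
chmod 0400 server-key.pem key.pem
chmod 0444 ca.pem server-cert.pem cert.pem

# generated files that are no longer required (CA key, serial, CSRs,
# extension configs) are removed by the EXIT trap
exit 0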