Skip to content

Instantly share code, notes, and snippets.

@bradrydzewski
Last active May 27, 2024 15:59
Show Gist options
  • Save bradrydzewski/a6090115b3fecfc25280 to your computer and use it in GitHub Desktop.
Save bradrydzewski/a6090115b3fecfc25280 to your computer and use it in GitHub Desktop.
Generate trusted CA certificates for running Docker with HTTPS
#!/bin/bash
#
# Generates client and server certificates used to enable HTTPS
# remote authentication to a Docker daemon.
#
# See http://docs.docker.com/articles/https/
#
# To start the Docker Daemon:
#
# sudo docker -d \
# --tlsverify \
# --tlscacert=ca.pem \
# --tlscert=server-cert.pem \
# --tlskey=server-key.pem \
# -H=0.0.0.0:2376
#
# To connect to the Docker Daemon:
#
# sudo docker \
# --tlsverify \
# --tlscacert=ca.pem \
# --tlscert=cert.pem \
# --tlskey=key.pem \
# -H=localhost:2376 version
#
# IMPORTANT: when connecting via IP instead of hostname you
# will need to substitute --tlsverify with --tls
set -e
set -x
DAYS=1460
PASS=$(openssl rand -hex 16)
# remove certificates from previous execution.
rm -f *.pem *.srl *.csr *.cnf
# generate CA private and public keys
echo 01 > ca.srl
openssl genrsa -des3 -out ca-key.pem -passout pass:$PASS 2048
openssl req -subj '/CN=*/' -new -x509 -days $DAYS -passin pass:$PASS -key ca-key.pem -out ca.pem
# create a server key and certificate signing request (CSR)
openssl genrsa -des3 -out server-key.pem -passout pass:$PASS 2048
openssl req -new -key server-key.pem -out server.csr -passin pass:$PASS -subj '/CN=*/'
# sign the server key with our CA
openssl x509 -req -days $DAYS -passin pass:$PASS -in server.csr -CA ca.pem -CAkey ca-key.pem -out server-cert.pem
# create a client key and certificate signing request (CSR)
openssl genrsa -des3 -out key.pem -passout pass:$PASS 2048
openssl req -subj '/CN=client' -new -key key.pem -out client.csr -passin pass:$PASS
# create an extensions config file and sign
echo extendedKeyUsage = clientAuth > extfile.cnf
openssl x509 -req -days $DAYS -passin pass:$PASS -in client.csr -CA ca.pem -CAkey ca-key.pem -out cert.pem -extfile extfile.cnf
# remove the passphrase from the client and server key
openssl rsa -in server-key.pem -out server-key.pem -passin pass:$PASS
openssl rsa -in key.pem -out key.pem -passin pass:$PASS
# remove generated files that are no longer required
rm -f ca-key.pem ca.srl client.csr extfile.cnf server.csr
exit 0
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment