Creating and setting up Docker for TLS
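#!/bin/bash
# Generates a private CA plus one client and one server certificate for Docker TLS.
#
# At the end you will have 6 files:
# ca/ca.pem - used by both client and server to verify each other's certificates
# ca/ca-key.pem - keep it secret; it can be used to issue new certificates
# client/cert.pem, client/key.pem - together with ca/ca.pem, used by the client to talk to the server
# server/cert.pem, server/key.pem - together with ca/ca.pem, used by the server
#
# The server certificate's names come from the [alt_names] section generated
# below, NOT from a file you edit by hand: server/openssl.cnf is rewritten and
# deleted on every run. Override the defaults through the environment instead:
#   SERVER_DNS=docker.example.local SERVER_IP=10.0.0.5 ./this-script.sh
#
# Original: http://tech.paulcz.net/2016/01/secure-docker-with-tls/

set -euo pipefail

# Server subject alternative names and lifetimes. Defaults keep the values the
# script originally hard-coded; 127.0.0.1 is always added as IP.2.
SERVER_DNS=${SERVER_DNS:-docker.rabota.local}
SERVER_IP=${SERVER_IP:-192.168.4.21}
DAYS=${DAYS:-3650}
KEY_BITS=${KEY_BITS:-2048}

# Every file written below is created owner-only, so private keys never go
# through a world-readable window; the public certificates are opened up
# explicitly at the end.
umask 077

echo "Certificate Authority"
echo "---------------------"
echo
mkdir -p ca
openssl genrsa -out ca/ca-key.pem "$KEY_BITS"
# -sha256 pins the signature digest; older OpenSSL releases default to SHA-1.
openssl req -x509 -new -nodes -sha256 -key ca/ca-key.pem -days "$DAYS" -out ca/ca.pem -subj '/CN=ca'

echo "Client Certificates"
echo "-------------------"
echo
mkdir -p client
# Written with '>' rather than 'tee -a' so a re-run replaces the config instead
# of appending a second copy of every section to it.
# NOTE(review): the client certificate also asserts serverAuth; restricting this
# to clientAuth (and the server's to serverAuth) would stop either certificate
# from being accepted in the other role.
cat > client/openssl.cnf << 'EOF'
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
EOF
openssl genrsa -out client/key.pem "$KEY_BITS"
openssl req -new -key client/key.pem -out client/cert.csr -subj '/CN=client' -config client/openssl.cnf
# -extensions/-extfile copy the v3_req extensions into the signed certificate;
# 'openssl x509 -req' does not carry CSR extensions over on its own.
openssl x509 -req -sha256 -in client/cert.csr -CA ca/ca.pem -CAkey ca/ca-key.pem -CAcreateserial -out client/cert.pem -days "$DAYS" -extensions v3_req -extfile client/openssl.cnf
# Remove the client's intermediates. (The original removed server/* at this
# point, which did not exist yet, and left client/cert.csr and
# client/openssl.cnf behind.)
rm -f client/cert.csr client/openssl.cnf

echo "Server Certificates"
echo "-------------------"
echo
mkdir -p server
# Unquoted delimiter on purpose: the alt_names values are expanded from the
# environment-overridable variables above.
cat > server/openssl.cnf << EOF
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = $SERVER_DNS
IP.1 = $SERVER_IP
IP.2 = 127.0.0.1
EOF
openssl genrsa -out server/key.pem "$KEY_BITS"
openssl req -new -key server/key.pem -out server/cert.csr -subj '/CN=server' -config server/openssl.cnf
openssl x509 -req -sha256 -in server/cert.csr -CA ca/ca.pem -CAkey ca/ca-key.pem -CAcreateserial -out server/cert.pem -days "$DAYS" -extensions v3_req -extfile server/openssl.cnf
rm -f server/cert.csr server/openssl.cnf

# Public material may be shared; private keys stay owner-only (set by umask).
chmod 0644 ca/ca.pem client/cert.pem server/cert.pem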
modified just to generate wildcard certs without doing anything to docker