#!/bin/bash # # Generates client and server certificates used to enable HTTPS # remote authentication to a Docker daemon. # # See http://docs.docker.com/articles/https/ # # To start the Docker Daemon: # # sudo docker -d \ # --tlsverify \ # --tlscacert=ca.pem \ # --tlscert=server-cert.pem \ # --tlskey=server-key.pem \ # -H=0.0.0.0:2376 # # To connect to the Docker Daemon: # # sudo docker \ # --tlsverify \ # --tlscacert=ca.pem \ # --tlscert=cert.pem \ # --tlskey=key.pem \ # -H=localhost:2376 version # # IMPORTANT: when connecting via IP instead of hostname you # will need to substitute --tlsverify with --tls set -e set -x DAYS=1460 PASS=$(openssl rand -hex 16) # remove certificates from previous execution. rm -f *.pem *.srl *.csr *.cnf # generate CA private and public keys echo 01 > ca.srl openssl genrsa -des3 -out ca-key.pem -passout pass:$PASS 2048 openssl req -subj '/CN=*/' -new -x509 -days $DAYS -passin pass:$PASS -key ca-key.pem -out ca.pem # create a server key and certificate signing request (CSR) openssl genrsa -des3 -out server-key.pem -passout pass:$PASS 2048 openssl req -new -key server-key.pem -out server.csr -passin pass:$PASS -subj '/CN=*/' # sign the server key with our CA openssl x509 -req -days $DAYS -passin pass:$PASS -in server.csr -CA ca.pem -CAkey ca-key.pem -out server-cert.pem # create a client key and certificate signing request (CSR) openssl genrsa -des3 -out key.pem -passout pass:$PASS 2048 openssl req -subj '/CN=client' -new -key key.pem -out client.csr -passin pass:$PASS # create an extensions config file and sign echo extendedKeyUsage = clientAuth > extfile.cnf openssl x509 -req -days $DAYS -passin pass:$PASS -in client.csr -CA ca.pem -CAkey ca-key.pem -out cert.pem -extfile extfile.cnf # remove the passphrase from the client and server key openssl rsa -in server-key.pem -out server-key.pem -passin pass:$PASS openssl rsa -in key.pem -out key.pem -passin pass:$PASS # remove generated files that are no longer required rm -f ca-key.pem ca.srl client.csr extfile.cnf server.csr exit 0