sidec · March 28, 2019 14:45 · Oct 8, 2014 · Oct 8, 2014 · Oct 8, 2014 · Oct 8, 2014
diff --git a/generate_docker_cert.sh b/generate_docker_cert.sh
@@ -24,7 +24,7 @@
 #         -H=localhost:2376 version
 #
 # IMPORTANT: when connecting via IP instead of hostname you
-#            will need to substitute --tlsverify for --tls
+#            will need to substitute --tlsverify with --tls
 
 set -e
 set -x

diff --git a/generate_docker_cert.sh b/generate_docker_cert.sh
@@ -24,7 +24,7 @@
 #         -H=localhost:2376 version
 #
 # IMPORTANT: when connecting via IP instead of hostname you
-#            will need to substitute `--tlsverify` for `--tls`
+#            will need to substitute --tlsverify for --tls
 
 set -e
 set -x

diff --git a/generate_docker_cert.sh b/generate_docker_cert.sh
@@ -23,8 +23,8 @@
 #         --tlskey=key.pem           \
 #         -H=localhost:2376 version
 #
-# IMPORTANT: when connecting via IP address you will need to
-# substitute `--tlsverify` for `--tls`
+# IMPORTANT: when connecting via IP instead of hostname you
+#            will need to substitute `--tlsverify` for `--tls`
 
 set -e
 set -x

diff --git a/generate_docker_cert.sh b/generate_docker_cert.sh
@@ -23,7 +23,7 @@
 #         --tlskey=key.pem           \
 #         -H=localhost:2376 version
 #
-# Important: when connecting via IP address you will need to
+# IMPORTANT: when connecting via IP address you will need to
 # substitute `--tlsverify` for `--tls`
 
 set -e

diff --git a/generate_docker_cert.sh b/generate_docker_cert.sh
@@ -7,16 +7,24 @@
 #
 # To start the Docker Daemon:
 #
-#     sudo docker -d --tlsverify --tlscacert=ca.pem --tlscert=server-cert.pem --tlskey=server-key.pem -H=0.0.0.0:2376
+#     sudo docker -d                 \
+#         --tlsverify                \
+#         --tlscacert=ca.pem         \
+#         --tlscert=server-cert.pem  \
+#         --tlskey=server-key.pem    \
+#         -H=0.0.0.0:2376
 #
-# To connect to the Docker Daemon via Hostname use `--tlsverify`:
+# To connect to the Docker Daemon:
 #
-#     sudo docker --tlsverify --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem -H=0.0.0.0:2376 version
-#
-# To connect to the Docker Daemon via IP use `--tls`
-#
-#     sudo docker --tls --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem -H=localhost:2376 version
+#     sudo docker                    \
+#         --tlsverify                \
+#         --tlscacert=ca.pem         \
+#         --tlscert=cert.pem         \
+#         --tlskey=key.pem           \
+#         -H=localhost:2376 version
 #
+# Important: when connecting via IP address you will need to
+# substitute `--tlsverify` for `--tls`
 
 set -e
 set -x

diff --git a/generate_docker_cert.sh b/generate_docker_cert.sh
@@ -3,7 +3,20 @@
 # Generates client and server certificates used to enable HTTPS
 # remote authentication to a Docker daemon.
 #
-# See http://docs.docker.com/articles/https/
+#     See http://docs.docker.com/articles/https/
+#
+# To start the Docker Daemon:
+#
+#     sudo docker -d --tlsverify --tlscacert=ca.pem --tlscert=server-cert.pem --tlskey=server-key.pem -H=0.0.0.0:2376
+#
+# To connect to the Docker Daemon via Hostname use `--tlsverify`:
+#
+#     sudo docker --tlsverify --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem -H=0.0.0.0:2376 version
+#
+# To connect to the Docker Daemon via IP use `--tls`
+#
+#     sudo docker --tls --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem -H=localhost:2376 version
+#
 
 set -e
 set -x
@@ -42,9 +55,4 @@ openssl rsa -in key.pem -out key.pem -passin pass:$PASS
 # remove generated files that are no longer required
 rm -f ca-key.pem ca.srl client.csr extfile.cnf server.csr
 
-
-# sudo docker -d --tls       --tlscacert=ca.pem --tlscert=server-cert.pem --tlskey=server-key.pem -H=localhost:2376
-# sudo docker -d --tlsverify --tlscacert=ca.pem --tlscert=server-cert.pem --tlskey=server-key.pem -H=0.0.0.0:2376
-# sudo docker    --tlsverify --tlscacert=ca.pem --tlscert=cert.pem        --tlskey=key.pem        -H=0.0.0.0:2376 version
-
 exit 0
diff --git a/generate_docker_cert.sh b/generate_docker_cert.sh
@@ -0,0 +1,50 @@
+#!/bin/bash
+#
+# Generates client and server certificates used to enable HTTPS
+# remote authentication to a Docker daemon.
+#
+# See http://docs.docker.com/articles/https/
+
+set -e
+set -x
+
+DAYS=1460
+PASS=$(openssl rand -hex 16)
+
+# remove certificates from previous execution.
+rm -f *.pem *.srl *.csr *.cnf
+
+
+# generate CA private and public keys
+echo 01 > ca.srl
+openssl genrsa -des3 -out ca-key.pem -passout pass:$PASS 2048
+openssl req -subj '/CN=*/' -new -x509 -days $DAYS -passin pass:$PASS -key ca-key.pem -out ca.pem
+
+# create a server key and certificate signing request (CSR)
+openssl genrsa -des3 -out server-key.pem -passout pass:$PASS 2048
+openssl req -new -key server-key.pem -out server.csr -passin pass:$PASS -subj '/CN=*/'
+
+# sign the server key with our CA
+openssl x509 -req -days $DAYS -passin pass:$PASS -in server.csr -CA ca.pem -CAkey ca-key.pem -out server-cert.pem
+
+# create a client key and certificate signing request (CSR)
+openssl genrsa -des3 -out key.pem -passout pass:$PASS 2048
+openssl req -subj '/CN=client' -new -key key.pem -out client.csr -passin pass:$PASS
+
+# create an extensions config file and sign
+echo extendedKeyUsage = clientAuth > extfile.cnf
+openssl x509 -req -days $DAYS -passin pass:$PASS -in client.csr -CA ca.pem -CAkey ca-key.pem -out cert.pem -extfile extfile.cnf
+
+# remove the passphrase from the client and server key
+openssl rsa -in server-key.pem -out server-key.pem -passin pass:$PASS
+openssl rsa -in key.pem -out key.pem -passin pass:$PASS
+
+# remove generated files that are no longer required
+rm -f ca-key.pem ca.srl client.csr extfile.cnf server.csr
+
+
+# sudo docker -d --tls       --tlscacert=ca.pem --tlscert=server-cert.pem --tlskey=server-key.pem -H=localhost:2376
+# sudo docker -d --tlsverify --tlscacert=ca.pem --tlscert=server-cert.pem --tlskey=server-key.pem -H=0.0.0.0:2376
+# sudo docker    --tlsverify --tlscacert=ca.pem --tlscert=cert.pem        --tlskey=key.pem        -H=0.0.0.0:2376 version
+
+exit 0