add docker-mutual-tls generator script

This commit is contained in:
Ventilaar 2024-01-16 16:05:00 +01:00
parent 863246f644
commit f5e33ee9eb
No known key found for this signature in database
2 changed files with 43 additions and 0 deletions


@ -0,0 +1,25 @@
# Docker Mutual TLS
This script generates a linked mutual TLS keys and certificates
## Usage
Run the script and give the fqdn of the host you are setting up. Then the script will leave 4 files. server-key.pem server-cert.pem client-key.pem client-cert.pem. The other files are automatically cleaned up
## Requirements
Bash and openssl
## Install
- First of all make sure that systemd is not hijacking the commandline options, if so on Debian the system service is at /usr/lib/systemd/system/docker.service and remove the commandline options which are overridden in the configuration file below.
- Copy the configuration of the codeblock below to /etc/docker/daemon.json
- Install the certificates in the correct locations
- restart the systemd service (all containers will be restarted as well!!!)
```
{
"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
"tls": true,
"tlscacert": "/etc/docker/ca.pem",
"tlscert": "/etc/docker/server-cert.pem",
"tlskey": "/etc/docker/server-key.pem",
"tlsverify": true
}
```


@ -0,0 +1,18 @@
echo -n "What is the FQDN of the desired server?: "
read fqdn
echo "Using FQDN: $fqdn"
openssl genrsa -out ca-key.pem 4096
yes "" | openssl req -new -x509 -days 3650 -key ca-key.pem -sha256 -out ca.pem
openssl genrsa -out server-key.pem 4096
openssl req -subj "/CN=$fqdn" -addext "subjectAltName = DNS:$fqdn" -addext "extendedKeyUsage = serverAuth" -sha256 -new -key server-key.pem -out server.csr
openssl x509 -req -days 3650 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem -out server-cert.pem
openssl genrsa -out client-key.pem 4096
openssl req -subj "/CN=client" -addext "extendedKeyUsage = clientAuth" -new -key client-key.pem -out client.csr
openssl x509 -req -days 3650 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem -out client-cert.pem
rm -v client.csr server.csr ca.pem ca-key.pem
echo "Finished creating certificate pairs"