From f5e33ee9eb8feca2793c48d4d4704e9147e2c544 Mon Sep 17 00:00:00 2001
From: Ventilaar <34913684+ventilaar@users.noreply.github.com>
Date: Tue, 16 Jan 2024 16:05:00 +0100
Subject: [PATCH] add docker-mutual-tls generator script
---
 docker-mutual-tls/README.md | 25 +++++++++++++++++++++++++
 docker-mutual-tls/gen_mutual_tls.sh | 18 ++++++++++++++++++
 2 files changed, 43 insertions(+)
 create mode 100644 docker-mutual-tls/README.md
 create mode 100644 docker-mutual-tls/gen_mutual_tls.sh
diff --git a/docker-mutual-tls/README.md b/docker-mutual-tls/README.md
new file mode 100644
index 0000000..fae9a20
--- /dev/null
+++ b/docker-mutual-tls/README.md
@@ -0,0 +1,25 @@
+# Docker Mutual TLS
+This script generates a linked mutual TLS keys and certificates
+
+## Usage
+Run the script and give the fqdn of the host you are setting up. Then the script will leave 4 files. server-key.pem server-cert.pem client-key.pem client-cert.pem. The other files are automatically cleaned up
+
+## Requirements
+Bash and openssl
+
+## Install
+- First of all make sure that systemd is not hijacking the commandline options, if so on Debian the system service is at /usr/lib/systemd/system/docker.service and remove the commandline options which are overridden in the configuration file below.
+- Copy the configuration of the codeblock below to /etc/docker/daemon.json
+- Install the certificates in the correct locations
+- restart the systemd service (all containers will be restarted as well!!!)
+
+```
+{
+ "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
+ "tls": true,
+ "tlscacert": "/etc/docker/ca.pem",
+ "tlscert": "/etc/docker/server-cert.pem",
+ "tlskey": "/etc/docker/server-key.pem",
+ "tlsverify": true
+}
+```
\ No newline at end of file
diff --git a/docker-mutual-tls/gen_mutual_tls.sh b/docker-mutual-tls/gen_mutual_tls.sh
new file mode 100644
index 0000000..d79f893
--- /dev/null
+++ b/docker-mutual-tls/gen_mutual_tls.sh
@@ -0,0 +1,18 @@
+echo -n "What is the FQDN of the desired server?: "
+read fqdn
+echo "Using FQDN: $fqdn"
+
+
+openssl genrsa -out ca-key.pem 4096
+yes "" | openssl req -new -x509 -days 3650 -key ca-key.pem -sha256 -out ca.pem
+
+openssl genrsa -out server-key.pem 4096
+openssl req -subj "/CN=$fqdn" -addext "subjectAltName = DNS:$fqdn" -addext "extendedKeyUsage = serverAuth" -sha256 -new -key server-key.pem -out server.csr
+openssl x509 -req -days 3650 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem -out server-cert.pem
+
+openssl genrsa -out client-key.pem 4096
+openssl req -subj "/CN=client" -addext "extendedKeyUsage = clientAuth" -new -key client-key.pem -out client.csr
+openssl x509 -req -days 3650 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem -out client-cert.pem
+
+rm -v client.csr server.csr ca.pem ca-key.pem
+echo "Finished creating certificate pairs"
\ No newline at end of file
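Review bot: The `rm -v client.csr server.csr ca.pem ca-key.pem` on the second-to-last line deletes the CA certificate that the README's daemon.json references as `tlscacert` and that every client needs for `--tlscacert`, so the generated files cannot actually be used for mutual TLS; `ca.pem` must survive (dropping `ca-key.pem` additionally means no further client certificates can ever be issued, which may be intended but is worth stating in the README). The two `openssl x509 -req` signing lines also lose the `-addext` subjectAltName/extendedKeyUsage placed in the CSRs, because `x509 -req` does not carry CSR extensions into the certificate unless asked (`-copy_extensions copy` on OpenSSL 3.x, `-extfile` on older releases), and current Docker/Go clients refuse a server certificate that has no SAN. The private keys are written under whatever umask the caller has, so `ca-key.pem`, `server-key.pem` and `client-key.pem` are typically created world-readable, and with no `set -e` a failed openssl step still falls through to the `rm`. Suggested rewrite of the affected lines below, also using `read -r` for the prompt and a fixed CA subject instead of piping `yes ""` into the interactive prompts; `docker-ca` is a constructed placeholder CN.
```shell
#!/usr/bin/env bash
set -euo pipefail
umask 077   # key files come out 0600 instead of inheriting a permissive umask

read -r -p "What is the FQDN of the desired server?: " fqdn
echo "Using FQDN: $fqdn"

openssl genrsa -out ca-key.pem 4096
# fixed CA subject instead of feeding empty answers to the interactive prompts
openssl req -new -x509 -days 3650 -key ca-key.pem -sha256 -subj "/CN=docker-ca" -out ca.pem
# … unchanged: server key generation and server CSR …
# -copy_extensions (OpenSSL 3.x) carries the SAN/EKU from the CSR into the cert;
# on older releases pass the same extensions via -extfile instead
openssl x509 -req -days 3650 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem \
  -CAcreateserial -copy_extensions copy -out server-cert.pem
# … unchanged: client key generation and client CSR …
openssl x509 -req -days 3650 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem \
  -CAcreateserial -copy_extensions copy -out client-cert.pem

# ca.pem stays: daemon.json needs it as tlscacert and clients need it as --tlscacert
rm -v client.csr server.csr ca.srl ca-key.pem
echo "Finished creating certificate pairs"
```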