Skip to content

Commit

Permalink
Merge pull request moby#9896 from flowlo/doc-https
Browse files Browse the repository at this point in the history
doc: Improve article on HTTPS
  • Loading branch information
SvenDowideit committed Jan 7, 2015
2 parents 1aba281 + 26187bd commit 2f588c6
Showing 1 changed file with 15 additions and 29 deletions.
44 changes: 15 additions & 29 deletions docs/sources/articles/https.md
Original file line number Diff line number Diff line change
Expand Up @@ -15,29 +15,27 @@ In the daemon mode, it will only allow connections from clients
authenticated by a certificate signed by that CA. In the client mode,
it will only connect to servers with a certificate signed by that CA.

> **Warning**:
> **Warning**:
> Using TLS and managing a CA is an advanced topic. Please familiarize yourself
> with OpenSSL, x509 and TLS before using it in production.
> **Warning**:
> These TLS commands will only generate a working set of certificates on Linux.
> Mac OS X comes with a version of OpenSSL that is incompatible with the
> Mac OS X comes with a version of OpenSSL that is incompatible with the
> certificates that Docker requires.
## Create a CA, server and client keys with OpenSSL

First, initialize the CA serial file and generate CA private and public
keys:
First generate CA private and public keys:

$ echo 01 > ca.srl
$ openssl genrsa -des3 -out ca-key.pem 2048
$ openssl genrsa -aes256 -out ca-key.pem 2048
Generating RSA private key, 2048 bit long modulus
......+++
...............+++
e is 65537 (0x10001)
Enter pass phrase for ca-key.pem:
Verifying - Enter pass phrase for ca-key.pem:
$ openssl req -new -x509 -days 365 -key ca-key.pem -out ca.pem
$ openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pem
Enter pass phrase for ca-key.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
Expand All @@ -58,20 +56,17 @@ Now that we have a CA, you can create a server key and certificate
signing request (CSR). Make sure that "Common Name" (i.e. server FQDN or YOUR
name) matches the hostname you will use to connect to Docker:

$ openssl genrsa -des3 -out server-key.pem 2048
$ openssl genrsa -out server-key.pem 2048
Generating RSA private key, 2048 bit long modulus
......................................................+++
............................................+++
e is 65537 (0x10001)
Enter pass phrase for server-key.pem:
Verifying - Enter pass phrase for server-key.pem:
$ openssl req -subj '/CN=<Your Hostname Here>' -new -key server-key.pem -out server.csr
Enter pass phrase for server-key.pem:

Next, we're going to sign the key with our CA:

$ openssl x509 -req -days 365 -in server.csr -CA ca.pem -CAkey ca-key.pem \
-out server-cert.pem
-CAcreateserial -out server-cert.pem
Signature ok
subject=/CN=your.host.com
Getting CA Private Key
Expand All @@ -80,15 +75,12 @@ Next, we're going to sign the key with our CA:
For client authentication, create a client key and certificate signing
request:

$ openssl genrsa -des3 -out key.pem 2048
$ openssl genrsa -out key.pem 2048
Generating RSA private key, 2048 bit long modulus
...............................................+++
...............................................................+++
e is 65537 (0x10001)
Enter pass phrase for key.pem:
Verifying - Enter pass phrase for key.pem:
$ openssl req -subj '/CN=client' -new -key key.pem -out client.csr
Enter pass phrase for key.pem:

To make the key suitable for client authentication, create an extensions
config file:
Expand All @@ -98,21 +90,12 @@ config file:
Now sign the key:

$ openssl x509 -req -days 365 -in client.csr -CA ca.pem -CAkey ca-key.pem \
-out cert.pem -extfile extfile.cnf
-CAcreateserial -out cert.pem -extfile extfile.cnf
Signature ok
subject=/CN=client
Getting CA Private Key
Enter pass phrase for ca-key.pem:

Finally, you need to remove the passphrase from the client and server key:

$ openssl rsa -in server-key.pem -out server-key.pem
Enter pass phrase for server-key.pem:
writing RSA key
$ openssl rsa -in key.pem -out key.pem
Enter pass phrase for key.pem:
writing RSA key

Now you can make the Docker daemon only accept connections from clients
providing a certificate trusted by our CA:

Expand All @@ -128,7 +111,7 @@ need to provide your client keys, certificates and trusted CA:
> **Note**:
> Docker over TLS should run on TCP port 2376.
> **Warning**:
> **Warning**:
> As shown in the example above, you don't have to run the `docker` client
> with `sudo` or the `docker` group when you use certificate authentication.
> That means anyone with the keys can give any instructions to your Docker
Expand All @@ -137,7 +120,7 @@ need to provide your client keys, certificates and trusted CA:
## Secure by default

If you want to secure your Docker client connections by default, you can move
If you want to secure your Docker client connections by default, you can move
the files to the `.docker` directory in your home directory - and set the
`DOCKER_HOST` and `DOCKER_TLS_VERIFY` variables as well (instead of passing
`-H=tcp://:2376` and `--tlsverify` on every call).
Expand Down Expand Up @@ -184,4 +167,7 @@ location using the environment variable `DOCKER_CERT_PATH`.
To use `curl` to make test API requests, you need to use three extra command line
flags:

$ curl --insecure --cert ~/.docker/cert.pem --key ~/.docker/key.pem https://boot2docker:2376/images/json`
$ curl https://boot2docker:2376/images/json \
--cert ~/.docker/cert.pem \
--key ~/.docker/key.pem \
--cacert ~/.docker/ca.pem

0 comments on commit 2f588c6

Please sign in to comment.