1. Create a folder to store the CA private key and public key
# Working directory for all CA material; every later step assumes it is the cwd,
# so if this cd fails the keys below land in whatever directory you were in.
mkdir -p /usr/local/ca
cd /usr/local/ca/
2. Generate the CA private key and public key pair
# CA private key: 4096-bit RSA, encrypted with AES-256 under the passphrase
# prompted for here. The same passphrase is asked for again at each signing
# step that uses -CAkey ca-key.pem (steps 8 and 11).
openssl genrsa -aes256 -out ca-key.pem 4096
Enter the passphrase twice when prompted.
3. Generate the CA certificate; you will be asked for the passphrase and then for the country, province, city, organization name, e-mail address, etc.
# Self-signed CA certificate, valid 365 days, over the key generated above;
# the interactive prompts fill in the subject fields. Every server and client
# certificate issued below chains to this file, so when it expires they all
# need to be reissued.
openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pem
Now that you have a CA, create the server key and certificate signing request (CSR). Make sure the "Common Name" matches the host name you will use to connect to the Docker host.
4. Generate server-key.pem
# Server private key. Unlike the CA key it is written without -aes256, i.e.
# without a passphrase (NOTE(review): presumably so the daemon can load it
# unattended — confirm), so the chmod 0400 in step 13 is what protects it.
openssl genrsa -out server-key.pem 4096
5. Have the CA sign the server's public key
Since TLS connections can be made by IP address as well as by DNS name, the IP address must be specified when creating the certificate. For example, to allow connections using 10.10.10.20 and 127.0.0.1:
Replace `$Host` below with your server's public IP address or domain name.
openssl req -subj "/CN=$Host" -sha256 -new -key server-key.pem -out server.csr
6. Configure the whitelist (subjectAltName)
1) Here you specify the IP addresses that may be used to connect to the Docker server; several IP addresses can be configured, separated by commas.
2) Because the connection is already protected by SSL, I recommend configuring 0.0.0.0, meaning any IP address may connect (but only a client holding a valid certificate can actually connect successfully); once it is set up this way for the company, others can use it as well.
echo subjectAltName = IP: own servers the above mentioned id, IP: 0.0 . 0.0 >> extfile.cnf
7. Set the extended key usage so the Docker daemon's certificate can only be used for server authentication
# Restrict the server certificate to the serverAuth extended key usage;
# appended to the same extension file that already holds the subjectAltName.
printf '%s\n' 'extendedKeyUsage = serverAuth' >> extfile.cnf
8. Generate the signed server certificate
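# Sign the server CSR with the CA (prompts for the CA key passphrase).
# The backslash must end the line: written as "\ -CAcreateserial" on one line
# it passes a bogus " -CAcreateserial" argument and the command fails.
# -CAcreateserial creates the serial-number file (ca.srl) if it does not exist.
openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem \
  -CAcreateserial -out server-cert.pem -extfile extfile.cnf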
9. Generate the client key.pem and its CSR
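# Two separate commands; they must not share a line, otherwise the second
# "openssl req ..." is passed as extra arguments to genrsa.
# Client private key, no passphrase; guard it with the chmod 0400 in step 13.
openssl genrsa -out key.pem 4096
# Client CSR with a fixed CN; the CA signs it in step 11.
openssl req -subj '/CN=client' -new -key key.pem -out client.csr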
10. Restrict the client key to client authentication
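# The client certificate gets its own extension file limited to clientAuth.
# The server's extfile.cnf was already consumed by the signing in step 8 and
# carries serverAuth plus the server's subjectAltName, so nothing is appended
# to it here; ">" (not ">>") makes this step safe to re-run.
echo extendedKeyUsage = clientAuth > extfile-client.cnf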
11. Generate the signed client certificate
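# Sign the client CSR with the CA (prompts for the CA key passphrase again).
# The backslash must end the line; "\ -CAcreateserial" on one line passes a
# bogus " -CAcreateserial" argument instead of continuing the command.
openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem \
  -CAcreateserial -out cert.pem -extfile extfile-client.cnf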
When generating cert.pem you must enter the passphrase that was set earlier.
12. Delete the files that are no longer needed
# The CSRs and extension files were only inputs to the signing steps; remove
# them so only the keys and certificates remain. "--" ends option parsing so
# the names are always treated as files.
rm -v -- client.csr server.csr extfile.cnf extfile-client.cnf
Way to determine
13. Remove write permission so the files are read-only
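# Two separate commands; on one line the second "chmod -v ..." would be
# passed to the first chmod as file names.
# Private keys: readable by the owner only.
chmod -v 0400 ca-key.pem key.pem server-key.pem
# Certificates are public material: world-readable, but not writable.
chmod -v 0444 ca.pem server-cert.pem cert.pem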
14. Put the server certificate in place
# Copy the daemon's certificate and key plus the CA certificate into
# /etc/docker in one invocation.
# NOTE(review): the ExecStart line in step 15 reads the files from
# /usr/local/ca/, not /etc/docker/, so these copies are not what the daemon
# uses — confirm which location is intended.
cp -- server-*.pem ca.pem /etc/docker/
15. Modify the Docker configuration
Edit `/lib/systemd/system/docker.service` and replace `ExecStart=/usr/bin/dockerd` with: `ExecStart=/usr/bin/dockerd --tlsverify --tlscacert=/usr/local/ca/ca.pem --tlscert=/usr/local/ca/server-cert.pem --tlskey=/usr/local/ca/server-key.pem -H tcp://0.0.0.0:2375 -H unix:///var/run/docker.sock`
16. Reload systemd and restart the Docker daemon
# Make systemd re-read the edited unit file, then restart the daemon so it
# starts with the --tlsverify flags from step 15.
systemctl daemon-reload
systemctl restart docker
17. Save the client pem files (ca.pem, cert.pem and key.pem) to your local machine
18. Configure the CA in IDEA