版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
Docker - 通过脚本自动创建 Docker TLS 证书
1、具体脚本
通过脚本一键生成Docker TLS 的证书
#!/bin/bash
# -------------------------------------------------------------
# 自动创建 Docker TLS 证书
# -------------------------------------------------------------
# config
# --[BEGIN]------------------------------
# 代码,可以随便写
CODE="WRETCHANT"
# 服务器的外网IP
IP=""
# CA证书的密码
PASSWORD="CA-PASSWORD.12345678"
# 国家
COUNTRY="CN"
# 地区
STATE="zhejiang"
# 城市
CITY="hangzhou"
# 组织
ORGANIZATION="WRETCHANT.EDU"
ORGANIZATIONAL_UNIT="Dev"
COMMON_NAME="$IP"
# 邮件地址
EMAIL="[email protected]"
# --[END]--
# 创建存放脚本的文件夹
mkdir -p /etc/docker/cert.init/
cd /etc/docker/cert.init/
# Generate CA key
openssl genrsa -aes256 -passout "pass:$PASSWORD" -out "ca-key-$CODE.pem" 4096
# Generate CA
openssl req -new -x509 -days 365 -key "ca-key-$CODE.pem" -sha256 -out "ca-$CODE.pem" -passin "pass:$PASSWORD" -subj "/C=$COUNTRY/ST=$STATE/L=$CITY/O=$ORGANIZATION/OU=$ORGANIZATIONAL_UNIT/CN=$COMMON_NAME/emailAddress=$EMAIL"
# Generate Server key
openssl genrsa -out "server-key-$CODE.pem" 4096
# Generate Server Certs.
openssl req -subj "/CN=$COMMON_NAME" -sha256 -new -key "server-key-$CODE.pem" -out server.csr
echo "subjectAltName = IP:$IP,IP:127.0.0.1" >> extfile.cnf
echo "extendedKeyUsage = serverAuth" >> extfile.cnf
openssl x509 -req -days 365 -sha256 -in server.csr -passin "pass:$PASSWORD" -CA "ca-$CODE.pem" -CAkey "ca-key-$CODE.pem" -CAcreateserial -out "server-cert-$CODE.pem" -extfile extfile.cnf
# Generate Client Certs.
rm -f extfile.cnf
openssl genrsa -out "key-$CODE.pem" 4096
openssl req -subj '/CN=client' -new -key "key-$CODE.pem" -out client.csr
echo extendedKeyUsage = clientAuth >> extfile.cnf
openssl x509 -req -days 365 -sha256 -in client.csr -passin "pass:$PASSWORD" -CA "ca-$CODE.pem" -CAkey "ca-key-$CODE.pem" -CAcreateserial -out "cert-$CODE.pem" -extfile extfile.cnf
rm -vf client.csr server.csr
chmod -v 0400 "ca-key-$CODE.pem" "key-$CODE.pem" "server-key-$CODE.pem"
chmod -v 0444 "ca-$CODE.pem" "server-cert-$CODE.pem" "cert-$CODE.pem"
# 打包客户端证书成tar.gz包
mkdir -p "tls-client-certs-$CODE"
cp -f "ca-$CODE.pem" "cert-$CODE.pem" "key-$CODE.pem" "tls-client-certs-$CODE/"
cd "tls-client-certs-$CODE"
tar zcf "tls-client-certs-$CODE.tar.gz" *
mv "tls-client-certs-$CODE.tar.gz" ../
cd ..
rm -rf "tls-client-certs-$CODE"
# 拷贝服务端证书,保存在docker 目录下
mkdir -p /etc/docker/certs.d
cp "ca-$CODE.pem" "server-cert-$CODE.pem" "server-key-$CODE.pem" /etc/docker/certs.d/
2、修改配置为自己的配置
需要修改配置为自己的配置,然后再运行脚本
# config
# --[BEGIN]------------------------------
# 代码,可以随便写
CODE="WRETCHANT"
# 服务器的外网IP
IP=""
# CA证书的密码
PASSWORD="CA-PASSWORD.12345678"
# 国家
COUNTRY="CN"
# 地区
STATE="zhejiang"
# 城市
CITY="hangzhou"
# 组织
ORGANIZATION="WRETCHANT.EDU"
ORGANIZATIONAL_UNIT="Dev"
COMMON_NAME="$IP"
# 邮件地址
EMAIL="[email protected]"
# --[END]--
3、客户端证书下载
证书生成完成后,客户端需要拿到证书进行远程连接
进入证书存放目录
cd /etc/docker/cert.init
下载:tls-client-certs-WRETCHANT.tar.gz 文件,里面包含了客户端连接所需的证书