forked from Vizuri/docker-tls
-
Notifications
You must be signed in to change notification settings - Fork 0
/
setup-tls
executable file
·102 lines (80 loc) · 3.51 KB
/
setup-tls
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
#!/bin/bash
umask 077
#verify a hostname
[[ -z $HOSTNAME ]] && HOSTNAME=$(hostname)
[[ -z $HOSTNAME ]] && echo 'Warning! No hostname set, key works with IP only' >&2
# Get the primary IP address of the system
IPADDR=$(ip route get 1 | awk 'NR==1{print $NF}')
BOLD_ON=$(tput bold)
BOLD_OFF=$(tput sgr0)
function pause(){
sleep $1
shift
echo '-=~-=~-=~-=~-=~-=~-=~-=~-=~-=~-=~-=~-=~-=~-=~-=~-=~-=~-=~-=~-'
echo "$BOLD_ON" "$*" "$BOLD_OFF"
read -rs -N 1 -p 'press any key to proceed...'
echo; echo
}
# arg-1 : function that was performed
# arg-2 : exit status
# hard exit if exit status was not zero
function statusCheck(){
if test $# -ne 2
then
echo "error calling statusCheck"
exit 1
fi
if test $2 -ne 0
then
echo "error in $1"
exit 1
fi
}
pause 0 'Set up a working space. We will use the directory docker-ca in the home directory.'
WORKING="docker-certs"
mkdir -v ~/$WORKING && cd ~/$WORKING && pwd
if test $(basename $(pwd)) != "$WORKING"
then
echo "error, unable to use directory $WORKING"
exit 1
fi
# Private CA
pause 3 'Create the CA private key. You be prompted for a passphrase. Make sure you remember it.'
( set -x; openssl genrsa -aes256 -out ca-key.pem 2048 )
statusCheck "create CA private key" $?
pause 3 'Create the CA certificate (public key)'
( set -x; openssl req -new -x509 -days 90 -key ca-key.pem -sha256 -out ca.pem )
statusCheck "create CA certificate" $?
ls -l ~/$WORKING/
pause 1 'You now have the CA keys created. This is the central point of trust. These keys sign other keys (generating certificates).'
# Server setup
pause 3 'Create the server private key.'
( set -x; openssl genrsa -out server-key.pem 2048 )
statusCheck "create server private key" $?
pause 3 'Create the certificate signing request (CSR) and specify the IP address of the machine that the Docker daemon is running on.'
( set -x; openssl req -subj "/CN=$HOSTNAME" -new -key server-key.pem -out server.csr )
statusCheck "create certificate signing key" $?
pause 3 'Generate an extention file, used by the CA to certify additional IPs for which the certificate is valid.'
( set -x; echo subjectAltName = IP:$IPADDR,IP:127.0.0.1 > srvExtfile.cnf )
statusCheck "create extention file" $?
pause 3 'Sign the server key.'
( set -x; openssl x509 -req -days 90 -in server.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem -extfile srvExtfile.cnf )
statusCheck "sign server key" $?
ls -l ~/$WORKING/
pause 1 'You now have the server certificate created. This would normally be done for all of your servers (one cert each).'
# Client setup
pause 3 'Generate the client private key.'
( set -x; openssl genrsa -out client-key.pem 2048 )
statusCheck "generate client private key" $?
pause 3 'Create the client certificate signing request (CSR).'
( set -x; openssl req -subj '/CN=client' -new -key client-key.pem -out client.csr )
statusCheck "create client certificate" $?
pause 3 'Generate an extention file, used by the CA to indicate that the certificate is not valid for servers, only clients.'
( set -x; echo extendedKeyUsage = clientAuth > clientExtfile.cnf )
statusCheck "generating clientextention file" $?
pause 3 'Sign our client public key.'
( set -x; openssl x509 -req -days 90 -in client.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out client-cert.pem -extfile clientExtfile.cnf )
statusCheck "signing client public key" $?
ls -l ~/$WORKING/
pause 3 'You now have the client certificate created.'
pause 0 'Pick up at EX 2.6, secure & copy the keys, and configure the system.'