docker-https-with-self-CA enables https communication between client and server.
- Using Docker compose
- Using a self-signed certificate authority (CA) created with mkcert
- Certificate Authority (CA)
  - `rootCA-key.pem`: private key of the CA
  - `rootCA.pem`: root certificate of the CA
- Server
  - `server-key.pem`: private key of the Server
  - `server-req.pem`: certificate signing request (CSR) of the Server
  - `server.pem`: certificate valid for the Server
For https communication between Client and Server, a server certificate is required on the Server side and a root certificate of the CA is required on the Client side.
- Create the private key (`server-key.pem`) and the CSR (`server-req.pem`) of the Server locally. These files are mounted into the server container when it is launched with docker compose.

  ```sh
  cd server/cert
  openssl req -nodes -newkey rsa:4096 -keyout server-key.pem -out server-req.pem -subj "/C=JP/ST=Osaka/CN=server"
  ```

  Note: the Common Name (CN) must match the container name of the server.
- Run the CA.

  ```sh
  make up-CA
  ```

- In `myca`, create the self-signed CA with the `mkcert -install` command.

  ```console
  docker compose exec myca /bin/bash
  root@myca:/# cd ~
  root@myca:~# pwd
  /root
  root@myca:~# mkcert -install
  Created a new local CA 💥
  The local CA is now installed in the system trust store! ⚡️
  ```

- The CA private key (`rootCA-key.pem`) and the root CA certificate (`rootCA.pem`) are then generated.

  ```console
  root@myca:~# ls .local/share/mkcert/
  rootCA-key.pem  rootCA.pem
  ```
- Copy the CSR (`server-req.pem`) to the `mkcert` directory, which is mounted inside the CA container (`myca`). This stands in for uploading the CSR to `myca`.

  ```sh
  cp server/cert/server-req.pem mkcert/
  ```

- Sign the CSR with `mkcert -csr`; the resulting `server.pem` file is the server certificate.

  ```console
  root@myca:~# mkcert -csr server-req.pem
  Created a new certificate valid for the following names 📜
   - "server"
  The certificate is at "./server.pem" ✅
  It will expire on 16 August 2025 🗓
  ```
- Copy the server certificate (`server.pem`) to the `server/cert` directory, which is mounted inside the server container (`server`). This stands in for the CA (`myca`) sending the certificate to `server`.

  ```sh
  cp mkcert/server.pem server/cert
  ```

- Run the server.

  ```sh
  make up-server
  ```

- Run the client.

  ```sh
  make up-client
  ```
- Copy the root CA certificate (`rootCA.pem`) to the `client/cert/` directory, which is mounted inside the client container (`client`). This stands in for the CA (`myca`) sending the certificate to `client`.

  ```sh
  cp mkcert/.local/share/mkcert/rootCA.pem client/cert/
  ```

- In the client container, place the root certificate in the appropriate directory.

  ```sh
  docker compose exec client sh -c "cp client/cert/rootCA.pem /etc/ssl/certs/"
  ```

- Send an https request from the client to the server.

  ```console
  curl localhost:8081
  {"message":"Hello, World!, Current Time:2023/05/22 16:54:25"}
  ```
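The chain the steps above build, as an added example that is not part of this repository: Go's standard library plays each role (the `mkcert -install` root, the `openssl req` CSR with CN=server, the `mkcert -csr` signing, and the client's trust check once `rootCA.pem` is installed). The CA name, the 24-hour lifetimes and the ECDSA keys are constructed choices, not this project's or mkcert's values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

func must[T any](v T, err error) T { // panic on error so the happy path reads like the shell steps
	if err != nil {
		panic(err)
	}
	return v
}
func newKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }
// NewCA stands in for `mkcert -install` (rootCA.pem, rootCA-key.pem); name and lifetime are constructed.
func NewCA() (*x509.Certificate, *ecdsa.PrivateKey) {
	k := newKey()
	tpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "dev CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tpl, tpl, &k.PublicKey, k)))), k
}
// NewCSR is the `openssl req -newkey ... -subj "/C=JP/ST=Osaka/CN=<cn>"` step (server-req.pem).
func NewCSR(cn string) []byte {
	subj := pkix.Name{Country: []string{"JP"}, Province: []string{"Osaka"}, CommonName: cn}
	return must(x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: subj}, newKey()))
}
// SignCSR plays `mkcert -csr server-req.pem` and yields server.pem. The CN is also placed in a
// SAN because Go clients and modern browsers ignore the CN when matching the hostname.
func SignCSR(ca *x509.Certificate, caKey *ecdsa.PrivateKey, csrDER []byte) *x509.Certificate {
	csr := must(x509.ParseCertificateRequest(csrDER))
	must(0, csr.CheckSignature()) // the requester must hold the private key matching the CSR
	tpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: csr.Subject,
		DNSNames: []string{csr.Subject.CommonName}, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tpl, ca, csr.PublicKey, caKey))))
}
// ClientTrusts is curl's check once rootCA.pem is in /etc/ssl/certs: chain to root, name matches.
func ClientTrusts(root, leaf *x509.Certificate, host string) bool {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}
```

Verifying the same leaf against a different root, or against a name other than `server`, fails; that is why the CN in step 1 has to match the container name the client connects to.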
```sh
make start-server-packet-capture
```

- This command captures packets in the server container for 3 minutes.
- During those 3 minutes, send a request from the client to the server (`curl localhost:8081`).
- The resulting pcap file is written under the `captured/server` directory.
- You can analyze the pcap files with Wireshark or a similar tool.
- https://www.openssl.org/docs/man3.0/man1/openssl.html
- https://github.com/FiloSottile/mkcert
- https://dev.to/techschoolguru/how-to-create-sign-ssl-tls-certificates-2aai
- https://github.com/luizhlelis/go-lang-https-self-signed
🐶 I hope this repository helps you study self-signed CAs.