Generate server and client TLS certificates signed by your own (private) CA.
Most of the commands used here are taken from the reference linked at the end.

Create the directory layout

# One directory per key holder: the CA, the client, and the server.
for holder in ca client server; do
  mkdir -p -- "ssl/${holder}"
done

Generate the CA first

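# --- CA ---

# Generate the CA private key. -aes256 encrypts it with a passphrase (prompted
# interactively). This key signs every other certificate, so keep it off the
# server/client hosts and never copy it next to the leaf material.
openssl genrsa -aes256 -out ssl/ca/ca-key.pem 4096

# Self-signed CA certificate. The passphrase from the previous step is asked
# for again, then the subject fields are prompted interactively.
# Validity is 10 years. The original 365000 days (~1000 years) came from the
# Docker docs example; a private CA has no revocation mechanism short of
# redistributing trust stores, so do not make it effectively permanent.
openssl req -new -x509 -days 3650 -key ssl/ca/ca-key.pem -sha256 -out ssl/ca/ca.pem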

Generate the server's key and certificate

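# --- server key/certificate ---

# Server private key. It is left unencrypted so the daemon can load it without
# a passphrase prompt; its permissions are locked down in the chmod step below.
openssl genrsa -out ssl/server/server-key.pem 4096

# Certificate signing request. CN should be the server's DNS name, but modern
# clients ignore CN and match only the subjectAltName extension set below, so
# the SAN list is what actually has to be correct.
openssl req -subj "/CN=pikeszfish.me" -sha256 -new -key ssl/server/server-key.pem -out ssl/server/server.csr

# X.509v3 extensions for the signed certificate (`openssl x509 -req` copies no
# extensions from the CSR, so everything the leaf needs goes in this file).
# Every hostname or IP that clients will dial must appear in subjectAltName;
# IP:127.0.0.1 only covers loopback, so add the real address if the server is
# reached remotely. extendedKeyUsage = serverAuth mirrors the clientAuth
# restriction on the client certificate: a verifier that checks EKU will not
# accept this leaf as a client certificate.
printf '%s\n' \
  'subjectAltName = DNS:pikeszfish.me,IP:127.0.0.1' \
  'extendedKeyUsage = serverAuth' \
  > ssl/server/extfile.cnf

# Sign the CSR with the CA (the CA passphrase is prompted). -CAcreateserial
# creates ssl/ca/ca.srl on first use. One year validity: with no revocation in
# place, a leaf certificate should be short-lived and re-issued, not permanent.
openssl x509 -req -days 365 -sha256 -in ssl/server/server.csr -CA ssl/ca/ca.pem -CAkey ssl/ca/ca-key.pem -CAcreateserial -out ssl/server/server-cert.pem -extfile ssl/server/extfile.cnf

# Ship the CA certificate with the server material (for mutual TLS the server
# verifies client certificates against it).
cp -- ssl/ca/ca.pem ssl/server/ca.pem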

Generate the client's key and certificate

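# --- client key/certificate ---

# Client private key (unencrypted; locked down in the chmod step below).
openssl genrsa -out ssl/client/client-key.pem 4096

# Certificate signing request. The CN is only a label here: the client is
# trusted because its certificate chains to our CA, not because of its name.
openssl req -subj '/CN=client' -sha256 -new -key ssl/client/client-key.pem -out ssl/client/client.csr

# Extension file: `openssl x509 -req` copies no extensions from the CSR, so any
# X.509v3 extension the leaf needs is listed here. extendedKeyUsage = clientAuth
# restricts this certificate to TLS client authentication; a peer that checks
# EKU will refuse it if it is ever presented as a server certificate.
echo 'extendedKeyUsage = clientAuth' > ssl/client/extfile.cnf

# Sign the CSR with the CA (the CA passphrase is prompted). This signs the
# public key carried in the CSR -- the private key never leaves client-key.pem.
# The ssl/ca/ca.srl created in the server step is reused and incremented.
# One year validity, for the same reason as the server certificate.
openssl x509 -req -days 365 -sha256 -in ssl/client/client.csr -CA ssl/ca/ca.pem -CAkey ssl/ca/ca-key.pem -CAcreateserial -out ssl/client/client-cert.pem -extfile ssl/client/extfile.cnf

# Ship the CA certificate with the client so it can verify the server.
cp -- ssl/ca/ca.pem ssl/client/ca.pem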

Lock down file permissions (IMPORTANT!)

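# Private keys: owner read-only. OpenSSL 1.1.0+ already creates key files with
# mode 0600, but this makes it explicit and covers older releases, which write
# keys according to the umask. ca-key.pem is the most sensitive file here:
# once the leaf certificates are issued it should be moved off this host.
chmod -v 400 -- ssl/ca/ca-key.pem ssl/server/server-key.pem ssl/client/client-key.pem

# Certificates are public; make them read-only for everyone so they are not
# edited by accident. The ca.pem copies made for the server and client are
# included, since cp gives them a fresh mode from the umask.
chmod -v 444 -- ssl/ca/ca.pem ssl/server/server-cert.pem ssl/client/client-cert.pem \
  ssl/server/ca.pem ssl/client/ca.pem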

Delete the .csr files

# The CSRs have served their purpose once the certificates are signed.
rm -v -- ssl/server/server.csr ssl/client/client.csr

References

Protect the Docker daemon socket