Docker - 通过脚本自动创建 Docker TLS 证书

Docker - 通过脚本自动创建 Docker TLS 证书

---

1、具体脚本

通过脚本一键生成Docker TLS 的证书

#!/bin/bash
# -------------------------------------------------------------
# 自动创建 Docker TLS 证书
# -------------------------------------------------------------

# config
# --[BEGIN]------------------------------

# 代码，可以随便写
CODE="WRETCHANT"
# 服务器的外网IP
IP=""
# CA证书的密码
PASSWORD="CA-PASSWORD.12345678"
# 国家
COUNTRY="CN"
# 地区
STATE="zhejiang"
# 城市
CITY="hangzhou"
# 组织
ORGANIZATION="WRETCHANT.EDU"
ORGANIZATIONAL_UNIT="Dev"
COMMON_NAME="$IP"
# 邮件地址
EMAIL="[email protected]"

# --[END]--


# 创建存放脚本的文件夹
mkdir -p /etc/docker/cert.init/
cd /etc/docker/cert.init/


# Generate CA key
openssl genrsa -aes256 -passout "pass:$PASSWORD" -out "ca-key-$CODE.pem" 4096
# Generate CA
openssl req -new -x509 -days 365 -key "ca-key-$CODE.pem" -sha256 -out "ca-$CODE.pem"   -passin "pass:$PASSWORD" -subj "/C=$COUNTRY/ST=$STATE/L=$CITY/O=$ORGANIZATION/OU=$ORGANIZATIONAL_UNIT/CN=$COMMON_NAME/emailAddress=$EMAIL"
# Generate Server key
openssl genrsa -out "server-key-$CODE.pem" 4096

# Generate Server Certs.
openssl req -subj "/CN=$COMMON_NAME" -sha256 -new -key "server-key-$CODE.pem" -out server.csr

echo "subjectAltName = IP:$IP,IP:127.0.0.1" >> extfile.cnf
echo "extendedKeyUsage = serverAuth" >> extfile.cnf

openssl x509 -req -days 365 -sha256 -in server.csr -passin "pass:$PASSWORD" -CA "ca-$CODE.pem" -CAkey "ca-key-$CODE.pem" -CAcreateserial -out "server-cert-$CODE.pem" -extfile extfile.cnf

# Generate Client Certs.
rm -f extfile.cnf

openssl genrsa -out "key-$CODE.pem" 4096
openssl req -subj '/CN=client' -new -key "key-$CODE.pem" -out client.csr
echo extendedKeyUsage = clientAuth >> extfile.cnf
openssl x509 -req -days 365 -sha256 -in client.csr -passin "pass:$PASSWORD" -CA "ca-$CODE.pem" -CAkey "ca-key-$CODE.pem" -CAcreateserial -out "cert-$CODE.pem" -extfile extfile.cnf

rm -vf client.csr server.csr

chmod -v 0400 "ca-key-$CODE.pem" "key-$CODE.pem" "server-key-$CODE.pem"
chmod -v 0444 "ca-$CODE.pem" "server-cert-$CODE.pem" "cert-$CODE.pem"

# 打包客户端证书成tar.gz包
mkdir -p "tls-client-certs-$CODE"
cp -f "ca-$CODE.pem" "cert-$CODE.pem" "key-$CODE.pem" "tls-client-certs-$CODE/"
cd "tls-client-certs-$CODE"
tar zcf "tls-client-certs-$CODE.tar.gz" *
mv "tls-client-certs-$CODE.tar.gz" ../
cd ..
rm -rf "tls-client-certs-$CODE"

# 拷贝服务端证书，保存在docker 目录下
mkdir -p /etc/docker/certs.d
cp "ca-$CODE.pem" "server-cert-$CODE.pem" "server-key-$CODE.pem" /etc/docker/certs.d/

2、修改配置为自己的配置

需要修改配置为自己的配置，然后再运行脚本

# config
# --[BEGIN]------------------------------

# 代码，可以随便写
CODE="WRETCHANT"
# 服务器的外网IP
IP=""
# CA证书的密码
PASSWORD="CA-PASSWORD.12345678"
# 国家
COUNTRY="CN"
# 地区
STATE="zhejiang"
# 城市
CITY="hangzhou"
# 组织
ORGANIZATION="WRETCHANT.EDU"
ORGANIZATIONAL_UNIT="Dev"
COMMON_NAME="$IP"
# 邮件地址
EMAIL="[email protected]"

# --[END]--

3、客户端证书下载

证书生成完成后，客户端需要拿到证书进行远程连接

进入证书存放目录

cd /etc/docker/cert.init

下载：tls-client-certs-WRETCHANT.tar.gz 文件，里面包含了客户端连接所需的证书