生成证书
可以直接使用openssl生成证书,也可以使用工具来生成证书。
我是使用certstrap 工具直接生成证书,所以后面配置也以 certstrap为准
openssl 生成证书
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
| #!/bin/bash
CODE="dp"
IP="docker服务器ip"
PASSWORD="证书密码"
COUNTRY="CN"
STATE="BEIJING"
CITY="BEIJING"
ORGANIZATION="公司"
ORGANIZATIONAL_UNIT="Dev"
COMMON_NAME="$IP"
EMAIL="邮箱"
openssl genrsa -aes256 -passout "pass:$PASSWORD" -out "ca-key-$CODE.pem" 4096
openssl req -new -x509 -days 365 -key "ca-key-$CODE.pem" -sha256 -out "ca-$CODE.pem" -passin "pass:$PASSWORD" -subj "/C=$COUNTRY/ST=$STATE/L=$CITY/O=$ORGANIZATION/OU=$ORGANIZATIONAL_UNIT/CN=$COMMON_NAME/emailAddress=$EMAIL"
openssl genrsa -out "server-key-$CODE.pem" 4096
openssl req -subj "/CN=$COMMON_NAME" -sha256 -new -key "server-key-$CODE.pem" -out server.csr
echo "subjectAltName = IP:$IP,IP:127.0.0.1" >> extfile.cnf
echo "extendedKeyUsage = serverAuth" >> extfile.cnf
openssl x509 -req -days 365 -sha256 -in server.csr -passin "pass:$PASSWORD" -CA "ca-$CODE.pem" -CAkey "ca-key-$CODE.pem" -CAcreateserial -out "server-cert-$CODE.pem" -extfile extfile.cnf
rm -f extfile.cnf
openssl genrsa -out "key-$CODE.pem" 4096
openssl req -subj '/CN=client' -new -key "key-$CODE.pem" -out client.csr
echo extendedKeyUsage = clientAuth >> extfile.cnf
openssl x509 -req -days 365 -sha256 -in client.csr -passin "pass:$PASSWORD" -CA "ca-$CODE.pem" -CAkey "ca-key-$CODE.pem" -CAcreateserial -out "cert-$CODE.pem" -extfile extfile.cnf
rm -vf client.csr server.csr
chmod -v 0400 "ca-key-$CODE.pem" "key-$CODE.pem" "server-key-$CODE.pem"
chmod -v 0444 "ca-$CODE.pem" "server-cert-$CODE.pem" "cert-$CODE.pem"
mkdir -p "tls-client-certs-$CODE"
cp -f "ca-$CODE.pem" "cert-$CODE.pem" "key-$CODE.pem" "tls-client-certs-$CODE/"
cd "tls-client-certs-$CODE"
tar zcf "tls-client-certs-$CODE.tar.gz" *
mv "tls-client-certs-$CODE.tar.gz" ../
cd ..
rm -rf "tls-client-certs-$CODE"
mkdir -p /etc/docker/certs.d
cp "ca-$CODE.pem" "server-cert-$CODE.pem" "server-key-$CODE.pem" /etc/docker/certs.d/
|
certstrap 生成证书
安装/编译
1
2
3
| $ git clone https://github.com/square/certstrap
$ cd certstrap
$ ./build
|
生成CA证书:
1
2
3
4
5
| $ bin/certstrap init --common-name "Root CA"
Created out/Root_CA.key
Created out/Root_CA.crt
Created out/Root_CA.crl
|
生成服务器证书:
1
2
3
4
5
6
7
8
9
10
| $
$ bin/certstrap request-cert -common-name server -ip 172.16.10.128
Created out/server.key
Created out/server.csr
$ bin/certstrap sign server --CA Root_CA --years 10
Created out/server.crt from out/server.csr signed by out/Root_CA.key
|
生成客户端证书:
1
2
3
4
5
6
7
8
9
| $ bin/certstrap request-cert -common-name localhost -ip 127.0.0.1
Created out/localhost.key
Created out/localhost.csr
$ bin/certstrap sign localhost --years 10 --CA Root_CA
Created out/localhost.crt from out/localhost.csr signed by out/Root_CA.key
|
查看证书:
1
2
3
4
5
6
7
8
9
10
11
| $ ll
391190 -r--r--r-- 1 root root 1521 9月 7 22:09 localhost.crt * 客户端证书
391188 -r--r--r-- 1 root root 936 9月 7 22:09 localhost.csr
391189 -r--r----- 1 root root 1679 9月 7 22:09 localhost.key * 客户端私钥
391182 -r--r--r-- 1 root root 1525 9月 7 22:04 server.crt * 服务端证书
391148 -r--r--r-- 1 root root 944 9月 7 21:57 server.csr
391181 -r--r----- 1 root root 1679 9月 7 21:57 server.key * 服务端私钥
391147 -r--r--r-- 1 root root 922 9月 7 21:55 Root_CA.crl
391143 -r--r--r-- 1 root root 1757 9月 7 21:55 Root_CA.crt * CA证书
391144 -r--r----- 1 root root 3243 9月 7 21:55 Root_CA.key
|
配置docker
停止docker, 修改docker 服务 配置文件
1
2
| $ systemctl stop docker
$ vim /lib/systemd/system/docker.service
|
将原来配置文件中的启动命令注释掉
1
| ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock
|
改为
1
| ExecStart=/usr/bin/dockerd --tlsverify --tlscacert=/root/.docker/Root_CA.crt --tlscert=/root/.docker/server.crt --tlskey=/root/.docker/server.key -H tcp://0.0.0.0:2376 -H unix:///var/run/docker.sock
|
重载服务,启动docker
1
2
| $ systemctl daemon-reload
$ systemctl start docker
|