ca-key.pem -> ca.pem
server-key.pem -> server.csr -> server.csr + (ca-key.pem + ca.pem) -> server.cert
client-key.pem -> client.csr -> client.csr + (ca-key.pem + ca.pem) -> client.cert
[ CA 생성 ]
1. ca-key.pem => ca.pem (ca.crt: client ca 파일)
$ sudo mkdir -p /etc/docker
$ cd /etc/docker
$ echo 01 | sudo tee ca.srl
$ sudo openssl genrsa -des3 -out ca-key.pem
Enter pass phrase for ca-key.pem:
Verifying - Enter pass phrase for ca-key.pem:
$ sudo openssl req -new -days 365 -key ca-key.pem -out ca.pem
Enter pass phrase for ca-key.pem:
...
Common Name (e.g. server FQDN or Your name) []: * (ex : www.ahnseungkyu.com)
[ Server Cert 생성 ]
1. server-key.pem => server.csr (Common Name : e.g. server FQDN 이 중요)
$ sudo openssl genrsa -des3 -out server-key.pem
Enter pass phrase for server-key.pem:
Verifying - Enter pass phrase for server-key.pem:
$ sudo openssl req -new -key server-key.pem -out server.csr
Enter pass phrase for server-key.pem:
...
Common Name (e.g. server FQDN or Your name) []: * (ex : www.ahnseungkyu.com)
2. ca-key.pem + ca.pem + server.csr => server-cert.pem (server.cert: 서버 cert 파일)
$ sudo openssl x509 -req -days 365 -in server.csr -CA ca.pem -CAkey ca-key.pem -out server-cert.pem
Enter pass phrase for ca-key.pem:
3. server-key.pem 의 phrase 를 삭제 (server.key: 서버 private key 파일)
$ sudo openssl rsa -in server-key.pem -out server-key.pem
Enter pass phrase for server-key.pem:
writing RSA key
4. 퍼미션 수정
$ sudo chmod 600 /etc/docker/server-key.pem /etc/docker/server-cert.pem /etc/docker/ca-key.pem /etc/docker/ca.pem
[ Docker 데몬 설정 ]
Ubuntu, Debian : /etc/default/docker
RHEL, Fedora : /etc/sysconfig/docker
systemd 버전 : /usr/lib/systemd/system/docker.service
[ systemd Docker Server 실행 ]
ExecStart=/usr/bin/docker -d -H tcp://0.0.0.0.2376 --tlsverify --tlscacert=/etc/docker/ca.pem --tlscert=/etc/docker/server-cert.pem --tlskey=/etc/docker/server-key.pem
[ Docker 데몬 reload 및 재시작 필요 ]
$ sudo systemctl --system daemon-reload
[ Client Cert 생성 ]
1. client-key.pem => client.csr
$ sudo openssl genrsa -des3 -out client-key.pem
Enter pass phrase for client-key.pem:
Verifying - Enter pass phrase for client-key.pem:
$ sudo openssl req -new -key client-key.pem -out client.csr
Enter pass phrase for client-key.pem:
...
Common Name (e.g. server FQDN or Your name) []:
2. Client 인증 속성 추가
$ echo extendedKeyUsage = clientAuth > extfile.cnf
3. ca-key.pem + ca.pem + client.csr => client-cert.pem
$ sudo openssl x509 -req -days 365 -in client.csr -CA ca.pem -CAkey ca-key.pem -out client-cert.pem -extfile extfile.cnf
Enter pass phrase for ca-key.pem:
4. client-key 의 phrase 를 삭제
$ sudo openssl rsa -in client-key.pem -out client-key.pem
Enter pass phrase for client-key.pem:
writing RSA key
[ Docker 클라이언트에 ssl 설정 ]
$ mkdir -p ~/.docker
$ cp ca.pem ~/.docker/ca.pem
$ ca client-key.pem ~/.docker/key.pem
$ ca client-cert.pem ~/.docker/cert.pem
$ chmod 600 ~/.docker/key.pem ~/.docker/cert.pem
# docker 연결 테스트
$ sudo docker -H=docker.example.com:2376 --tlsverify info
# server
# sudo docker -d --tlsverify --tlscacert=ca.pem --tlscert=server-cert.pem \
--tlskey=server-key.pem -H=0.0.0.0:4243
# client -- note that this uses --tls instead of --tlsverify, which I had trouble with
# docker --tls --tlscacert=ca.pem --tlscert=client-cert.pem --tlskey=client-key.pem \
-H=dns-name-of-docker-host:4243