docker-tls
  1. openssl genrsa -aes256 -out ca-key.pem 4096
  2. openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pem
  3. openssl genrsa -out server-key.pem 4096
  4. openssl req -subj "/CN=$HOST" -sha256 -new -key server-key.pem -out server.csr
  5. echo subjectAltName = DNS:$HOST,IP:10.10.10.20,IP:127.0.0.1 >> extfile.cnf
  6. echo extendedKeyUsage = serverAuth >> extfile.cnf
  7. openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem \ -CAcreateserial -out server-cert.pem -extfile extfile.cnf
  8. openssl genrsa -out key.pem 4096
  9. openssl req -subj '/CN=client' -new -key key.pem -out client.csr
  10. echo extendedKeyUsage = clientAuth > extfile-client.cnf
  11. openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem \ -CAcreateserial -out cert.pem -extfile extfile-client.cnf
  12. rm -v client.csr server.csr extfile.cnf extfile-client.cnf
  13. chmod -v 0400 ca-key.pem key.pem server-key.pem
  14. chmod -v 0444 ca.pem server-cert.pem cert.pem
  15. sudo systemctl edit docker.service 
    [Service]
ExecStart=
ExecStart=/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2376 --tlsverify --tlscacert=<location of ca certificate> --tlscert=<location of server certificate> --tlskey=<location of server key>
  16. sudo systemctl daemon-reload
  17. sudo systemctl restart docker.service
  18. sudo netstat -lntp | grep dockerd