docker 配置私服证书

docker建立私服证书

openssl genrsa -out "root-ca.key" 4096  # 建立CA私钥

openssl req -new -key "root-ca.key" -out "root-ca.csr" -sha256 -subj '/C=CN/ST=guangdong/L=Shenzhen/O=snowballtech/CN=YourCompanyNameDockerRegistryCA'  #利用私钥建立CA根证书请求文件 

vi root-ca.cnf # 建立 root-ca.cnf ,详情参考下方


openssl x509 -req -days 3650 -in "root-ca.csr" -signkey "root-ca.key" -sha256 -out "root-ca.crt" -extfile "root-ca.cnf" -extensions root_ca  # 签发根证书

openssl genrsa -out "docker.domain.com.key" 4096  # 生成站点SSL私钥

openssl req -new -key "docker.domain.com.key" -out "site.csr" -sha256 -subj '/C=CN/ST=guangdong/L=Shenzhen/O=snowballtech/CN=docker.domain.com'  # 使用私钥生成证书请求文件

vi site.cnf  # 建立site.cnf

openssl x509 -req -days 750 -in "site.csr" -sha256 -CA "root-ca.crt" -CAkey "root-ca.key" -CAcreateserial -out "docker.domain.com.crt" -extfile "site.cnf" -extensions server  # 部署站点证书

 

root-ca.cnf

[root_ca]
basicConstraints=critical,CA:TRUE,pathlen:1
keyUsage=critical,nonRepudiation,cRLSign,keyCertSign
subjectKeyIdentifier=hash

 

site.cnf

[server]
authorityKeyIdentifier=keyid,issuer
basicConstraints=critical,CA:FALSE
extendedKeyUsage=serverAuth
keyUsage=critical,digitalSignature,keyEncipherment
subjectAltName=DNS:docker.domain.com,IP:127.0.0.1
subjectKeyIdentifier=hash