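#!/usr/bin/env bash
# Docker TLS Certificate Generation Script
#
# Generates a private CA, a server certificate for the Docker daemon and a
# client certificate for docker / docker-compose, for mutually authenticated
# TLS on the Docker API (tcp://HOST:2376). Output goes to ../certs relative
# to this script.
#
# Environment (all optional):
#   DOCKER_ENV          label embedded in the CA and client CN (default: development)
#   DOCKER_HOST_IP      IP placed in the server cert SAN (default: 127.0.0.1)
#   DOCKER_HOST_NAME    DNS name placed in the server cert CN/SAN (default: localhost)
#   CA_KEY_PASSPHRASE   passphrase protecting ca-key.pem. When unset a random one
#                       is generated and written to certs/ca-key.passphrase (0400).
#   CA_DAYS             CA certificate validity in days (default: 3650)
#   CERT_DAYS           server/client certificate validity in days (default: 3650).
#                       There is no revocation here, so prefer a much shorter
#                       lifetime and re-run the script to rotate.
#   FORCE_REGENERATE=1  replace an existing CA. Every certificate the old CA
#                       signed stops validating against the new ca.pem.
set -euo pipefail

# Keys and the passphrase file must never be world-readable, not even in the
# window between creation and the explicit chmod at the end.
umask 077

CERTS_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)/certs"

die() { printf 'ERROR: %s\n' "$*" >&2; exit 1; }

# Configuration
DAYS=3650 # 10 years
CA_DAYS="${CA_DAYS:-$DAYS}"
CERT_DAYS="${CERT_DAYS:-$DAYS}"
COUNTRY="NO"
STATE="Norway"
CITY="Oslo"
ORG="Lovdata Chat"
OU="DevOps"
EMAIL="admin@lovdata-chat.local"

# Environment-specific settings
ENVIRONMENT="${DOCKER_ENV:-development}"
DOCKER_HOST_IP="${DOCKER_HOST_IP:-127.0.0.1}"
DOCKER_HOST_NAME="${DOCKER_HOST_NAME:-localhost}"

[[ "$CA_DAYS" =~ ^[1-9][0-9]*$ && "$CERT_DAYS" =~ ^[1-9][0-9]*$ ]] \
  || die "CA_DAYS and CERT_DAYS must be positive integers"
command -v openssl >/dev/null || die "openssl not found in PATH"

echo "Generating Docker TLS certificates for environment: $ENVIRONMENT"
echo "Certificate directory: $CERTS_DIR"

# Create certificates directory
mkdir -p "$CERTS_DIR"

# Re-running this script silently re-issues the CA and invalidates every
# client/server certificate already deployed, so refuse unless asked to.
CA_KEY="$CERTS_DIR/ca-key.pem"
PASS_FILE="$CERTS_DIR/ca-key.passphrase"
if [[ -e "$CA_KEY" ]]; then
  [[ "${FORCE_REGENERATE:-0}" == "1" ]] \
    || die "$CA_KEY already exists; set FORCE_REGENERATE=1 to replace the CA (this invalidates all previously issued certificates)"
  # Previous run left these 0400; remove them so openssl can write fresh ones.
  rm -f "$CA_KEY" "$PASS_FILE" "$CERTS_DIR/ca.pem" \
        "$CERTS_DIR/server-key.pem" "$CERTS_DIR/server-cert.pem" \
        "$CERTS_DIR/client-key.pem" "$CERTS_DIR/client-cert.pem"
fi

# CSRs, extension files and the serial file are only needed during this run;
# the trap removes them on every exit path, including a failed openssl call.
cleanup_tmp() {
  rm -f "$CERTS_DIR/ca.srl" "$CERTS_DIR/server.csr" "$CERTS_DIR/client.csr" \
        "$CERTS_DIR/server-extfile.cnf" "$CERTS_DIR/client-extfile.cnf"
}
trap cleanup_tmp EXIT

# CA key passphrase. It is handed to openssl via env: rather than pass:, so it
# never appears in the process argument list (ps, audit logs, shell history).
if [[ -z "${CA_KEY_PASSPHRASE:-}" ]]; then
  CA_KEY_PASSPHRASE="$(openssl rand -base64 48)"
  printf '%s\n' "$CA_KEY_PASSPHRASE" > "$PASS_FILE"
  chmod 0400 "$PASS_FILE"
  echo "Generated a CA key passphrase and stored it in $PASS_FILE (keep it with ca-key.pem, not on the Docker host)"
fi
export CA_KEY_PASSPHRASE

# Generate CA private key and certificate
echo "Generating CA certificate..."
openssl genrsa -aes256 -passout env:CA_KEY_PASSPHRASE -out "$CA_KEY" 4096
openssl req -new -x509 -days "$CA_DAYS" -key "$CA_KEY" -passin env:CA_KEY_PASSPHRASE -sha256 \
  -subj "/C=$COUNTRY/ST=$STATE/L=$CITY/O=$ORG/OU=$OU/CN=Docker-CA-$ENVIRONMENT/emailAddress=$EMAIL" \
  -out "$CERTS_DIR/ca.pem"

# Generate server private key and certificate
echo "Generating server certificate..."
openssl genrsa -out "$CERTS_DIR/server-key.pem" 4096

# Create server certificate signing request
openssl req -subj "/CN=$DOCKER_HOST_NAME" -new -key "$CERTS_DIR/server-key.pem" \
  -out "$CERTS_DIR/server.csr"

# Create server extensions file. basicConstraints/keyUsage pin the leaf so it
# cannot be used as an intermediate CA or for anything but TLS server auth.
cat > "$CERTS_DIR/server-extfile.cnf" << EOF
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = IP:$DOCKER_HOST_IP,DNS:$DOCKER_HOST_NAME,DNS:localhost,IP:127.0.0.1
EOF

# Sign server certificate
openssl x509 -req -days "$CERT_DAYS" -in "$CERTS_DIR/server.csr" -CA "$CERTS_DIR/ca.pem" \
  -CAkey "$CA_KEY" -passin env:CA_KEY_PASSPHRASE -CAcreateserial \
  -out "$CERTS_DIR/server-cert.pem" -sha256 -extfile "$CERTS_DIR/server-extfile.cnf"

# Generate client private key and certificate
echo "Generating client certificate..."
openssl genrsa -out "$CERTS_DIR/client-key.pem" 4096

# Create client certificate signing request
openssl req -subj "/CN=docker-client-$ENVIRONMENT" -new -key "$CERTS_DIR/client-key.pem" \
  -out "$CERTS_DIR/client.csr"

# Create client extensions file (clientAuth only: this cert must not be
# accepted as a server certificate by anyone trusting the CA).
cat > "$CERTS_DIR/client-extfile.cnf" << EOF
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
EOF

# Sign client certificate
openssl x509 -req -days "$CERT_DAYS" -in "$CERTS_DIR/client.csr" -CA "$CERTS_DIR/ca.pem" \
  -CAkey "$CA_KEY" -passin env:CA_KEY_PASSPHRASE -CAcreateserial \
  -out "$CERTS_DIR/client-cert.pem" -sha256 -extfile "$CERTS_DIR/client-extfile.cnf"

# The docker CLI and docker-compose look for ca.pem, cert.pem and key.pem in
# DOCKER_CERT_PATH, so expose the client pair under those names as well.
ln -sfn client-cert.pem "$CERTS_DIR/cert.pem"
ln -sfn client-key.pem "$CERTS_DIR/key.pem"

# Clean up temporary files (the EXIT trap also covers failure paths)
cleanup_tmp

# Set proper permissions
chmod 0400 "$CA_KEY" "$CERTS_DIR/server-key.pem" "$CERTS_DIR/client-key.pem"
chmod 0444 "$CERTS_DIR/ca.pem" "$CERTS_DIR/server-cert.pem" "$CERTS_DIR/client-cert.pem"

echo "Certificate generation complete!"
echo ""
echo "Generated files:"
echo "  CA Certificate:     $CERTS_DIR/ca.pem"
echo "  Server Certificate: $CERTS_DIR/server-cert.pem"
echo "  Server Key:         $CERTS_DIR/server-key.pem"
echo "  Client Certificate: $CERTS_DIR/client-cert.pem (also cert.pem)"
echo "  Client Key:         $CERTS_DIR/client-key.pem (also key.pem)"
echo ""
echo "Environment variables for docker-compose.yml:"
echo "  DOCKER_TLS_VERIFY=1"
echo "  DOCKER_CERT_PATH=$CERTS_DIR"
echo "  DOCKER_HOST=tcp://$DOCKER_HOST_IP:2376"
echo ""
echo "The daemon only needs ca.pem, server-cert.pem and server-key.pem; keep ca-key.pem"
echo "and its passphrase off the Docker host. Anyone holding the client key can run"
echo "arbitrary containers as root, so treat it like a root credential."
echo "For production, use a short CERT_DAYS and re-run to rotate; there is no CRL/OCSP here."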