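#!/bin/bash
# Generate a private CA plus a server and a client certificate for mutually
# authenticated TLS between a Docker daemon (--tlsverify) and its clients.
#
# Optional environment overrides (defaults reproduce the historical layout):
#   CERT_DIR    output directory                     (default: ./docker-certs)
#   CERT_DAYS   validity, in days, of every cert     (default: 365)
#   SERVER_CN   server CN, also used as the DNS SAN  (default: docker-daemon)
#   SERVER_IPS  comma-separated IP SANs              (default: 127.0.0.1,172.18.0.1)
#   FORCE=1     allow overwriting an existing CA key (default: refuse)
#
# Output layout:
#   $CERT_DIR/ca/ca-key.pem, ca.pem            (CA key is 0600, dir is 0700)
#   $CERT_DIR/server/server-key.pem, cert.pem, ca.pem
#   $CERT_DIR/client/key.pem, cert.pem, ca.pem
set -euo pipefail

# Private keys must never be world-readable, not even transiently. A trailing
# chmod leaves a window (default umask 022 creates 0644 files); restricting the
# umask before any key is written closes it. Public artifacts are opened up
# explicitly at the end.
umask 077

CERT_DIR="${CERT_DIR:-./docker-certs}"
CERT_DAYS="${CERT_DAYS:-365}"
SERVER_CN="${SERVER_CN:-docker-daemon}"
SERVER_IPS="${SERVER_IPS:-127.0.0.1,172.18.0.1}"
CA_DIR="$CERT_DIR/ca"
SERVER_DIR="$CERT_DIR/server"
CLIENT_DIR="$CERT_DIR/client"

die() { printf 'error: %s\n' "$*" >&2; exit 1; }

command -v openssl >/dev/null 2>&1 || die "openssl not found in PATH"

# Regenerating the CA silently invalidates every cert already deployed from it;
# make that an explicit decision rather than a side effect of a re-run.
if [[ -e "$CA_DIR/ca-key.pem" && "${FORCE:-0}" != "1" ]]; then
  die "$CA_DIR/ca-key.pem already exists; set FORCE=1 to regenerate the CA"
fi

mkdir -p "$CA_DIR" "$SERVER_DIR" "$CLIENT_DIR"

# Build the server SAN list: DNS name first, then every IP given in SERVER_IPS.
# Clients verify the daemon against these, so the CN alone is not sufficient.
server_san="DNS:${SERVER_CN}"
IFS=',' read -r -a server_ips <<< "$SERVER_IPS"
for ip in "${server_ips[@]}"; do
  [[ -n "$ip" ]] || continue
  server_san+=",IP:${ip}"
done

# --- CA -----------------------------------------------------------------------
openssl genrsa -out "$CA_DIR/ca-key.pem" 4096
openssl req -new -x509 -days "$CERT_DAYS" -sha256 \
  -key "$CA_DIR/ca-key.pem" \
  -out "$CA_DIR/ca.pem" \
  -subj "/C=US/ST=CA/L=San Francisco/O=Docker/CN=docker-ca"

# --- Server -------------------------------------------------------------------
openssl genrsa -out "$SERVER_DIR/server-key.pem" 4096
openssl req -new -subj "/CN=${SERVER_CN}" \
  -key "$SERVER_DIR/server-key.pem" \
  -out "$SERVER_DIR/server.csr"

# extendedKeyUsage=serverAuth prevents this cert from being presented as a
# client cert to the daemon (and vice versa for the client cert below).
cat > "$SERVER_DIR/server-extfile.cnf" << EOF
subjectAltName = ${server_san}
extendedKeyUsage = serverAuth
EOF

openssl x509 -req -days "$CERT_DAYS" -sha256 \
  -in "$SERVER_DIR/server.csr" \
  -CA "$CA_DIR/ca.pem" -CAkey "$CA_DIR/ca-key.pem" -CAcreateserial \
  -extfile "$SERVER_DIR/server-extfile.cnf" \
  -out "$SERVER_DIR/cert.pem"

# --- Client -------------------------------------------------------------------
openssl genrsa -out "$CLIENT_DIR/key.pem" 4096
openssl req -new -subj "/CN=docker-client" \
  -key "$CLIENT_DIR/key.pem" \
  -out "$CLIENT_DIR/client.csr"

cat > "$CLIENT_DIR/client-extfile.cnf" << EOF
extendedKeyUsage = clientAuth
EOF

openssl x509 -req -days "$CERT_DAYS" -sha256 \
  -in "$CLIENT_DIR/client.csr" \
  -CA "$CA_DIR/ca.pem" -CAkey "$CA_DIR/ca-key.pem" -CAcreateserial \
  -extfile "$CLIENT_DIR/client-extfile.cnf" \
  -out "$CLIENT_DIR/cert.pem"

# Each side only needs the CA *certificate* to verify its peer; the CA private
# key stays in $CA_DIR and should be moved offline once issuance is done.
cp "$CA_DIR/ca.pem" "$CLIENT_DIR/ca.pem"
cp "$CA_DIR/ca.pem" "$SERVER_DIR/ca.pem"

# CSRs and extension files are intermediate artifacts; drop them so the
# directories contain only what gets deployed.
rm -f "$SERVER_DIR/server.csr" "$SERVER_DIR/server-extfile.cnf" \
      "$CLIENT_DIR/client.csr" "$CLIENT_DIR/client-extfile.cnf"

# Final permissions: keys stay 0600 (already, via umask), certificates are
# public; the CA directory stays private, the deployable directories do not.
chmod 600 "$CA_DIR/ca-key.pem" "$SERVER_DIR/server-key.pem" "$CLIENT_DIR/key.pem"
chmod 644 "$CA_DIR/ca.pem" "$SERVER_DIR/cert.pem" "$SERVER_DIR/ca.pem" \
          "$CLIENT_DIR/cert.pem" "$CLIENT_DIR/ca.pem"
chmod 700 "$CA_DIR"
chmod 755 "$CERT_DIR" "$SERVER_DIR" "$CLIENT_DIR"

printf 'TLS certificates generated successfully in %s\n' "$CERT_DIR"
printf 'CA certificate: %s\n' "$CA_DIR/ca.pem"
printf 'Server cert: %s\n' "$SERVER_DIR/cert.pem"
printf 'Client cert: %s\n' "$CLIENT_DIR/cert.pem"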