Protecting the Docker daemon socket with OpenSSL.
Ensure that you replace
$HOST in the following examples with the DNS name of the target Docker host.
Generate Private and Public Keys for a CA (Certificate Authority)
Create a directory for certificate files:
mkdir /home/ubuntu/certs cd /home/ubuntu/certs
Generate a private key:
openssl genrsa -aes256 -out ca-key.pem 4096
Generate a certificate request using the pass phrase for
openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pem
Fill out all fields.
Ensure that you set Common Name to the DNS name of the Docker host:
Country Name (2 letter code) [AU]:US State or Province Name (full name) [Some-State]:CA Locality Name (eg, city) :Cupertino Organization Name (eg, company) [Internet Widgits Pty Ltd]:MyCompany Organizational Unit Name (eg, section) : Common Name (for example server FQDN or YOUR name) :$HOST Email Address :
Create a Server Key and Certificate Signing Request (CSR)
openssl genrsa -out server-key.pem 4096
openssl req -subj "/CN=$HOST" -sha256 -new -key server-key.pem -out server.csr
Sign the Public Key with our CA
TLS connections need to be specified when creating the certificate, as the connections can be made via IP address as well as DNS name. For example, to allow local connections and remote connections from
echo subjectAltName = IP:127.0.0.1,IP:192.0.2.1,IP:192.0.2.2 > extfile.cnf
openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem \ -CAcreateserial -out server-cert.pem -extfile extfile.cnf
Create a Client Key and Certificate Signing Request for Client Authentication
openssl genrsa -out key.pem 4096
openssl req -subj '/CN=client' -new -key key.pem -out client.csr
To make the key suitable for client authentication, create an extensions config file:
echo extendedKeyUsage = clientAuth > extfile.cnf
Sign the public key:
openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem \ -CAcreateserial -out cert.pem -extfile extfile.cnf
server-cert.pem, you can safely remove the
two certificate signing requests:
rm -v client.csr server.csr
Set Permissions to Private Keys
With a default
umask of 022, secret keys are world-readable and writable for you and your group.
To protect your keys from accidental damage, remove write permissions. To make them only readable by you, change file modes as follows:
chmod -v 0400 ca-key.pem key.pem server-key.pem
Certificates can be world-readable, but you might want to remove write access to prevent accidental damage:
chmod -v 0444 ca.pem server-cert.pem cert.pem
Now you can make the Docker daemon only accept connections from clients providing a certificate trusted by our CA.