// Generate the CA private key
root@docker-manager:~# openssl genrsa -aes256 -out ca-key.pem 4096
Generating RSA private key, 4096 bit long modulus (2 primes)
.........................................................................++++
.............................................++++
e is 65537 (0x010001)
// You are asked to enter a passphrase of your choice twice
Enter pass phrase for ca-key.pem:
Verifying - Enter pass phrase for ca-key.pem:
// Generate the CA public key (the self-signed CA certificate)
root@docker-manager:~# openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pem
// Enter the passphrase set in the first step here
Enter pass phrase for ca-key.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:zhejiang
Locality Name (eg, city) []:hangzhou
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Docker Inc
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []: $HOST
Email Address []:
Create the server key and certificate signing request (CSR)
root@docker-manager:~# openssl genrsa -out server-key.pem 4096
Generating RSA private key, 4096 bit long modulus (2 primes)
......................................................................................................++++
................++++
e is 65537 (0x010001)
root@docker-manager:~# chmod -v 0400 ca-key.pem key.pem server-key.pem
mode of 'ca-key.pem' changed from 0600 (rw-------) to 0400 (r--------)
mode of 'key.pem' changed from 0600 (rw-------) to 0400 (r--------)
mode of 'server-key.pem' changed from 0600 (rw-------) to 0400 (r--------)
Certificates can be world-readable, but you may want to remove write access to prevent accidental damage:
root@docker-manager:~# chmod -v 0444 ca.pem server-cert.pem cert.pem
mode of 'ca.pem' changed from 0644 (rw-r--r--) to 0444 (r--r--r--)
mode of 'server-cert.pem' changed from 0644 (rw-r--r--) to 0444 (r--r--r--)
mode of 'cert.pem' changed from 0644 (rw-r--r--) to 0444 (r--r--r--)
Modify the Docker configuration and restart Docker
Edit the Docker configuration file (mine is an Ubuntu machine): vim /lib/systemd/system/docker.service