Manage your CA using EasyRSA¶

We choose to use EasyRSA CLI utility to build and manage our PKI CA. Their README.quickstart.md has good informations on basic usage. Please refer to their documentation for general usage of EasyRSA.

Note

We are used to encrypt the socket traffic using CAcert.org and authenticate our users using our own CA (pki). But you can also use your own managed CA to accomplish both.

EasyRSA PKI initialization¶

Initialize an EasyRSA PKI.¶

# Obtain EasyRSA
#
$ wget https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.3/EasyRSA-3.0.3.tgz
$ tar xf EasyRSA-3.0.3.tgz
$ cd EasyRSA-3.0.3


# Configure EasyRSA
#
$ cp vars.example vars
# Edit `vars` file and adapt to your need. You probably need to
# uncomment EASYRSA_REQ_* directives ;)
$ vim vars


# Initialize the pki
#
$ ./easyrsa init-pki
$ ./easyrsa build-ca

# Copy the CA public key to a central path
$ cp pki/ca.crt /etc/pki/CA/certs/our.company.ca.to.authenticate.users.crt


# If you choose to use your managed CA to encrypt the socket,
# then let's generate a certificate for it. Please replace
# `full.name.of.your.host` with the value you plan to use
# for accessing the docker socket (aka DOCKER_HOST envvar).
#
$ ./easyrsa build-server-full full.name.of.your.host nopass

# Place the generated certificates in a know directory and
# use them in your `/etc/docker/daemon.json` file
# (`tlskey` / `tlscert`)
#
$ cp pki/issued/full.name.of.your.host.crt /etc/pki/tls/certs/full.name.of.your.host.crt
$ cp pki/private/full.name.of.your.host.key /etc/pki/tls/certs/full.name.of.your.host.key

Generate client certificat for user¶

Generate a client certificate for username1.¶

# Generate a client certificate
#
$ ./easyrsa build-client-full username1 nopass

# Place generated files in user's home directory
#
$ mkdir /home/username1/.docker/
$ install -o username1 -g username1 -m 0444 pki/issued/username1.crt /home/username1/.docker/cert.pem
$ install -o username1 -g username1 -m 0400 pki/private/username1.key /home/username1/.docker/key.pem
$ install -o username1 -g username1 -m 0444 pki/ca.crt /home/username1/.docker/ca.pem

# Check everything is working
$ docker --tlsverify -H=full.name.of.your.host:2376 version
# or
$ DOCKER_HOST=tcp://full.name.of.your.host:2376 DOCKER_TLS_VERIFY=1 docker version