moby--moby/docs/articles/certificates.md

<!--[metadata]>
+++
title = "Using certificates for repository client verification"
description = "How to set up and use certificates with a registry to verify access"
keywords = ["Usage, registry, repository, client, root, certificate, docker, apache, ssl, tls, documentation, examples, articles,  tutorials"]
[menu.main]
parent = "mn_docker_hub"
weight = 7
+++
<![end-metadata]-->

# Using certificates for repository client verification

The original content was deprecated. For information about configuring
certificates, see  [deploying a registry
server](http://docs.docker.com/registry/deploying). To reach an older version
of this content, refer to an older version of the documentation.
retooling for hugo Tweaking for Hugo Updating the Dockerfile with new sed; fix broken link on Kitematic Fixing image pull for Dockerfile Removing docs targets Signed-off-by: Mary Anthony <mary@docker.com> 2015-06-08 03:07:20 +00:00			`<!--[metadata]>`
			`+++`
			`title = "Using certificates for repository client verification"`
			`description = "How to set up and use certificates with a registry to verify access"`
			`keywords = ["Usage, registry, repository, client, root, certificate, docker, apache, ssl, tls, documentation, examples, articles, tutorials"]`
			`[menu.main]`
Fixing seds, deleting old stuff Signed-off-by: Mary Anthony <mary@docker.com> Upding sed, adding script to avoid redirects, remove mkdos Signed-off-by: Mary Anthony <mary@docker.com> Ignoring graphics with sed Signed-off-by: Mary Anthony <mary@docker.com> Fixing kitematic image Signed-off-by: Mary Anthony <mary@docker.com> Removing draft Signed-off-by: Mary Anthony <mary@docker.com> Fixing link Signed-off-by: Mary Anthony <mary@docker.com> removing from the menu Signed-off-by: Mary Anthony <mary@docker.com> Updatiing order of project material Signed-off-by: Mary Anthony <mary@docker.com> Removing from Regsitry v2 content per Olivier Signed-off-by: Mary Anthony <mary@docker.com> tweaking the touchup Signed-off-by: Mary Anthony <mary@docker.com> Removing include; only used four places; hugo global var replace Signed-off-by: Mary Anthony <mary@docker.com> Entering fixes from page-by-page Signed-off-by: Mary Anthony <mary@docker.com> 2015-06-16 13:04:13 +00:00			`parent = "mn_docker_hub"`
			`weight = 7`
retooling for hugo Tweaking for Hugo Updating the Dockerfile with new sed; fix broken link on Kitematic Fixing image pull for Dockerfile Removing docs targets Signed-off-by: Mary Anthony <mary@docker.com> 2015-06-08 03:07:20 +00:00			`+++`
			`<![end-metadata]-->`
Add support for client certificates for registries This lets you specify custom client TLS certificates and CA root for a specific registry hostname. Docker will then verify the registry against the CA and present the client cert when talking to that registry. This allows the registry to verify that the client has a proper key, indicating that the client is allowed to access the images. A custom cert is configured by creating a directory in /etc/docker/certs.d with the same name as the registry hostname. Inside this directory all .crt files are added as CA Roots (if none exists, the system default is used) and pair of files <filename>.key and <filename>.cert indicate a custom certificate to present to the registry. If there are multiple certificates each one will be tried in alphabetical order, proceeding to the next if we get a 403 of 5xx response. So, an example setup would be: /etc/docker/certs.d/ └── localhost ├── client.cert ├── client.key └── localhost.crt A simple way to test this setup is to use an apache server to host a registry. Just copy a registry tree into the apache root, here is an example one containing the busybox image: http://people.gnome.org/~alexl/v1.tar.gz Then add this conf file as /etc/httpd/conf.d/registry.conf: # This must be in the root context, otherwise it causes a re-negotiation # which is not supported by the tls implementation in go SSLVerifyClient optional_no_ca <Location /v1> Action cert-protected /cgi-bin/cert.cgi SetHandler cert-protected Header set x-docker-registry-version "0.6.2" SetEnvIf Host (.) custom_host=$1 Header set X-Docker-Endpoints "%{custom_host}e" </Location> And this as /var/www/cgi-bin/cert.cgi #!/bin/bash if [ "$HTTPS" != "on" ]; then echo "Status: 403 Not using SSL" echo "x-docker-registry-version: 0.6.2" echo exit 0 fi if [ "$SSL_CLIENT_VERIFY" == "NONE" ]; then echo "Status: 403 Client certificate invalid" echo "x-docker-registry-version: 0.6.2" echo exit 0 fi echo "Content-length: $(stat --printf='%s' $PATH_TRANSLATED)" echo "x-docker-registry-version: 0.6.2" echo "X-Docker-Endpoints: $SERVER_NAME" echo "X-Docker-Size: 0" echo cat $PATH_TRANSLATED This will return 403 for all accessed to /v1 unless any client cert is presented. Obviously a real implementation would verify more details about the certificate. Example client certs can be generated with: openssl genrsa -out client.key 1024 openssl req -new -x509 -text -key client.key -out client.cert Docker-DCO-1.1-Signed-off-by: Alexander Larsson <alexl@redhat.com> (github: alexlarsson) 2013-12-04 14:03:51 +00:00
			`# Using certificates for repository client verification`

Copy edits for typos Signed-off-by: Ed Costello <epc@epcostello.com> 2015-08-25 03:02:44 +00:00			`The original content was deprecated. For information about configuring`
			`certificates, see [deploying a registry`
Enabled GitHub Flavored Markdown GitHub flavored markdown is now supported for links and images. Also, ran LinkChecker and FileResolver. Yay! Fixes from Spider check Output for docker/docker now goes into engine directory Signed-off-by: Mary Anthony <mary@docker.com> 2015-10-09 23:50:41 +00:00			`server](http://docs.docker.com/registry/deploying). To reach an older version`
Initial work Removing references to regsitry 1.0, pointing to distribution Updating links and title Adding in comments Signed-off-by: Mary Anthony <mary@docker.com> 2015-08-10 18:02:35 +00:00			`of this content, refer to an older version of the documentation.`