mirror of https://github.com/moby/moby.git synced 2022-11-09 12:21:53 -05:00

doc: Do not encrypt private keys

Do not encrypt private keys in the first place, if the encryption
is stripped anyway.

Signed-off-by: Lorenz Leutgeb <lorenz.leutgeb@gmail.com>
This commit is contained in:
Lorenz Leutgeb 2015-01-04 20:57:20 +01:00
parent 7eb5262d1b
commit f957f258d7


@ -58,15 +58,12 @@ Now that we have a CA, you can create a server key and certificate
signing request (CSR). Make sure that "Common Name" (i.e. server FQDN or YOUR signing request (CSR). Make sure that "Common Name" (i.e. server FQDN or YOUR
name) matches the hostname you will use to connect to Docker: name) matches the hostname you will use to connect to Docker:
$ openssl genrsa -des3 -out server-key.pem 2048 $ openssl genrsa -out server-key.pem 2048
Generating RSA private key, 2048 bit long modulus Generating RSA private key, 2048 bit long modulus
......................................................+++ ......................................................+++
............................................+++ ............................................+++
e is 65537 (0x10001) e is 65537 (0x10001)
Enter pass phrase for server-key.pem:
Verifying - Enter pass phrase for server-key.pem:
$ openssl req -subj '/CN=<Your Hostname Here>' -new -key server-key.pem -out server.csr $ openssl req -subj '/CN=<Your Hostname Here>' -new -key server-key.pem -out server.csr
Enter pass phrase for server-key.pem:
Next, we're going to sign the key with our CA: Next, we're going to sign the key with our CA:
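Review bot: With `-des3` dropped from the `genrsa` line, `server-key.pem` now lands on disk unencrypted, and the surrounding prose gives no replacement protection; the hunk should add a sentence (and ideally a command such as `chmod 0400 server-key.pem`) telling the reader to restrict the file's permissions, since the passphrase prompts that used to guard the key are gone for good rather than just deferred. The removal of the two `Enter pass phrase` lines under `genrsa` and the one under `openssl req` is consistent with the new command, which prompts for nothing.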
@ -80,15 +77,12 @@ Next, we're going to sign the key with our CA:
For client authentication, create a client key and certificate signing For client authentication, create a client key and certificate signing
request: request:
$ openssl genrsa -des3 -out key.pem 2048 $ openssl genrsa -out key.pem 2048
Generating RSA private key, 2048 bit long modulus Generating RSA private key, 2048 bit long modulus
...............................................+++ ...............................................+++
...............................................................+++ ...............................................................+++
e is 65537 (0x10001) e is 65537 (0x10001)
Enter pass phrase for key.pem:
Verifying - Enter pass phrase for key.pem:
$ openssl req -subj '/CN=client' -new -key key.pem -out client.csr $ openssl req -subj '/CN=client' -new -key key.pem -out client.csr
Enter pass phrase for key.pem:
To make the key suitable for client authentication, create an extensions To make the key suitable for client authentication, create an extensions
config file: config file:
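Review bot: Same concern as for the server key: `key.pem` is generated in the clear and this file is the one that later gets copied to client machines, so this is the place to tell the reader to set restrictive permissions on it and to treat it as a secret when distributing it. The dropped prompt lines match the new `genrsa` invocation, so the sample output is accurate as shown.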
@ -104,15 +98,6 @@ Now sign the key:
Getting CA Private Key Getting CA Private Key
Enter pass phrase for ca-key.pem: Enter pass phrase for ca-key.pem:
Finally, you need to remove the passphrase from the client and server key:
$ openssl rsa -in server-key.pem -out server-key.pem
Enter pass phrase for server-key.pem:
writing RSA key
$ openssl rsa -in key.pem -out key.pem
Enter pass phrase for key.pem:
writing RSA key
Now you can make the Docker daemon only accept connections from clients Now you can make the Docker daemon only accept connections from clients
providing a certificate trusted by our CA: providing a certificate trusted by our CA:
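Review bot: Deleting the "Finally, you need to remove the passphrase" step is the right consequence of the earlier hunks, but check that no later text in the page still refers to that step or to re-entering a passphrase for `server-key.pem` or `key.pem`. Note also that `ca-key.pem` remains passphrase-protected (the unchanged context still shows `Enter pass phrase for ca-key.pem:` when signing), which is consistent with the commit's rationale since the CA key was never stripped; it may be worth a sentence stating that the CA key is intentionally the only one kept encrypted.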