kotovalexarian-likes-github/moby--moby
1
0
Fork 0
mirror of https://github.com/moby/moby.git synced 2022-11-09 12:21:53 -05:00
Code Releases Activity

doc: Do not encrypt private keys

Browse source 
Do not encrypt private keys in the first place, if the encryption
is stripped anyway.

Signed-off-by: Lorenz Leutgeb <lorenz.leutgeb@gmail.com>
This commit is contained in:
Lorenz Leutgeb 2015-01-04 20:57:20 +01:00
parent 7eb5262d1b
commit f957f258d7
1 changed files with 6 additions and 21 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

19
docs/sources/articles/https.md
View file

@ -58,15 +58,12 @@ Now that we have a CA, you can create a server key and certificate
signing request (CSR). Make sure that "Common Name" (i.e. server FQDN or YOUR
name) matches the hostname you will use to connect to Docker:
$ openssl genrsa -des3 -out server-key.pem 2048
$ openssl genrsa -out server-key.pem 2048
Generating RSA private key, 2048 bit long modulus
......................................................+++
............................................+++
e is 65537 (0x10001)
Enter pass phrase for server-key.pem:
Verifying - Enter pass phrase for server-key.pem:
$ openssl req -subj '/CN=<Your Hostname Here>' -new -key server-key.pem -out server.csr
Enter pass phrase for server-key.pem:
Next, we're going to sign the key with our CA:
@ -80,15 +77,12 @@ Next, we're going to sign the key with our CA:
For client authentication, create a client key and certificate signing
request:
$ openssl genrsa -des3 -out key.pem 2048
$ openssl genrsa -out key.pem 2048
Generating RSA private key, 2048 bit long modulus
...............................................+++
...............................................................+++
e is 65537 (0x10001)
Enter pass phrase for key.pem:
Verifying - Enter pass phrase for key.pem:
$ openssl req -subj '/CN=client' -new -key key.pem -out client.csr
Enter pass phrase for key.pem:
To make the key suitable for client authentication, create an extensions
config file:
@ -104,15 +98,6 @@ Now sign the key:
Getting CA Private Key
Enter pass phrase for ca-key.pem:
Finally, you need to remove the passphrase from the client and server key:
$ openssl rsa -in server-key.pem -out server-key.pem
Enter pass phrase for server-key.pem:
writing RSA key
$ openssl rsa -in key.pem -out key.pem
Enter pass phrase for key.pem:
writing RSA key
Now you can make the Docker daemon only accept connections from clients
providing a certificate trusted by our CA: