Create CA and certificates based on it.

Create CA, first execution:

docker run --rm \
  -e \
  -e SSL_DNS=andradaprieto \
  -v $(pwd)/certs:/certs \

Creation of certificates, subsequent executions:

docker run --rm \
  -e \
  -e SSL_DNS=blog \
  -v $(pwd)/certs:/certs \

Generate Wildcard cert

docker run --rm \
  -e SSL_SUBJECT="*" \
  -e SSL_DNS="*" \
  -v $(pwd)/certs:/certs \

Advanced Usage

Customize the generated CA and certificates with the following environment variables:

  • DEBUG debug level 0/1/2, default 0
  • CA_KEY CA Key file, default ca-key.pem [1]
  • CA_CERT CA Certificate file, default ca.pem [1]
  • CA_SUBJECT CA Subject, default test-ca
  • CA_EXPIRE CA Expiry, default 60 days
  • SSL_CONFIG SSL Config, default openssl.cnf [1]
  • SSL_KEY SSL Key file, default key.pem
  • SSL_CSR SSL Cert Request file, default key.csr
  • SSL_CERT SSL Cert file, default cert.pem
  • SSL_SIZE SSL Cert size, default 2048 bits
  • SSL_EXPIRE SSL Cert expiry, default 60 days
  • SSL_SUBJECT SSL Subject default
  • SSL_DNS comma-separated list of alternative hostnames, no default [2]
  • SSL_IP comma-separated list of alternative IPs, no default [2]

[1] If the file already exists, it is re-used instead of being regenerated.
[2] If SSL_DNS or SSL_IP is set, SSL_SUBJECT is also added to the alternative hostname list.


Create Certificates for NGINX

Enable SSL in /etc/nginx/sites-enabled/default:

server {
        listen 443 ssl;          # "listen ... ssl" replaces the deprecated "ssl on;" directive
        root html;
        index index.html index.htm;
        ssl_certificate /etc/nginx/certs/;
        ssl_certificate_key /etc/nginx/certs/;
        ssl_session_timeout 5m;
        # TLSv1 and TLSv1.1 are deprecated (RFC 8996); prefer TLSv1.2 only, plus TLSv1.3 where supported
        ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers         HIGH:!aNULL:!MD5;
        location / {
                try_files $uri $uri/ =404;
        }
}

Restart NGINX and test:

$ service nginx restart
$ echo '' >> /etc/hosts
$ curl --cacert /etc/nginx/certs/ca.pem
<!DOCTYPE html>

Create keys for docker registry

$ docker run -d \
    --name registry \
    --volumes-from certs \
    -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/cert.pem \
    -e REGISTRY_HTTP_TLS_KEY=/certs/key.pem \
    -p 5000:5000 \

Make sure it works:

$ echo "       test.pruebas.local" >> /etc/hosts
$ docker tag jorgeandrada/ca-certificates test.pruebas.local:5000/jandrada
$ docker push test.pruebas.local:5000/jandrada
The push refers to a repository [test.pruebas.local:5000/jandrada] (len: 1)
xxxxxxxxx: Pushed