Docker container for creating self signed TLS certificates using the Cloudflare TLS toolkit

cfssl-certs

Overview

A Docker container that generates a self-signed certificate authority
and then issues host certificates from it.

Environment Variables

  • HOSTNAMES List of space-separated names for the host
    • Default: None
    • Used to generate a host certificate
    • The first hostname provided will be the primary name; all others are
      alternative names
    • localhost and 127.0.0.1 are always added as the last two alternative names
  • AUTHORITY_NAME Certificate authority name
    • Default: Automated
    • Used to generate the certificate authority
  • AUTHORITY_EXPIRY Certificate authority expiry in hours
    • Default: 43800h
    • Used to generate the certificate authority
  • AUTHORITY_KEY_ALGORITHM Certificate authority key algorithm
    • Default: rsa
    • Used to generate the certificate authority
    • Possible values are rsa or ecdsa
  • AUTHORITY_KEY_SIZE Certificate authority key size
    • Default: 4096
    • Used to generate the certificate authority
    • Possible values for the 'rsa' algorithm are 2048 or 4096
    • The only possible value for the 'ecdsa' algorithm is 256
  • COMPANY Company name
    • Default: Company
    • Used to generate the certificate authority and host certificates
  • DEPARTMENT Department name
    • Default: Department
    • Used to generate the certificate authority and host certificates
  • CITY City name
    • Default: City
    • Used to generate the certificate authority and host certificates
  • STATE State name
    • Default: State
    • Used to generate the certificate authority and host certificates
  • COUNTRY_CODE Country code
    • Default: US
    • Used to generate the certificate authority and host certificates

Usage

Generate a certificate authority

With full details set:

docker run \
  -v `pwd`/certs:/certs \
  -e AUTHORITY_NAME='My CA' \
  -e AUTHORITY_EXPIRY=43800h \
  -e AUTHORITY_KEY_ALGORITHM=rsa \
  -e AUTHORITY_KEY_SIZE=4096 \
  -e COMPANY='My Company' \
  -e DEPARTMENT='Some Department' \
  -e CITY='My City' \
  -e STATE='My State' \
  -e COUNTRY_CODE=US \
  troywilson/cfssl-certs

but if you are willing to accept the defaults, it can be as simple as:

docker run -v `pwd`/certs:/certs troywilson/cfssl-certs

Both of these will output three files:

  • ca-key.pem The certificate authority's private key
  • ca.csr The certificate authority's certificate signing request
  • ca.pem The certificate authority's public certificate

NOTE: The container will check if a ca.pem file is already present in
the /certs directory. If it finds one, it will not generate another
authority certificate. If you need to create a new authority, delete the
three files listed as output above.

WARNING: The private key generated is NOT password protected.

Generate a host certificate

With full details set:

docker run \
  -v `pwd`/certs:/certs \
  -e HOSTNAMES='example.com www.example.com' \
  -e COMPANY='My Company' \
  -e DEPARTMENT='Some Department' \
  -e CITY='My City' \
  -e STATE='My State' \
  -e COUNTRY_CODE=US \
  troywilson/cfssl-certs

but again, if you are willing to accept the defaults, it can be as simple as:

docker run \
  -v `pwd`/certs:/certs \
  -e HOSTNAMES='example.com www.example.com' \
  troywilson/cfssl-certs

Both of these will output three files:

  • {primary_hostname}-key.pem The host's private key
  • {primary_hostname}.csr The host's certificate signing request
  • {primary_hostname}.pem The host's public certificate

Where {primary_hostname} is the first hostname in the list of hostnames
passed in from the environment.

This can be run as many times as needed, as long as the certificate
authority's files are in the /certs directory.

NOTE: HOSTNAMES must contain at least one domain name or IP address
not including the two default local addresses or no host certificate will
be issued.

All together now!

A certificate authority can be created and a host certificate issued in
one command.

With full details set:

docker run \
  -v `pwd`/certs:/certs \
  -e HOSTNAMES='example.com www.example.com' \
  -e AUTHORITY_NAME=Automated \
  -e AUTHORITY_EXPIRY=43800h \
  -e AUTHORITY_KEY_ALGORITHM=rsa \
  -e AUTHORITY_KEY_SIZE=4096 \
  -e COMPANY='My Company' \
  -e DEPARTMENT='Some Department' \
  -e CITY='My City' \
  -e STATE='My State' \
  -e COUNTRY_CODE=US \
  troywilson/cfssl-certs

but again, if you are willing to accept the defaults, it can be as simple as:

docker run \
  -v `pwd`/certs:/certs \
  -e HOSTNAMES='example.com www.example.com' \
  troywilson/cfssl-certs

Both of these will output six files:

  • ca-key.pem The certificate authority's private key
  • ca.csr The certificate authority's certificate signing request
  • ca.pem The certificate authority's public certificate
  • {primary_hostname}-key.pem The host's private key
  • {primary_hostname}.csr The host's certificate signing request
  • {primary_hostname}.pem The host's public certificate

Docker Compose

See the included example docker-compose.yml file.

Credits

Owner: troywilson