Self Signed SSL Certificate Generator

About

Origin: https://github.com/paulczar/omgwtfssl

Sick of googling every time you need a self signed certificate?

This is a small docker image based off alpine linux which makes creating self signed SSL certs easier:

$ docker run -v /tmp/certs:/certs stakater/ssl-certs-generator:1.0
----------------------------
| SSL Cert Generator |
----------------------------
--> Certificate Authority
====> Generating new CA key ca-key.pem
Generating RSA private key, 2048 bit long modulus
..................................+++
..................................+++
e is 65537 (0x10001)
====> Generating new CA Certificate ca.pem
====> Generating new config file openssl.cnf
====> Generating new SSL KEY key.pem
Generating RSA private key, 2048 bit long modulus
....................................................................+++
........................+++
e is 65537 (0x10001)
====> Generating new SSL CSR key.csr
====> Generating new SSL CERT cert.pem
Signature ok
subject=/CN=test
Getting CA Private Key
$ ls /tmp/certs 
ca-key.pem  ca.pem  ca.srl  cert.pem  key.csr  key.pem  openssl.cnf
$ openssl verify -CAfile /tmp/certs/ca.pem /tmp/certs/cert.pem 
/tmp/certs/cert.pem: OK

Advanced Usage

Customize the certs using the following Environment Variables:

• CA_KEY CA Key file, default ca-key.pem [1]
• CA_CERT CA Certificate file, default ca.pem [1]
• CA_SUBJECT CA Subject, default test-ca
• CA_EXPIRE CA Expiry, default 60 days
• SSL_CONFIG SSL Config, default openssl.cnf [1]
• SSL_KEY SSL Key file, default key.pem
• SSL_CSR SSL Cert Request file, default key.csr
• SSL_CERT SSL Cert file, default cert.pem
• SSL_SIZE SSL Cert size, default 2048 bits
• SSL_EXPIRE SSL Cert expiry, default 60 days
• SSL_SUBJECT SSL Subject default example.com
• SSL_DNS comma seperate list of alternative hostnames, no default [2]
• SSL_IP comma seperate list of alternative IPs, no default [2]

[1] If file already exists will re-use.
[2] If SSL_DNS or SSL_IP is set will add SSL_SUBJECT to alternative hostname list

Examples

Create Certificates for NGINX

Creating web certs for testing SSL just got a hell of a lot easier…

Create Certificate:

$ docker run -v /tmp/certs:/certs \
  -e SSL_SUBJECT=test.example.com   stakater/ssl-certs-generator:1.0

Enable SSL in /etc/nginx/sites-enabled/default:

server {
        listen 443;
        server_name test.example.com;
        root html;
        index index.html index.htm;
        ssl on;
        ssl_certificate /tmp/certs/cert.pem;
        ssl_certificate_key /tmp/certs/key.pem;
        ssl_session_timeout 5m;
        ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers         HIGH:!aNULL:!MD5;
        location / {
                try_files $uri $uri/ =404;
        }
}

Restart NGINX and test:

$ service nginx restart
$ echo '127.0.2.1       test.example.com' >> /etc/hosts
$ curl --cacert /tmp/certs/ca.pem https://test.example.com
<!DOCTYPE html>
<html>
<head>
...

Create keys for docker registry

Slightly more interesting example of using stakater/ssl-certs-generator as a volume container to build and host SSL certs for the Docker Registry image

Create the volume container for the registry from stakater/ssl-certs-generator:

$ docker run \
  --name certs \
  -e SSL_SUBJECT=test.example.com \
  stakater/ssl-certs-generator
----------------------------
| SSL Cert Generator |
----------------------------
--> Certificate Authority
====> Generating new CA key ca-key.pem
Generating RSA private key, 2048 bit long modulus
..........+++
.......................................................+++
e is 65537 (0x10001)
====> Generating new CA Certificate ca.pem
====> Generating new config file openssl.cnf
====> Generating new SSL KEY key.pem
Generating RSA private key, 2048 bit long modulus
........................................................................................................................................................+++
...+++
e is 65537 (0x10001)
====> Generating new SSL CSR key.csr
====> Generating new SSL CERT cert.pem
Signature ok
subject=/CN=test.example.com
Getting CA Private Key

Run the registry using --volumes-from to use the volume container created above:

$ docker run -d \
    --name registry \
    --volumes-from certs \
    -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/cert.pem \
    -e REGISTRY_HTTP_TLS_KEY=/certs/key.pem \
    -p 5000:5000 \
    registry:2

Make sure it works:

$ echo "127.0.2.1       test.example.com" >> /etc/hosts
$ docker tag paulczar/omgwtfssl test.example.com:5000/omgwtfbbq
$ docker push test.example.com:5000/omgwtfbbq
The push refers to a repository [test.example.com:5000/omgwtfbbq] (len: 1)
e34964fe7cfa: Pushed 
d52b82eb9ff3: Pushed 
6b030e7d76a6: Pushed 
8a648f689ddb: Pushed 
latest: digest: sha256:8a97202b0ad9b375ff478d84ed948ae7ddd298196fd3b341fc8391a0fe71345a size: 7617