
Untitled

a guest
Feb 13th, 2016
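#!/bin/bash
# Interactively issues a TLS server certificate and a client certificate,
# both signed by an existing CA (ca.pem + ca-key.pem in the current
# directory). Output goes to ./certs. Afterwards the client pair can be moved
# to ~/.docker and the server files copied to a remote machine with scp.

# Private keys exist on disk before their final chmod; a restrictive umask
# keeps other local users from reading them in that window.
umask 077

readonly HOSTNAME_RE='^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$'
readonly IP_RE='^[0-9A-Fa-f:.]+$'
readonly YEARS_RE='^[1-9][0-9]{0,2}$'

# die MESSAGE...: print an error to stderr and stop the script.
die() {
  printf 'error: %s\n' "$*" >&2
  exit 1
}

# ask PROMPT DEFAULT: prompt the user and print the reply on stdout,
# substituting DEFAULT when the reply is empty.
ask() {
  local reply
  read -r -p "$1" reply
  printf '%s' "${reply:-$2}"
}

# confirm PROMPT DEFAULT: succeed only on an explicit or defaulted yes/y.
# An empty reply takes DEFAULT, so a prompt showing [no] really means no;
# any unrecognised answer is treated as no.
confirm() {
  local answer
  answer=$(ask "$1" "$2")
  [[ $answer == [Yy] || $answer == [Yy][Ee][Ss] ]]
}

domain="sebfia.net"
ipAddress=""
years=1
days=365
printip="127.0.0.1"
ca_pass=""

domain=$(ask "Enter the domain for your server certificate: [$domain] >" "$domain")
# The domain is written into the certificate subject, the extension file and
# (through clientName) file names, so only hostname characters are accepted.
[[ $domain =~ $HOSTNAME_RE ]] || die "invalid domain: $domain"
clientName=${domain//./_}

# Clients that ignore the CN field verify the host name against the SAN
# list only, so the domain is listed there next to the loopback address.
writeip="DNS:$domain,IP:127.0.0.1"

ipAddress=$(ask "Enter a forward facing ip-address besides loopback or leave empty: [$ipAddress] >" "$ipAddress")
if [[ -n $ipAddress ]]; then
  [[ $ipAddress =~ $IP_RE ]] || die "invalid ip-address: $ipAddress"
  printip="127.0.0.1 and $ipAddress"
  writeip="$writeip,IP:$ipAddress"
fi

years=$(ask "Enter the number of years your certificates should be valid for: [$years] >" "$years")
# Checked before the arithmetic below: shell arithmetic evaluates its
# operands, so free-form text must not reach it.
[[ $years =~ $YEARS_RE ]] || die "years must be a whole number from 1 to 999"
days=$((365 * years))

read -r -s -p "Enter the password for your Certificate Authority: " ca_pass
printf '\n'

printf "Creating certificates for '%s' and ip-address(es): %s with a validity of %s days.\n" \
  "$domain" "$printip" "$days"

if confirm "Continue (yes|no)? [yes]" "yes"; then
  [[ -r ca.pem && -r ca-key.pem ]] \
    || die "ca.pem and ca-key.pem must be readable in the current directory"
  mkdir -p ./certs || die "cannot create ./certs"

  # create server certificate
  openssl genrsa -out ./certs/server-key.pem 4096 \
    || die "generating the server key failed"
  openssl req -subj "/CN=$domain" -sha256 -new \
    -key ./certs/server-key.pem -out ./certs/server.csr \
    || die "creating the server signing request failed"
  printf 'subjectAltName = %s\n' "$writeip" > ./certs/extfile.cnf
  # The CA passphrase is passed through the environment of this one command;
  # with "pass:..." it would be part of the argument list, which other local
  # users can read from the process table.
  CA_PASSPHRASE=$ca_pass openssl x509 -req -days "$days" -sha256 \
    -in ./certs/server.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial \
    -out ./certs/server-cert.pem -extfile ./certs/extfile.cnf \
    -passin env:CA_PASSPHRASE \
    || die "signing the server certificate failed"
  printf 'Server certificate has been generated. Creating client certificate...\n'

  # create client certificate
  openssl genrsa -out "./certs/$clientName-key.pem" 4096 \
    || die "generating the client key failed"
  openssl req -subj '/CN=client' -new \
    -key "./certs/$clientName-key.pem" -out ./certs/client.csr \
    || die "creating the client signing request failed"
  printf 'extendedKeyUsage = clientAuth\n' > ./certs/extfile.cnf
  CA_PASSPHRASE=$ca_pass openssl x509 -req -days "$days" -sha256 \
    -in ./certs/client.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial \
    -out "./certs/$clientName-cert.pem" -extfile ./certs/extfile.cnf \
    -passin env:CA_PASSPHRASE \
    || die "signing the client certificate failed"
  # The passphrase is not needed after the last signing step.
  unset ca_pass

  # clean up
  rm -v -- ./certs/client.csr ./certs/server.csr ./certs/extfile.cnf
  chmod -v 0400 "./certs/$clientName-key.pem" ./certs/server-key.pem
  chmod -v 0444 ./certs/server-cert.pem "./certs/$clientName-cert.pem"
  printf 'Done creating certificates!\n'

  if confirm "Would you like to move the authentication certificate to your local .docker directory (yes|no)? [no] >" "no"; then
    if mkdir -p -- "$HOME/.docker" \
      && mv -v -- "./certs/$clientName-key.pem" "./certs/$clientName-cert.pem" "$HOME/.docker/"; then
      printf 'Client certificates have been moved.\n'
    else
      printf 'Moving the client certificates failed; they are still in ./certs.\n' >&2
    fi
  fi

  if confirm "Would you like to transfer your server certificates to a remote machine (yes|no)? [no] >" "no"; then
    remoteHost="192.168.1.10"
    remoteHost=$(ask "Enter the address of your remote machine (can be IP or domain): [$remoteHost] >" "$remoteHost")
    user="root"
    user=$(ask "Enter the user on your remote machine (you will need the user's password or ssh-key): [$user] >" "$user")
    # NOTE(review): the default target /tmp/ is normally accessible to every
    # account on the remote machine, and server-key.pem is among the copied
    # files; a directory readable only by the Docker daemon's user is the
    # safer choice.
    destDir="/tmp/"
    destDir=$(ask "Enter the directory on your remote machine where you would like to put the certificates: [$destDir] >" "$destDir")

    # Local copies are offered for deletion only after a successful copy;
    # otherwise a failed transfer could leave no copy of the key anywhere.
    if scp -v -- ca.pem ./certs/server-key.pem ./certs/server-cert.pem \
      "$user@$remoteHost:$destDir"; then
      if confirm "Done copying! Remove server certs?: [yes] >" "yes"; then
        # Only the server files named in the prompt are removed, so a client
        # pair that was not moved to ~/.docker stays in ./certs. -f is used
        # because the key was made read-only above.
        rm -fv -- ./certs/server-key.pem ./certs/server-cert.pem
      fi
    else
      printf 'Copying failed; the server certificates remain in ./certs.\n' >&2
    fi
  fi
fi
printf "OK, we're done. Don't forget to change the DOCKER_OPTS on your remote machine's /etc/default/docker file!\n"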