Sign the private cert we created with our key.

We'll allow connections only from particular IP addresses

echo subjectAltName = IP:[[HOST_IP]],IP:127.0.0.1 > extfile.cnf

Generate key. Re-enter the key used to generate the server cert.

openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pem

Make sure the Common Name is set to the DNS entry for your host, in this case host01.

openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem \ -CAcreateserial -out server-cert.pem -extfile extfile.cnf

This generates the public key, this will be used by clients to connect to the server.

openssl genrsa -out key.pem 4096

openssl req -subj '/CN=client' -new -key key.pem -out client.csr

To make the key suitable for client authentication we extended the key usage via a configuration file:

echo extendedKeyUsage = clientAuth > extfile.cnf

We now sign the public key we created. The file ca.pem will be used by clients to connect to our server.

openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem \ -CAcreateserial -out cert.pem -extfile extfile.cnf

To connect to the server, the client requires key.pem, ca.pem and the target cert.pem files.

sudo nohup docker daemon --tlsverify --tlscacert=ca.pem --tlscert=server-cert.pem --tlskey=server-key.pem -H=0.0.0.0:2376 </dev/null &>/dev/null &

docker --tlsverify --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem -H=$HOST:2376 version

cp -v {ca,cert,key}.pem ~/.docker

export DOCKER_HOST=tcp://docker:2376 DOCKER_TLS_VERIFY=1

docker ps

curl -k https://docker:2376/ping

curl https://docker:2376/ping \ --cacert ca.pem \ --cert cert.pem \ --key key.pem