Using Docker to Generate SSL Certificates

Learn how you can use Docker to generate your SSL certificates, rather than doing it on the host.

By Chris Tozzi · Oct. 09, 16 · Tutorial

When you hear “Docker” and “SSL” you probably assume the conversation is about creating SSL certificates to secure the Docker daemon itself. That’s an important but well-documented task. Or maybe you think we’re talking about creating SSL certificates for use by Dockerized apps. That’s also easy enough if you use various third-party tools (like the ones here and here). But did you know you can also use Docker containers to create SSL certificates for the host?

Using Docker to Generate SSL Certificates

Using Docker to generate SSL certificates is not something that most developers have probably thought of doing. But it’s a neat and handy trick. You may be wondering why you’d ever want to use Docker containers to generate SSL certificates for the host. Couldn’t you just do that on the host itself?

Well, yes. But only if you have the right tools (like OpenSSL) installed on the host. And if you are doing everything you can to keep your Docker server lean, you probably don’t want to add tools like OpenSSL to it, if you don’t have to. Plus, you may not be working from a production Docker server at all, but instead from a Docker test box. If you’re like me, that test box is actually your personal laptop, which probably doesn’t have OpenSSL or other server tools installed on it.

Yes, I could apt-get the openssl package (or apache2-utils) easily enough, but I really don’t want to turn my laptop into a server. Again, I like things to be lean and mean. That’s what makes containers attractive in the first place, after all.

Generating SSL Certificates From Docker Containers

Instead of generating certificates on the host, it’s cool to be able to use Docker containers to create SSL certificates for me. It’s also pretty simple, as the following steps show.

First, of course, you want to pull a container image that supports the creation of SSL certificates, such as the Docker Hub Nginx image. That image conveniently comes with OpenSSL built in. (If your image doesn’t contain OpenSSL, you could always add it to the image yourself or, more easily, install it in the container once it starts.)

As an example, you’d run:

docker pull nginx

Next, you need to create a private key and certificate signing request with a command like:

docker run --rm -v "$PWD":/work -it nginx openssl req -out /work/CSR.csr -new \
  -newkey rsa:2048 -nodes -keyout /work/privateKey.key

You’ll now see that the working directory on the host contains the files privateKey.key and CSR.csr. If you want to use them to create a self-signed certificate, you’d run something like:

docker run --rm -v "$PWD":/work -it nginx openssl x509 -req -sha256 \
  -days 365 -in /work/CSR.csr -signkey /work/privateKey.key \
  -out /work/certificate.crt

And you now have your signed certificate, certificate.crt, in the working directory on the host.

There you have it. You’ve created an SSL certificate using OpenSSL without actually running OpenSSL on the host system.
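As an added example (not part of the original article), the sketch below runs the same key, CSR and certificate steps without prompts, then checks that all three files carry the same public key and that the private key is readable only by its owner. The names ossl, make_selfsigned, keys_match and OPENSSL_LOCAL are hypothetical, and it assumes the nginx image's openssl can run as a non-root user via docker run --user.

```shell
# Added example; ossl, make_selfsigned, keys_match and OPENSSL_LOCAL are
# hypothetical names, not part of the article, Docker or OpenSSL.

# Run openssl in the nginx container with the current directory mounted at
# /work, as the invoking user so the output files are not root-owned.
# Set OPENSSL_LOCAL=1 to use an openssl binary on the host instead.
ossl() {
    if [ -n "${OPENSSL_LOCAL:-}" ]; then
        openssl "$@"
    else
        docker run --rm --user "$(id -u):$(id -g)" \
            -v "$PWD":/work -w /work nginx openssl "$@"
    fi
}

# Create privateKey.key, CSR.csr and certificate.crt for common name $1
# without prompts, signing the CSR with the key generated alongside it.
make_selfsigned() {
    ossl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout privateKey.key -out CSR.csr || return 1
    ossl x509 -req -sha256 -days 365 -in CSR.csr \
        -signkey privateKey.key -out certificate.crt || return 1
    chmod 600 privateKey.key   # keep the private key owner-only
}

# Succeed only if the key, the CSR and the certificate hold the same public key.
keys_match() {
    k=$(ossl pkey -in privateKey.key -pubout) || return 1
    r=$(ossl req -in CSR.csr -noout -pubkey) || return 1
    c=$(ossl x509 -in certificate.crt -noout -pubkey) || return 1
    [ -n "$k" ] && [ "$k" = "$r" ] && [ "$k" = "$c" ]
}
```

Source the file and run `make_selfsigned myhost.example && keys_match` from the directory that should receive the files; a non-zero exit from keys_match means the certificate on disk was not issued for the private key next to it.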

Going Further

You can do much more using commands like the ones above. In particular, if you want to automate the creation of SSL certificates on Docker for either the Docker host or the container, you could integrate these commands into a Dockerfile, then use that to build SSL certificate generation into the Dockerized app that you create using Codefresh.

So while generating SSL certificates used to be a tedious and repetitive process that required software that you probably don’t have installed on the machine you work from normally, Docker containers make SSL certificate creation fast and easy. In fact, they make it so easy that it’s increasingly hard to have an excuse not to be using SSL certificates for encryption.
