Skip to content

dblane-digicatapult/docker-easyrsa

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

11 Commits
Dockerfile
Dockerfile
 
 
LICENSE
LICENSE
 
 
Makefile
Makefile
 
 
README.md
README.md
 
 
docker-entrypoint.sh
docker-entrypoint.sh
 
 
vars.default
vars.default
 
 

Repository files navigation

docker-easyrsa

Container to abstract and containerize easy-rsa.

Keep clutter out of your filesystem, not have to deal with dependency nonsense on non-debian distros, and allowing you to keep the root CA database filesystem encrypted, unmounted, and wherever you want it (e.g. a flashdrive, an encrypted AWS EBS volume that's mostly detached, etc).

Mount a volume (or don't if you choose) to /pki and execute easy-rsa commands like so:

alias easy-rsa="docker run --rm -it -v /a/safe/location:/pki tonymke/easy-rsa"

#create a new root CA
easy-rsa build-ca

#create a server cert (do not give a password)
easy-rsa build-key-server server.domain.name

#build Diffie-Hellman
easy-rsa build-dh

#export cert to local machine's web server
easy-rsa cat keys/server.domain.name.crt > /etc/nginx/ssl/some.domain.name.crt
easy-rsa cat keys/server.domain.name.key > /etc/nginx/ssl/some.domain.name.key

#export CA's public key for clients' trusted CA stores
easy-rsa cat keys/ca.crt > ~/myCa.crt

If there is no actual database on the mounted /pki directory, the container's entrypoint script will create one lazily at runtime before running your requested command.

Intermediary CAs

There is a dedicated script for creating an intermediary CA's database from a root CA.

Mount the original DB, plus a folder to serve as the new one.

# create an initial CA
docker run --rm -it \
  -v /a/safe/location/root:/pki \
  tonymke/easy-rsa build-ca

# create an intermediate CA within the root DB
docker run --rm -it \
  -v /a/safe/location/root:/pki \
  tonymke/easy-rsa build-inter ourIntermediateCa

# split off the intermediate CA into its own PKI
docker run --rm -it \
  -v /a/safe/location/root:/rootpki \
  -v /a/safe/location/ourIntermediateCa:/pki \
  tonymke/easy-rsa inherit-inter /rootpki/db/keys ourIntermediateCa

You can now treat the intermediate CA as a separate PKI DB entirely

Status

Working.

Added to public docker hub

VARS

easy-rsa uses a file to define its operating environment. This defines values that go into your certificates. You need to customize this before generating any certificates.

If no DB is detected, the entryscript will move a vars file from the root of your mounted directory - if it exists - into the new database. Otherwise, it will use a sane default one.

The default vars file is included in this repo - vars.default.

Author

Tony Lechner

License

MIT. See LICENSE for full text.

About

Abstract away easy-rsa via docker.

Resources

Readme

License

MIT license
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

4 tags

Packages

No packages published

Languages