Self-Signed TLS Cert Using IP Address
How to Create Self-Signed Certificate for a Private Docker Registry
I am working on setting up a Kubernetes cluster using Rancher on a set of VirtualBox VMs managed by Vagrant to run applications in Docker containers. Woah — that’s a mouthful! While this is one somewhat complicated case, there are lots of other reasons you may want to create a self-signed certificate. Obviously, you never want to run with a self-signed cert in production, but you can use them to run and test Apache web servers, Express.js servers, and many more.
With my setup, one of the fun things to do is to set up the private Docker registry on one of the VM nodes so that all the other VM nodes can pull images from it. I am setting up a test environment, so I could configure it as an insecure Docker registry. However, since I will need to set up the registry in production with a real cert at some point, I decided to get the registry working using a self-signed cert instead. To do this we will use openssl.
To get the self-signed cert to work with just an IP (not a domain name), the cert needs to carry a subject alternative name (SAN) of type IP for that address, because TLS clients match the server address against the SAN, not the CN.
- Create a request configuration file as follows (this is just a plain text file — and you can name it whatever you like). The `[req]` section header at the top is required so that `openssl req -config` can find the `distinguished_name` and `x509_extensions` settings:

```ini
[req]
default_bits = 4096
default_md = sha256
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no

[req_distinguished_name]
C = US
ST = VA
L = SomeCity
O = MyCompany
OU = MyDivision
CN = 192.168.13.10

[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
IP.1 = 192.168.13.10
```
The two key things you need to be concerned about are the CN field and the alt_names section at the bottom.
- The CN field needs to be the IP address of the server, in my case the VM running the private Docker registry.
- The alt_names section must have only one entry, and it must start with IP. Some tutorials out there on self-signed certs will have entries that start with DNS. These entries may keep the cert from working.
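Putting the steps above together, here is an added example script (not from the original post) that writes the request config, generates the key and self-signed cert with openssl, and then confirms that the resulting cert actually carries the IP in its SAN. It assumes the IP 192.168.13.10 from the post, the Docker registry default port 5000, and a temporary output directory; it also adds `digitalSignature` to keyUsage, which the post's config does not have.

```shell
#!/bin/sh
# Added example: self-signed cert with an IP-only SAN for a private Docker registry.
# Assumptions: REGISTRY_IP (default from the post), registry port 5000, temp OUT_DIR.
set -eu
REGISTRY_IP="${REGISTRY_IP:-192.168.13.10}"
OUT_DIR="${OUT_DIR:-$(mktemp -d)}"

# Write the request config; every section header sits on its own line.
write_req_config() {
    cat > "$1" <<EOF
[req]
default_bits = 4096
default_md = sha256
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
[req_distinguished_name]
C = US
ST = VA
L = SomeCity
O = MyCompany
OU = MyDivision
CN = $REGISTRY_IP
[v3_req]
# digitalSignature is added here (not in the post): ECDHE and TLS 1.3 sign with the key.
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
IP.1 = $REGISTRY_IP
EOF
}

# Generate an unencrypted 4096-bit RSA key and a one-year self-signed cert.
make_cert() {
    write_req_config "$OUT_DIR/registry.cnf"
    openssl req -x509 -nodes -days 365 -newkey rsa:4096 \
        -keyout "$OUT_DIR/registry.key" -out "$OUT_DIR/registry.crt" \
        -config "$OUT_DIR/registry.cnf" 2>/dev/null
}

# Check the SAN (what clients match against, not the CN) for the given IP.
san_has_ip() {
    openssl x509 -in "$OUT_DIR/registry.crt" -noout -text | grep -q "IP Address:$1"
}

# Docker clients trust a registry cert placed at /etc/docker/certs.d/<host>:<port>/ca.crt
docker_cert_path() { echo "/etc/docker/certs.d/$1:5000/ca.crt"; }

make_cert
san_has_ip "$REGISTRY_IP" && echo "SAN ok; copy registry.crt to $(docker_cert_path "$REGISTRY_IP")"
```

The same cert and key go to the registry itself (for example via the registry's `REGISTRY_HTTP_TLS_CERTIFICATE` and `REGISTRY_HTTP_TLS_KEY` settings), while every node that pulls images needs only the cert under the certs.d path printed by the script.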