runefist

Reputation: 613

Docker TLS - How to create key on local machine

Prior knowledge:

So I started using docker myself and installed it on my server and enabled TLS. I followed this tutorial: https://docs.docker.com/engine/security/https/

This tutorial will eventually give you 6 files:

  1. -r-------- ca-key.pem
  2. -r--r--r-- ca.pem
  3. -r--r--r-- cert.pem
  4. -r-------- key.pem
  5. -r--r--r-- server-cert.pem
  6. -r-------- server-key.pem

The owner of these files is root. I copied ca.pem, cert.pem and key.pem and used them to connect from my local Portainer instance. (Actually I only use cert.pem and key.pem, since I only have client verification on.)

DOCKER HOST:

{
  "hosts": [
    "unix:///var/run/docker.sock",
    "tcp://0.0.0.0:2376"
  ],
  "storage-driver": "overlay2",
  "tls": true,
  "tlscacert": "/etc/docker/certs/ca.pem",
  "tlscert": "/etc/docker/certs/server-cert.pem",
  "tlskey": "/etc/docker/certs/server-key.pem",
  "tlsverify": true
}

My problem:

The company where I work installed Docker for me, enabled TLS and put all the pem files in a directory which I can access... The problem is that I cannot download key.pem, since the owner is root and I won't get access to it.

I can download the next files:

  1. ca.pem
  2. cert.pem
  3. server-cert.pem

Is it possible for me, with access to those files ONLY and without changing anything on the server, to access Docker over TLS? How can I create my own key.pem, or is there another way?


Sorry if this is common knowledge; I just could not find my answer anywhere, or I did not know what exactly I was searching for...

Upvotes: 0

Views: 2109

Answers (2)

runefist

Reputation: 613

Private keys create the certificates; you can't create a key from a cert. If your Docker setup wants two-way authentication, you will need access to the private key. It cannot be done without it.

You'll need the following files (for client-server authentication):

  1. ca.pem
  2. cert.pem
  3. key.pem

Upvotes: 1

invad0r

Reputation: 926

Yes, you can work against the docker-daemon on that server and you don't need to create another key and certificate for the server.

Download the server-cert.pem and export the following environment variables in your local session:

export DOCKER_TLS_VERIFY="1"
export DOCKER_CERT_PATH="server-cert.pem"
export DOCKER_HOST="tcp://HOST:2376"

Now you can use your local docker-client and work against the docker-daemon on your server. e.g. docker ps should display containers running on the remote docker.

Upvotes: 2
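A preflight check for the client bundle that both answers refer to, added here as an example (it is not code from either answer or from the Docker project): it verifies that DOCKER_CERT_PATH names a directory holding readable ca.pem, cert.pem and key.pem, that key.pem is not readable by group or others, and, where openssl is installed, that the public key inside cert.pem is the one derived from key.pem, since a certificate carries only the public half. The directory layout follows the Docker client's DOCKER_CERT_PATH convention; the function and variable names are mine.

```shell
#!/bin/sh
# check_docker_tls_bundle DIR
# Returns 0 if DIR is a usable Docker client TLS bundle: a directory with
# readable ca.pem, cert.pem and key.pem, where key.pem is owner-only (400/600).
# Returns 1 and prints the first problem found otherwise.
check_docker_tls_bundle() {
    dir="$1"
    # The Docker client expects DOCKER_CERT_PATH to be a directory, not a file.
    [ -d "$dir" ] || { echo "DOCKER_CERT_PATH must be a directory: $dir"; return 1; }
    for f in ca.pem cert.pem key.pem; do
        [ -r "$dir/$f" ] || { echo "missing or unreadable: $dir/$f"; return 1; }
    done
    # A key readable by other accounts is a credential leak (tutorial gives it -r--------).
    perms=$(stat -c %a "$dir/key.pem" 2>/dev/null || stat -f %Lp "$dir/key.pem")
    case "$perms" in
        400|600) ;;
        *) echo "key.pem mode is $perms; expected 400 or 600"; return 1 ;;
    esac
    return 0
}

# key_matches_cert DIR
# Returns 0 if the SubjectPublicKeyInfo in cert.pem equals the public key
# derived from key.pem, 1 if they differ, 2 if openssl is not available.
# A certificate alone never yields a private key; this only confirms the pair belongs together.
key_matches_cert() {
    dir="$1"
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found, skipping"; return 2; }
    cert_pub=$(openssl x509 -in "$dir/cert.pem" -noout -pubkey | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$dir/key.pem" -pubout | openssl dgst -sha256)
    [ "$cert_pub" = "$key_pub" ]
}
```

Run `check_docker_tls_bundle "$DOCKER_CERT_PATH" && key_matches_cert "$DOCKER_CERT_PATH"` before pointing the client at tcp://HOST:2376; a bundle missing key.pem fails the first check, which is exactly the situation in the question.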
