Ape in Progress

This is a conceptual guide on how to set up TLS authentication between a server and its client(s). The steps are closely based on this Docker guide, but with a focus on the process rather than the technical details, which are more than covered in the linked guide.

Unless specified otherwise, the steps should be undertaken on the server/host to which you want to authenticate connections (in the case above, the Docker host).

The terms key and private key are used interchangeably in this document; the term certificate refers to an X.509 certificate, which wraps a public key.

Certificate Authority (CA) Setup

  1. Generate a private key that will be used to self-sign the root certificate for the CA.
  2. Create a self-signed root certificate (the CA's public key) which will be used in the CA role to authenticate the server and client keys.

Server Certificates

  1. Generate a private key for the host you’re on.
  2. Create a certificate signing request (CSR) based on the host’s private key.
  3. Resolve the CSR and generate the server certificate (the CA signs the server key with its private key, so the certificate chains to the root certificate).

Client Certificates

  1. Generate a private key for the client from which you wish to connect to the host.
  2. Create a CSR based on the client’s private key.
  3. Resolve the CSR and generate the client certificate (the CA signs the client key with its private key, so the certificate chains to the root certificate).

Final Steps

  1. Clear down any remnant CSR files and configs.
  2. Change key and certificate file permissions (chmod 0400 and 0444, respectively).
  3. Copy the following certificates to the client machine:
    • CA certificate
    • server certificate
    • client certificate
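
The four sections above, carried out with Go's standard crypto/x509 library instead of the openssl commands in the linked Docker guide (an added example, not part of the original post). It shows what the steps mean mechanically: one CA private key signs both the server and the client certificate, and the extended key usage pins each certificate to its role; the names, serials and one-day validity are constructed for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// must turns the (value, error) pairs returned by the crypto APIs into a panic on failure.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// mint generates a fresh private key and a certificate for it. With ca == nil it performs
// the CA setup: the key self-signs the root certificate. Otherwise it stands in for "create
// a CSR and resolve it": the new public key is signed with caKey, the CA's *private* key,
// and usage pins the certificate to the server (ServerAuth) or client (ClientAuth) role.
func mint(serial int64, name string, ca *x509.Certificate, caKey *ecdsa.PrivateKey,
	usage ...x509.ExtKeyUsage) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), // constructed validity
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: usage,
	}
	if ca == nil { // CA setup: the template is its own parent and signer
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		ca, caKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey))
	return must(x509.ParseCertificate(der)), key
}

// verify is what each side does during the handshake: chain the peer's certificate to the
// CA certificate it holds and require that the certificate was issued for the expected role.
// Only the CA certificate is needed to verify; a party presents its own certificate and key.
func verify(ca, leaf *x509.Certificate, usage x509.ExtKeyUsage) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{usage}})
	return err
}
```

A client certificate therefore fails verification when checked for the server role, and any certificate fails against a CA that did not sign it, which is the whole point of handing the CA certificate to both sides.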

#tls #openssl #security