This container checks for the presence of SSL certificates and keys and generates them with OpenSSL when they are missing. It is built on the Alpine Linux image and will create a certificate and key in the `/certs` volume if they don't already exist.
The Docker image is based on the latest Alpine Linux image. OpenSSL is installed in the container to handle the creation of the certificates and keys. A script named `entrypoint.sh` generates the certificates and keys if they are not present in the `/certs` volume.
To use this container, build the Docker image and then run the container, specifying the necessary environment variables and volume.

First, build the image using the provided Dockerfile:

```sh
docker build -t build-certs .
```

To run the container, use the following command:

```sh
docker run -v /path/to/certs:/certs build-certs
```

Replace `/path/to/certs` with the path where you want to store the certificates and keys on your host machine.
The script within the container supports several environment variables to customize the generated certificates:

- `CA_CN`: Common Name for the Certificate Authority. Default is "CertificateCA".
- `CERTIFICATE_CN`: Common Name for the certificate. Default is "certificate".
- `CERTIFICATE_SAN`: Subject Alternative Names for the certificate. Should be a comma-separated list. Default is "certificate".
- `DAYS_VALID`: Number of days the certificate is valid. Default is 365.
- `KEYSTORE_PASSWORD`: Password for the Java Keystore. Default is "password".
You can set these environment variables using the `-e` flag in the `docker run` command. For example:

```sh
docker run -v /path/to/certs:/certs \
  -e CA_CN="MyCustomCACN" \
  -e CERTIFICATE_CN="mydomain.com" \
  -e CERTIFICATE_SAN="mydomain.com,www.mydomain.com" \
  build-certs
```
The `/certs` volume stores the generated certificate (`certificate.crt`), key (`certificate.key`), and CA certificate (`ca.crt`). If these files already exist in the volume (for example, if it is bind mounted), the script will not generate new ones. This lets the container run as a build step in workflows that cover both testing and production deployments.
You can also use the container within a Docker Compose setup. Below is an example `docker-compose.yml` file that demonstrates how to use the generator in conjunction with another service that depends on it.

```yaml
version: '3.8'
services:
  build-certs:
    build: .
    volumes:
      - ./certs:/certs
  webserver:
    image: nginx
    volumes:
      - ./certs:/etc/nginx/certs:ro
    depends_on:
      - build-certs
```
In this `docker-compose.yml`:

- The `build-certs` service is responsible for generating the SSL certificates.
- The `webserver` service (using the NGINX image as an example) depends on the `build-certs` service. It mounts the same volume to read the certificates.
- The `depends_on` directive ensures that the `webserver` service starts only after the `build-certs` service has completed its execution.
Ensure that the certificates directory (`./certs`) exists on your host machine or is created by the SSL Certificate Generator service.
The script generates the following files in the `/certs` volume:

- `ca.crt`: The self-signed CA certificate.
- `ca.key`: The private key for the CA certificate.
- `certificate.crt`: The signed certificate.
- `certificate.key`: The private key for the signed certificate.
- `certificate.csr`: The Certificate Signing Request (CSR) used to generate the signed certificate.
- `keystore.jks`: The certificate, key, and CA certificate bundled into a Java Keystore.
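As an added illustration of the environment variables and the file set described above, here is a minimal `entrypoint.sh` in the spirit of the one this README describes; it is example code, not the project's own script. It assumes `openssl` is on `PATH` and that a `keytool` binary (from a JDK) is present only for the optional `.jks` conversion; the `san.ext` helper file and the `needs_generation`/`san_list` function names are this example's own choices.

```shell
#!/bin/sh
# Added example entrypoint.sh (not the project's own script). Assumes openssl on
# PATH; the JKS step runs only when keytool (a JDK tool) is also installed.
set -eu
CERT_DIR="${CERT_DIR:-/certs}"
CA_CN="${CA_CN:-CertificateCA}"
CERTIFICATE_CN="${CERTIFICATE_CN:-certificate}"
CERTIFICATE_SAN="${CERTIFICATE_SAN:-certificate}"
DAYS_VALID="${DAYS_VALID:-365}"
KEYSTORE_PASSWORD="${KEYSTORE_PASSWORD:-password}"

san_list() {  # "a.com, www.a.com" -> "DNS:a.com,DNS:www.a.com"; trims blanks, drops empties
  printf '%s\n' "$1" | tr ',' '\n' \
    | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d' -e 's/^/DNS:/' \
    | tr '\n' ',' | sed 's/,$//'
}

needs_generation() {  # exit 0 when any file the README says must exist is missing
  for f in ca.crt certificate.crt certificate.key; do
    [ -f "$1/$f" ] || return 0
  done
  return 1
}

generate() {
  dir="$1"
  printf 'subjectAltName=%s\n' "$(san_list "$CERTIFICATE_SAN")" > "$dir/san.ext"
  # CA private key and self-signed CA certificate
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$DAYS_VALID" \
    -subj "/CN=$CA_CN" -keyout "$dir/ca.key" -out "$dir/ca.crt"
  # Leaf private key and CSR
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$CERTIFICATE_CN" \
    -keyout "$dir/certificate.key" -out "$dir/certificate.csr"
  # Sign the CSR with the CA, attaching the SAN extension from san.ext
  openssl x509 -req -sha256 -days "$DAYS_VALID" -in "$dir/certificate.csr" \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -extfile "$dir/san.ext" -out "$dir/certificate.crt"
  # Bundle cert, key and CA as PKCS#12, then convert to JKS when keytool exists
  openssl pkcs12 -export -in "$dir/certificate.crt" -inkey "$dir/certificate.key" \
    -certfile "$dir/ca.crt" -passout "pass:$KEYSTORE_PASSWORD" -out "$dir/keystore.p12"
  if command -v keytool >/dev/null 2>&1; then
    keytool -importkeystore -noprompt -srcstoretype PKCS12 -deststoretype JKS \
      -srckeystore "$dir/keystore.p12" -srcstorepass "$KEYSTORE_PASSWORD" \
      -destkeystore "$dir/keystore.jks" -deststorepass "$KEYSTORE_PASSWORD"
  fi
}

case "${0##*/}" in  # run only when invoked as entrypoint.sh, so the functions can be sourced
  entrypoint.sh) if needs_generation "$CERT_DIR"; then generate "$CERT_DIR"; else echo "certs present in $CERT_DIR, skipping"; fi ;;
esac
```

Because the generated files are skipped whenever all three of `ca.crt`, `certificate.crt` and `certificate.key` exist, a bind-mounted `/certs` that already holds them is left untouched, which is the behaviour the README relies on for production deployments.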