QuickTLS generates server and client TLS certificates along with the CA certificate used to sign them. The CA's private key is never saved, so the CA certificate can be safely imported into a certificate chain without fear of the CA being compromised. If any server or client key is compromised, the entire CA should be thrown out and new server, client, and CA certificates generated.
$ quicktls -h
Usage of quicktls:
-clients=0: Number of client certificates to generate
-exp=25920h0m0s: Time until Certificate expiration
-o="": Output directory
-org="QuickTLS": Organization in the certificate
-rsa=4096: Number of RSA bits
Generate a client certificate and a server certificate for example.com:
$ quicktls -clients=1 example.com
$ ls
ca.pem client-0.cert client-0.key example.com.cert example.com.key
This utility makes it easy to create TLS certificates for a Docker registry, including the client certificates needed for TLS client authentication. The client certificates and the server certificate do not need to use the same CA, but sharing one is faster to set up for basic use cases with only a few clients, or when sharing a private key might be considered appropriate.
$ quicktls -clients 1 registry.example.com
$ ls
ca.pem client-0.cert client-0.key registry.example.com.cert registry.example.com.key
$ sudo cp ca.pem /etc/docker/certs.d/registry.example.com/ca.crt
$ sudo cp client-0.cert /etc/docker/certs.d/registry.example.com/client.cert
$ sudo cp client-0.key /etc/docker/certs.d/registry.example.com/client.key
Using with nginx
Copy the files to the nginx machine:
$ cp registry.example.com.cert cert-registry.example.com.pem
$ cp registry.example.com.key key-registry.example.com.pem
$ cp ca.pem client-registry.example.com.pem
Update the server section of the nginx config:
server {
    listen 443;
    server_name registry.example.com;
    ssl on;
    ssl_certificate /etc/nginx/ssl/cert-registry.example.com.pem;
    ssl_certificate_key /etc/nginx/ssl/key-registry.example.com.pem;
    ssl_client_certificate /etc/nginx/ssl/client-registry.example.com.pem;
    ssl_verify_client on;
    ...
}
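The two halves of the setup above, as an added Go example that is not quicktls' own code: GenerateBundle does what quicktls does (a throwaway CA signs one server and one client certificate, then its key is dropped), and VerifyClient performs the check nginx makes with ssl_verify_client on against the CA from ssl_client_certificate. It assumes Ed25519 keys in place of quicktls' RSA-4096 for speed, and the Bundle type and all function names are hypothetical.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"math/big"
	"time"
)
// Bundle mirrors what quicktls writes to disk (ca.pem, *.cert, *.key); there is deliberately no CA key.
type Bundle struct{ CA, ServerCert, ServerKey, ClientCert, ClientKey []byte }
// issue gives tmpl a fresh Ed25519 key (RSA-4096 in quicktls) and signs it with signer; nil = self-sign.
func issue(tmpl, parent *x509.Certificate, signer ed25519.PrivateKey) (ed25519.PrivateKey, []byte, []byte) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	if signer == nil {
		signer = key // the CA signs itself
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err) // templates below are fixed, so this only fires on a programming error
	}
	kder, _ := x509.MarshalPKCS8PrivateKey(key)
	return key, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
		pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: kder})
}
// GenerateBundle: throwaway CA, server cert for host, one client cert; caKey never leaves this function.
func GenerateBundle(host string, exp time.Duration) *Bundle {
	caT := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{Organization: []string{"QuickTLS"}},
		NotBefore: time.Now(), NotAfter: time.Now().Add(exp), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	caKey, caPEM, _ := issue(caT, caT, nil)
	srvT := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: time.Now(), NotAfter: time.Now().Add(exp), ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	cliT := &x509.Certificate{SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: "client-0"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(exp), ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	_, srvPEM, srvKey := issue(srvT, caT, caKey)
	_, cliPEM, cliKey := issue(cliT, caT, caKey)
	return &Bundle{caPEM, srvPEM, srvKey, cliPEM, cliKey} // caKey is dropped here: nothing more can be signed
}
// VerifyClient is the check nginx's ssl_verify_client does: chain to ssl_client_certificate's CA, clientAuth EKU.
func VerifyClient(caPEM, certPEM []byte) error {
	pool := x509.NewCertPool()
	pool.AppendCertsFromPEM(caPEM)
	blk, _ := pem.Decode(certPEM)
	cert, err := x509.ParseCertificate(blk.Bytes)
	if err == nil {
		_, err = cert.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	}
	return err
}
```

A second bundle's client certificate fails VerifyClient against the first bundle's CA, which is why a compromised key means regenerating everything rather than issuing a replacement.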