Creating a self-signed SSL certificate

There is a pitfall—people tend to start with a plain HTTP registry (TLS disabled) and no authentication. That then requires configuring every Docker client (each Kubernetes node) to allow an insecure registry, and so on. It is a bad practice that takes many steps just to end up with an insecure environment.

The best practice is always to use a certificate issued by a trusted certificate authority. However, a self-signed certificate is handy, especially during the testing phase, and the official certificate can wait until we have an FQDN defined. Therefore, this recipe will show you how to use OpenSSL to create a self-signed SSL certificate via the following steps:

  1. Create a secrets directory:

     $ mkdir secrets

  2. Run the openssl command with the options to generate a certificate (domain.crt) and a private key (domain.key) under the secrets directory. Note that you can type . to leave a field blank, as done here for the host name and email:

     $ openssl req -newkey rsa:4096 -nodes -sha256 -keyout secrets/domain.key -x509 -days 365 -out secrets/domain.crt
     Generating a 4096 bit RSA private key
     .............................................++
     ...........................................................++
     writing new private key to 'secrets/domain.key'
     -----
     You are about to be asked to enter information that will be incorporated
     into your certificate request.
     What you are about to enter is what is called a Distinguished Name or a DN.
     There are quite a few fields but you can leave some blank
     For some fields there will be a default value,
     If you enter '.', the field will be left blank.
     -----
     Country Name (2 letter code) []:us
     State or Province Name (full name) []:California
     Locality Name (eg, city) []:Cupertino
     Organization Name (eg, company) []:packtpub
     Organizational Unit Name (eg, section) []:chapter5
     Common Name (eg, fully qualified host name) []:.
     Email Address []:.

  3. Check that both the certificate and the private key were generated under the secrets directory:

     $ ls secrets/
     domain.crt domain.key
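The recipe above leaves the Common Name blank because no FQDN exists yet. Once the registry does have a host name, the certificate must carry it in a subjectAltName extension: Docker and the kubelet are Go TLS clients and match the registry host against the SAN, not the CN, so a certificate without it is rejected even after the CA is trusted. The following script is an added example, not part of the original recipe. It produces the same kind of self-signed certificate non-interactively, adds the SAN, restricts the private key's file mode, and then checks that the key matches the certificate, that the certificate verifies against itself, and that the SAN contains the expected name. It assumes OpenSSL 1.1.1 or newer on PATH; the directory and host name (`registry.example.test`) are placeholders supplied by the caller.

```shell
#!/bin/sh
# Added example (not from the original recipe): generate a self-signed
# registry certificate non-interactively with a SAN, then sanity-check it.
# Assumes openssl >= 1.1.1 (needed for -addext) is installed on PATH.
set -eu

# make_selfsigned_cert DIR HOSTNAME
# Writes DIR/domain.key (mode 600) and DIR/domain.crt, valid for 365 days.
# -subj replaces the interactive DN prompts of the recipe; -addext adds the
# subjectAltName that Docker and Kubernetes clients match the host against.
make_selfsigned_cert() {
    dir="$1"; host="$2"
    mkdir -p "$dir"
    openssl req -newkey rsa:4096 -nodes -sha256 \
        -keyout "$dir/domain.key" -x509 -days 365 -out "$dir/domain.crt" \
        -subj "/C=US/ST=California/L=Cupertino/O=packtpub/OU=chapter5/CN=$host" \
        -addext "subjectAltName=DNS:$host"
    # The key is the registry's identity: keep it readable by the owner only.
    chmod 600 "$dir/domain.key"
}

# check_selfsigned_cert DIR HOSTNAME
# Returns 0 when the private key matches the certificate's public key, the
# certificate validates against itself as a CA, the SAN carries HOSTNAME and
# the key file is mode 600; otherwise prints the failing check and returns 1.
check_selfsigned_cert() {
    dir="$1"; host="$2"
    # Compare the hashed public key derived from each file.
    key_pub=$(openssl pkey -in "$dir/domain.key" -pubout -outform DER 2>/dev/null | openssl sha256)
    crt_pub=$(openssl x509 -in "$dir/domain.crt" -pubkey -noout 2>/dev/null \
              | openssl pkey -pubin -outform DER 2>/dev/null | openssl sha256)
    [ "$key_pub" = "$crt_pub" ] || { echo "key does not match certificate"; return 1; }
    # A self-signed certificate must verify when it is its own trust anchor.
    openssl verify -CAfile "$dir/domain.crt" "$dir/domain.crt" >/dev/null 2>&1 \
        || { echo "certificate does not verify against itself"; return 1; }
    # The SAN is what TLS clients compare the registry host name against.
    openssl x509 -in "$dir/domain.crt" -noout -text 2>/dev/null | grep -q "DNS:$host" \
        || { echo "subjectAltName missing $host"; return 1; }
    mode=$(stat -c %a "$dir/domain.key" 2>/dev/null || stat -f %Lp "$dir/domain.key")
    [ "$mode" = "600" ] || { echo "private key is not mode 600"; return 1; }
    return 0
}

# Usage (placeholder host name): generate into ./secrets and check the result.
# make_selfsigned_cert secrets registry.example.test && \
#     check_selfsigned_cert secrets registry.example.test && echo OK
```

Run the check again after copying the files onto the registry host; the same function catches a swapped key, a truncated certificate, or a certificate issued for a different host name before a client ever sees a TLS error.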