Right now it is very complicated and problematic for a user to create all of the certificates required to secure Docker.
@discordianfish wrote a Dockerfile to show the entire process: https://gist.github.com/discordianfish/1d2bbc5bf2d94fee147b
It turns out that repeatability is a big deal. If I make certs on my Mac and import them into boot2docker, for instance, there are "Bad Certificate" errors on the client side.
We need to provide built-in tooling for generating keys for basic security out-of-the-box, while still allowing users the flexibility to generate their own keys.
@discordianfish @huslage Does this need to be Ubuntu? Or can you redo it using a minimal debian:jessie (or even smaller)?
@SvenDowideit Why not just try it?
I ask in case you guys already know a reason, i.e. to make sure I'm not replicating a known waste of time :) or in case someone has succeeded somewhere else (like with busybox).
Well, I'm also facing this problem. What I do is use a Makefile that deals with all of the certificate management.
I do not think complete tooling is needed, since organizations already manage this process (internally or externally). But we need better documentation and support for the various revocation implementations such as CRL, OCSP and SCVP. At the moment I do not think any of those implementations are supported in Docker (even CRL and OCSP, which are already supported in Go's net/http).
It would be nice if CRL at the very least was supported. I don't feel OCSP really applies here, because typically the certificate authority is internal.
Without revocation, how is the current TLS implementation any better than static keys?
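Added example (not code from this issue, from the linked gist, or from Docker itself): a self-contained Go program that generates the CA, server and client certificates in one repeatable shape, runs the chain/hostname/EKU checks a TLS handshake performs, and then does the CRL check this thread points out is missing. Everything here is assumed for illustration: the daemon is reached as docker.example.com / 192.0.2.10 (made-up names), keys are ECDSA P-256, leaf certs are valid for one year, and the CRL is a single entry signed by the same CA. Go's crypto/x509 Verify does not consult CRLs at all, so IsRevoked performs that lookup explicitly after validating the CRL's signature.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// DockerPKI is the artifact set a TLS-protected daemon needs: CA, server cert, client cert.
type DockerPKI struct {
	CA, Server, Client          *x509.Certificate
	CAKey, ServerKey, ClientKey *ecdsa.PrivateKey
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue signs tmpl under parent with the signer's key and returns the parsed certificate.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))
	return must(x509.ParseCertificate(der))
}

// BuildPKI generates the whole chain in one fixed shape: the CA may sign certs and CRLs, the server
// cert carries every DNS name and IP the daemon is dialed by as SANs, the client cert is clientAuth only.
func BuildPKI(host string, ips []net.IP) *DockerPKI {
	now := time.Now()
	newKey := func() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }
	caKey, srvKey, cliKey := newKey(), newKey(), newKey()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "docker-ca"}, // assumed name
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(3 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	ca := issue(caTmpl, caTmpl, &caKey.PublicKey, caKey) // self-signed root
	leaf := func(serial int64, cn string, eku x509.ExtKeyUsage) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber: big.NewInt(serial),
			Subject:      pkix.Name{CommonName: cn},
			NotBefore:    now.Add(-time.Hour),
			NotAfter:     now.Add(365 * 24 * time.Hour),
			KeyUsage:     x509.KeyUsageDigitalSignature,
			ExtKeyUsage:  []x509.ExtKeyUsage{eku},
		}
	}
	srvTmpl := leaf(2, host, x509.ExtKeyUsageServerAuth)
	srvTmpl.DNSNames, srvTmpl.IPAddresses = []string{host}, ips // SANs, not just the CN
	cliTmpl := leaf(3, "docker-client", x509.ExtKeyUsageClientAuth)
	return &DockerPKI{CA: ca, CAKey: caKey,
		Server: issue(srvTmpl, ca, &srvKey.PublicKey, caKey), ServerKey: srvKey,
		Client: issue(cliTmpl, ca, &cliKey.PublicKey, caKey), ClientKey: cliKey}
}

// Verify is the handshake-time check: chain to the CA, enforce the EKU and, for the daemon, its name/IP.
func Verify(ca, cert *x509.Certificate, eku x509.ExtKeyUsage, host string) error {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool, DNSName: host, KeyUsages: []x509.ExtKeyUsage{eku}})
	return err
}

// MakeCRL signs a CRL (DER) listing the given certificates as revoked.
func MakeCRL(p *DockerPKI, revoked ...*x509.Certificate) []byte {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: time.Now(), NextUpdate: time.Now().Add(24 * time.Hour)}
	for _, c := range revoked {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates,
			pkix.RevokedCertificate{SerialNumber: c.SerialNumber, RevocationTime: time.Now()})
	}
	return must(x509.CreateRevocationList(rand.Reader, tmpl, p.CA, p.CAKey))
}

// IsRevoked is the step x509.Verify does not do: trust the CRL only if the CA signed it, then look up the serial.
func IsRevoked(crlDER []byte, ca, cert *x509.Certificate) (bool, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return false, err
	}
	if err = crl.CheckSignatureFrom(ca); err != nil { // a CRL from another CA is rejected here
		return false, err
	}
	for _, r := range crl.RevokedCertificates {
		if r.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return true, nil
		}
	}
	return false, nil
}
```

To use the output, write each certificate and key out with encoding/pem and hand the files to the daemon (`--tlsverify --tlscacert --tlscert --tlskey`) and the client (`--tlscacert --tlscert --tlskey`). Because the standard library's verifier ignores CRLs, a daemon that wants to honour one would have to call something like IsRevoked from its tls.Config VerifyPeerCertificate callback; that wiring is the part this thread says is absent.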
FYI, I think supporting a set of scripts would be easy to do. I wrote up repeatable scripts that I could probably open source with permission from my company.