
Commit 2f85728

Tom Barlow authored and Joao Fernandes committed
Allow user to add their own public keys to client bundles
This allows a user to add an existing public key to client bundles. This is used where the CA is externally managed (e.g. Verisign) and we do not have the authority to sign certs. Fixes docker#367

Signed-off-by: Tom Barlow <[email protected]>
1 parent a5b6216 commit 2f85728

File tree

1 file changed

+36
-0
lines changed


installation.md

Lines changed: 36 additions & 0 deletions
@@ -456,6 +456,42 @@ Once you download the bundle, you can install and use it.
456456
com.docker.ucp.license_max_engines=0
457457
com.docker.ucp.license_expires=EXPIRED
458458

459+
### Client Bundles on Externally Managed CA Configuration
460+
461+
If UCP is configured with an external CA, it will be unable to sign client bundles for non-admin users automatically. It is still possible to manually issue certificates signed by the CA that UCP users can use to interact with UCP via the CLI.
462+
463+
Generate an 2048-bit RSA private key.
464+
465+
```
466+
openssl genrsa -out key.pem 2048
467+
```
468+
469+
Generate a Certificate Signing Request (CSR). The output `cert.csr` should be provided to your organization's CA owner to be signed, with a minimum of client authentication usage.
470+
471+
```
472+
openssl req -new -sha256 -key key.pem -out cert.csr
473+
```
474+
475+
Your CA owner will sign the CSR, and provide `cert.pem` and `ca.pem` files.
476+
477+
Extract the public key from the signed certificate:
478+
479+
```
480+
openssl x509 -pubkey -noout -in cert.pem > cert.pub
481+
```
482+
483+
The contents of cert.pub will then need to be added to your profile. You can add this in the UI by clicking the User Menu in the top right corner, and select profile.
484+
485+
Once you are on the User Profile screen, click the "Add an Existing Public Key" button and provide the contents of cert.pub, along with a memorable label for this bundle.
486+
487+
Now that you have linked the public key to you account, the next step is to configure your CLI. To configure your CLI to use the certificate bundle that you have generated, you will need to export the following environment variables:
488+
489+
```
490+
export DOCKER_TLS_VERIFY=1
491+
export DOCKER_CERT_PATH=$(pwd)
492+
export DOCKER_HOST=tcp://<ucp-hostname>:443
493+
```
494+
459495
## Uninstall
460496

461497
The bootstrapper can also uninstall UCP from the controller and the nodes. To see the uninstall options before you uninstall, use the following:
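Review bot: The final step, `export DOCKER_CERT_PATH=$(pwd)`, only works if the three files in that directory are named exactly `ca.pem`, `cert.pem` and `key.pem`, which are the filenames the Docker CLI looks for under `DOCKER_CERT_PATH`; the hunk says the CA owner "will sign the CSR, and provide `cert.pem` and `ca.pem` files" but never states that the returned files must keep those names and sit alongside `key.pem` before the export, so add a sentence saying so (and that the bundle directory must be the current directory, or use an absolute path instead of `$(pwd)`). Two smaller points in the same hunk: `openssl genrsa -out key.pem 2048` writes an unencrypted private key, so a `chmod 600 key.pem` after that step is worth including in the procedure; and there are typos in "Generate an 2048-bit RSA private key" (a 2048-bit) and "linked the public key to you account" (your account).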
