Tags: ssl, certificates, ssl-certificate, docker-registry, cfssl

What kind of certificates do I need for configuring an image registry?


I'm working on creating a local image registry for an OKD installation by following along with this Medium article which assumes the creation of

the self-sign CA, server certificate with both the short and fully qualified hostname of this VM

It calls for

the CA cert, server cert, server key saved as myca.pem, registry.pem, registry-key.pem

I'm pretty new to certs so I was following the guidance of this article and using cfssl (as recommended by the former article) for generating those. I've gotten through generating and signing the "Intermediate CA". I'm a little unclear on where and how to generate the specific certs the former article requires. I'd really appreciate some clarifications or guidance, if possible, on the following issues.

  1. I believe the ca.pem generated in the first "CA Authority" process in the latter article is the equivalent of the myca.pem file mentioned in the former article, but with a different name. Is this the case?

  2. I am unclear where exactly the registry.pem and registry-key.pem files are generated. Are these just certificates generated using the "server" profile and assigned the name "registry"? Are they a completely separate profile I should be adding to the cfssl.json file? Are they neither?

  3. In whichever case, are there any additional usages I need in the cfssl.json file or additional config files I need to create in order for it to be suitable for an image registry? Do I still need to create the additional "host certificate config file" mentioned in the latter article?

I have tried absorbing as much information about SSL certificates as I could, but so far I am unfortunately not finding anything that clears up the specific questions I have. I am sure this is probably simpler than I realize, so any help clarifying what's needed here would be profoundly appreciated. Thanks very much.


Solution

  • I was able to figure this all out. Here are the answers to my three questions:

    1. This was the correct assumption.

    2. These are generated using the "server" profile and given whichever name I choose.

    3. I had to create the additional host certificate config file and point the CN in that file to my local fully qualified domain name. This config file was then used as an argument for generating the certificates.
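The procedure from the answer, written out as an added example (not code from the question, the answer, or either linked article): a cfssl signing config whose "server" profile carries the server-auth usages, a host certificate config whose CN is the registry FQDN and whose hosts list holds both the short and fully qualified names as SANs, and the gencert call that turns them into registry.pem and registry-key.pem. The hostname, the organisation string and the file names are assumptions; ca.pem and ca-key.pem are assumed to be the CA pair from the earlier CA step.

```shell
#!/bin/sh
# Assumed, constructed values: override REGISTRY_FQDN with your own host name.
set -eu
REGISTRY_FQDN="${REGISTRY_FQDN:-registry.example.internal}"
REGISTRY_SHORT="${REGISTRY_FQDN%%.*}"

# Signing config: the "server" profile is the one used to issue registry.pem.
# "server auth" is the extended key usage a TLS server certificate needs.
write_cfssl_config() {
  cat > cfssl.json <<EOF
{
  "signing": {
    "default": { "expiry": "8760h" },
    "profiles": {
      "server": {
        "expiry": "8760h",
        "usages": ["signing", "key encipherment", "server auth"]
      }
    }
  }
}
EOF
}

# Host certificate config: CN is the FQDN; "hosts" become the SAN entries,
# so both the short and fully qualified names are covered by one certificate.
write_registry_csr() {
  cat > registry-csr.json <<EOF
{
  "CN": "$REGISTRY_FQDN",
  "hosts": ["$REGISTRY_FQDN", "$REGISTRY_SHORT"],
  "key": { "algo": "rsa", "size": 2048 },
  "names": [{ "O": "Local registry (assumed)" }]
}
EOF
}

# Issue the pair with the CA from the earlier step; cfssljson -bare registry
# writes registry.pem, registry-key.pem and registry.csr.
issue_registry_cert() {
  cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=cfssl.json \
    -profile=server registry-csr.json | cfssljson -bare registry
  # Inspect the result: confirm the SANs and server-auth usage are present
  # before pointing the registry at these files.
  cfssl certinfo -cert registry.pem
}

write_cfssl_config
write_registry_csr
# Only run the signing step when cfssl is actually installed on this host.
if command -v cfssl >/dev/null 2>&1 && [ -f ca.pem ]; then issue_registry_cert; fi
```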