To use Docker over a VPN it is necessary to use a certificate that is valid for a number of different host names (SANs, or Subject Alternative Names). Rather than pay hundreds for a wildcard or SAN cert from a certificate authority, I use EasyRSA to issue these types of certificates.
To issue a SAN server certificate, follow the usual steps for issuing a cert, but set the EASYRSA_EXTRA_EXTS variable first:
    brad@catbert:~/EasyRSA-3.0.1$ export EASYRSA_EXTRA_EXTS="subjectAltName=DNS.1:floyd,DNS.2:floyd.lan.teched-creations.com,IP.1:192.168.0.12"
I was reissuing an existing cert, so I had to revoke the old one before issuing a new one.
    brad@catbert:~/EasyRSA-3.0.1$ ./easyrsa revoke floyd


    Please confirm you wish to revoke the certificate with the following subject:

    subject=
        commonName                = floyd


    Type the word 'yes' to continue, or any other input to abort.
      Continue with revocation: yes
    Using configuration from /home/brad/EasyRSA-3.0.1/openssl-1.0.cnf
    Revoking Certificate 04.
    Data Base Updated

    IMPORTANT!!!

    Revocation was successful. You must run gen-crl and upload a CRL to your
    infrastructure in order to prevent the revoked cert from being accepted.
Then I created a new key and CSR.
    brad@catbert:~/EasyRSA-3.0.1$ ./easyrsa gen-req floyd nopass

    WARNING!!!

    An existing private key was found at /home/brad/EasyRSA-3.0.1/pki/private/floyd.key
    Continuing with key generation will replace this key.

    Type the word 'yes' to continue, or any other input to abort.
      Confirm key overwrite: yes
    Generating a 2048 bit RSA private key
    ..........................................................+++
    ..................................................+++
    writing new private key to '/home/brad/EasyRSA-3.0.1/pki/private/floyd.key.h4Vdbfzhn3'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Common Name (eg: your user, host, or server name) [floyd]:

    Keypair and certificate request completed. Your files are:
    req: /home/brad/EasyRSA-3.0.1/pki/reqs/floyd.req
    key: /home/brad/EasyRSA-3.0.1/pki/private/floyd.key
And finally created the new cert.
    brad@catbert:~/EasyRSA-3.0.1$ ./easyrsa sign-req server floyd


    You are about to sign the following certificate.
    Please check over the details shown below for accuracy. Note that this request
    has not been cryptographically verified. Please be sure it came from a trusted
    source or that you have verified the request checksum with the sender.

    Request subject, to be signed as a server certificate for 3650 days:

    subject=
        commonName                = floyd


    Type the word 'yes' to continue, or any other input to abort.
      Confirm request details: yes
    Using configuration from /home/brad/EasyRSA-3.0.1/openssl-1.0.cnf
    Check that the request matches the signature
    Signature ok
    The Subject's Distinguished Name is as follows
    commonName            :ASN.1 12:'floyd'
    Certificate is to be certified until Aug 11 12:55:59 2026 GMT (3650 days)

    Write out database with 1 new entries
    Data Base Updated

    Certificate created at: /home/brad/EasyRSA-3.0.1/pki/issued/floyd.crt
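As an added example (not code from this post or from EasyRSA itself), here is the same issuance done with bare openssl, which is what EasyRSA drives underneath, followed by the check worth running before copying the cert anywhere: pull the SAN entries out of the issued cert and confirm that every expected name is actually there. The SAN list is the one from the post; the throwaway CA, the scratch directory, the function names and the 30-day lifetimes are assumptions made for the demo.

```shell
#!/bin/sh
# Added example, not from the original post or from EasyRSA: do with plain
# openssl what EASYRSA_EXTRA_EXTS="subjectAltName=..." makes EasyRSA do, then
# check that the issued cert really carries every name. Everything lives in a
# scratch directory; the CA, key sizes and 30-day lifetimes are throwaway
# values chosen for the demo (the post signs for 3650 days).
set -eu

# SAN list copied from the post; openssl accepts the same DNS.n:/IP.n: syntax.
SANS="DNS.1:floyd,DNS.2:floyd.lan.teched-creations.com,IP.1:192.168.0.12"
WORK="${WORK:-$(mktemp -d)}"

# Throwaway CA standing in for EasyRSA's pki/ca.crt (constructed for the demo).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=demo-ca" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# issue_san_cert NAME SANLIST: key + CSR (what "easyrsa gen-req" does), then
# sign it as a server cert (what "easyrsa sign-req server" does) with the
# SAN extension attached.
issue_san_cert() {
    name="$1"; sans="$2"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$name" \
        -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
    # Extension file: the usual server-cert extensions plus the SAN line.
    # The SAN line is the piece EASYRSA_EXTRA_EXTS injects into EasyRSA's
    # generated x509 config.
    cat > "$WORK/$name.ext" <<EOF
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=$sans
EOF
    openssl x509 -req -in "$WORK/$name.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -days 30 -extfile "$WORK/$name.ext" -out "$WORK/$name.crt" 2>/dev/null
}

# san_list CERT: print the cert's SAN entries one per line, as openssl
# renders them (e.g. "DNS:floyd", "IP Address:192.168.0.12").
san_list() {
    openssl x509 -in "$1" -noout -text \
        | sed -n '/Subject Alternative Name/{n;s/^ *//;p;}' \
        | tr ',' '\n' | sed 's/^ *//'
}

# cert_has_san CERT ENTRY: succeed only if ENTRY is exactly one of the SANs.
cert_has_san() {
    san_list "$1" | grep -qxF "$2"
}

# verify_against_ca CERT: the chain check a TLS client performs once it has
# been handed the CA cert.
verify_against_ca() {
    openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1
}

make_ca
issue_san_cert floyd "$SANS"
echo "SANs in $WORK/floyd.crt:"
san_list "$WORK/floyd.crt"
verify_against_ca "$WORK/floyd.crt"
echo "floyd.crt chains to the demo CA"
```

For a cert EasyRSA has already issued, san_list works unchanged on pki/issued/floyd.crt; a name missing from that output (typically because EASYRSA_EXTRA_EXTS was not exported in the shell that ran sign-req) is the usual reason a client rejects the cert with a host name mismatch even though it chains to the CA.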
The key and cert then get copied to wherever they're needed. As it's my network, and I'm not worried about the old cert having been compromised, I didn't bother copying the CRL to the clients.