{"id":26836615,"url":"https://github.com/yagikota/docker-https-with-self-ca","last_synced_at":"2026-05-15T20:04:22.431Z","repository":{"id":167236961,"uuid":"641454608","full_name":"yagikota/docker-https-with-self-CA","owner":"yagikota","description":"docker-https-with-self-CA enables https communication between client and server.","archived":false,"fork":false,"pushed_at":"2023-05-23T15:15:55.000Z","size":854,"stargazers_count":1,"open_issues_count":0,"forks_count":1,"subscribers_count":0,"default_branch":"main","last_synced_at":"2025-07-23T16:56:29.789Z","etag":null,"topics":["certificate-authority","docker-compose","go","mkcert","openssl"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/yagikota.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2023-05-16T13:57:44.000Z","updated_at":"2023-12-27T18:41:28.000Z","dependencies_parsed_at":null,"dependency_job_id":"08048a75-474a-4872-b430-7d78d57b8d5f","html_url":"https://github.com/yagikota/docker-https-with-self-CA","commit_stats":null,"previous_names":["yagikota/docker-https-with-self-ca"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/yagikota/docker-https-with-self-CA","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/yagikota%2Fdocker-https-with-self-CA","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/yagikota%2Fdocker-https-with-self-CA/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/yagikota%2Fdocker
-https-with-self-CA/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/yagikota%2Fdocker-https-with-self-CA/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/yagikota","download_url":"https://codeload.github.com/yagikota/docker-https-with-self-CA/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/yagikota%2Fdocker-https-with-self-CA/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":33077988,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-15T11:35:32.926Z","status":"ssl_error","status_checked_at":"2026-05-15T11:35:31.362Z","response_time":103,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["certificate-authority","docker-compose","go","mkcert","openssl"],"created_at":"2025-03-30T16:20:32.180Z","updated_at":"2026-05-15T20:04:22.425Z","avatar_url":"https://github.com/yagikota.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# docker-https-with-self-CA\n\n## 🗄 About docker-https-with-self-CA\n\ndocker-https-with-self-CA enables https communication between client and server.\n\n- Using Docker compose\n- Using self certification authority(CA) with [mkcert](https://github.com/FiloSottile/mkcert)\n\n## 👟 Set Up\n\n![diagram of https 
communication](./docs/docs-fix.png)\n\n- Certificate Authority(CA)\n  - `rootCA-key.pem`: private key of CA\n  - `rootCA.pem`: root certificate of CA\n- Server\n  - `server-key.pem`: private key of Server\n  - `server-req.pem`: certificate signing request(CSR) of Server\n  - `server.pem`: certificate valid for Server\n\nFor https communication between Client and Server, a server certificate is required on the Server side and a root certificate of the CA is required on the Client side.\n\n### Step1. Create private key and CSR at server\n\n- Create the private key(`server-key.pem`) and CSR(`server-req.pem`) of the Server on the local machine. These files are mounted into the server container after the server is launched with docker compose.\n\n    ``` shell\n    cd server/cert\n    openssl req -nodes -newkey rsa:4096 -keyout server-key.pem -out server-req.pem -subj \"/C=JP/ST=Osaka/CN=server\"\n    ```\n\n    Note: The Common Name(CN) must match the container name of the server.\n\n### Step2. Create self CA using mkcert\n\n- Run CA\n\n    ``` shell\n    make up-CA\n    ```\n\n- In `myca`, create the self CA using the `mkcert -install` command.\n\n    ``` shell\n    docker compose exec myca /bin/bash\n\n    root@myca:/# cd ~\n    root@myca:~# pwd\n    /root\n    root@myca:~# mkcert -install\n    Created a new local CA 💥\n    The local CA is now installed in the system trust store! ⚡️\n    ```\n\n- Then, the CA private key(`rootCA-key.pem`) and root CA certificate(`rootCA.pem`) are generated.\n\n    ``` shell\n    root@myca:~# ls .local/share/mkcert/\n    rootCA-key.pem\trootCA.pem\n    ```\n\n### Step3. Upload CSR to CA\n\n- Copy the CSR(`server-req.pem`) to the `mkcert` directory mounted inside the CA container(`myca`). In this way, the CSR file can be uploaded inside `myca` in a pseudo-style.\n\n    ``` shell\n    cp server/cert/server-req.pem mkcert/\n    ```\n\n### Step4. 
Create a new certificate from CSR valid for server\n\n- The `server.pem` file is the server certificate.\n\n    ``` shell\n    root@myca:~# mkcert -csr server-req.pem\n\n    Created a new certificate valid for the following names 📜\n    - \"server\"\n\n    The certificate is at \"./server.pem\" ✅\n\n    It will expire on 16 August 2025 🗓\n    ```\n\n### Step5. Send the certificate to server\n\n- Copy the server certificate(`server.pem`) to the `server/cert` directory mounted inside the server container(`server`). In this way, the certificate file can be sent to `server` by the CA(`myca`) in a pseudo-style.\n\n    ``` shell\n    cp mkcert/server.pem server/cert\n    ```\n\n- Run server.\n\n    ``` shell\n    make up-server\n    ```\n\n### Step6. Add rootCA certificate to Client\n\n- Run client.\n\n    ``` shell\n    make up-client\n    ```\n\n- Copy the root CA certificate(`rootCA.pem`) to the `client/cert/` directory mounted inside the Client container(`client`). In this way, the certificate can be sent to `client` by the CA(`myca`) in a pseudo-style.\n\n    ``` shell\n    cp mkcert/.local/share/mkcert/rootCA.pem client/cert/\n    ```\n\n- In the Client container, place the root certificate in the appropriate directory.\n\n    ``` shell\n    docker compose exec client sh -c \"cp client/cert/rootCA.pem  /etc/ssl/certs/\"\n    ```\n\nSend an https request from client to server.\n\n``` shell\ncurl localhost:8081\n{\"message\":\"Hello, World!, Current Time:2023/05/22 16:54:25\"}\n```\n\n\n## 🦈 Packet Capture\n\n``` shell\nmake start-server-packet-capture\n```\n\n- This command allows packet capture in the server container for 3 minutes.\n- During the 3 minutes, send a request from the client to the server(`curl localhost:8081`).\n- The resulting pcap file will be output under the captured/server directory.\n- You can analyze pcap files using [Wireshark](https://www.wireshark.org/) or similar.\n    ![WireShark](./docs/wireshark.png)\n\n## 🍀 Reference\n- 
https://www.openssl.org/docs/man3.0/man1/openssl.html\n- https://github.com/FiloSottile/mkcert\n- https://dev.to/techschoolguru/how-to-create-sign-ssl-tls-certificates-2aai\n- https://github.com/luizhlelis/go-lang-https-self-signed\n\n\n\n🐶 I hope this repository helps you study self-signed CA.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fyagikota%2Fdocker-https-with-self-ca","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fyagikota%2Fdocker-https-with-self-ca","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fyagikota%2Fdocker-https-with-self-ca/lists"}