
Make Docker swarm use custom certificate rather than ca cert

Currently docker has its own CA certificate.
Is there a way to let swarm know to use a custom certificate rather than using the CA cert generated by the docker init step?
Below is what we tried:
Tried to detach and re-attach
Below is the blog url tried

Below is the error message
server name]# docker swarm ca --rotate --ca-cert custom.crt --ca-key custom.key
Error response from daemon: rpc error: code = Internal desc = unable to generate a cross-signed certificate for root rotation
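Before running `docker swarm ca --rotate`, it helps to confirm that the files handed to `--ca-cert` and `--ca-key` are usable as a root at all. The script below is an added example and not part of this thread or of Docker's tooling; it assumes the `openssl` CLI is available and checks two preconditions a rotate needs: the certificate is marked as a CA (basicConstraints CA:TRUE, a plain server certificate does not qualify) and the private key actually belongs to that certificate. The demo CA it builds is constructed locally for illustration only.

```shell
#!/bin/sh
# Added example (not from the thread): preflight checks before running
#   docker swarm ca --rotate --ca-cert custom.crt --ca-key custom.key
# Assumes the openssl CLI is installed. make_demo_ca builds constructed
# demo material for illustration; it is not a real swarm CA.

# is_ca_cert CERT: succeed only if the PEM certificate is marked as a CA
# (basicConstraints CA:TRUE). A server/leaf certificate cannot act as a root.
is_ca_cert() {
  openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# key_matches_cert CERT KEY: succeed only if KEY is the private key for CERT,
# compared via the public key each one carries.
key_matches_cert() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# preflight CERT KEY: run every check, report each one, succeed only if all pass
preflight() {
  cert=$1
  key=$2
  ok=0
  command -v openssl >/dev/null 2>&1 || { echo "FAIL: openssl not found"; return 1; }
  if is_ca_cert "$cert"; then
    echo "ok:   $cert is a CA certificate"
  else
    echo "FAIL: $cert is not a CA certificate (basicConstraints CA:TRUE missing)"
    ok=1
  fi
  if key_matches_cert "$cert" "$key"; then
    echo "ok:   $key is the private key for $cert"
  else
    echo "FAIL: $key is not the private key for $cert"
    ok=1
  fi
  return $ok
}

# make_demo_ca DIR: constructed demo material, not a real swarm CA:
# a self-signed root (ca.crt/ca.key) plus a leaf certificate it issued
# (leaf.crt/leaf.key). The leaf is exactly what a rotate must reject.
make_demo_ca() {
  dir=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-swarm-root" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1 || return 1
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo-leaf" \
    -keyout "$dir/leaf.key" -out "$dir/leaf.csr" >/dev/null 2>&1 || return 1
  openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 1 -out "$dir/leaf.crt" >/dev/null 2>&1
}

# Usage: sh preflight.sh custom.crt custom.key
if [ $# -eq 2 ]; then
  preflight "$1" "$2"
fi
```

Run it against the pair you intend to pass to `--ca-cert`/`--ca-key`; a `FAIL` line means the rotate cannot succeed regardless of the swarm's state. Rotating the root only changes which CA issues the node certificates; the per-node certificate subject (CN set to the node ID, OU to the node role) is generated by swarm and is not taken from the custom certificate.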

You mean custom self generated certificate vs. docker self generated certificate?

The certificates are used on swarm cluster level and only used for mtls and control traffic between the swarm cluster nodes.

What advantage do you see in preparing self-created certificates and using them in favor of the certificates docker generates itself?

Thank you for your response. Yes that is correct. Security team has deemed this as a security vulnerability and want to replace with actual certified certificates.

Could you elaborate on what the attack vector would look like and how a self-created CA would mitigate that potential problem? You should definitely challenge your Security Team in this regard!!

Anyway, did you see the details on the swarm pki?

A self signed cert with the hostname doesn’t match the CN = swarm or swarm manager. CN is not the hostname so the scanner is reporting that we are using an “invalid cert”.

I am trying to follow steps from https://github.com/docker/docker.github.io/blob/master/swarm/configure-tls.md

Valid point for https traffic exposed to the internet.

Though, the port for swarm management traffic is purely technical and by no means to be exposed to the internet. I consider this problem to be purely cosmetic.

I have seen plenty of Docker Enterprise installations and didn’t encounter anyone so far that felt the need to act on what your security team asks you to do.

Are you using the built-in Docker Swarm mode? Or are you using the old standalone Docker Swarm? The content addresses the second and will not work for the first.

Good luck!

Thanks for your response!
In our current setup we installed Docker on multiple VMs and then ran docker swarm init to switch to Swarm Mode and docker swarm join to add more nodes to the cluster.

This is a docker document which mentions use of rotate to push a server certificate with CN names, which could be run when initializing docker: https://docs.docker.com/engine/swarm/how-swarm-mode-works/pki/
Question: is this documentation applicable to our current setup? If not, can you please help us with a docker official document which mentions this is not applicable and we need to use the default CA.

Please let us know your thoughts.