Docker Community Forums


Securing Docker CE implementation with "cheap" SSL from trusted source?


(Bruno Banelli) #1

Greetings to all,

I have implemented open source Docker on my virtual machines. It all works fine, but I would like to finish the whole procedure following this link:

Since I managed to do it with a self-signed certificate, the question I have is the following: would a “real” but “cheap” SSL certificate that can be obtained from a trusted source (those usually cost ~$10 per year), with the assumption that I have a static IP address and a domain name tied to that address, be sufficient to secure the registry and Docker access in general?

That is, if I have a static IP x.x.x.x and an SSL certificate for foo.bar.com, which would be the machine that Docker is installed on, can I simply buy one of those low-cost certificates (and use the foo.bar.com domain as the CN), or does something more expensive have to be purchased?

Thank you in advance for any hint,

Bruno


(Kristian Østergaard Martensen) #2

One could argue that using a self-signed certificate is the most secure, since it implies explicit trust in the certificate you generated yourself, rather than trusting third parties. No matter how much money those third parties charge you for trusting them.

Nonetheless, a cheap certificate will encrypt your traffic just as well as an expensive one, as long as the key length is the same. (I know that sentence is not 100% semantically correct, but you get the point.)
I would claim that an RSA key with a length of 2048 bits should be just fine.
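The following is an added example, not code from the original thread or from Docker itself, written in Go because that is the language the Docker daemon and client are written in, so the certificate checks below are the same ones a client with --tlsverify performs. It ties together the two points above: the host name (foo.bar.com is the hypothetical name from the question) and the key length. It builds a small private CA, issues a server certificate with a Subject Alternative Name for the host, issues a second certificate that carries the host only in the CN, and shows which of them verify. The CA name and the 2048-bit key size are assumptions for the demonstration.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCert generates an RSA key of the given size and a certificate for tmpl.
// When parent is nil the certificate is self-signed (a private CA, or a
// one-off self-signed server cert); otherwise parentKey signs it.
func newCert(tmpl, parent *x509.Certificate, parentKey *rsa.PrivateKey, bits int) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return cert, key, nil
}

// baseTemplate fills the fields every certificate in this example shares.
func baseTemplate(serial int64, cn string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
}

// caTemplate marks a certificate as a CA that may sign other certificates.
func caTemplate(cn string) *x509.Certificate {
	t := baseTemplate(1, cn)
	t.IsCA = true
	t.BasicConstraintsValid = true
	t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature
	return t
}

// serverTemplate builds a daemon/registry certificate. Host names go into the
// SAN extension (DNSNames); sans may be empty to produce a CN-only certificate.
func serverTemplate(serial int64, cn string, sans ...string) *x509.Certificate {
	t := baseTemplate(serial, cn)
	t.DNSNames = sans
	t.KeyUsage = x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment
	t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	return t
}

// VerifyHost reports whether cert chains to one of roots and is valid for host.
func VerifyHost(cert *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// Demo runs each check and returns the outcomes by name.
func Demo() (map[string]bool, error) {
	const host = "foo.bar.com" // hypothetical host from the question
	ca, caKey, err := newCert(caTemplate("example private CA"), nil, nil, 2048)
	if err != nil {
		return nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)

	withSAN, serverKey, err := newCert(serverTemplate(2, host, host), ca, caKey, 2048)
	if err != nil {
		return nil, err
	}
	cnOnly, _, err := newCert(serverTemplate(3, host), ca, caKey, 2048)
	if err != nil {
		return nil, err
	}
	// Self-signed server cert, trusted only because we pin it explicitly.
	selfSigned, _, err := newCert(serverTemplate(4, host, host), nil, nil, 2048)
	if err != nil {
		return nil, err
	}
	pinned := x509.NewCertPool()
	pinned.AddCert(selfSigned)

	return map[string]bool{
		"san_cert_valid_for_host":       VerifyHost(withSAN, roots, host) == nil,
		"san_cert_valid_for_other_host": VerifyHost(withSAN, roots, "other.bar.com") == nil,
		"cn_only_cert_valid_for_host":   VerifyHost(cnOnly, roots, host) == nil,
		"san_cert_trusted_without_ca":   VerifyHost(withSAN, x509.NewCertPool(), host) == nil,
		"self_signed_valid_when_pinned": VerifyHost(selfSigned, pinned, host) == nil,
		"key_is_2048_bits":              serverKey.N.BitLen() == 2048,
	}, nil
}

func main() {
	res, err := Demo()
	if err != nil {
		panic(err)
	}
	for name, ok := range res {
		fmt.Printf("%-32s %v\n", name, ok)
	}
}
```

Two things the output makes visible that the thread only implies: the certificate that names the host solely in the CN does not verify, because Go's x509 package (and therefore the Docker client) ignores the Common Name for host matching and requires a SAN, so a purchased certificate for foo.bar.com must carry that name as a SAN, which commercial and Let's Encrypt issuers do by default; and the self-signed certificate verifies only when it is pinned as a root, which is exactly the "explicit trust" trade-off described above. Whether the signer is a private CA, a cheap commercial CA or Let's Encrypt changes only which pool the client trusts, not the encryption.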


(Bruno Banelli) #3

Hi Kristian,

thank you for your reply.

But am I wrong in thinking that with a “3rd party trusted” certificate I can also use that one for securing my HTTPS connections towards applications running in Docker? So I basically solved two security concerns with a single (cheap :)) purchase?

With my very best,

Bruno


(Kristian Østergaard Martensen) #4

That would be correct.
I will encourage you to take a look at https://letsencrypt.org however.
But we are getting outside of the Docker scope of this forum, and into generic security and web hosting topics.