Use external certificates

docker

Classification: compliance

Framework: cis-docker

Control: 8.1.2


Description

When you install the Universal Control Plane without providing your own TLS certificates, it will, by default, configure self-signed certificates. You should instead use certificates signed by an external, trusted certificate authority: this removes the overhead of distributing certificate authority certificates to every node in a Universal Control Plane cluster and is in line with good security practice.

Rationale

By default, UCP is configured to use untrusted, self-signed certificates. Using UCP with externally trusted certificate authorities is a more streamlined and secure option.

Audit

Use the openssl utility to validate your UCP cluster’s certificate chain:

openssl s_client -showcerts -connect <UCP_FQDN>:443

The output should show a certificate chain issued by your external certificate authority; a chain that ends in a self-signed certificate indicates that the default configuration is still in place.
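To make this audit repeatable across many clusters, the following added helper (not part of the benchmark or of Docker's tooling) parses saved output of the openssl command above and reports whether the presented chain is self-signed or failed verification; the two transcripts embedded in it are constructed samples, and the CA names in them are invented.

```python
import re

CHAIN_RE = re.compile(r"^\s*\d+ s:(.*)$")      # " 0 s:CN = ucp.example.com"
ISSUER_RE = re.compile(r"^\s*i:(.*)$")          # "   i:CN = Example Issuing CA"
VERIFY_RE = re.compile(r"Verify return code:\s*(\d+)\s*\((.*?)\)")

def parse_s_client(output):
    """Return ([(subject, issuer), ...], verify_code, verify_message)."""
    chain, subject = [], None
    for line in output.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            subject = m.group(1).strip()
            continue
        m = ISSUER_RE.match(line)
        if m and subject is not None:
            chain.append((subject, m.group(1).strip()))
            subject = None
    m = VERIFY_RE.search(output)
    code, msg = (int(m.group(1)), m.group(2)) if m else (None, "no verify result")
    return chain, code, msg

def audit_chain(output):
    """(passes, reason): passes only if the leaf is not self-signed and verify code is 0."""
    chain, code, msg = parse_s_client(output)
    if not chain:
        return False, "no certificate chain presented"
    subject, issuer = chain[0]
    if subject == issuer:
        return False, "leaf certificate is self-signed (subject == issuer)"
    if code != 0:
        # 18/19: self-signed cert in chain; 20/21: issuer missing from local trust store
        return False, f"chain not trusted: verify return code {code} ({msg})"
    return True, f"{len(chain)} cert(s) verified, anchored at: {chain[-1][1]}"

# Constructed transcripts (PEM blocks omitted), not captures from a real cluster.
SELF_SIGNED_SAMPLE = """\
Certificate chain
 0 s:CN = ucp.example.com
   i:CN = ucp.example.com
    Verify return code: 18 (self signed certificate)
"""
EXTERNAL_SAMPLE = """\
Certificate chain
 0 s:CN = ucp.example.com
   i:O = Example Trust Services, CN = Example Issuing CA
 1 s:O = Example Trust Services, CN = Example Issuing CA
   i:O = Example Trust Services, CN = Example Root CA
    Verify return code: 0 (ok)
"""
```

A verify return code of 0 only means the CA is in the trust store of the machine running openssl, so run the audit from a host that carries your organisation's standard trust store rather than from a UCP node.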

Remediation

You can configure your own certificates for UCP either during installation or after installation via the UCP “Admin Settings” user interface.

Customize certificates during installation:

  1. Create a volume named ucp-controller-server-certs on your primary UCP Manager installation node:

     docker volume create ucp-controller-server-certs

  2. Copy your external certificate authority’s public certificate file (ca.pem) and your signed certificate (cert.pem) and key (key.pem) files to the root directory of the volume:

     cp ca.pem cert.pem key.pem $(docker volume inspect --format '{{ .Mountpoint }}' ucp-controller-server-certs)/

  3. Run the UCP installation command with the --external-server-cert flag.

Customize certificates post-installation via the “Admin Settings” UI:

Refer to the instructions at https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/use-your-own-tls-certificates/#configure-ucp-to-use-your-own-tls-certificates-and-keys for configuring your own certificates via the UCP UI.

Impact

None

Default value

Self-signed certificates are configured by default.

References

  1. https://docs.docker.com/datacenter/ucp/2.2/guides/admin/install/plan-installation/#use-an-external-certificate-authority
  2. https://docs.docker.com/datacenter/ucp/2.2/reference/cli/install/#description
  3. https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/use-your-own-tls-certificates/

CIS controls

None