@@ -3,6 +3,7 @@ package api

 import (

 	"bufio"

 	"bytes"

+	"crypto/tls"

 	"encoding/base64"

 	"encoding/json"

 	"errors"

@@ -57,8 +58,8 @@ func (cli *DockerCli) getMethod(name string) (func(...string) error, bool) {

 	return method.Interface().(func(...string) error), true

 }

-func ParseCommands(proto, addr string, args ...string) error {

-	cli := NewDockerCli(os.Stdin, os.Stdout, os.Stderr, proto, addr)

+func ParseCommands(proto, addr string, tlsConfig *tls.Config, args ...string) error {

+	cli := NewDockerCli(os.Stdin, os.Stdout, os.Stderr, proto, addr, tlsConfig)

 	if len(args) > 0 {

 		method, exists := cli.getMethod(args[0])

@@ -2026,6 +2027,13 @@ func (cli *DockerCli) CmdLoad(args ...string) error {

 	return nil

 }

+func (cli *DockerCli) dial() (net.Conn, error) {

+	if cli.tlsConfig != nil && cli.proto != "unix" {

+		return tls.Dial(cli.proto, cli.addr, cli.tlsConfig)

+	}

+	return net.Dial(cli.proto, cli.addr)

+}

+

 func (cli *DockerCli) call(method, path string, data interface{}, passAuthInfo bool) (io.ReadCloser, int, error) {

 	params := bytes.NewBuffer(nil)

 	if data != nil {

@@ -2078,7 +2086,7 @@ func (cli *DockerCli) call(method, path string, data interface{}, passAuthInfo b

 	} else if method == "POST" {

 		req.Header.Set("Content-Type", "plain/text")

 	}

-	dial, err := net.Dial(cli.proto, cli.addr)

+	dial, err := cli.dial()

 	if err != nil {

 		if strings.Contains(err.Error(), "connection refused") {

 			return nil, -1, ErrConnectionRefused

@@ -2140,7 +2148,7 @@ func (cli *DockerCli) stream(method, path string, in io.Reader, out io.Writer, h

 		}

 	}

-	dial, err := net.Dial(cli.proto, cli.addr)

+	dial, err := cli.dial()

 	if err != nil {

 		if strings.Contains(err.Error(), "connection refused") {

 			return fmt.Errorf("Cannot connect to the Docker daemon. Is 'docker -d' running on this host?")

@@ -2196,7 +2204,7 @@ func (cli *DockerCli) hijack(method, path string, setRawTerminal bool, in io.Rea

 	req.Header.Set("Content-Type", "plain/text")

 	req.Host = cli.addr

-	dial, err := net.Dial(cli.proto, cli.addr)

+	dial, err := cli.dial()

 	if err != nil {

 		if strings.Contains(err.Error(), "connection refused") {

 			return fmt.Errorf("Cannot connect to the Docker daemon. Is 'docker -d' running on this host?")

@@ -2388,7 +2396,7 @@ func readBody(stream io.ReadCloser, statusCode int, err error) ([]byte, int, err

 	return body, statusCode, nil

 }

-func NewDockerCli(in io.ReadCloser, out, err io.Writer, proto, addr string) *DockerCli {

+func NewDockerCli(in io.ReadCloser, out, err io.Writer, proto, addr string, tlsConfig *tls.Config) *DockerCli {

 	var (

 		isTerminal = false

 		terminalFd uintptr

@@ -2412,6 +2420,7 @@ func NewDockerCli(in io.ReadCloser, out, err io.Writer, proto, addr string) *Doc

 		err:        err,

 		isTerminal: isTerminal,

 		terminalFd: terminalFd,

+		tlsConfig:  tlsConfig,

 	}

 }

@@ -2424,4 +2433,5 @@ type DockerCli struct {

 	err        io.Writer

 	isTerminal bool

 	terminalFd uintptr

+	tlsConfig  *tls.Config

 }

@@ -4,6 +4,8 @@ import (

 	"bufio"

 	"bytes"

 	"code.google.com/p/go.net/websocket"

+	"crypto/tls"

+	"crypto/x509"

 	"encoding/base64"

 	"encoding/json"

 	"expvar"

@@ -1129,9 +1131,8 @@ func changeGroup(addr string, nameOrGid string) error {

 // ListenAndServe sets up the required http.Server and gets it listening for

 // each addr passed in and does protocol specific checking.

-func ListenAndServe(proto, addr string, eng *engine.Engine, logging, enableCors bool, dockerVersion string, socketGroup string) error {

-	r, err := createRouter(eng, logging, enableCors, dockerVersion)

-

+func ListenAndServe(proto, addr string, job *engine.Job) error {

+	r, err := createRouter(job.Eng, job.GetenvBool("Logging"), job.GetenvBool("EnableCors"), job.Getenv("Version"))

 	if err != nil {

 		return err

 	}

@@ -1151,17 +1152,43 @@ func ListenAndServe(proto, addr string, eng *engine.Engine, logging, enableCors

 		return err

 	}

+	if proto != "unix" && (job.GetenvBool("Tls") || job.GetenvBool("TlsVerify")) {

+		tlsCert := job.Getenv("TlsCert")

+		tlsKey := job.Getenv("TlsKey")

+		cert, err := tls.LoadX509KeyPair(tlsCert, tlsKey)

+		if err != nil {

+			return fmt.Errorf("Couldn't load X509 key pair (%s, %s): %s. Key encrypted?",

+				tlsCert, tlsKey, err)

+		}

+		tlsConfig := &tls.Config{

+			NextProtos:   []string{"http/1.1"},

+			Certificates: []tls.Certificate{cert},

+		}

+		if job.GetenvBool("TlsVerify") {

+			certPool := x509.NewCertPool()

+			file, err := ioutil.ReadFile(job.Getenv("TlsCa"))

+			if err != nil {

+				return fmt.Errorf("Couldn't read CA certificate: %s", err)

+			}

+			certPool.AppendCertsFromPEM(file)

+

+			tlsConfig.ClientAuth = tls.RequireAndVerifyClientCert

+			tlsConfig.ClientCAs = certPool

+		}

+		l = tls.NewListener(l, tlsConfig)

+	}

+

 	// Basic error and sanity checking

 	switch proto {

 	case "tcp":

-		if !strings.HasPrefix(addr, "127.0.0.1") {

+		if !strings.HasPrefix(addr, "127.0.0.1") && !job.GetenvBool("TlsVerify") {

 			log.Println("/!\\ DON'T BIND ON ANOTHER IP ADDRESS THAN 127.0.0.1 IF YOU DON'T KNOW WHAT YOU'RE DOING /!\\")

 		}

 	case "unix":

 		if err := os.Chmod(addr, 0660); err != nil {

 			return err

 		}

-

+		socketGroup := job.Getenv("SocketGroup")

 		if socketGroup != "" {

 			if err := changeGroup(addr, socketGroup); err != nil {

 				if socketGroup == "docker" {

@@ -1197,7 +1224,7 @@ func ServeApi(job *engine.Job) engine.Status {

 		protoAddrParts := strings.SplitN(protoAddr, "://", 2)

 		go func() {

 			log.Printf("Listening for HTTP on %s (%s)\n", protoAddrParts[0], protoAddrParts[1])

-			chErrors <- ListenAndServe(protoAddrParts[0], protoAddrParts[1], job.Eng, job.GetenvBool("Logging"), job.GetenvBool("EnableCors"), job.Getenv("Version"), job.Getenv("SocketGroup"))

+			chErrors <- ListenAndServe(protoAddrParts[0], protoAddrParts[1], job)

 		}()

 	}

@@ -70,7 +70,7 @@ func main() {

 	bufErr := bytes.NewBuffer(nil)

 	// Instanciate the Docker CLI

-	cli := docker.NewDockerCli(nil, bufOut, bufErr, "unix", "/var/run/docker.sock")

+	cli := docker.NewDockerCli(nil, bufOut, bufErr, "unix", "/var/run/docker.sock", false, nil)

 	// Retrieve the container info

 	if err := cli.CmdInspect(flag.Arg(0)); err != nil {

 		// As of docker v0.6.3, CmdInspect always returns nil

@@ -1,7 +1,10 @@

 package main

 import (

+	"crypto/tls"

+	"crypto/x509"

 	"fmt"

+	"io/ioutil"

 	"log"

 	"os"

 	"strings"

@@ -16,6 +19,16 @@ import (

 	"github.com/dotcloud/docker/utils"

 )

+const (

+	defaultCaFile   = "ca.pem"

+	defaultKeyFile  = "key.pem"

+	defaultCertFile = "cert.pem"

+)

+

+var (

+	dockerConfDir = os.Getenv("HOME") + "/.docker/"

+)

+

 func main() {

 	if selfPath := utils.SelfPath(); strings.Contains(selfPath, ".dockerinit") {

 		// Running in init mode

@@ -43,6 +56,11 @@ func main() {

 		flExecDriver         = flag.String([]string{"e", "-exec-driver"}, "native", "Force the docker runtime to use a specific exec driver")

 		flHosts              = opts.NewListOpts(api.ValidateHost)

 		flMtu                = flag.Int([]string{"#mtu", "-mtu"}, 0, "Set the containers network MTU; if no value is provided: default to the default route MTU or 1500 if no default route is available")

+		flTls                = flag.Bool([]string{"-tls"}, false, "Use TLS; implied by tls-verify flags")

+		flTlsVerify          = flag.Bool([]string{"-tlsverify"}, false, "Use TLS and verify the remote (daemon: verify client, client: verify daemon)")

+		flCa                 = flag.String([]string{"-tlscacert"}, dockerConfDir+defaultCaFile, "Trust only remotes providing a certificate signed by the CA given here")

+		flCert               = flag.String([]string{"-tlscert"}, dockerConfDir+defaultCertFile, "Path to TLS certificate file")

+		flKey                = flag.String([]string{"-tlskey"}, dockerConfDir+defaultKeyFile, "Path to TLS key file")

 	)

 	flag.Var(&flDns, []string{"#dns", "-dns"}, "Force docker to use specific DNS servers")

 	flag.Var(&flHosts, []string{"H", "-host"}, "tcp://host:port, unix://path/to/socket, fd://* or fd://socketfd to use in daemon mode. Multiple sockets can be specified")

@@ -73,6 +91,7 @@ func main() {

 	if *flDebug {

 		os.Setenv("DEBUG", "1")

 	}

+

 	if *flDaemon {

 		if flag.NArg() != 0 {

 			flag.Usage()

@@ -140,6 +159,12 @@ func main() {

 		job.SetenvBool("EnableCors", *flEnableCors)

 		job.Setenv("Version", dockerversion.VERSION)

 		job.Setenv("SocketGroup", *flSocketGroup)

+

+		job.SetenvBool("Tls", *flTls)

+		job.SetenvBool("TlsVerify", *flTlsVerify)

+		job.Setenv("TlsCa", *flCa)

+		job.Setenv("TlsCert", *flCert)

+		job.Setenv("TlsKey", *flKey)

 		if err := job.Run(); err != nil {

 			log.Fatal(err)

 		}

@@ -148,14 +173,53 @@ func main() {

 			log.Fatal("Please specify only one -H")

 		}

 		protoAddrParts := strings.SplitN(flHosts.GetAll()[0], "://", 2)

-		if err := api.ParseCommands(protoAddrParts[0], protoAddrParts[1], flag.Args()...); err != nil {

-			if sterr, ok := err.(*utils.StatusError); ok {

+

+		var (

+			errc      error

+			tlsConfig tls.Config

+		)

+		tlsConfig.InsecureSkipVerify = true

+

+		// If we should verify the server, we need to load a trusted ca

+		if *flTlsVerify {

+			*flTls = true

+			certPool := x509.NewCertPool()

+			file, err := ioutil.ReadFile(*flCa)

+			if err != nil {

+				log.Fatalf("Couldn't read ca cert %s: %s", *flCa, err)

+			}

+			certPool.AppendCertsFromPEM(file)

+			tlsConfig.RootCAs = certPool

+			tlsConfig.InsecureSkipVerify = false

+		}

+

+		// If tls is enabled, try to load and send client certificates

+		if *flTls || *flTlsVerify {

+			_, errCert := os.Stat(*flCert)

+			_, errKey := os.Stat(*flKey)

+			if errCert == nil && errKey == nil {

+				*flTls = true

+				cert, err := tls.LoadX509KeyPair(*flCert, *flKey)

+				if err != nil {

+					log.Fatalf("Couldn't load X509 key pair: %s. Key encrypted?", err)

+				}

+				tlsConfig.Certificates = []tls.Certificate{cert}

+			}

+		}

+

+		if *flTls || *flTlsVerify {

+			errc = api.ParseCommands(protoAddrParts[0], protoAddrParts[1], &tlsConfig, flag.Args()...)

+		} else {

+			errc = api.ParseCommands(protoAddrParts[0], protoAddrParts[1], nil, flag.Args()...)

+		}

+		if errc != nil {

+			if sterr, ok := errc.(*utils.StatusError); ok {

 				if sterr.Status != "" {

 					log.Println(sterr.Status)

 				}

 				os.Exit(sterr.StatusCode)

 			}

-			log.Fatal(err)

+			log.Fatal(errc)

 		}

 	}

 }

new file mode 100644

@@ -0,0 +1,126 @@

+:title: Docker HTTPS Setup

+:description: How to setup docker with https

+:keywords: docker, example, https, daemon

+

+.. _running_docker_https:

+

+Running Docker with https

+=========================

+

+By default, Docker runs via a non-networked Unix socket. It can also optionally

+communicate using a HTTP socket.

+

+If you need Docker reachable via the network in a safe manner, you can enable

+TLS by specifying the `tlsverify` flag and pointing Docker's `tlscacert` flag to a

+trusted CA certificate.

+

+In daemon mode, it will only allow connections from clients authenticated by a

+certificate signed by that CA. In client mode, it will only connect to servers

+with a certificate signed by that CA.

+

+.. warning::

+

+  Using TLS and managing a CA is an advanced topic. Please make you self familiar

+  with openssl, x509 and tls before using it in production.

+

+Create a CA, server and client keys with OpenSSL

+------------------------------------------------

+

+First, initialize the CA serial file and generate CA private and public keys:

+

+.. code-block:: bash

+

+    $ echo 01 > ca.srl

+    $ openssl genrsa -des3 -out ca-key.pem

+    $ openssl req -new -x509 -days 365 -key ca-key.pem -out ca.pem

+

+Now that we have a CA, you can create a server key and certificate signing request.

+Make sure that `"Common Name (e.g. server FQDN or YOUR name)"` matches the hostname you will use

+to connect to Docker or just use '*' for a certificate valid for any hostname:

+

+.. code-block:: bash

+

+    $ openssl genrsa -des3 -out server-key.pem

+    $ openssl req -new -key server-key.pem -out server.csr

+

+Next we're going to sign the key with our CA:

+

+.. code-block:: bash

+

+    $ openssl x509 -req -days 365 -in server.csr -CA ca.pem -CAkey ca-key.pem \

+      -out server-cert.pem

+

+For client authentication, create a client key and certificate signing request:

+

+.. code-block:: bash

+

+    $ openssl genrsa -des3 -out client-key.pem

+    $ openssl req -new -key client-key.pem -out client.csr

+

+

+To make the key suitable for client authentication, create a extensions config file:

+

+.. code-block:: bash

+

+    $ echo extendedKeyUsage = clientAuth > extfile.cnf

+

+Now sign the key:

+

+.. code-block:: bash

+

+    $ openssl x509 -req -days 365 -in client.csr -CA ca.pem -CAkey ca-key.pem \

+      -out client-cert.pem -extfile extfile.cnf

+

+Finally you need to remove the passphrase from the client and server key:

+

+.. code-block:: bash

+

+    $ openssl rsa -in server-key.pem -out server-key.pem

+    $ openssl rsa -in client-key.pem -out client-key.pem

+  

+Now you can make the Docker daemon only accept connections from clients providing

+a certificate trusted by our CA:

+

+.. code-block:: bash

+

+    $ sudo docker -d --tlsverify --tlscacert=ca.pem --tlscert=server-cert.pem --tlskey=server-key.pem \

+      -H=0.0.0.0:4243

+

+To be able to connect to Docker and validate its certificate, you now need to provide your client keys,

+certificates and trusted CA:

+

+.. code-block:: bash

+

+   $ docker --tlsverify --tlscacert=ca.pem --tlscert=client-cert.pem --tlskey=client-key.pem \

+     -H=dns-name-of-docker-host:4243

+

+.. warning::

+

+  As shown in the example above, you don't have to run the ``docker``

+  client  with ``sudo`` or the ``docker`` group when you use

+  certificate authentication. That means anyone with the keys can

+  give any instructions to your Docker daemon, giving them root

+  access to the machine hosting the daemon. Guard these keys as you

+  would a root password!

+

+Other modes

+-----------

+If you don't want to have complete two-way authentication, you can run Docker in

+various other modes by mixing the flags.

+

+Daemon modes

+~~~~~~~~~~~~

+- tlsverify, tlscacert, tlscert, tlskey set: Authenticate clients

+- tls, tlscert, tlskey: Do not authenticate clients

+

+Client modes

+~~~~~~~~~~~~

+- tls: Authenticate server based on public/default CA pool

+- tlsverify, tlscacert: Authenticate server based on given CA

+- tls, tlscert, tlskey: Authenticate with client certificate, do not authenticate

+  server based on given CA

+- tlsverify, tlscacert, tlscert, tlskey: Authenticate with client certificate,

+  authenticate server based on given CA

+

+The client will send its client certificate if found, so you just need to drop

+your keys into `~/.docker/<ca, cert or key>.pem`

@@ -26,3 +26,4 @@ to more substantial services like those which you might find in production.

    using_supervisord

    cfengine_process_management

    python_web_app

+   https

@@ -86,6 +86,11 @@ Commands

       -s, --storage-driver="": Force the docker runtime to use a specific storage driver

       -e, --exec-driver="native": Force the docker runtime to use a specific exec driver

       -v, --version=false: Print version information and quit

+      --tls=false: Use TLS; implied by tls-verify flags

+      --tlscacert="~/.docker/ca.pem": Trust only remotes providing a certificate signed by the CA given here

+      --tlscert="~/.docker/cert.pem": Path to TLS certificate file

+      --tlskey="~/.docker/key.pem": Path to TLS key file

+      --tlsverify=false: Use TLS and verify the remote (daemon: verify client, client: verify daemon)

       --mtu=0: Set the containers network MTU; if no value is provided: default to the default route MTU or 1500 if no default route is available

 The Docker daemon is the persistent process that manages containers.  Docker uses the same binary for both the 

@@ -120,7 +120,7 @@ func assertPipe(input, output string, r io.Reader, w io.Writer, count int) error

 func TestRunHostname(t *testing.T) {

 	stdout, stdoutPipe := io.Pipe()

-	cli := api.NewDockerCli(nil, stdoutPipe, ioutil.Discard, testDaemonProto, testDaemonAddr)

+	cli := api.NewDockerCli(nil, stdoutPipe, ioutil.Discard, testDaemonProto, testDaemonAddr, nil)

 	defer cleanup(globalEngine, t)

 	c := make(chan struct{})

@@ -165,7 +165,7 @@ func TestRunHostname(t *testing.T) {

 func TestRunWorkdir(t *testing.T) {

 	stdout, stdoutPipe := io.Pipe()

-	cli := api.NewDockerCli(nil, stdoutPipe, ioutil.Discard, testDaemonProto, testDaemonAddr)

+	cli := api.NewDockerCli(nil, stdoutPipe, ioutil.Discard, testDaemonProto, testDaemonAddr, nil)

 	defer cleanup(globalEngine, t)

 	c := make(chan struct{})

@@ -210,7 +210,7 @@ func TestRunWorkdir(t *testing.T) {

 func TestRunWorkdirExists(t *testing.T) {

 	stdout, stdoutPipe := io.Pipe()

-	cli := api.NewDockerCli(nil, stdoutPipe, ioutil.Discard, testDaemonProto, testDaemonAddr)

+	cli := api.NewDockerCli(nil, stdoutPipe, ioutil.Discard, testDaemonProto, testDaemonAddr, nil)

 	defer cleanup(globalEngine, t)

 	c := make(chan struct{})

@@ -255,7 +255,7 @@ func TestRunExit(t *testing.T) {

 	stdin, stdinPipe := io.Pipe()

 	stdout, stdoutPipe := io.Pipe()

-	cli := api.NewDockerCli(stdin, stdoutPipe, ioutil.Discard, testDaemonProto, testDaemonAddr)

+	cli := api.NewDockerCli(stdin, stdoutPipe, ioutil.Discard, testDaemonProto, testDaemonAddr, nil)

 	defer cleanup(globalEngine, t)

 	c1 := make(chan struct{})

@@ -308,7 +308,7 @@ func TestRunDisconnect(t *testing.T) {

 	stdin, stdinPipe := io.Pipe()

 	stdout, stdoutPipe := io.Pipe()

-	cli := api.NewDockerCli(stdin, stdoutPipe, ioutil.Discard, testDaemonProto, testDaemonAddr)

+	cli := api.NewDockerCli(stdin, stdoutPipe, ioutil.Discard, testDaemonProto, testDaemonAddr, nil)

 	defer cleanup(globalEngine, t)

 	c1 := make(chan struct{})

@@ -354,7 +354,7 @@ func TestRunDisconnectTty(t *testing.T) {

 	stdin, stdinPipe := io.Pipe()

 	stdout, stdoutPipe := io.Pipe()

-	cli := api.NewDockerCli(stdin, stdoutPipe, ioutil.Discard, testDaemonProto, testDaemonAddr)

+	cli := api.NewDockerCli(stdin, stdoutPipe, ioutil.Discard, testDaemonProto, testDaemonAddr, nil)

 	defer cleanup(globalEngine, t)

 	c1 := make(chan struct{})

@@ -406,7 +406,7 @@ func TestRunAttachStdin(t *testing.T) {

 	stdin, stdinPipe := io.Pipe()

 	stdout, stdoutPipe := io.Pipe()

-	cli := api.NewDockerCli(stdin, stdoutPipe, ioutil.Discard, testDaemonProto, testDaemonAddr)

+	cli := api.NewDockerCli(stdin, stdoutPipe, ioutil.Discard, testDaemonProto, testDaemonAddr, nil)

 	defer cleanup(globalEngine, t)

 	ch := make(chan struct{})

@@ -470,7 +470,7 @@ func TestRunDetach(t *testing.T) {

 	stdin, stdinPipe := io.Pipe()

 	stdout, stdoutPipe := io.Pipe()

-	cli := api.NewDockerCli(stdin, stdoutPipe, ioutil.Discard, testDaemonProto, testDaemonAddr)

+	cli := api.NewDockerCli(stdin, stdoutPipe, ioutil.Discard, testDaemonProto, testDaemonAddr, nil)

 	defer cleanup(globalEngine, t)

 	ch := make(chan struct{})

@@ -517,7 +517,7 @@ func TestAttachDetach(t *testing.T) {

 	stdin, stdinPipe := io.Pipe()

 	stdout, stdoutPipe := io.Pipe()

-	cli := api.NewDockerCli(stdin, stdoutPipe, ioutil.Discard, testDaemonProto, testDaemonAddr)

+	cli := api.NewDockerCli(stdin, stdoutPipe, ioutil.Discard, testDaemonProto, testDaemonAddr, nil)

 	defer cleanup(globalEngine, t)

 	ch := make(chan struct{})

@@ -550,7 +550,7 @@ func TestAttachDetach(t *testing.T) {

 	stdin, stdinPipe = io.Pipe()

 	stdout, stdoutPipe = io.Pipe()

-	cli = api.NewDockerCli(stdin, stdoutPipe, ioutil.Discard, testDaemonProto, testDaemonAddr)

+	cli = api.NewDockerCli(stdin, stdoutPipe, ioutil.Discard, testDaemonProto, testDaemonAddr, nil)

 	ch = make(chan struct{})

 	go func() {

@@ -598,7 +598,7 @@ func TestAttachDetachTruncatedID(t *testing.T) {

 	stdin, stdinPipe := io.Pipe()

 	stdout, stdoutPipe := io.Pipe()

-	cli := api.NewDockerCli(stdin, stdoutPipe, ioutil.Discard, testDaemonProto, testDaemonAddr)

+	cli := api.NewDockerCli(stdin, stdoutPipe, ioutil.Discard, testDaemonProto, testDaemonAddr, nil)

 	defer cleanup(globalEngine, t)

 	// Discard the CmdRun output

@@ -616,7 +616,7 @@ func TestAttachDetachTruncatedID(t *testing.T) {

 	stdin, stdinPipe = io.Pipe()

 	stdout, stdoutPipe = io.Pipe()

-	cli = api.NewDockerCli(stdin, stdoutPipe, ioutil.Discard, testDaemonProto, testDaemonAddr)

+	cli = api.NewDockerCli(stdin, stdoutPipe, ioutil.Discard, testDaemonProto, testDaemonAddr, nil)

 	ch := make(chan struct{})

 	go func() {

@@ -663,7 +663,7 @@ func TestAttachDisconnect(t *testing.T) {

 	stdin, stdinPipe := io.Pipe()

 	stdout, stdoutPipe := io.Pipe()

-	cli := api.NewDockerCli(stdin, stdoutPipe, ioutil.Discard, testDaemonProto, testDaemonAddr)

+	cli := api.NewDockerCli(stdin, stdoutPipe, ioutil.Discard, testDaemonProto, testDaemonAddr, nil)

 	defer cleanup(globalEngine, t)

 	go func() {

@@ -732,7 +732,7 @@ func TestAttachDisconnect(t *testing.T) {

 func TestRunAutoRemove(t *testing.T) {

 	t.Skip("Fixme. Skipping test for now, race condition")

 	stdout, stdoutPipe := io.Pipe()

-	cli := api.NewDockerCli(nil, stdoutPipe, ioutil.Discard, testDaemonProto, testDaemonAddr)

+	cli := api.NewDockerCli(nil, stdoutPipe, ioutil.Discard, testDaemonProto, testDaemonAddr, nil)

 	defer cleanup(globalEngine, t)

 	c := make(chan struct{})

@@ -768,7 +768,7 @@ func TestRunAutoRemove(t *testing.T) {

 func TestCmdLogs(t *testing.T) {

 	t.Skip("Test not impemented")

-	cli := api.NewDockerCli(nil, ioutil.Discard, ioutil.Discard, testDaemonProto, testDaemonAddr)

+	cli := api.NewDockerCli(nil, ioutil.Discard, ioutil.Discard, testDaemonProto, testDaemonAddr, nil)

 	defer cleanup(globalEngine, t)

 	if err := cli.CmdRun(unitTestImageID, "sh", "-c", "ls -l"); err != nil {

@@ -786,7 +786,7 @@ func TestCmdLogs(t *testing.T) {

 // Expected behaviour: error out when attempting to bind mount non-existing source paths

 func TestRunErrorBindNonExistingSource(t *testing.T) {

-	cli := api.NewDockerCli(nil, nil, ioutil.Discard, testDaemonProto, testDaemonAddr)

+	cli := api.NewDockerCli(nil, nil, ioutil.Discard, testDaemonProto, testDaemonAddr, nil)

 	defer cleanup(globalEngine, t)

 	c := make(chan struct{})

@@ -806,7 +806,7 @@ func TestRunErrorBindNonExistingSource(t *testing.T) {

 func TestImagesViz(t *testing.T) {

 	stdout, stdoutPipe := io.Pipe()

-	cli := api.NewDockerCli(nil, stdoutPipe, ioutil.Discard, testDaemonProto, testDaemonAddr)

+	cli := api.NewDockerCli(nil, stdoutPipe, ioutil.Discard, testDaemonProto, testDaemonAddr, nil)

 	defer cleanup(globalEngine, t)

 	image := buildTestImages(t, globalEngine)

@@ -856,7 +856,7 @@ func TestImagesViz(t *testing.T) {

 func TestImagesTree(t *testing.T) {

 	stdout, stdoutPipe := io.Pipe()

-	cli := api.NewDockerCli(nil, stdoutPipe, ioutil.Discard, testDaemonProto, testDaemonAddr)

+	cli := api.NewDockerCli(nil, stdoutPipe, ioutil.Discard, testDaemonProto, testDaemonAddr, nil)

 	defer cleanup(globalEngine, t)

 	image := buildTestImages(t, globalEngine)

@@ -939,7 +939,7 @@ func TestRunCidFile(t *testing.T) {

 	}

 	tmpCidFile := path.Join(tmpDir, "cid")

-	cli := api.NewDockerCli(nil, stdoutPipe, ioutil.Discard, testDaemonProto, testDaemonAddr)

+	cli := api.NewDockerCli(nil, stdoutPipe, ioutil.Discard, testDaemonProto, testDaemonAddr, nil)

 	defer cleanup(globalEngine, t)

 	c := make(chan struct{})

@@ -989,7 +989,7 @@ func TestContainerOrphaning(t *testing.T) {

 	defer os.RemoveAll(tmpDir)

 	// setup a CLI and server

-	cli := api.NewDockerCli(nil, ioutil.Discard, ioutil.Discard, testDaemonProto, testDaemonAddr)

+	cli := api.NewDockerCli(nil, ioutil.Discard, ioutil.Discard, testDaemonProto, testDaemonAddr, nil)

 	defer cleanup(globalEngine, t)

 	srv := mkServerFromEngine(globalEngine, t)

@@ -1049,8 +1049,8 @@ func TestCmdKill(t *testing.T) {

 	var (

 		stdin, stdinPipe   = io.Pipe()

 		stdout, stdoutPipe = io.Pipe()

-		cli                = api.NewDockerCli(stdin, stdoutPipe, ioutil.Discard, testDaemonProto, testDaemonAddr)

-		cli2               = api.NewDockerCli(nil, ioutil.Discard, ioutil.Discard, testDaemonProto, testDaemonAddr)

+		cli                = api.NewDockerCli(stdin, stdoutPipe, ioutil.Discard, testDaemonProto, testDaemonAddr, nil)

+		cli2               = api.NewDockerCli(nil, ioutil.Discard, ioutil.Discard, testDaemonProto, testDaemonAddr, nil)

 	)

 	defer cleanup(globalEngine, t)

new file mode 100644

@@ -0,0 +1,23 @@

+-----BEGIN CERTIFICATE-----

+MIID0TCCAzqgAwIBAgIJAP2r7GqEJwSnMA0GCSqGSIb3DQEBBQUAMIGiMQswCQYD

+VQQGEwJVUzELMAkGA1UECBMCQ0ExFTATBgNVBAcTDFNhbkZyYW5jaXNjbzEVMBMG

+A1UEChMMRm9ydC1GdW5zdG9uMREwDwYDVQQLEwhjaGFuZ2VtZTERMA8GA1UEAxMI

+Y2hhbmdlbWUxETAPBgNVBCkTCGNoYW5nZW1lMR8wHQYJKoZIhvcNAQkBFhBtYWls

+QGhvc3QuZG9tYWluMB4XDTEzMTIwMzE2NTYzMFoXDTIzMTIwMTE2NTYzMFowgaIx

+CzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEVMBMGA1UEBxMMU2FuRnJhbmNpc2Nv

+MRUwEwYDVQQKEwxGb3J0LUZ1bnN0b24xETAPBgNVBAsTCGNoYW5nZW1lMREwDwYD

+VQQDEwhjaGFuZ2VtZTERMA8GA1UEKRMIY2hhbmdlbWUxHzAdBgkqhkiG9w0BCQEW

+EG1haWxAaG9zdC5kb21haW4wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALAn

+0xDw+5y7ZptQacq66pUhRu82JP2WU6IDgo5QUtNU6/CX5PwQATe/OnYTZQFbksxp

+AU9boG0FCkgxfsgPYXEuZxVEGKI2fxfKHOZZI8mrkWmj6eWU/0cvCjGVc9rTITP5

+sNQvg+hORyVDdNp2IdsbMJayiB3AQYMFx3vSDOMTAgMBAAGjggELMIIBBzAdBgNV

+HQ4EFgQUZu7DFz09q0QBa2+ymRm9qgK1NPswgdcGA1UdIwSBzzCBzIAUZu7DFz09

+q0QBa2+ymRm9qgK1NPuhgaikgaUwgaIxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJD

+QTEVMBMGA1UEBxMMU2FuRnJhbmNpc2NvMRUwEwYDVQQKEwxGb3J0LUZ1bnN0b24x

+ETAPBgNVBAsTCGNoYW5nZW1lMREwDwYDVQQDEwhjaGFuZ2VtZTERMA8GA1UEKRMI

+Y2hhbmdlbWUxHzAdBgkqhkiG9w0BCQEWEG1haWxAaG9zdC5kb21haW6CCQD9q+xq

+hCcEpzAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBAF8fJKKM+/oOdnNi

+zEd0M1+PmZOyqvjYQn/2ZR8UHH6Imgc/OPQKZXf0bVE1Txc/DaUNn9Isd1SuCuaE

+ic3vAIYYU7PmgeNN6vwec48V96T7jr+GAi6AVMhQEc2hHCfVtx11Xx+x6aHDZzJt

+Zxtf5lL6KSO9Y+EFwM+rju6hm5hW

+-----END CERTIFICATE-----

new file mode 100644

@@ -0,0 +1,73 @@

+Certificate:

+    Data:

+        Version: 3 (0x2)

+        Serial Number: 3 (0x3)

+    Signature Algorithm: sha1WithRSAEncryption

+        Issuer: C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=changeme, CN=changeme/name=changeme/emailAddress=mail@host.domain

+        Validity

+            Not Before: Dec  4 14:17:54 2013 GMT

+            Not After : Dec  2 14:17:54 2023 GMT

+        Subject: C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=changeme, CN=client/name=changeme/emailAddress=mail@host.domain

+        Subject Public Key Info:

+            Public Key Algorithm: rsaEncryption

+                Public-Key: (1024 bit)

+                Modulus:

+                    00:ca:c9:05:d0:09:4e:3e:a4:fc:d5:14:f4:a5:e8:

+                    34:d3:6b:51:e3:f3:62:ea:a1:f0:e8:ed:c4:2a:bc:

+                    f0:4f:ca:07:df:e3:88:fa:f4:21:99:35:0e:3d:ea:

+                    b0:86:e7:c4:d2:8a:83:2b:42:b8:ec:a3:99:62:70:

+                    81:46:cc:fc:a5:1d:d2:63:e8:eb:07:25:9a:e2:25:

+                    6d:11:56:f2:1a:51:a1:b6:3e:1c:57:32:e9:7b:2c:

+                    aa:1b:cc:97:2d:89:2d:b1:c9:5e:35:28:4d:7c:fa:

+                    65:31:3e:f7:70:dd:6e:0b:3c:58:af:a8:2e:24:c0:

+                    7e:4e:78:7d:0a:9e:8f:42:43

+                Exponent: 65537 (0x10001)

+        X509v3 extensions:

+            X509v3 Basic Constraints: 

+                CA:FALSE

+            Netscape Comment: 

+                Easy-RSA Generated Certificate

+            X509v3 Subject Key Identifier: 

+                DE:42:EF:2D:98:A3:6C:A8:AA:E0:8C:71:2C:9D:64:23:A9:E2:7E:81

+            X509v3 Authority Key Identifier: 

+                keyid:66:EE:C3:17:3D:3D:AB:44:01:6B:6F:B2:99:19:BD:AA:02:B5:34:FB

+                DirName:/C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/OU=changeme/CN=changeme/name=changeme/emailAddress=mail@host.domain

+                serial:FD:AB:EC:6A:84:27:04:A7

+

+            X509v3 Extended Key Usage: 

+                TLS Web Client Authentication

+            X509v3 Key Usage: 

+                Digital Signature

+    Signature Algorithm: sha1WithRSAEncryption

+         1c:44:26:ea:e1:66:25:cb:e4:8e:57:1c:f6:b9:17:22:62:40:

+         12:90:8f:3b:b2:61:7a:54:94:8f:b1:20:0b:bf:a3:51:e3:fa:

+         1c:a1:be:92:3a:d0:76:44:c0:57:83:ab:6a:e4:1a:45:49:a4:

+         af:39:0d:60:32:fc:3a:be:d7:fb:5d:99:7a:1f:87:e7:d5:ab:

+         84:a2:5e:90:d8:bf:fa:89:6d:32:26:02:5e:31:35:68:7f:31:

+         f5:6b:51:46:bc:af:70:ed:5a:09:7d:ec:b2:48:4f:fe:c5:2f:

+         56:04:ad:f6:c1:d2:2a:e4:6a:c4:87:fe:08:35:c5:38:cb:5e:

+         4a:c4

+-----BEGIN CERTIFICATE-----

+MIIEFTCCA36gAwIBAgIBAzANBgkqhkiG9w0BAQUFADCBojELMAkGA1UEBhMCVVMx

+CzAJBgNVBAgTAkNBMRUwEwYDVQQHEwxTYW5GcmFuY2lzY28xFTATBgNVBAoTDEZv

+cnQtRnVuc3RvbjERMA8GA1UECxMIY2hhbmdlbWUxETAPBgNVBAMTCGNoYW5nZW1l

+MREwDwYDVQQpEwhjaGFuZ2VtZTEfMB0GCSqGSIb3DQEJARYQbWFpbEBob3N0LmRv

+bWFpbjAeFw0xMzEyMDQxNDE3NTRaFw0yMzEyMDIxNDE3NTRaMIGgMQswCQYDVQQG

+EwJVUzELMAkGA1UECBMCQ0ExFTATBgNVBAcTDFNhbkZyYW5jaXNjbzEVMBMGA1UE

+ChMMRm9ydC1GdW5zdG9uMREwDwYDVQQLEwhjaGFuZ2VtZTEPMA0GA1UEAxMGY2xp

+ZW50MREwDwYDVQQpEwhjaGFuZ2VtZTEfMB0GCSqGSIb3DQEJARYQbWFpbEBob3N0

+LmRvbWFpbjCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAyskF0AlOPqT81RT0

+peg002tR4/Ni6qHw6O3EKrzwT8oH3+OI+vQhmTUOPeqwhufE0oqDK0K47KOZYnCB

+Rsz8pR3SY+jrByWa4iVtEVbyGlGhtj4cVzLpeyyqG8yXLYktscleNShNfPplMT73

+cN1uCzxYr6guJMB+Tnh9Cp6PQkMCAwEAAaOCAVkwggFVMAkGA1UdEwQCMAAwLQYJ

+YIZIAYb4QgENBCAWHkVhc3ktUlNBIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNV

+HQ4EFgQU3kLvLZijbKiq4IxxLJ1kI6nifoEwgdcGA1UdIwSBzzCBzIAUZu7DFz09

+q0QBa2+ymRm9qgK1NPuhgaikgaUwgaIxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJD

+QTEVMBMGA1UEBxMMU2FuRnJhbmNpc2NvMRUwEwYDVQQKEwxGb3J0LUZ1bnN0b24x

+ETAPBgNVBAsTCGNoYW5nZW1lMREwDwYDVQQDEwhjaGFuZ2VtZTERMA8GA1UEKRMI

+Y2hhbmdlbWUxHzAdBgkqhkiG9w0BCQEWEG1haWxAaG9zdC5kb21haW6CCQD9q+xq

+hCcEpzATBgNVHSUEDDAKBggrBgEFBQcDAjALBgNVHQ8EBAMCB4AwDQYJKoZIhvcN

+AQEFBQADgYEAHEQm6uFmJcvkjlcc9rkXImJAEpCPO7JhelSUj7EgC7+jUeP6HKG+

+kjrQdkTAV4OrauQaRUmkrzkNYDL8Or7X+12Zeh+H59WrhKJekNi/+oltMiYCXjE1

+aH8x9WtRRryvcO1aCX3sskhP/sUvVgSt9sHSKuRqxIf+CDXFOMteSsQ=

+-----END CERTIFICATE-----

new file mode 100644

@@ -0,0 +1,16 @@

+-----BEGIN PRIVATE KEY-----

+MIICdQIBADANBgkqhkiG9w0BAQEFAASCAl8wggJbAgEAAoGBAMrJBdAJTj6k/NUU

+9KXoNNNrUePzYuqh8OjtxCq88E/KB9/jiPr0IZk1Dj3qsIbnxNKKgytCuOyjmWJw

+gUbM/KUd0mPo6wclmuIlbRFW8hpRobY+HFcy6XssqhvMly2JLbHJXjUoTXz6ZTE+

+93Ddbgs8WK+oLiTAfk54fQqej0JDAgMBAAECgYBOFEzKp2qbMEexe9ofL2N3rDDh

+xkrl8OijpzkLA6i78BxMFn4dsnZlWUpciMrjhsYAExkiRRSS+QMMJimAq1jzQqc3

+FAQV2XGYwkd0cUn7iZGvfNnEPysjsfyYQM+m+sT0ATj4BZjVShC6kkSjTdm1leLN

+OSvcHdcu3Xxg9ufF0QJBAPYdnNt5sIndt2WECePuRVi+uF4mlxTobFY0fjn26yhC

+4RsnhhD3Vldygo9gvnkwrAZYaALGSPBewes2InxvjA8CQQDS7erKiNXpwoqz5XiU

+SVEsIIVTdWzBjGbIqMOu/hUwM5FK4j6JTBks0aTGMyh0YV9L1EzM0X79J29JahCe

+iQKNAkBKNMOGqTpBV0hko1sYDk96YobUXG5RL4L6uvkUIQ7mJMQam+AgXXL7Ctuy

+v0iu4a38e8tgisiTMP7nHHtpaXihAkAOiN54/lzfMsykANgCP9scE1GcoqbP34Dl

+qttxH4kOPT9xzY1JoLjLYdbc4YGUI3GRpBt2sajygNkmUey7P+2xAkBBsVCZFvTw

+qHvOpPS2kX5ml5xoc/QAHK9N7kR+X7XFYx82RTVSqJEK4lPb+aEWn+CjiIewO4Q5

+ksDFuNxAzbhl

+-----END PRIVATE KEY-----

new file mode 100644

@@ -0,0 +1,73 @@

+Certificate:

+    Data:

+        Version: 3 (0x2)

+        Serial Number: 2 (0x2)

+    Signature Algorithm: sha1WithRSAEncryption

+        Issuer: C=US, ST=CA, L=SanFrancisco, O=Evil Inc, OU=changeme, CN=changeme/name=changeme/emailAddress=mail@host.domain

+        Validity

+            Not Before: Feb 24 17:54:59 2014 GMT

+            Not After : Feb 22 17:54:59 2024 GMT

+        Subject: C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=changeme, CN=client/name=changeme/emailAddress=mail@host.domain

+        Subject Public Key Info:

+            Public Key Algorithm: rsaEncryption

+                Public-Key: (1024 bit)

+                Modulus:

+                    00:e8:e2:2c:b8:d4:db:89:50:4f:47:1e:68:db:f7:

+                    e4:cc:47:41:63:75:03:37:50:7a:a8:4d:27:36:d5:

+                    15:01:08:b6:cf:56:f7:56:6d:3d:f9:e2:8d:1a:5d:

+                    bf:a0:24:5e:07:55:8e:d0:dc:f1:fa:19:87:1d:d6:

+                    b6:58:82:2e:ba:69:6d:e9:d9:c8:16:0d:1d:59:7f:

+                    f4:8e:58:10:01:3d:21:14:16:3c:ec:cd:8c:b7:0e:

+                    e6:7b:77:b4:f9:90:a5:17:01:bb:84:c6:b2:12:87:

+                    70:eb:9f:6d:4f:d0:68:8b:96:c0:e7:0b:51:b4:9d:

+                    1d:7b:6c:7b:be:89:6b:88:8b

+                Exponent: 65537 (0x10001)

+        X509v3 extensions:

+            X509v3 Basic Constraints: 

+                CA:FALSE

+            Netscape Comment: 

+                Easy-RSA Generated Certificate

+            X509v3 Subject Key Identifier: 

+                9E:F8:49:D0:A2:76:30:5C:AB:2B:8A:B5:8D:C6:45:1F:A7:F8:CF:85

+            X509v3 Authority Key Identifier: 

+                keyid:DC:A5:F1:76:DB:4E:CD:8E:EF:B1:23:56:1D:92:80:99:74:3B:EA:6F

+                DirName:/C=US/ST=CA/L=SanFrancisco/O=Evil Inc/OU=changeme/CN=changeme/name=changeme/emailAddress=mail@host.domain

+                serial:E7:21:1E:18:41:1B:96:83

+

+            X509v3 Extended Key Usage: 

+                TLS Web Client Authentication

+            X509v3 Key Usage: 

+                Digital Signature

+    Signature Algorithm: sha1WithRSAEncryption

+         48:76:c0:18:fa:0a:ee:4e:1a:ec:02:9d:d4:83:ca:94:54:a1:

+         3f:51:2f:3e:4b:95:c3:42:9b:71:a0:4b:d9:af:47:23:b9:1c:

+         fb:85:ba:76:e2:09:cb:65:bb:d2:7d:44:3d:4b:67:ba:80:83:

+         be:a8:ed:c4:b9:ea:1a:1b:c7:59:3b:d9:5c:0d:46:d8:c9:92:

+         cb:10:c5:f2:1a:38:a4:aa:07:2c:e3:84:16:79:c7:95:09:e3:

+         01:d2:15:a2:77:0b:8b:bf:94:04:e9:7f:c0:cd:e6:2e:64:cd:

+         1e:a3:32:ec:11:cc:62:ce:c7:4e:cd:ad:48:5c:b1:b8:e9:76:

+         b3:f9

+-----BEGIN CERTIFICATE-----

+MIIEDTCCA3agAwIBAgIBAjANBgkqhkiG9w0BAQUFADCBnjELMAkGA1UEBhMCVVMx

+CzAJBgNVBAgTAkNBMRUwEwYDVQQHEwxTYW5GcmFuY2lzY28xETAPBgNVBAoTCEV2

+aWwgSW5jMREwDwYDVQQLEwhjaGFuZ2VtZTERMA8GA1UEAxMIY2hhbmdlbWUxETAP

+BgNVBCkTCGNoYW5nZW1lMR8wHQYJKoZIhvcNAQkBFhBtYWlsQGhvc3QuZG9tYWlu

+MB4XDTE0MDIyNDE3NTQ1OVoXDTI0MDIyMjE3NTQ1OVowgaAxCzAJBgNVBAYTAlVT

+MQswCQYDVQQIEwJDQTEVMBMGA1UEBxMMU2FuRnJhbmNpc2NvMRUwEwYDVQQKEwxG

+b3J0LUZ1bnN0b24xETAPBgNVBAsTCGNoYW5nZW1lMQ8wDQYDVQQDEwZjbGllbnQx

+ETAPBgNVBCkTCGNoYW5nZW1lMR8wHQYJKoZIhvcNAQkBFhBtYWlsQGhvc3QuZG9t

+YWluMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDo4iy41NuJUE9HHmjb9+TM

+R0FjdQM3UHqoTSc21RUBCLbPVvdWbT354o0aXb+gJF4HVY7Q3PH6GYcd1rZYgi66

+aW3p2cgWDR1Zf/SOWBABPSEUFjzszYy3DuZ7d7T5kKUXAbuExrISh3Drn21P0GiL

+lsDnC1G0nR17bHu+iWuIiwIDAQABo4IBVTCCAVEwCQYDVR0TBAIwADAtBglghkgB

+hvhCAQ0EIBYeRWFzeS1SU0EgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0GA1UdDgQW

+BBSe+EnQonYwXKsrirWNxkUfp/jPhTCB0wYDVR0jBIHLMIHIgBTcpfF2207Nju+x

+I1YdkoCZdDvqb6GBpKSBoTCBnjELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRUw

+EwYDVQQHEwxTYW5GcmFuY2lzY28xETAPBgNVBAoTCEV2aWwgSW5jMREwDwYDVQQL

+EwhjaGFuZ2VtZTERMA8GA1UEAxMIY2hhbmdlbWUxETAPBgNVBCkTCGNoYW5nZW1l

+MR8wHQYJKoZIhvcNAQkBFhBtYWlsQGhvc3QuZG9tYWluggkA5yEeGEEbloMwEwYD

+VR0lBAwwCgYIKwYBBQUHAwIwCwYDVR0PBAQDAgeAMA0GCSqGSIb3DQEBBQUAA4GB

+AEh2wBj6Cu5OGuwCndSDypRUoT9RLz5LlcNCm3GgS9mvRyO5HPuFunbiCctlu9J9

+RD1LZ7qAg76o7cS56hobx1k72VwNRtjJkssQxfIaOKSqByzjhBZ5x5UJ4wHSFaJ3

+C4u/lATpf8DN5i5kzR6jMuwRzGLOx07NrUhcsbjpdrP5

+-----END CERTIFICATE-----

new file mode 100644

@@ -0,0 +1,16 @@

+-----BEGIN PRIVATE KEY-----

+MIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBAOjiLLjU24lQT0ce

+aNv35MxHQWN1AzdQeqhNJzbVFQEIts9W91ZtPfnijRpdv6AkXgdVjtDc8foZhx3W

+tliCLrppbenZyBYNHVl/9I5YEAE9IRQWPOzNjLcO5nt3tPmQpRcBu4TGshKHcOuf

+bU/QaIuWwOcLUbSdHXtse76Ja4iLAgMBAAECgYADs+TmI2xCKKa6CL++D5jxrohZ

+nnionnz0xBVFh+nHlG3jqgxQsXf0yydXLfpn/2wHTdLxezHVuiYt0UYg7iD0CglW

++IjcgMebzyjLeYqYOE5llPlMvhp2HoEMYJNb+7bRrZ1WCITbu+Su0w1cgA7Cs+Ej

+VlfvGzN+qqnDThRUYQJBAPY0sMWZJKly8QhUmUvmcXdPczzSOf6Mm7gc5LR6wzxd

+vW7syuqk50qjqVqFpN81vCV7GoDxRUWbTM9ftf7JGFkCQQDyJc/1RMygE2o+enU1

+6UBxJyclXITEYtDn8aoEpLNc7RakP1WoPUKjZOnjkcoKcIkFNkSPeCfQujrb5f3F

+MkuDAkByAI/hzzmkpK5rFxEsjfX4Mve/L/DepyjrpaVY1IdWimlO1aJX6CeY7hNa

+8QsYt/74s/nfvtg+lNyKIV1aLq9xAkB+WSSNgfyTeg3x08vc+Xxajmdqoz/TiQwg

+OoTQL3A3iK5LvZBgXLasszcnOycFE3srcQmNItEDpGiZ3QPxJTEpAkEA45EE9NMJ

+SA7EGWSFlbz4f4u4oBeiDiJRJbGGfAyVxZlpCWUjPpg9+swsWoFEOjnGYaChAMk5

+nrOdMf15T6QF7Q==

+-----END PRIVATE KEY-----

new file mode 100644

@@ -0,0 +1,76 @@

+Certificate:

+    Data:

+        Version: 3 (0x2)

+        Serial Number: 4 (0x4)

+    Signature Algorithm: sha1WithRSAEncryption

+        Issuer: C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=changeme, CN=changeme/name=changeme/emailAddress=mail@host.domain

+        Validity

+            Not Before: Dec  4 15:01:20 2013 GMT

+            Not After : Dec  2 15:01:20 2023 GMT

+        Subject: C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=changeme, CN=*/name=changeme/emailAddress=mail@host.domain

+        Subject Public Key Info:

+            Public Key Algorithm: rsaEncryption

+                Public-Key: (1024 bit)

+                Modulus:

+                    00:c1:ff:7d:30:6f:64:4a:b1:92:b1:71:d1:c1:74:

+                    e2:1d:db:2d:11:24:e1:00:d4:00:ae:6f:c8:9e:ae:

+                    67:b3:4a:bd:f7:e6:9e:57:6d:19:4c:3c:23:94:2d:

+                    3d:d6:63:84:d8:fa:76:2b:38:12:c1:ed:20:9d:32:

+                    e0:e8:c2:bf:9a:77:70:04:3f:7f:ca:8c:2c:82:d6:

+                    3d:25:5c:02:1a:4f:64:93:03:dd:9c:42:97:5e:09:

+                    49:af:f0:c2:e1:30:08:0e:21:46:95:d1:13:59:c0:

+                    c8:76:be:94:0d:8b:43:67:21:33:b2:08:60:9d:76:

+                    a8:05:32:1e:f9:95:09:14:75

+                Exponent: 65537 (0x10001)

+        X509v3 extensions:

+            X509v3 Basic Constraints: 

+                CA:FALSE

+            Netscape Cert Type: 

+                SSL Server

+            Netscape Comment: 

+                Easy-RSA Generated Server Certificate

+            X509v3 Subject Key Identifier: 

+                14:02:FD:FD:DD:13:38:E0:71:EA:D1:BE:C0:0E:89:1A:2D:B6:19:06

+            X509v3 Authority Key Identifier: 

+                keyid:66:EE:C3:17:3D:3D:AB:44:01:6B:6F:B2:99:19:BD:AA:02:B5:34:FB

+                DirName:/C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/OU=changeme/CN=changeme/name=changeme/emailAddress=mail@host.domain

+                serial:FD:AB:EC:6A:84:27:04:A7

+

+            X509v3 Extended Key Usage: 

+                TLS Web Server Authentication

+            X509v3 Key Usage: 

+                Digital Signature, Key Encipherment