author | Alex Auvolat <alex@adnab.me> | 2020-04-12 19:00:30 +0200 |
---|---|---|
committer | Alex Auvolat <alex@adnab.me> | 2020-04-12 19:00:30 +0200 |
commit | d2814b5c3374f8b99a81dbb9fa3614c875cfc5e6 (patch) | |
tree | 08309e6d85dea5c28f4c12df151ed1b3bdb6bec9 /genkeys.sh | |
parent | d1e8f78b2cd28f4514ad6f7d54aae6aaa4ef3f15 (diff) | |
TLS works \o/
So, the issues were:
- webpki does not support IP addresses as DNS names in URLs,
so I hacked the HttpsConnector to always provide a fixed string
as the DNS name for server certificate validation
- the certificate required a SAN section which was complicated to build
but eventually the solution is there in genkeys.sh
Diffstat (limited to 'genkeys.sh')
-rwxr-xr-x | genkeys.sh | 46 |
1 files changed, 29 insertions, 17 deletions
@@ -10,27 +10,39 @@ cd pki
 if [ ! -f garage-ca.key ]; then
 echo "Generating Garage CA keys..."
 openssl genrsa -out garage-ca.key 4096
- openssl req -x509 -new -key garage-ca.key -subj "/C=FR/O=Garage" -days 3650 -out garage-ca.crt
+ openssl req -x509 -new -nodes -key garage-ca.key -sha256 -days 3650 -out garage-ca.crt -subj "/C=FR/O=Garage"
 fi
-if [ ! -f garage.key ]; then
- echo "Generating Garage agent keys..."
- openssl genrsa -out garage.key 4096
- openssl req -new -sha256 -key garage.key -subj "/C=FR/O=Garage/CN=*" -out garage.csr
+
+if [ ! -f garage.crt ]; then
+ echo "Generating Garage agent keys..."
+ if [ ! -f garage.key ]; then
+ openssl genrsa -out garage.key 4096
+ fi
+ openssl req -new -sha256 -key garage.key -subj "/C=FR/O=Garage/CN=garage" \
+ -out garage.csr
 openssl req -in garage.csr -noout -text
 openssl x509 -req -in garage.csr \
- -CA garage-ca.crt -CAkey garage-ca.key -CAcreateserial \
- -out garage.crt -days 365 -sha256
- rm garage.csr
-fi
+ -extensions v3_req \
+ -extfile <(cat <<EOF
+[req]
+distinguished_name = req_distinguished_name
+req_extensions = v3_req
+prompt = no
+
+[req_distinguished_name]
+C = FR
+O = Garage
+CN = garage
-if [ ! -f garage-client.key ]; then
- echo "Generating Garage client key..."
- openssl genrsa -out garage-client.key 4096
- openssl req -new -sha256 -key garage-client.key -subj "/C=FR/O=Garage" -out garage-client.csr
- openssl req -in garage-client.csr -noout -text
- openssl x509 -req -in garage-client.csr \
+[v3_req] keyUsage = keyEncipherment, dataEncipherment
+extendedKeyUsage = serverAuth, clientAuth
+subjectAltName = @alt_names
+[alt_names]
+DNS.1 = garage
+EOF
+) \
 -CA garage-ca.crt -CAkey garage-ca.key -CAcreateserial \
- -out garage-client.crt -days 365 -sha256
- rm garage-client.csr
+ -out garage.crt -days 365
 fi |
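Review bot: The new `[v3_req]` section sets `keyUsage = keyEncipherment, dataEncipherment` but omits `digitalSignature`, which is the bit that TLS 1.3 and every (EC)DHE cipher suite actually require of the server key (RFC 8446 §4.4.2.2), while `dataEncipherment` is never consulted by TLS at all. It presumably works here only because webpki does not enforce the KeyUsage extension; a stricter validator (OpenSSL- or browser-based clients) would refuse the handshake, so use `keyUsage = digitalSignature, keyEncipherment` and, since this is a leaf issued by a ten-year CA, add `basicConstraints = CA:FALSE` next to it. The `[req]` and `[req_distinguished_name]` sections in the same here-doc are ignored by `openssl x509 -req -extensions v3_req`, which reads only the named section and `@alt_names`, so they can be dropped to make the extfile's purpose obvious; the `-nodes` added to the CA `req -x509` line likewise appears to be inert because no key is generated on that invocation. Worth a comment beside `DNS.1 = garage` as well: with this fixed SAN and the hard-coded DNS name in the connector described in the message, the certificate proves only "issued by garage-ca", not which node a peer is, so any holder of a garage-ca-signed key can stand in for any other node, e.g. `# NOTE: single shared SAN; peer identity is CA-membership only, not per-node`.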