aboutsummaryrefslogblamecommitdiff
path: root/genpki.sh
blob: 0ee633182184d450e499cc5518c8ff2a09aff5b7 (plain) (tree) 
b00a835















































143683e


b00a835







































143683e


b00a835











143683e




b00a835

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47

48
49

50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88

89
90

91
92
93
94
95
96
97
98
99
100
101

102
103
104
105

106















































                                                                                                                                     

                                                         






































                                                                                 

                                                         










                                                                            



                                                                                    
    
#!/bin/bash

set -xe

cd $(dirname $0)

mkdir -p secrets/pki
cd secrets/pki

YEAR=$(date +%Y)
for APP in consul nomad; do
	# 1. Create certificate authority
	if [ ! -f $APP-ca.key ]; then
		echo "Generating $APP CA keys..."
		#openssl genpkey -algorithm ED25519 -out $APP-ca.key
		openssl genrsa -out $APP-ca.key 4096

		openssl req -x509 -new -nodes -key $APP-ca.key -sha256 -days 3650 -out $APP-ca.crt -subj "/C=FR/O=Deuxfleurs/CN=$APP"
	fi

	CERT="${APP}${YEAR}"

	# 2. Create and sign certificates for inter-node communication
	if [ ! -f $CERT.crt ]; then
		echo "Generating $CERT agent keys..."
		if [ ! -f $CERT.key ]; then
			#openssl genpkey -algorithm ED25519 -out $CERT.key
			openssl genrsa -out $CERT.key 4096
		fi
		openssl req -new -sha256 -key $CERT.key \
			-subj "/C=FR/O=Deuxfleurs/CN=$APP" \
			-out $CERT.csr
		openssl req -in $CERT.csr -noout -text
		openssl x509 -req -in $CERT.csr \
			-extensions v3_req \
			-extfile <(cat <<EOF
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no

[req_distinguished_name]
C = FR
O = Deuxfleurs
CN = $APP

[v3_req]
keyUsage = keyEncipherment, keyCertSign, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = server.staging.$APP
DNS.2 = client.staging.$APP
DNS.3 = localhost
DNS.4 = 127.0.0.1
EOF
	) \
			-CA $APP-ca.crt -CAkey $APP-ca.key -CAcreateserial \
			-out $CERT.crt -days 700
		rm $CERT.csr
	fi

	# 3. Create client-only certificate used for the CLI
	if [ ! -f $CERT-client.crt ]; then
		echo "Generating $CERT client keys..."
		if [ ! -f $CERT-client.key ]; then
			#openssl genpkey -algorithm ED25519 -out $CERT-client.key
			openssl genrsa -out $CERT-client.key 4096
		fi
		openssl req -new -sha256 -key $CERT-client.key \
			-subj "/C=FR/O=Deuxfleurs/CN=$APP-client" \
			-out $CERT-client.csr
		openssl req -in $CERT-client.csr -noout -text
		openssl x509 -req -in $CERT-client.csr \
			-extensions v3_req \
			-extfile <(cat <<EOF
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no

[req_distinguished_name]
C = FR
O = Deuxfleurs
CN = $APP-client

[v3_req]
keyUsage = keyEncipherment, keyCertSign, dataEncipherment
extendedKeyUsage = clientAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = client.staging.$APP
EOF
	) \
			-CA $APP-ca.crt -CAkey $APP-ca.key -CAcreateserial \
			-out $CERT-client.crt -days 700
		rm $CERT-client.csr
	fi

	#if [ ! -f $CERT-client.p12 ]; then
	#	openssl pkcs12 -export -out $CERT-client.p12 \
	#		-in $APP-ca.pem -in $CERT-client.crt -inkey $CERT-client.key
	#fi
done
generated by cgit v1.2.3 (git 2.25.1) at 2024-10-19 19:45:08 +0000