authorAlex Auvolat <alex@adnab.me>2022-04-20 15:03:04 +0200
committerAlex Auvolat <alex@adnab.me>2022-04-20 15:03:04 +0200
commit7c1444b7143710066f5173119a529c3b5e101300 (patch)
treeec5206aa0986e070b2ebae5fdbea8b385fa01875 /genpki.sh
parenta8717f9bf5dbc9b102d872678f4e5d3d2790a408 (diff)
Move pki to pass
Diffstat (limited to 'genpki.sh')
-rwxr-xr-xgenpki.sh119
1 files changed, 0 insertions, 119 deletions
diff --git a/genpki.sh b/genpki.sh
deleted file mode 100755
index 6afb160..0000000
--- a/genpki.sh
+++ /dev/null
@@ -1,119 +0,0 @@
-#!/bin/bash
-
-set -xe
-
-# Enter proper cluster subdirectory
-
-cd $(dirname $0)
-
-CLUSTER="$1"
-if [ -z "$CLUSTER" ] || [ ! -d "cluster/$CLUSTER" ]; then
- echo "Usage: $0 <cluster name>"
- echo "The cluster name must be the name of a subdirectory of cluster/"
- exit 1
-fi
-
-cd cluster/$CLUSTER
-
-mkdir -p secrets/pki
-cd secrets/pki
-
-# Do actual stuff
-
-YEAR=$(date +%Y)
-for APP in consul nomad; do
- # 1. Create certificate authority
- if [ ! -f $APP-ca.key ]; then
- echo "Generating $APP CA keys..."
- #openssl genpkey -algorithm ED25519 -out $APP-ca.key
- openssl genrsa -out $APP-ca.key 4096
-
- openssl req -x509 -new -nodes -key $APP-ca.key -sha256 -days 3650 -out $APP-ca.crt -subj "/C=FR/O=Deuxfleurs/CN=$APP"
- fi
-
- CERT="${APP}${YEAR}"
-
- # 2. Create and sign certificates for inter-node communication
- if [ ! -f $CERT.crt ]; then
- echo "Generating $CERT agent keys..."
- if [ ! -f $CERT.key ]; then
- #openssl genpkey -algorithm ED25519 -out $CERT.key
- openssl genrsa -out $CERT.key 4096
- fi
- openssl req -new -sha256 -key $CERT.key \
- -subj "/C=FR/O=Deuxfleurs/CN=$APP" \
- -out $CERT.csr
- openssl req -in $CERT.csr -noout -text
- openssl x509 -req -in $CERT.csr \
- -extensions v3_req \
- -extfile <(cat <<EOF
-[req]
-distinguished_name = req_distinguished_name
-req_extensions = v3_req
-prompt = no
-
-[req_distinguished_name]
-C = FR
-O = Deuxfleurs
-CN = $APP
-
-[v3_req]
-keyUsage = keyEncipherment, keyCertSign, dataEncipherment
-extendedKeyUsage = serverAuth, clientAuth
-subjectAltName = @alt_names
-
-[alt_names]
-DNS.1 = server.$CLUSTER.$APP
-DNS.2 = client.$CLUSTER.$APP
-DNS.3 = localhost
-DNS.4 = 127.0.0.1
-EOF
- ) \
- -CA $APP-ca.crt -CAkey $APP-ca.key -CAcreateserial \
- -out $CERT.crt -days 700
- rm $CERT.csr
- fi
-
- # 3. Create client-only certificate used for the CLI
- if [ ! -f $CERT-client.crt ]; then
- echo "Generating $CERT client keys..."
- if [ ! -f $CERT-client.key ]; then
- #openssl genpkey -algorithm ED25519 -out $CERT-client.key
- openssl genrsa -out $CERT-client.key 4096
- fi
- openssl req -new -sha256 -key $CERT-client.key \
- -subj "/C=FR/O=Deuxfleurs/CN=$APP-client" \
- -out $CERT-client.csr
- openssl req -in $CERT-client.csr -noout -text
- openssl x509 -req -in $CERT-client.csr \
- -extensions v3_req \
- -extfile <(cat <<EOF
-[req]
-distinguished_name = req_distinguished_name
-req_extensions = v3_req
-prompt = no
-
-[req_distinguished_name]
-C = FR
-O = Deuxfleurs
-CN = $APP-client
-
-[v3_req]
-keyUsage = keyEncipherment, keyCertSign, dataEncipherment
-extendedKeyUsage = clientAuth
-subjectAltName = @alt_names
-
-[alt_names]
-DNS.1 = client.$CLUSTER.$APP
-EOF
- ) \
- -CA $APP-ca.crt -CAkey $APP-ca.key -CAcreateserial \
- -out $CERT-client.crt -days 700
- rm $CERT-client.csr
- fi
-
- #if [ ! -f $CERT-client.p12 ]; then
- # openssl pkcs12 -export -out $CERT-client.p12 \
- # -in $APP-ca.pem -in $CERT-client.crt -inkey $CERT-client.key
- #fi
-done