aboutsummaryrefslogtreecommitdiff
path: root/genpki.sh
diff options
context:
space:
mode:
authorAlex Auvolat <alex@adnab.me>2021-12-30 19:27:32 +0100
committerAlex Auvolat <alex@adnab.me>2021-12-30 19:27:32 +0100
commitb00a8358b20ac99912bacafd8fee5466da257e67 (patch)
treedf81c06567cbae31098ac77f41c9c11d67b9cc79 /genpki.sh
parent230c1d727b951e032603a5c776f540003829bff6 (diff)
downloadnixcfg-b00a8358b20ac99912bacafd8fee5466da257e67.tar.gz
nixcfg-b00a8358b20ac99912bacafd8fee5466da257e67.zip
Add TLS to Nomad
Diffstat (limited to 'genpki.sh')
-rwxr-xr-xgenpki.sh104
1 files changed, 104 insertions, 0 deletions
diff --git a/genpki.sh b/genpki.sh
new file mode 100755
index 0000000..be10f6f
--- /dev/null
+++ b/genpki.sh
@@ -0,0 +1,104 @@
+#!/bin/bash
+
+set -xe
+
+cd $(dirname $0)
+
+mkdir -p secrets/pki
+cd secrets/pki
+
+YEAR=$(date +%Y)
+for APP in consul nomad; do
+ # 1. Create certificate authority
+ if [ ! -f $APP-ca.key ]; then
+ echo "Generating $APP CA keys..."
+ #openssl genpkey -algorithm ED25519 -out $APP-ca.key
+ openssl genrsa -out $APP-ca.key 4096
+
+ openssl req -x509 -new -nodes -key $APP-ca.key -sha256 -days 3650 -out $APP-ca.crt -subj "/C=FR/O=Deuxfleurs/CN=$APP"
+ fi
+
+ CERT="${APP}${YEAR}"
+
+ # 2. Create and sign certificates for inter-node communication
+ if [ ! -f $CERT.crt ]; then
+ echo "Generating $CERT agent keys..."
+ if [ ! -f $CERT.key ]; then
+ #openssl genpkey -algorithm ED25519 -out $CERT.key
+ openssl genrsa -out $CERT.key 4096
+ fi
+ openssl req -new -sha256 -key $CERT.key \
+ -subj "/C=FR/O=Deuxfleurs/CN=$APP" \
+ -out $CERT.csr
+ openssl req -in $CERT.csr -noout -text
+ openssl x509 -req -in $CERT.csr \
+ -extensions v3_req \
+ -extfile <(cat <<EOF
+[req]
+distinguished_name = req_distinguished_name
+req_extensions = v3_req
+prompt = no
+
+[req_distinguished_name]
+C = FR
+O = Deuxfleurs
+CN = $APP
+
+[v3_req]
+keyUsage = keyEncipherment, keyCertSign, dataEncipherment, serverAuth, clientAuth
+subjectAltName = @alt_names
+
+[alt_names]
+DNS.1 = server.staging.$APP
+DNS.2 = client.staging.$APP
+DNS.3 = localhost
+DNS.4 = 127.0.0.1
+EOF
+ ) \
+ -CA $APP-ca.crt -CAkey $APP-ca.key -CAcreateserial \
+ -out $CERT.crt -days 700
+ rm $CERT.csr
+ fi
+
+ # 3. Create client-only certificate used for the CLI
+ if [ ! -f $CERT-client.crt ]; then
+ echo "Generating $CERT client keys..."
+ if [ ! -f $CERT-client.key ]; then
+ #openssl genpkey -algorithm ED25519 -out $CERT-client.key
+ openssl genrsa -out $CERT-client.key 4096
+ fi
+ openssl req -new -sha256 -key $CERT-client.key \
+ -subj "/C=FR/O=Deuxfleurs/CN=$APP-client" \
+ -out $CERT-client.csr
+ openssl req -in $CERT-client.csr -noout -text
+ openssl x509 -req -in $CERT-client.csr \
+ -extensions v3_req \
+ -extfile <(cat <<EOF
+[req]
+distinguished_name = req_distinguished_name
+req_extensions = v3_req
+prompt = no
+
+[req_distinguished_name]
+C = FR
+O = Deuxfleurs
+CN = $APP-client
+
+[v3_req]
+keyUsage = keyEncipherment, keyCertSign, dataEncipherment, clientAuth
+subjectAltName = @alt_names
+
+[alt_names]
+DNS.1 = client.staging.$APP
+EOF
+ ) \
+ -CA $APP-ca.crt -CAkey $APP-ca.key -CAcreateserial \
+ -out $CERT-client.crt -days 700
+ rm $CERT-client.csr
+ fi
+
+ if [ ! -f $CERT-client.p12 ]; then
+ openssl pkcs12 -export -out $CERT-client.p12 \
+ -in $APP-ca.pem -in $CERT-client.crt -inkey $CERT-client.key
+ fi
+done