diff options
| author | Alex Auvolat <alex@adnab.me> | 2021-12-30 19:27:32 +0100 |
|---|---|---|
| committer | Alex Auvolat <alex@adnab.me> | 2021-12-30 19:27:32 +0100 |
| commit | b00a8358b20ac99912bacafd8fee5466da257e67 (patch) | |
| tree | df81c06567cbae31098ac77f41c9c11d67b9cc79 /genpki.sh | |
| parent | 230c1d727b951e032603a5c776f540003829bff6 (diff) | |
| download | nixcfg-b00a8358b20ac99912bacafd8fee5466da257e67.tar.gz nixcfg-b00a8358b20ac99912bacafd8fee5466da257e67.zip | |
Add TLS to Nomad
Diffstat (limited to 'genpki.sh')
| -rwxr-xr-x | genpki.sh | 104 |
1 files changed, 104 insertions, 0 deletions
diff --git a/genpki.sh b/genpki.sh new file mode 100755 index 0000000..be10f6f --- /dev/null +++ b/genpki.sh @@ -0,0 +1,104 @@ +#!/bin/bash + +set -xe + +cd $(dirname $0) + +mkdir -p secrets/pki +cd secrets/pki + +YEAR=$(date +%Y) +for APP in consul nomad; do + # 1. Create certificate authority + if [ ! -f $APP-ca.key ]; then + echo "Generating $APP CA keys..." + #openssl genpkey -algorithm ED25519 -out $APP-ca.key + openssl genrsa -out $APP-ca.key 4096 + + openssl req -x509 -new -nodes -key $APP-ca.key -sha256 -days 3650 -out $APP-ca.crt -subj "/C=FR/O=Deuxfleurs/CN=$APP" + fi + + CERT="${APP}${YEAR}" + + # 2. Create and sign certificates for inter-node communication + if [ ! -f $CERT.crt ]; then + echo "Generating $CERT agent keys..." + if [ ! -f $CERT.key ]; then + #openssl genpkey -algorithm ED25519 -out $CERT.key + openssl genrsa -out $CERT.key 4096 + fi + openssl req -new -sha256 -key $CERT.key \ + -subj "/C=FR/O=Deuxfleurs/CN=$APP" \ + -out $CERT.csr + openssl req -in $CERT.csr -noout -text + openssl x509 -req -in $CERT.csr \ + -extensions v3_req \ + -extfile <(cat <<EOF +[req] +distinguished_name = req_distinguished_name +req_extensions = v3_req +prompt = no + +[req_distinguished_name] +C = FR +O = Deuxfleurs +CN = $APP + +[v3_req] +keyUsage = keyEncipherment, keyCertSign, dataEncipherment, serverAuth, clientAuth +subjectAltName = @alt_names + +[alt_names] +DNS.1 = server.staging.$APP +DNS.2 = client.staging.$APP +DNS.3 = localhost +DNS.4 = 127.0.0.1 +EOF + ) \ + -CA $APP-ca.crt -CAkey $APP-ca.key -CAcreateserial \ + -out $CERT.crt -days 700 + rm $CERT.csr + fi + + # 3. Create client-only certificate used for the CLI + if [ ! -f $CERT-client.crt ]; then + echo "Generating $CERT client keys..." + if [ ! -f $CERT-client.key ]; then + #openssl genpkey -algorithm ED25519 -out $CERT-client.key + openssl genrsa -out $CERT-client.key 4096 + fi + openssl req -new -sha256 -key $CERT-client.key \ + -subj "/C=FR/O=Deuxfleurs/CN=$APP-client" \ + -out $CERT-client.csr + openssl req -in $CERT-client.csr -noout -text + openssl x509 -req -in $CERT-client.csr \ + -extensions v3_req \ + -extfile <(cat <<EOF +[req] +distinguished_name = req_distinguished_name +req_extensions = v3_req +prompt = no + +[req_distinguished_name] +C = FR +O = Deuxfleurs +CN = $APP-client + +[v3_req] +keyUsage = keyEncipherment, keyCertSign, dataEncipherment, clientAuth +subjectAltName = @alt_names + +[alt_names] +DNS.1 = client.staging.$APP +EOF + ) \ + -CA $APP-ca.crt -CAkey $APP-ca.key -CAcreateserial \ + -out $CERT-client.crt -days 700 + rm $CERT-client.csr + fi + + if [ ! -f $CERT-client.p12 ]; then + openssl pkcs12 -export -out $CERT-client.p12 \ + -in $APP-ca.pem -in $CERT-client.crt -inkey $CERT-client.key + fi +done |