diff --git a/cmd/hub/gencerts.sh b/cmd/hub/gencerts.sh
new file mode 100755
index 0000000..1960a93
--- /dev/null
+++ b/cmd/hub/gencerts.sh
@@ -0,0 +1,174 @@ +#!/usr/bin/env nix-shell +#! nix-shell -i bash --pure +#! nix-shell -p bash cfssl openssl +#! nix-shell -I nixpkgs=https://github.com/NixOS/nixpkgs/archive/4ecab3273592f27479a583fb6d975d4aba3486fe.tar.gz + + +TMPDIR=$(mktemp -d) +OUTDIR="./.certs" +ca="ca" +ca_csr="${TMPDIR}/ca.json" +ca_config="${TMPDIR}/ca-config.json" + + +key_algo=rsa +key_size=2048 +cert_expire=43800 # = 5 years * 365 days * 24 hours + +C="US" +L="PA" +O="Equinix Metal Development" +OU="Nautilus" +ST="Philadelphia" + +cat <<-EOFCACONFIG > ${ca_config} +{ + "signing": { + "default": { + "expiry": "${cert_expire}h" + }, + "profiles": { + "server": { + "expiry": "${cert_expire}h", + "usages": [ + "signing", + "key encipherment", + "server auth" + ] + }, + "client": { + "expiry": "${cert_expire}h", + "usages": [ + "signing", + "key encipherment", + "client auth" + ] + }, + "client-server": { + "expiry": "${cert_expire}h", + "usages": [ + "signing", + "key encipherment", + "server auth", + "client auth" + ] + } + } + } +} +EOFCACONFIG + +function generate_ca { + echo "==================== generating self-signed CA key pair" + + cat <<-EOFCACSR > ${ca_csr} +{ + "CN": "Nautilus Local CA", + "key": { + "algo": "${key_algo}", + "size": ${key_size} + }, + "names": [ + { + "C": "${C}", + "L": "${L}", + "O": "${O}", + "ST": "${ST}", + "OU": "${OU}" + } + ] +} +EOFCACSR + + cfssl gencert -initca "${ca_csr}" | cfssljson -bare ${ca} + mv "${ca}.pem" "${OUTDIR}/${ca}.pem" + mv "${ca}-key.pem" "${OUTDIR}/${ca}-key.pem" +} + +function generate_server_certificate { + echo "=================== generating server certificate" + + server_csr="${TMPDIR}/server-csr.json" + cat < ${server_csr} +{ + "CN": "Nautilus Hub", + "hosts": [ "localhost", "hub.example.net" ], + "key": { + "algo": "${key_algo}", + "size": ${key_size} + } +} +EOF + + cfssl gencert -ca="${OUTDIR}/${ca}.pem" -ca-key="${OUTDIR}/${ca}-key.pem" -config="${ca_config}" -profile=client-server ${server_csr} | cfssljson -bare server +} + 
+function generate_client_certificate { + echo "================== generating client certificate" + + client_csr="${TMPDIR}/client-csr.json" + cat < ${client_csr} +{ + "CN": "Nautilus Spoke 1", + "hosts": [ "localhost", "spoke1.example.net" ], + "key": { + "algo": "${key_algo}", + "size": ${key_size} + } +} +EOF + + cfssl gencert -ca="${OUTDIR}/${ca}.pem" -ca-key="${OUTDIR}/${ca}-key.pem" -config="${ca_config}" -profile=client ${client_csr} | cfssljson -bare client +} + + +function generate_admin_certificate { + echo "================= generating admin certificate" + + admin_csr="${TMPDIR}/admin-csr.json" + cat < ${admin_csr} +{ + "CN": "Nautilus Admin - Adam", + "key": { + "algo": "${key_algo}", + "size": ${key_size} + }, + "names": [ + { + "C": "${C}", + "L": "${L}", + "O": "${O}", + "ST": "${ST}", + "OU": "Nautilus Admins" + } + ] +} +EOF + cfssl gencert -ca="${OUTDIR}/${ca}.pem" -ca-key="${OUTDIR}/${ca}-key.pem" -config="${ca_config}" -profile=client ${admin_csr} | cfssljson -bare admin +} + + +function move_certs { + echo "================ copying certificates to ${OUTDIR}" + for c in server client admin; do + [[ -f "${c}-key.pem" ]] && mv "${c}-key.pem" "${OUTDIR}/${c}-key.pem" || echo "${c}-key.pem not regenerated" + [[ -f "${c}.pem" ]] && mv "${c}.pem" "${OUTDIR}/${c}.pem" || echo "${c}.pem not regenerated" + done +} + + +function main { + mkdir -p "${OUTDIR}" + + [[ -f "${OUTDIR}/ca.pem" ]] || generate_ca + [[ -f "${OUTDIR}/server.pem" ]] || generate_server_certificate + [[ -f "${OUTDIR}/client.pem" ]] || generate_client_certificate + [[ -f "${OUTDIR}/admin.pem" ]] || generate_admin_certificate + move_certs + + rm {ca,server,admin,client}.csr 2>/dev/null + + chmod 600 ${OUTDIR}/*-key.pem +} + +main
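Review bot: In main, the four regeneration guards are independent: when ca.pem is missing and a new CA is generated while server.pem, client.pem or admin.pem already exist, those leaves stay signed by the previous CA key and will no longer verify against the new ca.pem, so a missing CA should force re-issuance of every leaf. The script also runs without `set -euo pipefail`, so a failing `cfssl gencert -initca … | cfssljson -bare` only surfaces as mv errors while the run continues, and the mktemp directory holding the CSR JSON is never removed; enabling strict mode means the unguarded `rm {ca,server,admin,client}.csr 2>/dev/null` must become `rm -f --` or the script aborts before the chmod. As rendered, the leaf functions show `cat < ${server_csr}` terminated by a bare `EOF`, which looks like a heredoc `cat <<EOF > "${server_csr}"` lost to rendering — worth confirming in the real file, since `cat <` would read a not-yet-existing file. Suggested shape for the top of the script and main below; the generate_* functions and move_certs are unchanged.
```shell
set -euo pipefail

TMPDIR=$(mktemp -d)
trap 'rm -rf -- "${TMPDIR:?}"' EXIT
# … unchanged: OUTDIR/ca defaults, CA config heredoc, generate_* and move_certs …

function main {
  mkdir -p "${OUTDIR}"

  # A new CA invalidates every existing leaf: drop them so they are re-issued below.
  if [[ ! -f "${OUTDIR}/ca.pem" ]]; then
    generate_ca
    rm -f -- "${OUTDIR}"/{server,client,admin}.pem "${OUTDIR}"/{server,client,admin}-key.pem
  fi
  [[ -f "${OUTDIR}/server.pem" ]] || generate_server_certificate
  [[ -f "${OUTDIR}/client.pem" ]] || generate_client_certificate
  [[ -f "${OUTDIR}/admin.pem" ]] || generate_admin_certificate
  move_certs

  # -f: absent .csr files must not abort the run under set -e
  rm -f -- {ca,server,admin,client}.csr
  chmod 600 "${OUTDIR}"/*-key.pem
}
```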