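#!/usr/bin/env nix-shell
#! nix-shell -i bash --pure
#! nix-shell -p bash cfssl openssl
#! nix-shell -I nixpkgs=https://github.com/NixOS/nixpkgs/archive/4ecab3273592f27479a583fb6d975d4aba3486fe.tar.gz
#
# Generate a self-signed development CA plus server, client and admin
# certificates with cfssl and place them under ${OUTDIR}.  Certificates that
# already exist in ${OUTDIR} are left alone; only missing ones are generated.
#
# The CA private key (ca-key.pem) is the trust root for everything issued
# here.  It is kept in ${OUTDIR} next to the leaf keys, which is only
# appropriate for a local development setup.

# nix-shell shebang lines cannot carry shell options, so set them here.
set -euo pipefail

# Scratch directory for the cfssl CSR / config JSON; removed on every exit path.
TMPDIR=$(mktemp -d)
trap 'rm -rf -- "${TMPDIR:?}"' EXIT

readonly OUTDIR="./.certs"
readonly ca="ca"
readonly ca_csr="${TMPDIR}/ca.json"
readonly ca_config="${TMPDIR}/ca-config.json"
readonly key_algo=rsa
readonly key_size=2048
readonly cert_expire=43800 # hours = 5 years * 365 days * 24 hours

# Subject fields shared by the CA and admin CSRs.
readonly C="US"
readonly L="PA"
readonly O="Equinix Metal Development"
readonly OU="Nautilus"
readonly ST="Philadelphia"

# cfssl signing policy used for every leaf certificate.  All profiles share
# the same ${cert_expire}h lifetime and differ only in extended key usage.
# The CA itself is created with `-initca` and does not go through this policy.
cat <<EOFCACONFIG > "${ca_config}"
{
  "signing": {
    "default": { "expiry": "${cert_expire}h" },
    "profiles": {
      "server": {
        "expiry": "${cert_expire}h",
        "usages": [ "signing", "key encipherment", "server auth" ]
      },
      "client": {
        "expiry": "${cert_expire}h",
        "usages": [ "signing", "key encipherment", "client auth" ]
      },
      "client-server": {
        "expiry": "${cert_expire}h",
        "usages": [ "signing", "key encipherment", "server auth", "client auth" ]
      }
    }
  }
}
EOFCACONFIG

#######################################
# Print a progress line on stdout.
# Arguments: the message words
#######################################
log() {
  printf '%s\n' "$*"
}

#######################################
# Sign a CSR with the local CA.  cfssljson writes <name>.pem, <name>-key.pem
# and <name>.csr into the current directory; move_certs relocates them.
# Globals:   OUTDIR, ca, ca_config (read)
# Arguments: $1 - cfssl profile name from ${ca_config}
#            $2 - path to the CSR JSON
#            $3 - output basename passed to cfssljson -bare
# Returns:   non-zero (and aborts under set -e/pipefail) if cfssl or cfssljson fail
#######################################
sign_with_ca() {
  local profile=$1 csr=$2 name=$3
  cfssl gencert \
    -ca="${OUTDIR}/${ca}.pem" \
    -ca-key="${OUTDIR}/${ca}-key.pem" \
    -config="${ca_config}" \
    -profile="${profile}" \
    "${csr}" | cfssljson -bare "${name}"
}

#######################################
# Create the self-signed CA and move its certificate and private key into
# ${OUTDIR}.
# Globals:   ca_csr, key_algo, key_size, C, L, O, ST, OU, ca, OUTDIR (read)
#######################################
generate_ca() {
  log "==================== generating self-signed CA key pair"
  cat <<EOFCACSR > "${ca_csr}"
{
  "CN": "Nautilus Local CA",
  "key": { "algo": "${key_algo}", "size": ${key_size} },
  "names": [
    { "C": "${C}", "L": "${L}", "O": "${O}", "ST": "${ST}", "OU": "${OU}" }
  ]
}
EOFCACSR
  cfssl gencert -initca "${ca_csr}" | cfssljson -bare "${ca}"
  mv -- "${ca}.pem" "${OUTDIR}/${ca}.pem"
  mv -- "${ca}-key.pem" "${OUTDIR}/${ca}-key.pem"
}

#######################################
# Issue the hub certificate (client-server profile) for localhost and
# hub.example.net.  Output lands in the current directory as server*.pem.
#######################################
generate_server_certificate() {
  log "=================== generating server certificate"
  local server_csr="${TMPDIR}/server-csr.json"
  cat <<EOF > "${server_csr}"
{
  "CN": "Nautilus Hub",
  "hosts": [ "localhost", "hub.example.net" ],
  "key": { "algo": "${key_algo}", "size": ${key_size} }
}
EOF
  sign_with_ca client-server "${server_csr}" server
}

#######################################
# Issue the spoke certificate (client profile) for localhost and
# spoke1.example.net.  Output lands in the current directory as client*.pem.
#######################################
generate_client_certificate() {
  log "================== generating client certificate"
  local client_csr="${TMPDIR}/client-csr.json"
  cat <<EOF > "${client_csr}"
{
  "CN": "Nautilus Spoke 1",
  "hosts": [ "localhost", "spoke1.example.net" ],
  "key": { "algo": "${key_algo}", "size": ${key_size} }
}
EOF
  sign_with_ca client "${client_csr}" client
}

#######################################
# Issue an admin user certificate (client profile, no hosts) whose subject
# carries OU "Nautilus Admins".  Output lands in the current directory as admin*.pem.
#######################################
generate_admin_certificate() {
  log "================= generating admin certificate"
  local admin_csr="${TMPDIR}/admin-csr.json"
  cat <<EOF > "${admin_csr}"
{
  "CN": "Nautilus Admin - Adam",
  "key": { "algo": "${key_algo}", "size": ${key_size} },
  "names": [
    { "C": "${C}", "L": "${L}", "O": "${O}", "ST": "${ST}", "OU": "Nautilus Admins" }
  ]
}
EOF
  sign_with_ca client "${admin_csr}" admin
}

#######################################
# Move freshly generated leaf certificates and keys from the current
# directory into ${OUTDIR}.  Files that were not regenerated this run are
# reported and skipped; a failing mv now aborts instead of being
# misreported as "not regenerated".
# Globals:   OUTDIR (read)
#######################################
move_certs() {
  local c f
  log "================ copying certificates to ${OUTDIR}"
  for c in server client admin; do
    for f in "${c}-key.pem" "${c}.pem"; do
      if [[ -f "${f}" ]]; then
        mv -- "${f}" "${OUTDIR}/${f}"
      else
        log "${f} not regenerated"
      fi
    done
  done
}

#######################################
# Entry point: generate whatever is missing, tidy up, and lock down key files.
# Globals:   OUTDIR (read)
#######################################
main() {
  local tool
  for tool in cfssl cfssljson; do
    if ! command -v "${tool}" >/dev/null; then
      printf '%s: required tool %s not found\n' "${0##*/}" "${tool}" >&2
      exit 1
    fi
  done

  mkdir -p "${OUTDIR}"

  # Private keys are first written to the cwd by cfssljson; a restrictive
  # umask keeps them from ever being group/world readable, even briefly.
  umask 077

  [[ -f "${OUTDIR}/ca.pem" ]] || generate_ca
  [[ -f "${OUTDIR}/server.pem" ]] || generate_server_certificate
  [[ -f "${OUTDIR}/client.pem" ]] || generate_client_certificate
  [[ -f "${OUTDIR}/admin.pem" ]] || generate_admin_certificate
  move_certs

  # cfssljson leaves the raw CSRs behind; they are not needed.
  rm -f -- ca.csr server.csr client.csr admin.csr

  # Certificates are public; keys are not.  Set certs readable first, then
  # override the mode for anything ending in -key.pem.
  chmod 644 "${OUTDIR}"/*.pem
  chmod 600 "${OUTDIR}"/*-key.pem
}

main "$@"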