#!/usr/bin/env nix-shell
#! nix-shell -i bash --pure
#! nix-shell -p bash cfssl openssl
#! nix-shell -I nixpkgs=https://github.com/NixOS/nixpkgs/archive/4ecab3273592f27479a583fb6d975d4aba3486fe.tar.gz
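# ---------------------------------------------------------------------------
# Local development PKI: one self-signed CA plus server/client/admin leaf
# certificates, produced with cfssl and dropped into ${OUTDIR}.
#
# Everything in this section is configuration shared by the generate_*
# functions below. All paths are relative to the directory the script is
# run from, not to the script's own location.
# ---------------------------------------------------------------------------
set -u            # an unset variable is a bug here, never an empty default
set -o pipefail   # let `cfssl ... | cfssljson` report a cfssl failure too

# Scratch space for the CSR and signing-config JSON. It is removed on any
# exit so the request files do not linger in the system temp directory.
# NOTE(review): if the caller exported TMPDIR, bash keeps the export on
# reassignment and child tools (mktemp, cfssl) will see this scratch dir as
# their temp root — harmless, but worth knowing when debugging.
TMPDIR=$(mktemp -d) || { echo "mktemp failed" >&2; exit 1; }
readonly TMPDIR
trap 'rm -rf -- "${TMPDIR:?}"' EXIT

# Destination for the CA and leaf material; created by main, which also
# applies chmod 600 to every *-key.pem it contains at the end of the run.
readonly OUTDIR="./.certs"
readonly ca="ca"
readonly ca_csr="${TMPDIR}/ca.json"
readonly ca_config="${TMPDIR}/ca-config.json"

# Key parameters applied to every certificate request (CA and leaves).
readonly key_algo=rsa
readonly key_size=2048
# Validity in hours, used for the CA and every profile: 5 years * 365 days * 24 h.
# Leaves share the CA's lifetime, so a leaf issued late in the CA's life is
# nominally valid past the CA's expiry; path validation fails once the CA
# itself has expired, so treat the CA expiry as the real deadline.
readonly cert_expire=43800

# Subject fields for the CA and admin requests; the server and client
# requests set only CN and hosts.
readonly C="US"
readonly L="PA"
readonly O="Equinix Metal Development"
readonly OU="Nautilus"
readonly ST="Philadelphia"

# cfssl signing policy. "default" is the fallback; the named profiles differ
# only in the key usages they grant:
#   server        - serverAuth only
#   client        - clientAuth only
#   client-server - both (used for the hub; presumably it also dials out as
#                   a client — confirm against the hub's TLS config)
cat <<EOFCACONFIG > "${ca_config}"
{
  "signing": {
    "default": {
      "expiry": "${cert_expire}h"
    },
    "profiles": {
      "server": {
        "expiry": "${cert_expire}h",
        "usages": [
          "signing",
          "key encipherment",
          "server auth"
        ]
      },
      "client": {
        "expiry": "${cert_expire}h",
        "usages": [
          "signing",
          "key encipherment",
          "client auth"
        ]
      },
      "client-server": {
        "expiry": "${cert_expire}h",
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ]
      }
    }
  }
}
EOFCACONFIG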
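#######################################
# Create the self-signed root CA and place its certificate and private key
# in ${OUTDIR}. main calls this only when ${OUTDIR}/ca.pem is missing.
# Globals:   TMPDIR, ca, ca_csr, key_algo, key_size, C, L, O, ST, OU,
#            OUTDIR (all read)
# Outputs:   ${OUTDIR}/ca.pem and ${OUTDIR}/ca-key.pem
# Returns:   non-zero if cfssl/cfssljson fail or the files cannot be moved
#######################################
generate_ca() {
  echo "==================== generating self-signed CA key pair"
  cat <<EOFCACSR > "${ca_csr}"
{
  "CN": "Nautilus Local CA",
  "key": {
    "algo": "${key_algo}",
    "size": ${key_size}
  },
  "names": [
    {
      "C": "${C}",
      "L": "${L}",
      "O": "${O}",
      "ST": "${ST}",
      "OU": "${OU}"
    }
  ]
}
EOFCACSR
  # cfssljson writes ${ca}.pem / ${ca}-key.pem into the current directory.
  # Stop here on failure so a half-written CA is never moved into ${OUTDIR}.
  # NOTE(review): the CA key sits in the CWD with whatever mode cfssljson
  # uses until main's chmod 600 runs after the move — confirm that mode.
  cfssl gencert -initca "${ca_csr}" | cfssljson -bare "${ca}" || return 1
  mv -- "${ca}.pem" "${OUTDIR}/${ca}.pem" || return 1
  mv -- "${ca}-key.pem" "${OUTDIR}/${ca}-key.pem"
}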
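#######################################
# Issue the hub's certificate from the local CA. "hosts" becomes the SAN
# list; "localhost" covers local runs and hub.example.net is a placeholder
# name. The client-server profile grants both serverAuth and clientAuth.
# Globals:   TMPDIR, OUTDIR, ca, ca_config, key_algo, key_size (read)
# Outputs:   server.pem, server-key.pem and server.csr in the current
#            directory (move_certs relocates the .pem files)
# Returns:   status of the cfssl | cfssljson pipeline
#######################################
generate_server_certificate() {
  echo "=================== generating server certificate"
  local server_csr="${TMPDIR}/server-csr.json"
  cat <<EOF > "${server_csr}"
{
  "CN": "Nautilus Hub",
  "hosts": [ "localhost", "hub.example.net" ],
  "key": {
    "algo": "${key_algo}",
    "size": ${key_size}
  }
}
EOF
  cfssl gencert -ca="${OUTDIR}/${ca}.pem" -ca-key="${OUTDIR}/${ca}-key.pem" \
    -config="${ca_config}" -profile=client-server "${server_csr}" \
    | cfssljson -bare server
}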
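#######################################
# Issue the spoke's client certificate from the local CA using the
# client profile (clientAuth only). The "hosts" SANs are kept from the
# original request; with a client-only profile they are not used for
# server-name matching.
# Globals:   TMPDIR, OUTDIR, ca, ca_config, key_algo, key_size (read)
# Outputs:   client.pem, client-key.pem and client.csr in the current
#            directory (move_certs relocates the .pem files)
# Returns:   status of the cfssl | cfssljson pipeline
#######################################
generate_client_certificate() {
  echo "================== generating client certificate"
  local client_csr="${TMPDIR}/client-csr.json"
  cat <<EOF > "${client_csr}"
{
  "CN": "Nautilus Spoke 1",
  "hosts": [ "localhost", "spoke1.example.net" ],
  "key": {
    "algo": "${key_algo}",
    "size": ${key_size}
  }
}
EOF
  cfssl gencert -ca="${OUTDIR}/${ca}.pem" -ca-key="${OUTDIR}/${ca}-key.pem" \
    -config="${ca_config}" -profile=client "${client_csr}" \
    | cfssljson -bare client
}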
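#######################################
# Issue an operator identity certificate (client profile, no SANs) whose
# subject carries OU "Nautilus Admins" instead of the shared ${OU}. Anything
# that authorises on OU must therefore distinguish this cert from the spoke
# client cert by OU, not by profile — both are clientAuth.
# Globals:   TMPDIR, OUTDIR, ca, ca_config, key_algo, key_size,
#            C, L, O, ST (read)
# Outputs:   admin.pem, admin-key.pem and admin.csr in the current
#            directory (move_certs relocates the .pem files)
# Returns:   status of the cfssl | cfssljson pipeline
#######################################
generate_admin_certificate() {
  echo "================= generating admin certificate"
  local admin_csr="${TMPDIR}/admin-csr.json"
  cat <<EOF > "${admin_csr}"
{
  "CN": "Nautilus Admin - Adam",
  "key": {
    "algo": "${key_algo}",
    "size": ${key_size}
  },
  "names": [
    {
      "C": "${C}",
      "L": "${L}",
      "O": "${O}",
      "ST": "${ST}",
      "OU": "Nautilus Admins"
    }
  ]
}
EOF
  cfssl gencert -ca="${OUTDIR}/${ca}.pem" -ca-key="${OUTDIR}/${ca}-key.pem" \
    -config="${ca_config}" -profile=client "${admin_csr}" \
    | cfssljson -bare admin
}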
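#######################################
# Move the leaf certificates and keys that cfssljson left in the current
# directory into ${OUTDIR}. A file that is absent from the CWD was not
# regenerated this run and is reported, not treated as an error.
# Globals:   OUTDIR (read)
# Outputs:   one "<file> not regenerated" line per absent file, on stdout
# Returns:   non-zero if any mv fails
#######################################
move_certs() {
  echo "================ copying certificates to ${OUTDIR}"
  local c f rc=0
  for c in server client admin; do
    for f in "${c}-key.pem" "${c}.pem"; do
      if [[ -f "${f}" ]]; then
        # A failed mv must not be reported as "not regenerated": the
        # original `a && b || c` form conflated the two outcomes.
        mv -- "${f}" "${OUTDIR}/${f}" || rc=1
      else
        echo "${f} not regenerated"
      fi
    done
  done
  return "${rc}"
}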
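#######################################
# Entry point: make sure ${OUTDIR} exists, (re)issue whatever is missing,
# collect the results and tighten permissions on every private key.
# Globals:   OUTDIR (read)
# Returns:   non-zero if the output dir or the CA cannot be created
#######################################
main() {
  mkdir -p "${OUTDIR}" || return 1
  # A regenerated CA invalidates every leaf already in ${OUTDIR}: they are
  # signed by the old key and will no longer chain. Reissue them all in
  # that case rather than only filling in the missing files.
  local reissue=0
  if [[ ! -f "${OUTDIR}/ca.pem" ]]; then
    generate_ca || return 1
    reissue=1
  fi
  if (( reissue )) || [[ ! -f "${OUTDIR}/server.pem" ]]; then
    generate_server_certificate
  fi
  if (( reissue )) || [[ ! -f "${OUTDIR}/client.pem" ]]; then
    generate_client_certificate
  fi
  if (( reissue )) || [[ ! -f "${OUTDIR}/admin.pem" ]]; then
    generate_admin_certificate
  fi
  move_certs
  # The .csr files are by-products of signing and not needed afterwards;
  # -f because a CSR only exists for what was regenerated this run.
  rm -f -- ca.csr server.csr admin.csr client.csr
  # Private keys, the CA key included, must be readable by the owner only.
  # NOTE(review): ${OUTDIR} itself keeps the umask-default mode — consider
  # whether the directory should be 700 as well.
  chmod 600 "${OUTDIR}"/*-key.pem
}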
main