105 lines
2.5 KiB
Bash
105 lines
2.5 KiB
Bash
|
#!/bin/bash
|
||
|
|
||
|
set -xe
|
||
|
|
||
|
cd $(dirname $0)
|
||
|
|
||
|
mkdir -p secrets/pki
|
||
|
cd secrets/pki
|
||
|
|
||
|
YEAR=$(date +%Y)
|
||
|
for APP in consul nomad; do
|
||
|
# 1. Create certificate authority
|
||
|
if [ ! -f $APP-ca.key ]; then
|
||
|
echo "Generating $APP CA keys..."
|
||
|
#openssl genpkey -algorithm ED25519 -out $APP-ca.key
|
||
|
openssl genrsa -out $APP-ca.key 4096
|
||
|
|
||
|
openssl req -x509 -new -nodes -key $APP-ca.key -sha256 -days 3650 -out $APP-ca.crt -subj "/C=FR/O=Deuxfleurs/CN=$APP"
|
||
|
fi
|
||
|
|
||
|
CERT="${APP}${YEAR}"
|
||
|
|
||
|
# 2. Create and sign certificates for inter-node communication
|
||
|
if [ ! -f $CERT.crt ]; then
|
||
|
echo "Generating $CERT agent keys..."
|
||
|
if [ ! -f $CERT.key ]; then
|
||
|
#openssl genpkey -algorithm ED25519 -out $CERT.key
|
||
|
openssl genrsa -out $CERT.key 4096
|
||
|
fi
|
||
|
openssl req -new -sha256 -key $CERT.key \
|
||
|
-subj "/C=FR/O=Deuxfleurs/CN=$APP" \
|
||
|
-out $CERT.csr
|
||
|
openssl req -in $CERT.csr -noout -text
|
||
|
openssl x509 -req -in $CERT.csr \
|
||
|
-extensions v3_req \
|
||
|
-extfile <(cat <<EOF
|
||
|
[req]
|
||
|
distinguished_name = req_distinguished_name
|
||
|
req_extensions = v3_req
|
||
|
prompt = no
|
||
|
|
||
|
[req_distinguished_name]
|
||
|
C = FR
|
||
|
O = Deuxfleurs
|
||
|
CN = $APP
|
||
|
|
||
|
[v3_req]
|
||
|
keyUsage = keyEncipherment, keyCertSign, dataEncipherment, serverAuth, clientAuth
|
||
|
subjectAltName = @alt_names
|
||
|
|
||
|
[alt_names]
|
||
|
DNS.1 = server.staging.$APP
|
||
|
DNS.2 = client.staging.$APP
|
||
|
DNS.3 = localhost
|
||
|
DNS.4 = 127.0.0.1
|
||
|
EOF
|
||
|
) \
|
||
|
-CA $APP-ca.crt -CAkey $APP-ca.key -CAcreateserial \
|
||
|
-out $CERT.crt -days 700
|
||
|
rm $CERT.csr
|
||
|
fi
|
||
|
|
||
|
# 3. Create client-only certificate used for the CLI
|
||
|
if [ ! -f $CERT-client.crt ]; then
|
||
|
echo "Generating $CERT client keys..."
|
||
|
if [ ! -f $CERT-client.key ]; then
|
||
|
#openssl genpkey -algorithm ED25519 -out $CERT-client.key
|
||
|
openssl genrsa -out $CERT-client.key 4096
|
||
|
fi
|
||
|
openssl req -new -sha256 -key $CERT-client.key \
|
||
|
-subj "/C=FR/O=Deuxfleurs/CN=$APP-client" \
|
||
|
-out $CERT-client.csr
|
||
|
openssl req -in $CERT-client.csr -noout -text
|
||
|
openssl x509 -req -in $CERT-client.csr \
|
||
|
-extensions v3_req \
|
||
|
-extfile <(cat <<EOF
|
||
|
[req]
|
||
|
distinguished_name = req_distinguished_name
|
||
|
req_extensions = v3_req
|
||
|
prompt = no
|
||
|
|
||
|
[req_distinguished_name]
|
||
|
C = FR
|
||
|
O = Deuxfleurs
|
||
|
CN = $APP-client
|
||
|
|
||
|
[v3_req]
|
||
|
keyUsage = keyEncipherment, keyCertSign, dataEncipherment, clientAuth
|
||
|
subjectAltName = @alt_names
|
||
|
|
||
|
[alt_names]
|
||
|
DNS.1 = client.staging.$APP
|
||
|
EOF
|
||
|
) \
|
||
|
-CA $APP-ca.crt -CAkey $APP-ca.key -CAcreateserial \
|
||
|
-out $CERT-client.crt -days 700
|
||
|
rm $CERT-client.csr
|
||
|
fi
|
||
|
|
||
|
if [ ! -f $CERT-client.p12 ]; then
|
||
|
openssl pkcs12 -export -out $CERT-client.p12 \
|
||
|
-in $APP-ca.pem -in $CERT-client.crt -inkey $CERT-client.key
|
||
|
fi
|
||
|
done
|