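#!/bin/bash
# Script to setup keys for fence as well as ssl credentials
#
# Usage: creds_setup.sh [commonName]
#   commonName  CN of the nginx server certificate (default: localhost)
#
# Everything is written relative to the current working directory, and the
# generated CA config (temp_creds/openssl.cnf) uses paths relative to it too,
# so run this from the directory that should own temp_creds/ and temp_keys/.
#   temp_keys/<timestamp>/jwt_private_key.pem, jwt_public_key.pem  fence JWT keys
#   temp_creds/ca-key.pem, ca.pem                                  self-signed CA, 365 days
#   temp_creds/service.key, service.csr, service.crt               nginx key/CSR/cert signed by that CA
# On macOS a copy of /etc/ssl/openssl.cnf with a v3_ca section appended is
# written to ./openssl-with-ca.cnf, because the stock config there lacks one.
#
# NOTE(review): private keys are created under the current umask; run with
# `umask 077` beforehand if they must not be readable by other local users.
#
# Kept to bash 3.2 features (no namerefs, mapfile, case conversion) because
# the Darwin branch targets the system bash shipped with macOS.

readonly err_msg="problem with creds_setup.sh script, refer to compose-services wiki"

#######################################
# Report a failure, drop the partially generated credential directories and exit.
# Only the two directories this script creates are removed; the earlier
# `rm -rf temp*` glob would also have deleted unrelated files in the cwd.
# Arguments: $* - message printed to stderr
# Returns:   never (exit 1)
#######################################
die() {
  printf '%s\n' "$*" >&2
  rm -rf -- temp_creds temp_keys
  exit 1
}

#######################################
# Generate the RSA key pair fence uses to sign JWTs.
# Arguments: $1 - directory to write jwt_private_key.pem / jwt_public_key.pem into
#######################################
make_fence_keys() {
  local key_dir=$1
  mkdir -p -- "$key_dir" || die "$err_msg"
  openssl genpkey -algorithm RSA -out "$key_dir/jwt_private_key.pem" \
    -pkeyopt rsa_keygen_bits:2048 || die "$err_msg"
  openssl rsa -pubout -in "$key_dir/jwt_private_key.pem" \
    -out "$key_dir/jwt_public_key.pem" || die "$err_msg"
}

#######################################
# Decide which extra options `openssl req` needs to produce a CA certificate.
# Globals:   ca_opts (written) - array of extra options, empty on non-macOS
# Outputs:   on macOS, writes ./openssl-with-ca.cnf
#######################################
prepare_ca_config() {
  ca_opts=()
  [[ $(uname) == "Darwin" ]] || return 0
  # macOS's default openssl.cnf has no v3_ca section: append one to a copy and
  # point openssl at that copy.
  cp /etc/ssl/openssl.cnf openssl-with-ca.cnf || die "$err_msg"
  cat >> openssl-with-ca.cnf <<'EOM'

[ v3_ca ]
basicConstraints = critical,CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always

EOM
  ca_opts=(-extensions v3_ca -config openssl-with-ca.cnf)
}

#######################################
# Create the self-signed CA plus the minimal `openssl ca` database and config
# used afterwards to sign the server certificate.
# Globals:   ca_opts (read)
# Arguments: $1 - X.509 subject string for the CA certificate
#######################################
make_ca() {
  local subj=$1
  mkdir -p -- temp_creds || die "$err_msg"
  # -extensions v3_ca is repeated inside ca_opts on macOS, alongside the
  # -config that actually defines that section there.
  openssl req -new -x509 -nodes -extensions v3_ca -keyout temp_creds/ca-key.pem \
    -out temp_creds/ca.pem -days 365 -subj "$subj" "${ca_opts[@]}" \
    || die "$err_msg"

  # `openssl ca` state: index, serial counter and output dir for issued certs.
  mkdir -p -- temp_creds/CA/newcerts || die "$err_msg"
  touch temp_creds/CA/index.txt || die "$err_msg"
  printf '1000\n' > temp_creds/CA/serial || die "$err_msg"
  # Quoted delimiter: `$dir` below is an OpenSSL config variable, not a shell one.
  cat > temp_creds/openssl.cnf <<'EOM'
[ ca ]
# man ca
default_ca = CA_default
[ CA_default ]
# Directory and file locations.
dir = temp_creds # Where everything is kept
new_certs_dir = $dir/CA/newcerts
database = $dir/CA/index.txt # database index file.
certificate = $dir/ca.pem # The CA certificate
serial = $dir/CA/serial # The current serial number
private_key = $dir/ca-key.pem # The private key
# SHA-1 is deprecated, so use SHA-2 instead.
default_md = sha256
preserve = no
policy = policy_strict
[ policy_strict ]
# The root CA should only sign intermediate certificates that match.
# See the POLICY FORMAT section of 'man ca'.
countryName = optional
stateOrProvinceName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ server_cert ]
# Extensions for server certificates ('man x509v3_config').
basicConstraints = CA:FALSE
nsCertType = server
nsComment = "OpenSSL Generated Server Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
[ crl_ext ]
# Extension for CRLs ('man x509v3_config').
authorityKeyIdentifier=keyid:always
EOM
  [[ -s temp_creds/openssl.cnf ]] || die "$err_msg"
}

#######################################
# Generate the nginx server key and CSR and sign it with the CA from make_ca.
# Arguments: $1 - X.509 subject string for the server certificate
#######################################
make_server_cert() {
  local subj=$1
  openssl genrsa -out temp_creds/service.key 2048 || die "$err_msg"
  openssl req -new -key temp_creds/service.key \
    -out temp_creds/service.csr -subj "$subj" || die "$err_msg"
  openssl ca -batch -in temp_creds/service.csr -config temp_creds/openssl.cnf \
    -extensions server_cert -days 365 -notext -out temp_creds/service.crt \
    || die "$err_msg"
}

main() {
  local common_name=${1:-localhost}
  local timestamp
  timestamp=$(date -u +"%Y-%m-%dT%H:%M:%SZ") || die "$err_msg"
  command -v openssl >/dev/null || die "openssl not found; $err_msg"

  # Same subject is used for the CA and the server cert; only the CN is configurable.
  # NOTE(review): the emailAddress value below is what this copy of the file
  # shows and looks mangled by the source page's address obfuscation — confirm
  # against the repository before relying on it.
  local subj="/countryName=US/stateOrProvinceName=IL/localityName=Chicago/organizationName=CDIS/organizationalUnitName=PlanX/commonName=$common_name/[email protected]"

  # Directories are created up front so die() always has something well-defined to remove.
  mkdir -p -- temp_creds temp_keys || die "$err_msg"
  make_fence_keys "temp_keys/${timestamp}"
  prepare_ca_config
  make_ca "$subj"
  make_server_cert "$subj"
}

main "$@"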