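#!/bin/sh
# generate-certs: build a small two-CA PKI for an etcd cluster with certstrap.
#
# Output, all under ./etcd-certs:
#   etcd-ca.crt / etcd-ca.key   CA for client<->server TLS; the .crt goes to
#                               etcd servers and every job that talks to etcd
#   server.{key,csr,crt}        server cert shared across the etcd cluster
#   client.{key,csr,crt}        client cert for jobs that access etcd
#   peer-ca.crt / peer-ca.key   separate CA for peer (etcd<->etcd) TLS
#   peer.{key,csr,crt}          peer cert shared across the etcd cluster
#
# Security notes:
#   - Every key is created with an empty passphrase (--passphrase ''), so all
#     .key files are plaintext on disk. Keep the output directory out of
#     version control; the two *-ca.key files are the roots of trust and
#     should not be distributed with the leaf certs.
#   - The server and peer certs carry a wildcard SAN (*.etcd.service.cf.internal)
#     and are meant to be shared by every node, so one leaked server/peer key
#     compromises the whole cluster's TLS.
#   - Re-running the script regenerates both CAs and overwrites the previous
#     files (mv -f) without asking; anything issued from the old CAs stops
#     validating.
#   - `set -x` echoes every command; the only secret-bearing argument is the
#     empty passphrase, so the trace does not leak key material.
set -e -x

# Install certstrap. `go get -u` no longer installs binaries on Go >= 1.17;
# `go install pkg@version` is the supported form and lets the version be
# pinned via CERTSTRAP_VERSION instead of floating to whatever is newest.
certstrap_version="${CERTSTRAP_VERSION:-latest}"
go install "github.com/square/certstrap@${certstrap_version}"

# Place keys and certificates here
depot_path="etcd-certs"
mkdir -p "${depot_path}"

# new_ca NAME PREFIX
#   Create a self-signed CA with common name NAME, then rename
#   NAME.{crt,key} to PREFIX.{crt,key} inside the depot.
new_ca() {
  certstrap --depot-path "${depot_path}" init --passphrase '' --common-name "$1"
  mv -f "${depot_path}/$1.crt" "${depot_path}/$2.crt"
  mv -f "${depot_path}/$1.key" "${depot_path}/$2.key"
}

# issue NAME CA DOMAINS PREFIX
#   Request a certificate for common name NAME (with SANs DOMAINS when
#   non-empty), sign it with CA, then rename NAME.{key,csr,crt} to
#   PREFIX.{key,csr,crt} inside the depot.
issue() {
  if [ -n "$3" ]; then
    certstrap --depot-path "${depot_path}" request-cert --passphrase '' --common-name "$1" --domain "$3"
  else
    certstrap --depot-path "${depot_path}" request-cert --passphrase '' --common-name "$1"
  fi
  certstrap --depot-path "${depot_path}" sign "$1" --CA "$2"
  for ext in key csr crt; do
    mv -f "${depot_path}/$1.${ext}" "${depot_path}/$4.${ext}"
  done
}

# CA to distribute to etcd clients and servers
new_ca etcdCA etcd-ca

# Server certificate to share across the etcd cluster
issue etcd.service.cf.internal etcd-ca '*.etcd.service.cf.internal,etcd.service.cf.internal' server

# Client certificate to distribute to jobs that access etcd (no SANs)
issue clientName etcd-ca '' client

# CA to distribute across etcd peers (kept separate from the client/server CA
# so a compromised client cert cannot be used to join the cluster as a peer)
new_ca peerCA peer-ca

# Peer certificate to distribute across etcd peers
issue etcd.service.cf.internal peer-ca '*.etcd.service.cf.internal,etcd.service.cf.internal' peer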