chore(openssl): updates cert generation
This patch removes the dependency on cfssl to generate certificates and removes unused constructs in the script. Change-Id: Ia933420157f456bf99a6ec5416e6dbb63bfa5258 Signed-off-by: Tin Lam <t@lam.wtf>
parent
d067a0bb7a
commit
00052793dd
@ -13,63 +13,16 @@
|
|||||||
# under the License.
|
# under the License.
|
||||||
set -xe
|
set -xe
|
||||||
|
|
||||||
CFSSLURL=https://pkg.cfssl.org/R1.2
|
|
||||||
for CFSSL_BIN in cfssl cfssljson; do
|
|
||||||
if ! type -p "${CFSSL_BIN}"; then
|
|
||||||
sudo curl -sSL -o "/usr/local/bin/${CFSSL_BIN}" "${CFSSLURL}/${CFSSL_BIN}_linux-amd64"
|
|
||||||
sudo chmod +x "/usr/local/bin/${CFSSL_BIN}"
|
|
||||||
ls "/usr/local/bin/${CFSSL_BIN}"
|
|
||||||
fi
|
|
||||||
done
|
|
||||||
|
|
||||||
OSH_CONFIG_ROOT="/etc/openstack-helm"
|
OSH_CONFIG_ROOT="/etc/openstack-helm"
|
||||||
OSH_CA_ROOT="${OSH_CONFIG_ROOT}/certs/ca"
|
OSH_CA_ROOT="${OSH_CONFIG_ROOT}/certs/ca"
|
||||||
OSH_SERVER_TLS_ROOT="${OSH_CONFIG_ROOT}/certs/server"
|
|
||||||
|
|
||||||
sudo mkdir -p ${OSH_CONFIG_ROOT}
|
sudo mkdir -p ${OSH_CONFIG_ROOT}
|
||||||
sudo chown $(whoami): -R ${OSH_CONFIG_ROOT}
|
sudo chown $(whoami): -R ${OSH_CONFIG_ROOT}
|
||||||
|
|
||||||
mkdir -p "${OSH_CA_ROOT}"
|
mkdir -p "${OSH_CA_ROOT}"
|
||||||
tee ${OSH_CA_ROOT}/ca-config.json << EOF
|
openssl req -x509 -nodes -sha256 -days 1 -newkey rsa:2048 \
|
||||||
{
|
-keyout ${OSH_CA_ROOT}/ca-key.pem -out ${OSH_CA_ROOT}/ca.pem \
|
||||||
"signing": {
|
-subj "/C=US/L=SomeState/ST=SomeCity/O=SomeOrg/OU=SomeUnit/CN=ACME Company"
|
||||||
"default": {
|
|
||||||
"expiry": "1y"
|
|
||||||
},
|
|
||||||
"profiles": {
|
|
||||||
"server": {
|
|
||||||
"expiry": "1y",
|
|
||||||
"usages": [
|
|
||||||
"signing",
|
|
||||||
"key encipherment",
|
|
||||||
"server auth"
|
|
||||||
]
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
EOF
|
|
||||||
|
|
||||||
tee ${OSH_CA_ROOT}/ca-csr.json << EOF
|
|
||||||
{
|
|
||||||
"CN": "ACME Company",
|
|
||||||
"key": {
|
|
||||||
"algo": "rsa",
|
|
||||||
"size": 2048
|
|
||||||
},
|
|
||||||
"names": [
|
|
||||||
{
|
|
||||||
"C": "US",
|
|
||||||
"L": "SomeState",
|
|
||||||
"ST": "SomeCity",
|
|
||||||
"O": "SomeOrg",
|
|
||||||
"OU": "SomeUnit"
|
|
||||||
}
|
|
||||||
]
|
|
||||||
}
|
|
||||||
EOF
|
|
||||||
|
|
||||||
cfssl gencert -initca ${OSH_CA_ROOT}/ca-csr.json | cfssljson -bare ${OSH_CA_ROOT}/ca -
|
|
||||||
|
|
||||||
function check_cert_and_key () {
|
function check_cert_and_key () {
|
||||||
TLS_CERT=$1
|
TLS_CERT=$1
|
||||||
@ -86,4 +39,5 @@ function check_cert_and_key () {
|
|||||||
echo "Pass: ${TLS_CERT} is valid with ${TLS_KEY}"
|
echo "Pass: ${TLS_CERT} is valid with ${TLS_KEY}"
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
check_cert_and_key ${OSH_CA_ROOT}/ca.pem ${OSH_CA_ROOT}/ca-key.pem
|
check_cert_and_key ${OSH_CA_ROOT}/ca.pem ${OSH_CA_ROOT}/ca-key.pem
|
||||||
|
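Review bot: The `openssl req` call added in the first hunk issues the CA with `-days 1`, so `ca.pem` and anything chained to it stops validating 24 hours after the script runs, whereas the removed cfssl signing config carried `"expiry": "1y"`. If a one-day throwaway CA is intended, say so next to the command, e.g. `# throwaway CA for short-lived test deployments; expires after one day by design`; otherwise raise the value. `-nodes` also writes `ca-key.pem` unencrypted, and its file mode is left to the umask and the OpenSSL version in use, so follow the call with `chmod 600 "${OSH_CA_ROOT}/ca-key.pem"`. The new `${OSH_CA_ROOT}` expansions on the `-keyout`/`-out` line are unquoted, unlike the `mkdir -p "${OSH_CA_ROOT}"` just above.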