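#!/usr/bin/env bash
#
# Generate a throw-away self-signed CA plus per-service TLS material for a
# local development environment. Everything is written below ./.certs, which
# is wiped first, so re-running the script always yields a fresh PKI.
#
# Requires: openssl, ssh-keygen (the latter only for the JWT key pair).
#
# Fail fast: a silently failed openssl step would otherwise leave the tree in
# a half-generated state that is hard to diagnose.
set -euo pipefail

# Define where to store the generated certs and metadata.
DIR="$(pwd)/.certs"
readonly DIR
# Comma-separated list of microservices that receive their own certificates.
SERVICES_NAMES=account,mhealth,ds-agent,timeseries,notification,ehr,analytics
readonly SERVICES_NAMES

# Start from a clean slate. ":?" aborts instead of running "rm -rf /" should
# DIR ever be empty; "--" protects against a path starting with "-".
rm -rf -- "${DIR:?}"
mkdir -p -- "$DIR"

# Create the openssl configuration file. This is used for both generating
# the certificate as well as for specifying the extensions. It aims in favor
# of automation, so the DN is encoded and not prompted.
#
# Only the [ req ] / [ ca_distinguished_name ] / [ ca_extensions ] sections are
# used for the CA itself; the *_extensions sections and [ alt_names ] are
# consumed later via "openssl x509 -req -extfile". The [ ca ] section
# (and copy_extensions) would only matter to "openssl ca", which this script
# never runs. The delimiter is quoted: the file contains no shell expansions.
cat >"${DIR}/openssl.cnf" <<'EOF'
####################################################################
[ ca ]
default_ca = CA_default # The default ca section
[ CA_default ]
default_md = sha256 # use public key default MD
preserve = no # keep passed DN ordering
x509_extensions = ca_extensions # The extensions to add to the cert
email_in_dn = no # Don't concat the email in the DN
copy_extensions = copy # Required to copy SANs from CSR to cert
####################################################################
[ req ]
default_bits = 2048
default_keyfile = tmp/external.key
distinguished_name = ca_distinguished_name
x509_extensions = ca_extensions
string_mask = utf8only
####################################################################
[ ca_distinguished_name ]
countryName = BR
stateOrProvinceName = PB
localityName = Campina Grande
organizationName = HANIoT
organizationalUnitName = HANIoT
commonName = HANIoT CA
####################################################################
[ ca_extensions ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, nonRepudiation, keyCertSign, cRLSign
####################################################################
[ client_extensions ]
basicConstraints = CA:false
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
subjectAltName = @alt_names
####################################################################
[ server_extensions ]
basicConstraints = CA:false
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
####################################################################
[ client_server_extensions ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, serverAuth
subjectKeyIdentifier = hash
subjectAltName = @alt_names
####################################################################
[ alt_names ]
IP.1 = 127.0.0.1
DNS.1 = localhost
EOF

# Create the certificate authority (CA). This will be a self-signed CA, and this
# command generates both the private key and the certificate. You may want to
# adjust the number of bits (4096 is a bit more secure, but not supported in all
# places at the time of this publication).
#
# To put a password on the key, remove the -nodes option.
#
# Be sure to update the subject to match your organization.
#
# The subject components are separated by "/" (the earlier ",CN=" form made
# the whole string the O= value and left the CA without a CN).
#
# openssl's stderr is silenced for quiet output; drop the redirect to debug a
# failure. The exit status is still checked so a broken CA aborts the run.
if ! openssl req -x509 \
    -config "$DIR/openssl.cnf" \
    -nodes -days 3650 \
    -subj "/O=HANIoT/CN=HANIoT CA" \
    -keyout "$DIR/ca.key" \
    -out "$DIR/ca.pem" 2>/dev/null; then
  printf 'error: failed to generate the CA certificate in %s\n' "$DIR" >&2
  exit 1
fi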
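#######################################
# Generate a private key and a CA-signed certificate for one endpoint.
#
# The shared openssl.cnf is never modified: a per-call copy is created in the
# output directory and the extra SAN entries are appended to that copy. The
# previous version appended to the shared file, so DNS.N entries left over from
# an earlier call with more alt names stayed in effect for later certificates
# (e.g. a server certificate ended up valid for other services' host names).
#
# Globals:   DIR (read) - directory holding openssl.cnf, ca.pem and ca.key
# Arguments: $1 - type: "server", "client" or "client/server"; selects the
#                 x509 extension section, anything else means "server"
#            $2 - value placed in the O= component of the subject
#            $3 - comma-separated extra DNS subject alternative names
#                 (127.0.0.1 and localhost come from the base config)
#            $4 - file name stem: <stem>_key.pem and <stem>_cert.pem
#            $5 - output directory (created if missing); also receives ca.pem
# Outputs:   nothing on stdout; openssl diagnostics are silenced
# Returns:   the status of the first failing openssl step, 0 on success
#######################################
generateCerts() {
  local type="$1" org="$2" alt_names="$3" name="$4" out_dir="$5"
  local extensions="server_extensions"
  local cnf="$out_dir/$name.cnf"
  local csr="$out_dir/$name.csr"
  local key="$out_dir/${name}_key.pem"
  local cert="$out_dir/${name}_cert.pem"
  local -a dns_list=()
  local dns number

  # Create destination directory
  mkdir -p -- "$out_dir"

  case "$type" in
    client) extensions="client_extensions" ;;
    client/server) extensions="client_server_extensions" ;;
  esac

  # Per-call configuration copy with the requested SANs appended to the
  # trailing [ alt_names ] section (DNS.1 = localhost is already present).
  cp -- "$DIR/openssl.cnf" "$cnf"
  IFS=',' read -r -a dns_list <<<"$alt_names"
  number=2
  for dns in "${dns_list[@]}"; do
    printf 'DNS.%d = %s\n' "$number" "$dns" >>"$cnf"
    number=$((number + 1))
  done

  # Generate the private key. The size is given explicitly so it matches
  # default_bits in the config and does not depend on the openssl version's
  # built-in default.
  openssl genrsa -out "$key" 2048 2>/dev/null || return

  # Generate a CSR using the key just generated. We will give this CSR to our
  # CA to sign. The SANs come from the extension file at signing time, not
  # from the CSR.
  openssl req \
    -new -nodes \
    -key "$key" \
    -subj "/O=$org/CN=HANIoT" \
    -out "$csr" 2>/dev/null || return

  # Sign the CSR with our CA. This will generate a new certificate that is
  # signed by our CA, carrying the extensions selected by $1.
  openssl x509 \
    -req -days 3650 -in "$csr" \
    -CA "$DIR/ca.pem" -CAkey "$DIR/ca.key" -CAcreateserial \
    -out "$cert" -extfile "$cnf" \
    -extensions "$extensions" 2>/dev/null || return

  # Copy CA file to the destination directory
  cp -- "$DIR/ca.pem" "$out_dir/ca.pem"
  # NOTE(review): the private key is made world-readable (0644) together with
  # the certificates, presumably so containers running as non-root can read
  # it; tighten to 0600 if the consuming process does not need that.
  chmod 0644 "$DIR/ca.pem" "$key" "$cert"
  # Remove the intermediate files (CSR and the per-call config copy).
  rm -f -- "$csr" "$cnf"
}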
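#######################################
# Generate a key/certificate pair for a MongoDB endpoint and merge them into
# the single PEM file (certificate first, then private key) that the MongoDB
# components consume.
#
# Arguments: same as generateCerts ($1 type, $2 O=, $3 alt names, $4 stem,
#            $5 output directory)
# Outputs:   $5/$4.pem; the separate _cert.pem and _key.pem files are removed.
#            The merged file is created via redirection, so its mode comes
#            from the umask rather than from an explicit chmod.
# Returns:   non-zero if generateCerts fails; nothing is merged in that case
#######################################
generateCertsMongo() {
  local name="$4" out_dir="$5"
  local cert="$out_dir/${name}_cert.pem"
  local key="$out_dir/${name}_key.pem"
  # Every argument is quoted; the unquoted pass-through broke on paths with
  # spaces and re-split the alt-name list.
  generateCerts "$1" "$2" "$3" "$name" "$out_dir" || return
  cat -- "$cert" "$key" >"$out_dir/$name.pem"
  rm -f -- "$cert" "$key"
}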
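# Certificates for microservices.
#
# SERVICES_ALT_NAMES_MONGO collects the "mongo-<service>" host names so the
# MongoDB server certificate below is valid for every service's database
# alias.
SERVICES_ALT_NAMES_MONGO="mongo"
# Split the comma-separated list into a real array. The previous version kept
# a newline-separated string and relied on word splitting, and its COUNT was
# the element count of that string (always 1) rather than a real counter.
IFS=',' read -r -a SERVICES <<<"$SERVICES_NAMES"
COUNT=1
for service in "${SERVICES[@]}"; do
  SERVICES_ALT_NAMES_MONGO+=",mongo-${service}"
  printf '%s - Generating certificates for the "%s" Service...\n' "$COUNT" "${service^^}"
  generateCerts "server" "$service" "localhost" "server" "$DIR/$service" # Server
  generateCerts "client" "$service" "rabbitmq" "rabbitmq" "$DIR/$service" # Client RabbitMQ
  if [[ "$service" == "timeseries" ]]; then
    generateCerts "client" "$service" "influxdb" "influxdb" "$DIR/$service" # Client InfluxDB
  else
    generateCertsMongo "client" "$service" "mongo,${service}" "mongodb" "$DIR/$service" # Client MongoDB
  fi
  if [[ "$service" == "account" ]]; then
    # RSA key pair for JWT signing. -P "" leaves the private key unencrypted;
    # the second command exports the public half in PEM format for verifiers.
    ssh-keygen -t rsa -P "" -b 2048 -m PEM -f "$DIR/$service/jwt.key"
    ssh-keygen -e -m PEM -f "$DIR/$service/jwt.key" >"$DIR/$service/jwt.key.pub"
  fi
  COUNT=$((COUNT + 1))
done

# Infrastructure certificates. COUNT now continues the per-service numbering
# in execution order (the previous labels were printed out of sequence).

## Generate certificates for API Gateway
printf '%s - Generating certificates for the "API Gateway"...\n' "$COUNT"
generateCerts "server" "localhost" "localhost" "server" "$DIR/api-gtw" # Server
# The gateway verifies JWTs issued by the account service, so it only needs
# the public key. Requires "account" to be in SERVICES_NAMES.
cp -- "$DIR/account/jwt.key.pub" "$DIR/api-gtw/jwt.key.pub"
COUNT=$((COUNT + 1))

# Generate certificates for MongoDB
printf '%s - Generating certificates for the "MongoDB Server"...\n' "$COUNT"
generateCertsMongo "server" "mongo" "$SERVICES_ALT_NAMES_MONGO" "server" "$DIR/mongodb" # Server MongoDB
COUNT=$((COUNT + 1))

# Generate certificates for RabbitMQ
printf '%s - Generating certificates for the "RabbitMQ Server"...\n' "$COUNT"
generateCerts "server" "rabbitmq" "rabbitmq" "server" "$DIR/rabbitmq" # Server RabbitMQ
COUNT=$((COUNT + 1))

## Generate certificates for InfluxDB
printf '%s - Generating certificates for the "InfluxDB Server"...\n' "$COUNT"
generateCerts "server" "influxdb" "influxdb,influxdb-timeseries" "server" "$DIR/influxdb" # Server InfluxDB

# Remove the CA material and intermediate files from the top level. Deleting
# ca.key means no further certificates can be issued by this CA; re-run the
# script to regenerate everything. Globs are left unquoted on purpose; with
# -f a non-matching literal pattern is ignored silently.
rm -rf -- "$DIR"/ca.* "$DIR"/*.srl "$DIR"/*.csr "$DIR"/*.cnf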