12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455 |
- #!/bin/bash
- if ! [[ "$0" =~ "./gencerts.sh" ]]; then
- echo "must be run from 'fixtures'"
- exit 255
- fi
- if ! which cfssl; then
- echo "cfssl is not installed"
- exit 255
- fi
- cfssl gencert --initca=true ./ca-csr.json | cfssljson --bare ./ca
- mv ca.pem ca.crt
- openssl x509 -in ca.crt -noout -text
- # generate DNS: localhost, IP: 127.0.0.1, CN: example.com certificates
- cfssl gencert \
- --ca ./ca.crt \
- --ca-key ./ca-key.pem \
- --config ./gencert.json \
- ./server-ca-csr.json | cfssljson --bare ./server
- mv server.pem server.crt
- mv server-key.pem server.key.insecure
- # generate DNS: localhost, IP: 127.0.0.1, CN: example2.com certificates
- cfssl gencert \
- --ca ./ca.crt \
- --ca-key ./ca-key.pem \
- --config ./gencert.json \
- ./server-ca-csr2.json | cfssljson --bare ./server2
- mv server2.pem server2.crt
- mv server2-key.pem server2.key.insecure
- # generate revoked certificates and crl
- cfssl gencert --ca ./ca.crt \
- --ca-key ./ca-key.pem \
- --config ./gencert.json \
- ./server-ca-csr.json 2>revoked.stderr | cfssljson --bare ./server-revoked
- mv server-revoked.pem server-revoked.crt
- mv server-revoked-key.pem server-revoked.key.insecure
- grep serial revoked.stderr | awk ' { print $9 } ' >revoke.txt
- cfssl gencrl revoke.txt ca.crt ca-key.pem | base64 --decode >revoke.crl
- # generate wildcard certificates DNS: *.etcd.local
- cfssl gencert \
- --ca ./ca.crt \
- --ca-key ./ca-key.pem \
- --config ./gencert.json \
- ./server-ca-csr-wildcard.json | cfssljson --bare ./server-wildcard
- mv server-wildcard.pem server-wildcard.crt
- mv server-wildcard-key.pem server-wildcard.key.insecure
- rm -f *.csr *.pem *.stderr *.txt
|