gencerts.sh 1.6 KB

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455
  1. #!/bin/bash
  2. if ! [[ "$0" =~ "./gencerts.sh" ]]; then
  3. echo "must be run from 'fixtures'"
  4. exit 255
  5. fi
  6. if ! which cfssl; then
  7. echo "cfssl is not installed"
  8. exit 255
  9. fi
  10. cfssl gencert --initca=true ./ca-csr.json | cfssljson --bare ./ca
  11. mv ca.pem ca.crt
  12. openssl x509 -in ca.crt -noout -text
  13. # generate DNS: localhost, IP: 127.0.0.1, CN: example.com certificates
  14. cfssl gencert \
  15. --ca ./ca.crt \
  16. --ca-key ./ca-key.pem \
  17. --config ./gencert.json \
  18. ./server-ca-csr.json | cfssljson --bare ./server
  19. mv server.pem server.crt
  20. mv server-key.pem server.key.insecure
  21. # generate DNS: localhost, IP: 127.0.0.1, CN: example2.com certificates
  22. cfssl gencert \
  23. --ca ./ca.crt \
  24. --ca-key ./ca-key.pem \
  25. --config ./gencert.json \
  26. ./server-ca-csr2.json | cfssljson --bare ./server2
  27. mv server2.pem server2.crt
  28. mv server2-key.pem server2.key.insecure
  29. # generate revoked certificates and crl
  30. cfssl gencert --ca ./ca.crt \
  31. --ca-key ./ca-key.pem \
  32. --config ./gencert.json \
  33. ./server-ca-csr.json 2>revoked.stderr | cfssljson --bare ./server-revoked
  34. mv server-revoked.pem server-revoked.crt
  35. mv server-revoked-key.pem server-revoked.key.insecure
  36. grep serial revoked.stderr | awk ' { print $9 } ' >revoke.txt
  37. cfssl gencrl revoke.txt ca.crt ca-key.pem | base64 --decode >revoke.crl
  38. # generate wildcard certificates DNS: *.etcd.local
  39. cfssl gencert \
  40. --ca ./ca.crt \
  41. --ca-key ./ca-key.pem \
  42. --config ./gencert.json \
  43. ./server-ca-csr-wildcard.json | cfssljson --bare ./server-wildcard
  44. mv server-wildcard.pem server-wildcard.crt
  45. mv server-wildcard-key.pem server-wildcard.key.insecure
  46. rm -f *.csr *.pem *.stderr *.txt