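#!/bin/sh
# Generate the throw-away PKI used by Telegraf's TLS tests: a self-signed CA,
# a server certificate, a deliberately short-lived server certificate, and a
# client certificate with plain, passphrase-protected and PKCS#8 key variants.
#
# Run it from an EMPTY scratch directory; it creates ./certs, ./certs_by_serial
# and ./private there. Requires openssl, ssh-keygen and GNU date (--date).
#
# SECURITY: everything produced here is test-fixture material only. The CA key
# is written unencrypted (-nodes), the key passphrase is the hard-coded literal
# "changeme" (which `set -x` also echoes to stderr), and every certificate is
# valid for ten years. Never deploy these keys or trust this CA outside tests.
set -eux

# Commands are deliberately NOT chained with `&&`: under `set -e` a failure of
# any command in an `a && b && c` list other than the last one does not abort
# the script, so a failed mkdir would have let generation carry on against a
# half-built directory layout. Plain statements let `set -e` stop at the first
# error.
mkdir certs certs_by_serial private
chmod 700 private
echo 01 > ./serial
touch ./index.txt
# Allow one subject to be certified twice: the normal and the soon-to-expire
# server certificate are both signed from the same CSR.
echo 'unique_subject = no' > ./index.txt.attr

# Quoted delimiter: the config contains no shell expansions and is written
# verbatim.
cat >./openssl.conf <<'EOF'
[ ca ]
default_ca = telegraf_ca

[ telegraf_ca ]
certificate = ./certs/cacert.pem
database = ./index.txt
new_certs_dir = ./certs_by_serial
private_key = ./private/cakey.pem
serial = ./serial

default_crl_days = 3650
default_days = 3650
default_md = sha256

policy = telegraf_ca_policy
x509_extensions = certificate_extensions

[ telegraf_ca_policy ]
commonName = supplied

[ certificate_extensions ]
basicConstraints = CA:false

[ req ]
default_bits = 2048
default_keyfile = ./private/cakey.pem
default_md = sha256
prompt = yes
distinguished_name = root_ca_distinguished_name
x509_extensions = root_ca_extensions

[ root_ca_distinguished_name ]
commonName = hostname

[ root_ca_extensions ]
basicConstraints = CA:true
keyUsage = keyCertSign, cRLSign

# Client leaf; 1.3.6.1.5.5.7.3.2 is id-kp-clientAuth.
[ client_ca_extensions ]
basicConstraints = CA:false
keyUsage = digitalSignature
subjectAltName = @client_alt_names
extendedKeyUsage = 1.3.6.1.5.5.7.3.2

[ client_alt_names ]
DNS.1 = localhost
IP.1 = 127.0.0.1

# Server leaf; 1.3.6.1.5.5.7.3.1 is id-kp-serverAuth.
[ server_ca_extensions ]
basicConstraints = CA:false
subjectAltName = @server_alt_names
keyUsage = keyEncipherment, digitalSignature
extendedKeyUsage = 1.3.6.1.5.5.7.3.1

[ server_alt_names ]
DNS.1 = localhost
IP.1 = 127.0.0.1
EOF

# Self-signed root CA. -nodes leaves the CA key unencrypted (test fixture only).
openssl req -x509 -config ./openssl.conf -days 3650 -newkey rsa:2048 \
  -out ./certs/cacert.pem -keyout ./private/cakey.pem \
  -subj "/CN=Telegraf Test CA/" -nodes

# `uname -n` is the POSIX way to read the kernel hostname that Linux also
# exposes as /proc/sys/kernel/hostname; it is used as the leaf CN below.
host=$(uname -n)

# --- Server keypair: a normal certificate and a soon-to-expire one ----------
openssl genrsa -out ./private/serverkey.pem 2048
openssl req -new -key ./private/serverkey.pem -out ./certs/servercsr.pem \
  -outform PEM -subj "/CN=${host}/O=server/"
openssl ca -config ./openssl.conf -in ./certs/servercsr.pem \
  -out ./certs/servercert.pem -notext -batch -extensions server_ca_extensions

# The validity window is written with a trailing "Z" (UTC), so the timestamps
# must be computed in UTC as well (-u). Using local time would shift the
# +/-5 minute window by the host's UTC offset, making the certificate either
# not-yet-valid or already expired on any machine not running in UTC.
not_before="$(date -u --date='-5 minutes' +%y%m%d%H%M00)Z"
not_after="$(date -u --date='5 minutes' +%y%m%d%H%M00)Z"
openssl ca -config ./openssl.conf -in ./certs/servercsr.pem \
  -out ./certs/servercertexp.pem \
  -startdate "${not_before}" -enddate "${not_after}" \
  -notext -batch -extensions server_ca_extensions

# --- Client keypair: plain, passphrase-protected and PKCS#8 variants --------
openssl genrsa -out ./private/clientkey.pem 2048
openssl req -new -key ./private/clientkey.pem -out ./certs/clientcsr.pem \
  -outform PEM -subj "/CN=${host}/O=client/"
openssl ca -config ./openssl.conf -in ./certs/clientcsr.pem \
  -out ./certs/clientcert.pem -notext -batch -extensions client_ca_extensions

# Traditional-PEM (DEK-Info) encrypted copy of the client key. -P '' states
# explicitly that the source key has no passphrase so ssh-keygen never prompts.
cp ./private/clientkey.pem ./private/clientenckey.pem
ssh-keygen -p -f ./private/clientenckey.pem -m PEM -P '' -N 'changeme'

# PKCS#8 encrypted private key using a PKCS#5 v2.0 (PBES2) algorithm.
openssl pkcs8 -topk8 -v2 des3 -in ./private/clientkey.pem \
  -out ./private/clientenckey.pkcs8.pem -passout pass:changeme

# Unencrypted PKCS#8 form of the same client key. It is derived directly from
# the plain key, so no passphrase is involved, and it is kept under ./private
# alongside the other key files (the previous "clientenckey.pem" input with no
# directory prefix does not exist on a fresh run).
openssl pkcs8 -topk8 -in ./private/clientkey.pem -nocrypt \
  -out ./private/clientkey.pkcs8.pem

# --- Combined certificate + key bundles -----------------------------------
cat ./certs/clientcert.pem ./private/clientkey.pem > ./private/client.pem
# The encrypted bundle pairs the certificate with clientenckey.pem, the
# ssh-keygen-encrypted copy created above.
cat ./certs/clientcert.pem ./private/clientenckey.pem > ./private/clientenc.pem
cat ./certs/servercert.pem ./private/serverkey.pem > ./private/server.pem
cat ./certs/servercertexp.pem ./private/serverkey.pem > ./private/serverexp.pem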