
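#!/bin/bash
#
# Regenerates the TLS test fixtures with cfssl: a self-signed CA, a set of
# server/client leaf certificates, one revoked certificate and the CRL that
# lists it. Private keys are written as *.key.insecure to make clear they are
# test-only material and must never be reused outside these tests.
#
# Must be invoked as ./gencerts.sh from the fixtures directory, because every
# path below is relative to it.

set -e
# Every generation step is a "cfssl ... | cfssljson ..." pipeline; without
# pipefail a failing cfssl is masked by cfssljson's exit status and set -e
# never fires.
set -o pipefail

if ! [[ "$0" =~ "./gencerts.sh" ]]; then
  echo "must be run from 'fixtures'"
  exit 255
fi

# Both halves of the pipeline are required; the original check only looked
# for cfssl, so a missing cfssljson surfaced as a confusing mid-run failure.
for tool in cfssl cfssljson; do
  if ! command -v "$tool" >/dev/null; then
    echo "$tool is not installed"
    echo "use: go install -mod mod github.com/cloudflare/cfssl/cmd/cfssl github.com/cloudflare/cfssl/cmd/cfssljson"
    exit 255
  fi
done

# Self-signed CA. ca-key.pem is only needed while this script runs; the
# final cleanup (rm -f *.pem) discards it, so no further certificates can be
# signed with this CA afterwards.
cfssl gencert --initca=true ./ca-csr.json | cfssljson --bare ./ca
mv ca.pem ca.crt

# Purely informational: dump the CA certificate when openssl is available.
if command -v openssl >/dev/null; then
  openssl x509 -in ca.crt -noout -text
fi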
    22  
    23  # gencert [config_file.json] [cert-name]
    24  function gencert {
    25    cfssl gencert \
    26      --ca ./ca.crt \
    27      --ca-key ./ca-key.pem \
    28      --config ./gencert.json \
    29      $1 | cfssljson --bare ./$2
    30    mv $2.pem $2.crt
    31    mv $2-key.pem $2.key.insecure
    32  }
    33  
    34  # generate DNS: localhost, IP: 127.0.0.1, CN: example.com certificates, with dual usage
    35  gencert ./server-ca-csr.json server
    36  
    37  #generates certificate that only has the 'server auth' usage
    38  gencert "--profile=server-only ./server-ca-csr.json" server-serverusage
    39  
    40  #generates certificate that only has the 'client auth' usage
    41  gencert "--profile=client-only ./server-ca-csr.json" client-clientusage
    42  
    43  #generates certificate that does not contain CN, to be used for proxy -> server connections.
    44  gencert ./client-ca-csr-nocn.json client-nocn
    45  
    46  # generate DNS: localhost, IP: 127.0.0.1, CN: example.com certificates (ECDSA)
    47  gencert ./server-ca-csr-ecdsa.json server-ecdsa
    48  
    49  # generate IP: 127.0.0.1, CN: example.com certificates
    50  gencert ./server-ca-csr-ip.json server-ip
    51  
    52  # generate IPv6: [::1], CN: example.com certificates
    53  gencert ./server-ca-csr-ipv6.json server-ipv6
    54  
    55  # generate DNS: localhost, IP: 127.0.0.1, CN: example2.com certificates
    56  gencert ./server-ca-csr2.json server2
    57  
    58  # generate DNS: localhost, IP: 127.0.0.1, CN: "" certificates
    59  gencert ./server-ca-csr3.json server3
    60  
    61  # generate wildcard certificates DNS: *.etcd.local
    62  gencert ./server-ca-csr-wildcard.json server-wildcard
    63  
    64  # generate revoked certificates and crl
    65  cfssl gencert --ca ./ca.crt \
    66    --ca-key ./ca-key.pem \
    67    --config ./gencert.json \
    68    ./server-ca-csr.json 2>revoked.stderr | cfssljson --bare ./server-revoked
    69  mv server-revoked.pem server-revoked.crt
    70  mv server-revoked-key.pem server-revoked.key.insecure
    71  grep serial revoked.stderr | awk ' { print $9 } ' >revoke.txt
    72  cfssl gencrl revoke.txt ca.crt ca-key.pem | base64 --decode >revoke.crl
    73  
    74  rm -f *.csr *.pem *.stderr *.txt