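#!/bin/sh
set -eu
#
# regenerate_top: just remake the certs in this top-dir
# we don't (currently) handle any sub-dirs
#
# Works in the current directory: the openssl config, the CSRs and the
# resulting *.pem files are all relative paths, so run it from
# test/configs/certs.  Existing *-key.pem files are kept and reused (see
# ensure_keyfile); only the certificates are re-issued.  The CA private key
# is generated inside a mktemp directory that is removed on exit, so every
# run produces a brand-new CA and a new ca.pem; certs from an earlier run
# will not chain to it.
#

progname="$(basename "$0" .sh)"
# All diagnostics go to stderr, prefixed with the script name.
note() { printf >&2 '%s: %s\n' "$progname" "$*"; }
warn() { note "$@"; }
die() { warn "$@"; exit 1; }

# Subject components shared by the CA and every issued cert.
readonly COMMON_SUB_COUNTRY=US
readonly COMMON_SUB_STATE=California
readonly COMMON_SUB_ORG=Synadia
readonly COMMON_SUB_ORGUNIT=nats.io
readonly COMMON_SUBJECT="/C=$COMMON_SUB_COUNTRY/ST=$COMMON_SUB_STATE/O=$COMMON_SUB_ORG/OU=$COMMON_SUB_ORGUNIT"

readonly TEMP_CONFIG=openssl.cnf      # written into the cwd, removed on exit
readonly TEMP_CA_KEY_REL=ca-key.pem   # lives only inside $CA_DIR
readonly CA_FILE=ca.pem
CA_NAME="Certificate Authority $(date +%Y-%m-%d)"
readonly CA_NAME
readonly RSA_SIZE=2048
readonly DIGEST_ALG=sha256
# Days of validity for the CA and for issued certs (see the comment on
# default_days in the config below about shortening this).
readonly CERT_DURATION=$((10 * 365))

# Fail early if a required tool is absent; $okay is run as the command
# `true` or `false` afterwards.
okay=true
for cmd in openssl ; do
  if command -v "$cmd" >/dev/null 2>&1; then
    continue
  fi
  okay=false
  warn "missing command: $cmd"
done
$okay || die "missing necessary commands"

# Paths to remove on exit, one per line.  Entries are never word-split or
# glob-expanded, so a TMPDIR containing whitespace cannot make the
# `rm -rf` below touch the wrong path.
delete_list=""
nl='
'
#######################################
# EXIT trap: remove every path registered with add_delete.
# Globals:  delete_list (read)
# Returns:  0; individual removal failures are reported, not fatal
#######################################
cleanup() {
  [ -n "$delete_list" ] || return 0
  printf '%s\n' "$delete_list" | while IFS= read -r path; do
    [ -n "$path" ] || continue
    rm -rfv -- "$path" || warn "failed to remove: $path"
  done
}
trap cleanup EXIT
#######################################
# Register one or more paths for removal at exit.
# Globals:   delete_list (written)
# Arguments: paths, one per argument
#######################################
add_delete() {
  local item
  for item in "$@"; do
    delete_list="${delete_list}${delete_list:+$nl}${item}"
  done
}

# Issuer: C = US, ST = CA, O = Synadia, OU = nats.io, CN = localhost, emailAddress = derek@nats.io
# NOTE(review): the issuer line above differs from the CA subject actually
# generated below (COMMON_SUBJECT/CN=$CA_NAME); presumably it records the
# issuer of an earlier set of certs and is kept for reference.

# Transient CA working directory (mktemp -d creates it mode 0700); the
# openssl `ca` command needs a new_certs_dir and an index database.
CA_DIR="$(mktemp -d)"
add_delete "$CA_DIR"
mkdir "$CA_DIR/copies"
touch "$CA_DIR/index.txt"

readonly CA_DIR
readonly CA_KEY="$CA_DIR/$TEMP_CA_KEY_REL"

# Extensions common to every issued (non-CA) cert.  subjectAltName is taken
# from the SUBJECTALTNAME environment variable at signing time (see
# sign_csr), which is why the config is read with ${ENV::...}.
COMMON_X509V3='
basicConstraints = CA:FALSE
nsComment = "nats.io nats-server test-suite certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
subjectAltName = ${ENV::SUBJECTALTNAME}
'

# Single openssl config used for `req` (CA self-sign and CSRs) and `ca`
# (signing).  copy_extensions=copy makes `ca` honour extensions requested in
# a CSR; the CSRs here come from the same [ req ] section, which requests
# none, so nothing unexpected is copied into the issued certs.
cat > "$TEMP_CONFIG" <<EOCONFIG
SUBJECTALTNAME = email:copy
NSCERTTYPE = server
NAME_CONSTRAINTS =

[ ca ]
default_ca = CA_nats

[ CA_nats ]
certificate = $CA_FILE
dir = $CA_DIR
certs = \$dir/certs
new_certs_dir = \$dir/copies
crl_dir = \$dir/crl
database = \$dir/index.txt
private_key = \$dir/$TEMP_CA_KEY_REL
rand_serial = yes
unique_subject = no
# modern TLS is moving towards rejecting longer-lived certs, be prepared to lower this to less than a year and regenerate more often
default_days = $CERT_DURATION
default_md = $DIGEST_ALG
copy_extensions = copy
policy = policy_anything
x509_extensions = nats_x509_ext

[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = optional
emailAddress = optional

[ req ]
default_bits = $RSA_SIZE
default_md = $DIGEST_ALG
utf8 = yes
distinguished_name = req_distinguished_name

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints = CA:true
nsComment = "nats.io nats-server test-suite transient CA"

[ nats_x509_ext ]
$COMMON_X509V3

[ nats_server_nopeer ]
$COMMON_X509V3
nsCertType = server
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, nsSGC, msSGC

# NATS server certs are used as clients in peering (cluster, gateways, etc)
[ nats_server ]
$COMMON_X509V3
nsCertType = server, client
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, nsSGC, msSGC, clientAuth

[ nats_client ]
$COMMON_X509V3
nsCertType = client
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = $COMMON_SUB_COUNTRY
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = $COMMON_SUB_STATE
0.organizationName = Organization Name (eg, company)
0.organizationName_default = $COMMON_SUB_ORG
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = $COMMON_SUB_ORGUNIT
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_max = 64
# no email address for our certs
EOCONFIG
add_delete "$TEMP_CONFIG"

#######################################
# Generate a new RSA private key.
# Arguments: $1 - path of the key file to create
# Outputs:   the key file, created under umask 077 (owner-only) in a
#            subshell so the caller's umask is untouched
#######################################
make_keyfile() {
  local keyfile="${1:?need a keyfile to create}"
  (umask 077; openssl genrsa "$RSA_SIZE" > "$keyfile")
}

#######################################
# Create a key file unless one already exists; existing keys are kept so
# that regenerating certs does not rotate the keys checked into the tree.
# Arguments: $1 - key file path
#            $2 - human-readable description for the log line
#######################################
ensure_keyfile() {
  local keyfile="${1:?need a keyfile to create}"
  local description="${2:?need a description}"
  if [ -f "$keyfile" ]; then
    note "reusing EXISTING $description file: $keyfile"
    return 0
  fi
  note "creating NEW $description file: $keyfile"
  make_keyfile "$keyfile"
}

# `openssl req` bound to our config; extra args are passed through.
o_req() { openssl req -config "$TEMP_CONFIG" "$@"; }

#######################################
# Sign a CSR with the transient CA.
# Arguments: $1   - subjectAltName value, exported as SUBJECTALTNAME for the
#                   ${ENV::SUBJECTALTNAME} reference in the config
#            rest - passed to `openssl ca` (-in, -out, -extensions, ...)
#######################################
sign_csr() {
  local san="${1:?need subjectAltName}"
  shift
  env SUBJECTALTNAME="$san" openssl ca -config "$TEMP_CONFIG" -policy policy_anything -batch "$@"
}

# Self-signed CA with the v3_ca extensions; the key never leaves $CA_DIR.
make_keyfile "$CA_KEY"
o_req -x509 -new -key "$CA_KEY" -out "$CA_FILE" -outform PEM -days "$CERT_DURATION" -subj "$COMMON_SUBJECT/CN=$CA_NAME" -extensions v3_ca

# Each block below: (re)use a key, build a CSR, sign it with the extension
# section matching its role, and schedule the CSR for removal.
echo
readonly CLIENT_KEY=client-key.pem
BASE=client-cert
ensure_keyfile "$CLIENT_KEY" "client key"
o_req -new -key "$CLIENT_KEY" -out "$BASE.csr" -subj "$COMMON_SUBJECT/CN=localhost"
add_delete "$BASE.csr"
sign_csr "DNS:localhost, IP:127.0.0.1, IP:::1, email:derek@nats.io" -in "$BASE.csr" -out "$BASE.pem" -extensions nats_client

echo
readonly CLIENT_ID_AUTH_KEY=client-id-auth-key.pem
BASE=client-id-auth-cert
ensure_keyfile "$CLIENT_ID_AUTH_KEY" "client id auth key"
o_req -new -key "$CLIENT_ID_AUTH_KEY" -out "$BASE.csr" -subj "$COMMON_SUBJECT/CN=localhost"
add_delete "$BASE.csr"
sign_csr "DNS:localhost, IP:127.0.0.1, IP:::1, email:derek@nats.io" -in "$BASE.csr" -out "$BASE.pem" -extensions nats_client

echo
readonly SERVER_KEY=server-key.pem
BASE=server-cert
ensure_keyfile "$SERVER_KEY" "server key"
o_req -new -key "$SERVER_KEY" -out "$BASE.csr" -subj "$COMMON_SUBJECT/CN=localhost"
add_delete "$BASE.csr"
sign_csr "DNS:localhost, IP:127.0.0.1, IP:::1" -in "$BASE.csr" -out "$BASE.pem" -extensions nats_server

echo
readonly SK_IPONLY=server-key-iponly.pem
BASE=server-iponly
ensure_keyfile "$SK_IPONLY" "server key, IP-only"
# Be careful not to put something verifiable that's not an IP into the CN field, for verifiers which check CN
o_req -new -key "$SK_IPONLY" -out "$BASE.csr" -subj "$COMMON_SUBJECT/CN=ip-only-localhost"
add_delete "$BASE.csr"
sign_csr "IP:127.0.0.1, IP:::1" -in "$BASE.csr" -out "$BASE.pem" -extensions nats_server

echo
readonly SK_NOIP=server-key-noip.pem
BASE=server-noip
ensure_keyfile "$SK_NOIP" "server key, no IPs"
o_req -new -key "$SK_NOIP" -out "$BASE.csr" -subj "$COMMON_SUBJECT/CN=localhost"
add_delete "$BASE.csr"
sign_csr "DNS:localhost" -in "$BASE.csr" -out "$BASE.pem" -extensions nats_server

# Two interchangeable server identities, e.g. for multi-node test setups.
for SRV in srva srvb; do
  echo
  KEY="${SRV}-key.pem"
  BASE="${SRV}-cert"
  ensure_keyfile "$KEY" "server key, variant $SRV"
  o_req -new -key "$KEY" -out "$BASE.csr" -subj "$COMMON_SUBJECT/CN=localhost"
  add_delete "$BASE.csr"
  sign_csr "DNS:localhost, IP:127.0.0.1, IP:::1" -in "$BASE.csr" -out "$BASE.pem" -extensions nats_server
done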