
     1  #!/bin/bash
     2  
     3  set -e -x
     4  
     5  # Variable(s)
     6  EMAIL=elemental@suse.de
     7  CA_NAME=elementalCA
     8  DOMAIN=${PUBLIC_DOMAIN}
     9  FQDN=${PUBLIC_FQDN}
    10  VALUE=Elemental
    11  
    12  # Generate CA private key
    13  openssl genrsa -des3 -passout pass:${VALUE} -out ${CA_NAME}.key 2048
    14  
    15  # Create CA config file
    16  cat > ${CA_NAME}.config <<EOF
    17  [req]
    18  distinguished_name = dn
    19  prompt = no
    20  
    21  [dn]
    22  CN = ${CA_NAME}
    23  C = DE
    24  L = Nuremberg
    25  O = ${VALUE}
    26  OU = ${VALUE} Team
    27  emailAddress = ${EMAIL}
    28  EOF
    29  
    30  # Generate the Root CA
    31  openssl req -x509 -new -nodes -sha256 -days 1 \
    32    -passin pass:${VALUE} \
    33    -key ${CA_NAME}.key \
    34    -config ${CA_NAME}.config \
    35    -out ${CA_NAME}.pem
    36  
    37  # Generate private key for FQDN certificate
    38  openssl genrsa -out ${FQDN}.key 2048
    39  
    40  # Create FQDN certificate config file
    41  cat > ${FQDN}.config <<EOF
    42  [req]
    43  req_extensions = v3_req
    44  distinguished_name = dn
    45  prompt = no
    46  
    47  [dn]
    48  CN = *.${DOMAIN}
    49  C = DE
    50  L = Nuremberg
    51  O = ${VALUE}
    52  OU = ${VALUE} Team
    53  emailAddress = ${EMAIL}
    54  
    55  [v3_req]
    56  subjectAltName = DNS:${FQDN}
    57  EOF
    58  
    59  # Generate Certificate Signing Request (CSR)
    60  openssl req -new -key ${FQDN}.key -config ${FQDN}.config -out ${FQDN}.csr
    61  
    62  # Create Certificate Extension file
    63  cat > ${FQDN}.ext <<EOF
    64  authorityKeyIdentifier=keyid,issuer
    65  basicConstraints=CA:FALSE
    66  keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
    67  subjectAltName = @alt_names
    68  [alt_names]
    69  DNS.1 = ${FQDN}
    70  EOF
    71  
    72  # Generate the final certificate
    73  openssl x509 -req -sha256 -days 1 -CAcreateserial \
    74    -passin pass:${VALUE} \
    75    -CAkey ${CA_NAME}.key \
    76    -CA ${CA_NAME}.pem \
    77    -extfile ${FQDN}.ext \
    78    -in ${FQDN}.csr \
    79    -out ${FQDN}.crt
    80  
    81  # Check certificate
    82  openssl verify -CAfile ${CA_NAME}.pem ${FQDN}.crt
    83  openssl x509 -noout -subject -issuer -in ${FQDN}.crt
    84  
    85  # Create links
    86  for I in crt key; do
    87    ln -s ${FQDN}.${I} tls.${I}
    88  done
    89  ln -s ${CA_NAME}.pem cacerts.pem