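#!/usr/bin/env bash
# Sample script to create a self signed CA using cfssl, and create
# server certs for DS that are signed by this CA.
# Used cfssl https://github.com/cloudflare/cfssl
# On Mac OS you can install using brew install cfssl.
#
# Requires cfssl, cfssljson, openssl and keytool on PATH, and a readable
# ${SECRETS_DIR}/keystore.pin holding the keystore password (one line).
# Outputs: ${CA_HOME}/ca.pem + ca-key.pem (created once and reused) and
# ${SECRETS_DIR}/keystore.pkcs12 containing the server key and cert.

set -euo pipefail

# Where we store the CA certificates. If you retain this CA you can generate
# future DS certs signed by the same CA. ca-key.pem is the CA private key, so
# keep this directory private.
CA_HOME=~/etc/ca

SSL_CERT_ALIAS=opendj-ssl

SECRETS_DIR=./secrets

# Where to store intermediate files
TMPDIR=./out

# Print a message to stderr and stop the script.
die() { printf '%s\n' "$*" >&2; exit 1; }

# Fail early, before any files are removed, if a required tool is missing.
for tool in cfssl cfssljson openssl keytool; do
  command -v "$tool" >/dev/null || die "required tool not found: ${tool}"
done

# The keystore password is never placed on a command line below: openssl and
# keytool both read it from this file, so it does not appear in process
# listings or shell traces.
KEYSTORE_PIN_FILE="${SECRETS_DIR}/keystore.pin"
[[ -r "$KEYSTORE_PIN_FILE" ]] || die "keystore pin file not readable: ${KEYSTORE_PIN_FILE}"

# Clean up any old files... (":?" aborts instead of running rm -fr on an empty path)
rm -fr -- "${TMPDIR:?}"
mkdir -p -- "${TMPDIR}"

# First create a CA if it does not already exist.
if [[ ! -f "${CA_HOME}/ca.pem" ]]; then
  echo "CA cert not found, creating it in ${CA_HOME}"
  mkdir -p -- "${CA_HOME}"

  # Edit this template for your own needs
  cat > "${TMPDIR}/csr_ca.json" <<EOF
{
  "CN": "ForgeRock Stack CA",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "US",
      "L": "San Francisco",
      "O": "ForgeRock",
      "OU": "ForgeRock",
      "ST": "California"
    }
  ]
}
EOF

  # "&&" so that a failed cd does not leave cfssljson writing ca*.pem into
  # the current directory instead of ${CA_HOME}.
  cfssl gencert -initca "${TMPDIR}/csr_ca.json" \
    | (cd "${CA_HOME}" && cfssljson -bare ca)
fi

# Now generate a server certificate for OpenDSs SSL requirements.
# Edit this template for your environment.

cat > "${TMPDIR}/csr_opendj.json" <<EOF
{
  "hosts": [
    "opendj.example.com",
    "localhost",
    "opendj"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "CN": "localhost",
      "C": "US",
      "L": "San Francisco",
      "O": "ForgeRock",
      "OU": "ForgeRock",
      "ST": "California"
    }
  ]
}
EOF

# todo: We need to find a way to set the subject alternative name on instance boot.
# -hostname overrides the "hosts" list in the CSR template above.
hostnames="opendj,localhost,ds-0,userstore-0"
# This create a server private key opendj-key.pem and a public cert opendj.pem
# The cert is signed by the CA we created above.
cfssl gencert -ca="${CA_HOME}/ca.pem" -ca-key="${CA_HOME}/ca-key.pem" -hostname="$hostnames" \
  "${TMPDIR}/csr_opendj.json" \
  | cfssljson -bare "${TMPDIR}/opendj"

# Concat the PEM files (key + cert) together to import into pkcs12.
(cd "${TMPDIR}" && cat -- opendj*pem > opendj-all.pem)

# Create a pkcs12 file; the password is read from the pin file, not argv.
openssl pkcs12 -export -in "${TMPDIR}/opendj-all.pem" \
  -out "${SECRETS_DIR}/keystore.pkcs12" -password "file:${KEYSTORE_PIN_FILE}"

# Remove the intermediate files (including the plaintext server key copy).
rm -fr -- "${TMPDIR:?}"

cd "$SECRETS_DIR" || die "cannot cd to ${SECRETS_DIR}"

# The pkcs12 keystore does not have an alias they Java needs. keytool sets it.
echo "Setting the alias with keytool"
keytool -changealias -alias 1 -destalias "$SSL_CERT_ALIAS" \
  -storepass:file keystore.pin -keystore ./keystore.pkcs12 -v -storetype pkcs12

keytool -list -keystore keystore.pkcs12 -storepass:file keystore.pin -storetype pkcs12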