mirror of
https://github.com/etcd-io/etcd.git
synced 2024-09-27 06:25:44 +00:00
integration: gencerts.sh cleanup and supports no-CN certs
integration/fixtures/gencerts.sh:
- refactored common logic to a helper function
- added definition for client-nocn certificate
(used for grpc-proxy -> etcd-server) communication.
This commit is contained in:
Piotr Tabor
parent
c20cc05fc5
commit
966e8cecf0
20
integration/fixtures/client-ca-csr-nocn.json
Normal file
20
integration/fixtures/client-ca-csr-nocn.json
Normal file
@ -0,0 +1,20 @@
|
||||
{
|
||||
"key": {
|
||||
"algo": "rsa",
|
||||
"size": 2048
|
||||
},
|
||||
"names": [
|
||||
{
|
||||
"O": "etcd",
|
||||
"OU": "etcd Security",
|
||||
"L": "San Francisco",
|
||||
"ST": "California",
|
||||
"C": "USA"
|
||||
}
|
||||
],
|
||||
"CN": "",
|
||||
"hosts": [
|
||||
"127.0.0.1",
|
||||
"localhost"
|
||||
]
|
||||
}
|
||||
@ -1,5 +1,7 @@
|
||||
#!/bin/bash
|
||||
|
||||
set -e
|
||||
|
||||
if ! [[ "$0" =~ "./gencerts.sh" ]]; then
|
||||
echo "must be run from 'fixtures'"
|
||||
exit 255
|
||||
@ -7,68 +9,51 @@ fi
|
||||
|
||||
if ! which cfssl; then
|
||||
echo "cfssl is not installed"
|
||||
echo "use: go install -mod mod github.com/cloudflare/cfssl/cmd/cfssl github.com/cloudflare/cfssl/cmd/cfssljson"
|
||||
exit 255
|
||||
fi
|
||||
|
||||
cfssl gencert --initca=true ./ca-csr.json | cfssljson --bare ./ca
|
||||
mv ca.pem ca.crt
|
||||
|
||||
if which openssl >/dev/null; then
|
||||
openssl x509 -in ca.crt -noout -text
|
||||
fi
|
||||
|
||||
# gencert [config_file.json] [cert-name]
|
||||
function gencert {
|
||||
cfssl gencert \
|
||||
--ca ./ca.crt \
|
||||
--ca-key ./ca-key.pem \
|
||||
--config ./gencert.json \
|
||||
$1 | cfssljson --bare ./$2
|
||||
mv $2.pem $2.crt
|
||||
mv $2-key.pem $2.key.insecure
|
||||
}
|
||||
|
||||
# generate DNS: localhost, IP: 127.0.0.1, CN: example.com certificates
|
||||
cfssl gencert \
|
||||
--ca ./ca.crt \
|
||||
--ca-key ./ca-key.pem \
|
||||
--config ./gencert.json \
|
||||
./server-ca-csr.json | cfssljson --bare ./server
|
||||
mv server.pem server.crt
|
||||
mv server-key.pem server.key.insecure
|
||||
gencert ./server-ca-csr.json server
|
||||
|
||||
#generates certificate that does not contain CN, to be used for proxy -> server connections.
|
||||
gencert ./client-ca-csr-nocn.json client-nocn
|
||||
|
||||
# generate DNS: localhost, IP: 127.0.0.1, CN: example.com certificates (ECDSA)
|
||||
cfssl gencert \
|
||||
--ca ./ca.crt \
|
||||
--ca-key ./ca-key.pem \
|
||||
--config ./gencert.json \
|
||||
./server-ca-csr-ecdsa.json | cfssljson --bare ./server-ecdsa
|
||||
mv server-ecdsa.pem server-ecdsa.crt
|
||||
mv server-ecdsa-key.pem server-ecdsa.key.insecure
|
||||
gencert ./server-ca-csr-ecdsa.json server-ecdsa
|
||||
|
||||
# generate IP: 127.0.0.1, CN: example.com certificates
|
||||
cfssl gencert \
|
||||
--ca ./ca.crt \
|
||||
--ca-key ./ca-key.pem \
|
||||
--config ./gencert.json \
|
||||
./server-ca-csr-ip.json | cfssljson --bare ./server-ip
|
||||
mv server-ip.pem server-ip.crt
|
||||
mv server-ip-key.pem server-ip.key.insecure
|
||||
gencert ./server-ca-csr-ip.json server-ip
|
||||
|
||||
# generate IPv6: [::1], CN: example.com certificates
|
||||
cfssl gencert \
|
||||
--ca ./ca.crt \
|
||||
--ca-key ./ca-key.pem \
|
||||
--config ./gencert.json \
|
||||
./server-ca-csr-ipv6.json | cfssljson --bare ./server-ip
|
||||
mv server-ip.pem server-ipv6.crt
|
||||
mv server-ip-key.pem server-ipv6.key.insecure
|
||||
gencert ./server-ca-csr-ipv6.json server-ipv6
|
||||
|
||||
# generate DNS: localhost, IP: 127.0.0.1, CN: example2.com certificates
|
||||
cfssl gencert \
|
||||
--ca ./ca.crt \
|
||||
--ca-key ./ca-key.pem \
|
||||
--config ./gencert.json \
|
||||
./server-ca-csr2.json | cfssljson --bare ./server2
|
||||
mv server2.pem server2.crt
|
||||
mv server2-key.pem server2.key.insecure
|
||||
gencert ./server-ca-csr2.json server2
|
||||
|
||||
# generate DNS: localhost, IP: 127.0.0.1, CN: "" certificates
|
||||
cfssl gencert \
|
||||
--ca ./ca.crt \
|
||||
--ca-key ./ca-key.pem \
|
||||
--config ./gencert.json \
|
||||
./server-ca-csr3.json | cfssljson --bare ./server3
|
||||
mv server3.pem server3.crt
|
||||
mv server3-key.pem server3.key.insecure
|
||||
gencert ./server-ca-csr3.json server3
|
||||
|
||||
# generate wildcard certificates DNS: *.etcd.local
|
||||
gencert ./server-ca-csr-wildcard.json server-wildcard
|
||||
|
||||
# generate revoked certificates and crl
|
||||
cfssl gencert --ca ./ca.crt \
|
||||
@ -80,14 +65,4 @@ mv server-revoked-key.pem server-revoked.key.insecure
|
||||
grep serial revoked.stderr | awk ' { print $9 } ' >revoke.txt
|
||||
cfssl gencrl revoke.txt ca.crt ca-key.pem | base64 --decode >revoke.crl
|
||||
|
||||
# generate wildcard certificates DNS: *.etcd.local
|
||||
cfssl gencert \
|
||||
--ca ./ca.crt \
|
||||
--ca-key ./ca-key.pem \
|
||||
--config ./gencert.json \
|
||||
./server-ca-csr-wildcard.json | cfssljson --bare ./server-wildcard
|
||||
mv server-wildcard.pem server-wildcard.crt
|
||||
mv server-wildcard-key.pem server-wildcard.key.insecure
|
||||
|
||||
|
||||
rm -f *.csr *.pem *.stderr *.txt
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user