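#!/bin/bash
# Generate the test CA, the encrypted server key and the CA-signed server
# certificate used by the e2e tests, under <repo>/build/e2e-certs, then run
# sanity checks on the result.
#
# Outputs (all in build/e2e-certs):
#   e2e-test-ca.key / e2e-test-ca.crt    test CA key and self-signed certificate
#   passphrase                           passphrase protecting fleet-server.key
#   fleet-server-key                     intermediate encrypted key from genpkey
#   fleet-server.key                     encrypted server key (-traditional on OpenSSL 3+)
#   fleet-server.csr / fleet-server.crt  server CSR and CA-signed certificate
#
# Requires: openssl, go (for dev-tools/e2e/validatecerts.go).
set -euo pipefail

openssl version -a

SCRIPT_PATH=$(readlink -f "$0")
REPO_ROOT=$(cd "$(dirname "${SCRIPT_PATH}")/../.." && pwd)
readonly REPO_ROOT
readonly CERT_DIR="${REPO_ROOT}/build/e2e-certs"
# Fixed test-only passphrase; it is also written to ${CERT_DIR}/passphrase so
# the consumers of these fixtures can unlock fleet-server.key.
readonly PASSPHRASE=abcd1234
# Subject alternative names shared by the CSR and the signed certificate.
readonly SAN="subjectAltName=IP:127.0.0.1,DNS:localhost,DNS:fleet-server"
# NOTE(review): 356 is kept from the original script; 365 may have been intended.
readonly VALIDITY_DAYS=356

mkdir -p "${CERT_DIR}"

# Create CA: unencrypted key (-nodes) and self-signed certificate.
openssl req -x509 \
  -sha256 -days "${VALIDITY_DAYS}" \
  -nodes \
  -newkey rsa:2048 \
  -subj "/CN=e2e-test-ca" \
  -keyout "${CERT_DIR}/e2e-test-ca.key" -out "${CERT_DIR}/e2e-test-ca.crt" \
  2>/dev/null

# Make encrypted private key. printf instead of echo -n: portable, and the
# file holds exactly the passphrase with no trailing newline.
printf '%s' "${PASSPHRASE}" > "${CERT_DIR}/passphrase"
openssl genpkey -algorithm RSA \
  -aes-128-cbc \
  -pkeyopt rsa_keygen_bits:2048 \
  -pass "file:${CERT_DIR}/passphrase" \
  -out "${CERT_DIR}/fleet-server-key" \
  2>/dev/null

# "OpenSSL 3.0.2 15 Mar 2022" -> toolkit=OpenSSL, major=3.
# LibreSSL reports its own toolkit name and is deliberately excluded below.
read -r OPENSSL_TOOLKIT OPENSSL_VERSION _ <<<"$(openssl version)"
OPENSSL_MAJOR=${OPENSSL_VERSION%%.*}

# Ensure PKCS#1 format is used (https://github.com/elastic/elastic-agent-libs/issues/134):
# OpenSSL 3+ needs -traditional to emit PKCS#1 instead of PKCS#8.
rsa_args=(-aes-128-cbc)
if [[ "${OPENSSL_TOOLKIT}" == "OpenSSL" && "${OPENSSL_MAJOR}" -ge 3 ]]; then
  rsa_args+=(-traditional)
fi
# The input passphrase is passed through the environment rather than as
# "pass:..." on the command line, so it does not show up in process listings.
# It cannot reuse the passphrase file: when -passin and -passout name the same
# file, openssl takes the first line for -passin and the next line for
# -passout, and our file has only one line.
OPENSSL_PASSIN="${PASSPHRASE}" openssl rsa "${rsa_args[@]}" \
  -in "${CERT_DIR}/fleet-server-key" \
  -out "${CERT_DIR}/fleet-server.key" \
  -passin env:OPENSSL_PASSIN \
  -passout "file:${CERT_DIR}/passphrase" \
  2>/dev/null

# Make CSR
openssl req -new \
  -key "${CERT_DIR}/fleet-server.key" \
  -passin "file:${CERT_DIR}/passphrase" \
  -subj "/CN=localhost" \
  -addext "${SAN}" \
  -out "${CERT_DIR}/fleet-server.csr" \
  2>/dev/null

# Sign CSR with CA. The SAN is repeated via -extfile because x509 -req does
# not copy extensions from the CSR by default.
openssl x509 -req \
  -in "${CERT_DIR}/fleet-server.csr" \
  -days "${VALIDITY_DAYS}" \
  -extfile <(printf '%s\n' "${SAN}") \
  -CA "${CERT_DIR}/e2e-test-ca.crt" \
  -CAkey "${CERT_DIR}/e2e-test-ca.key" \
  -CAcreateserial \
  -out "${CERT_DIR}/fleet-server.crt" \
  2>/dev/null

# Sanity checks: the certificate chains to the CA, the key is consistent and
# unlocks with the passphrase file, and the repo's own validator accepts the set.
openssl verify -verbose \
  -CAfile "${CERT_DIR}/e2e-test-ca.crt" \
  "${CERT_DIR}/fleet-server.crt"
openssl rsa -check -noout \
  -in "${CERT_DIR}/fleet-server.key" \
  -passin "file:${CERT_DIR}/passphrase"
go run ./dev-tools/e2e/validatecerts.go "${CERT_DIR}"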