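#!/usr/bin/env bash
# init-ssl: generate a private key and a CA-signed certificate for the given
# CN (plus optional SANs) inside an existing output directory.
# Usage: init-ssl <output-dir> <cert-base-name> <CN> [SAN,SAN,SAN]
set -e

# Location of the openssl binary. It is pinned to an absolute path because
# running this script under Vagrant fails on some systems when openssl is
# resolved through PATH. The OPENSSL environment variable may override it
# (e.g. a host whose OpenSSL lives elsewhere); the default is unchanged.
OPENSSL="${OPENSSL:-/usr/bin/openssl}"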
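# Print the command-line synopsis.
# Written to stderr, where diagnostics belong, so it is kept apart from the
# script's normal stdout output. Does not exit; the caller decides the status.
usage() {
  echo "USAGE: $0 <output-dir> <cert-base-name> <CN> [SAN,SAN,SAN]" >&2
  echo " example: $0 ./ssl/ worker kube-worker IP.1=127.0.0.1,IP.2=10.0.0.1" >&2
}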
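# The first three positional arguments are mandatory; the SAN list is optional.
if [ -z "$1" ] || [ -z "$2" ] || [ -z "$3" ]; then
  usage
  exit 1
fi

OUTDIR="$1"      # directory that receives every artifact (must already exist)
CERTBASE="$2"    # base name of the key / csr / cert files written below
CN="$3"          # certificate subject CN; also names the output tarball
SANS="${4:-}"    # optional comma-separated SAN entries, e.g. IP.1=10.0.0.1,DNS.5=foo

# Quoted so a directory path containing spaces or glob characters is tested
# as one literal path rather than being word-split or expanded.
if [ ! -d "$OUTDIR" ]; then
  echo "ERROR: output directory does not exist: $OUTDIR" >&2
  exit 1
fi

OUTFILE="$OUTDIR/$CN.tar"

# Idempotency guard: an existing bundle means "already generated".
# NOTE(review): the check looks only at the tarball's existence, so a bundle
# whose certificate has since expired is never regenerated; remove the
# tarball to force a rerun.
if [ -f "$OUTFILE" ]; then
  exit 0
fi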
# OpenSSL request/extension config used both for the CSR and for the signing
# step. Assembled line by line: the leading empty entry makes the template
# start with a newline, and every entry ends with one, so caller-supplied SAN
# lines can be appended directly after DNS.4. The request is marked CA:FALSE
# and the in-cluster Kubernetes service names are always present as SANs;
# any extra SANs are appended later from the command line.
printf -v CNF_TEMPLATE '%s\n' \
  '' \
  '[req]' \
  'req_extensions = v3_req' \
  'distinguished_name = req_distinguished_name' \
  '[req_distinguished_name]' \
  '[ v3_req ]' \
  'basicConstraints = CA:FALSE' \
  'keyUsage = nonRepudiation, digitalSignature, keyEncipherment' \
  'subjectAltName = @alt_names' \
  '[alt_names]' \
  'DNS.1 = kubernetes' \
  'DNS.2 = kubernetes.default' \
  'DNS.3 = kubernetes.default.svc' \
  'DNS.4 = kubernetes.default.svc.cluster.local'
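echo "Generating SSL artifacts in $OUTDIR"

CONFIGFILE="$OUTDIR/$CERTBASE-req.cnf"   # rendered openssl config (template + SANs)
CAFILE="$OUTDIR/ca.pem"                  # issuing CA certificate; must already exist
CAKEYFILE="$OUTDIR/ca-key.pem"           # issuing CA private key; must already exist
KEYFILE="$OUTDIR/$CERTBASE-key.pem"      # generated private key
CSRFILE="$OUTDIR/$CERTBASE.csr"          # generated certificate request
PEMFILE="$OUTDIR/$CERTBASE.pem"          # signed certificate

CONTENTS="${CAFILE} ${KEYFILE} ${PEMFILE}"

# Fail before creating anything if the CA material is missing, rather than
# leaving a freshly generated key and CSR behind when the signing step fails.
if [ ! -f "$CAFILE" ] || [ ! -f "$CAKEYFILE" ]; then
  echo "ERROR: CA certificate or key not found: $CAFILE / $CAKEYFILE" >&2
  exit 1
fi

# Append the caller's SANs, one per line, after the [alt_names] entries.
# The list is expanded quoted: an unquoted $SANS would be glob-expanded by
# the shell, so a wildcard entry such as DNS.5=*.example.com could be
# replaced by matching file names from the current directory.
nl=$'\n'
printf '%s%s\n' "$CNF_TEMPLATE" "${SANS//,/$nl}" > "$CONFIGFILE"

# Create the private key under umask 077 so the file is 0600 from the start,
# independent of how the installed OpenSSL version handles key-file modes.
( umask 077; "$OPENSSL" genrsa -out "$KEYFILE" 2048 )

# NOTE(review): a CN containing '/' would be read as an extra DN component.
"$OPENSSL" req -new -key "$KEYFILE" -out "$CSRFILE" -subj "/CN=$CN" -config "$CONFIGFILE"

# Sign with the CA for 365 days, carrying the v3_req extensions (CA:FALSE,
# keyUsage, SANs) from the request config into the issued certificate.
# The digest is pinned to SHA-256 so the signature does not depend on the
# OpenSSL build's default (older defaults were SHA-1, which modern clients
# reject). -CAcreateserial creates the serial file alongside the CA cert if
# it is missing.
"$OPENSSL" x509 -req -sha256 -in "$CSRFILE" -CA "$CAFILE" -CAkey "$CAKEYFILE" -CAcreateserial \
  -out "$PEMFILE" -days 365 -extensions v3_req -extfile "$CONFIGFILE"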