From b98fefea48298c0f95201cb253e9f57b93eee89a Mon Sep 17 00:00:00 2001
From: Torsten Egenolf
Date: Thu, 16 May 2024 17:52:48 +0200
Subject: [PATCH] feat(os): certificate generation for windows (#17)

* feat(os): add certgen script for windows
* Create gen_all_certs_win.ps1 (#16)
Updated code of gen_all_certs.ps1 to run it on Windows machine
Co-authored-by: shreybansod <168091682+shreybansod@users.noreply.github.com>
* Delete scripts/certgen/gen_all_certs.ps1
* Rename gen_all_certs_win.ps1 to gen_all_certs.ps1
---------
Co-authored-by: Torsten Egenolf
Co-authored-by: shreybansod <168091682+shreybansod@users.noreply.github.com>
---
 README.md | 2 +-
 scripts/certgen/README.md | 2 ++
 scripts/certgen/gen_all_certs.ps1 | 27 +++++++++++++++++++++++++++
 3 files changed, 30 insertions(+), 1 deletion(-)
 create mode 100644 scripts/certgen/gen_all_certs.ps1

diff --git a/README.md b/README.md
index 0943da6..9ab970b 100644
--- a/README.md
+++ b/README.md
@@ -15,7 +15,7 @@ Collect this information and transfer it for each environment:
 - [tng-bot-dev](https://github.com/tng-bot-dev) for development (DEV) and user acceptance testing (UAT) environments.
 - Create GPG Keys for responsible persons for each environment (see below)
 3) Fill in content for your country:
- - for DEV and UAT environments you may use the conf files and the [certgen bash script](scripts/certgen/gen_all_certs.sh) as a guideline
+ - for DEV and UAT environments you may use the conf files and the [certgen bash script](scripts/certgen/gen_all_certs.sh) as a guideline (see [README](scripts/certgen/README.md))
 4) Send an onboarding/participation request to tng-support@who.int
diff --git a/scripts/certgen/README.md b/scripts/certgen/README.md
index 26d5d2a..ebdce7b 100644
--- a/scripts/certgen/README.md
+++ b/scripts/certgen/README.md
@@ -21,6 +21,8 @@ cd scripts/certgen
 ./gen_all_certs.sh
 ```
+Windows plattform you may use gen_all_certs.ps1 instead. Please note that you need to have OpenSSL installed and added to your PATH environment variable.
+
 Note: keep your private keys safe and secure. Do not share them with anyone.
 Copy the generated certificates to the respective folders and change the file names to match the naming convention.
diff --git a/scripts/certgen/gen_all_certs.ps1 b/scripts/certgen/gen_all_certs.ps1
new file mode 100644
index 0000000..4b5b7fb
--- /dev/null
+++ b/scripts/certgen/gen_all_certs.ps1
@@ -0,0 +1,27 @@
+# valid for 4 years
+$DAYS_CA=1461
+# valid for 1 year
+$DAYS_TLS=365
+# valid for 1 year
+$DAYS_UPLOAD=365
+
+# configure the DN
+$env:OSSL_COUNTRY_NAME="XA"
+$env:OSSL_STATE_NAME="Test State"
+$env:OSSL_LOCALITY_NAME="Geneva"
+$env:OSSL_ORGANIZATION_NAME="WHO"
+$env:OSSL_ORGANIZATIONAL_UNIT_NAME="R&D"
+# $env:OSSL_COMMON_NAME="WHO International" # default entry of the corresponding config file will be used
+
+# generate a new directory for each run
+$subdir = Get-Date -Format "yyyyMMddHHmmss"
+New-Item -ItemType Directory -Force -Path $subdir
+
+# generate the certificates and keys for the SCA, TLS, and upload
+openssl ecparam -name prime256v1 -out ecparam.pem
+openssl req -x509 -new -days $DAYS_CA -newkey ec:ecparam.pem -extensions ext -keyout $subdir/SCA.key -nodes -out $subdir/SCA.pem -config sca.conf
+openssl req -x509 -new -days $DAYS_TLS -newkey ec:ecparam.pem -extensions ext -keyout $subdir/TLS.key -nodes -out $subdir/TLS.pem -config TLSClient.conf
+openssl req -x509 -new -days $DAYS_UPLOAD -newkey ec:ecparam.pem -extensions ext -keyout $subdir/UP.key -nodes -out $subdir/UP.pem -config uploadCert.conf
+rm ecparam.pem
+# special case to only place CA.pem file for self-signed TLS cert as a copy
+Copy-Item -Path $subdir/TLS.pem -Destination $subdir/CA.pem
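Review bot: None of the four `openssl` calls in the new gen_all_certs.ps1 is checked for failure, so a missing config file or an OpenSSL binary that is not on PATH lets the script run on to `rm ecparam.pem` and `Copy-Item`, which then copies whatever TLS.pem happens to exist (possibly from nothing) without any sign that the key set is incomplete; PowerShell does not stop on a native command's non-zero exit, so each call needs a `$LASTEXITCODE` check (wrapper below), and a `Get-Command openssl` up front turns the README's PATH prerequisite into a clear error instead of a cascade of silent failures. `-nodes` writes all three private keys unencrypted into `$subdir`, which on Windows inherits the working directory's ACL rather than honouring a umask, so a comment above the `openssl req` lines such as `# -nodes: private keys are written unencrypted; restrict access to $subdir before sharing the machine` would make the README's warning visible at the point it applies. As a matter of style, `rm ecparam.pem` relies on an alias and `New-Item` echoes the created directory object to the output; `Remove-Item ecparam.pem` and `New-Item ... | Out-Null` read more cleanly in a script.
```powershell
$ErrorActionPreference = 'Stop'
# fail early if OpenSSL is not on PATH (the README lists it as a prerequisite)
$null = Get-Command openssl -ErrorAction Stop

function Invoke-OpenSsl {
    # run openssl and abort the whole script if it reports failure
    & openssl @args
    if ($LASTEXITCODE -ne 0) { throw "openssl $($args[0]) failed with exit code $LASTEXITCODE" }
}
# … unchanged: validity constants, DN environment variables, output directory …
Invoke-OpenSsl ecparam -name prime256v1 -out ecparam.pem
Invoke-OpenSsl req -x509 -new -days $DAYS_CA -newkey ec:ecparam.pem -extensions ext -keyout $subdir/SCA.key -nodes -out $subdir/SCA.pem -config sca.conf
# … unchanged: TLS and upload requests (same wrapper), ecparam.pem cleanup, CA.pem copy …
```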