diff --git a/integration/fixtures/client-ca-csr-nocn.json b/integration/fixtures/client-ca-csr-nocn.json new file mode 100644 index 000000000..344255139 --- /dev/null +++ b/integration/fixtures/client-ca-csr-nocn.json @@ -0,0 +1,20 @@ +{ + "key": { + "algo": "rsa", + "size": 2048 + }, + "names": [ + { + "O": "etcd", + "OU": "etcd Security", + "L": "San Francisco", + "ST": "California", + "C": "USA" + } + ], + "CN": "", + "hosts": [ + "127.0.0.1", + "localhost" + ] +} diff --git a/integration/fixtures/gencerts.sh b/integration/fixtures/gencerts.sh index 76e853e77..a800b8058 100755 --- a/integration/fixtures/gencerts.sh +++ b/integration/fixtures/gencerts.sh @@ -1,5 +1,7 @@ #!/bin/bash +set -e + if ! [[ "$0" =~ "./gencerts.sh" ]]; then echo "must be run from 'fixtures'" exit 255 
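Review bot: The new fixture sets `"C": "USA"`, but the X.509 countryName attribute is defined in RFC 5280 as a two-character PrintableString, so the conforming value is `"C": "US"`. cfssl and Go's x509 encoder will most likely emit the three-letter value without complaint, and only strict certificate linters would object, so this is fixture hygiene rather than a test failure. The sibling CSR fixtures are not in this diff; if they use the same value, keep this one consistent with them and correct them together.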
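Review bot: `set -e` on its own does not fail the script when the left-hand side of a pipeline fails, and every signing step in this file is a pipeline (`cfssl gencert ... | cfssljson --bare ...`), so a cfssl error still leaves that line with cfssljson's exit status and execution continues with whatever partial output was written; the later `mv` of a missing `.pem` may then be what aborts, with a misleading message. Use `set -eo pipefail` (adding `-u` as well is reasonable, since the only expansions are fixed positionals) so the failing stage is what stops the run. The rest of the script, including those pipelines, lies outside this hunk.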
@@ -7,68 +9,51 @@ fi if ! which cfssl; then echo "cfssl is not installed" + echo "use: go install -mod mod github.com/cloudflare/cfssl/cmd/cfssl github.com/cloudflare/cfssl/cmd/cfssljson" exit 255 fi cfssl gencert --initca=true ./ca-csr.json | cfssljson --bare ./ca mv ca.pem ca.crt + if which openssl >/dev/null; then openssl x509 -in ca.crt -noout -text fi +# gencert [config_file.json] [cert-name] +function gencert { + cfssl gencert \ + --ca ./ca.crt \ + --ca-key ./ca-key.pem \ + --config ./gencert.json \ + $1 | cfssljson --bare ./$2 + mv $2.pem $2.crt + mv $2-key.pem $2.key.insecure +} + # generate DNS: localhost, IP: 127.0.0.1, CN: example.com certificates -cfssl gencert \ - --ca ./ca.crt \ - --ca-key ./ca-key.pem \ - --config ./gencert.json \ - ./server-ca-csr.json | cfssljson --bare ./server -mv server.pem server.crt -mv server-key.pem server.key.insecure +gencert ./server-ca-csr.json server + +#generates certificate that does not contain CN, to be used for proxy -> server connections. 
+gencert ./client-ca-csr-nocn.json client-nocn # generate DNS: localhost, IP: 127.0.0.1, CN: example.com certificates (ECDSA) -cfssl gencert \ - --ca ./ca.crt \ - --ca-key ./ca-key.pem \ - --config ./gencert.json \ - ./server-ca-csr-ecdsa.json | cfssljson --bare ./server-ecdsa -mv server-ecdsa.pem server-ecdsa.crt -mv server-ecdsa-key.pem server-ecdsa.key.insecure +gencert ./server-ca-csr-ecdsa.json server-ecdsa # generate IP: 127.0.0.1, CN: example.com certificates -cfssl gencert \ - --ca ./ca.crt \ - --ca-key ./ca-key.pem \ - --config ./gencert.json \ - ./server-ca-csr-ip.json | cfssljson --bare ./server-ip -mv server-ip.pem server-ip.crt -mv server-ip-key.pem server-ip.key.insecure +gencert ./server-ca-csr-ip.json server-ip # generate IPv6: [::1], CN: example.com certificates -cfssl gencert \ - --ca ./ca.crt \ - --ca-key ./ca-key.pem \ - --config ./gencert.json \ - ./server-ca-csr-ipv6.json | cfssljson --bare ./server-ip -mv server-ip.pem server-ipv6.crt -mv server-ip-key.pem server-ipv6.key.insecure +gencert ./server-ca-csr-ipv6.json server-ipv6 # generate DNS: localhost, IP: 127.0.0.1, CN: example2.com certificates -cfssl gencert \ - --ca ./ca.crt \ - --ca-key ./ca-key.pem \ - --config ./gencert.json \ - ./server-ca-csr2.json | cfssljson --bare ./server2 -mv server2.pem server2.crt -mv server2-key.pem server2.key.insecure +gencert ./server-ca-csr2.json server2 # generate DNS: localhost, IP: 127.0.0.1, CN: "" certificates -cfssl gencert \ - --ca ./ca.crt \ - --ca-key ./ca-key.pem \ - --config ./gencert.json \ - ./server-ca-csr3.json | cfssljson --bare ./server3 -mv server3.pem server3.crt -mv server3-key.pem server3.key.insecure +gencert ./server-ca-csr3.json server3 + +# generate wildcard certificates DNS: *.etcd.local +gencert ./server-ca-csr-wildcard.json server-wildcard # generate revoked certificates and crl cfssl gencert --ca ./ca.crt \ 
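Review bot: The new `gencert` function expands `$1` and `$2` unquoted (`$1 | cfssljson --bare ./$2`, `mv $2.pem $2.crt`, `mv $2-key.pem $2.key.insecure`), so a name containing whitespace or a glob character would be split or expanded; the call sites pass fixed literals, so this is a robustness and style point rather than a live bug. Quoting the expansions, binding them to `local` names, and using the `gencert() {` form instead of the `function` keyword keeps the helper ShellCheck-clean and makes the two positional parameters self-describing. The comment `#generates certificate that does not contain CN` also lacks the space after `#` that the neighbouring comments use. The revoked-certificate block that begins at the end of this hunk continues outside it.
```shell
# gencert <csr-config.json> <cert-name>
# Signs the CSR described by the config with ./ca.crt and writes
# <cert-name>.crt and <cert-name>.key.insecure in the current directory.
gencert() {
  local csr=$1 name=$2
  cfssl gencert \
    --ca ./ca.crt \
    --ca-key ./ca-key.pem \
    --config ./gencert.json \
    "$csr" | cfssljson --bare "./$name"
  mv -- "$name.pem" "$name.crt"
  mv -- "$name-key.pem" "$name.key.insecure"
}
# … unchanged: gencert call sites …
```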
@@ -80,14 +65,4 @@ mv server-revoked-key.pem server-revoked.key.insecure grep serial revoked.stderr | awk ' { print $9 } ' >revoke.txt cfssl gencrl revoke.txt ca.crt ca-key.pem | base64 --decode >revoke.crl -# generate wildcard certificates DNS: *.etcd.local -cfssl gencert \ - --ca ./ca.crt \ - --ca-key ./ca-key.pem \ - --config ./gencert.json \ - ./server-ca-csr-wildcard.json | cfssljson --bare ./server-wildcard -mv server-wildcard.pem server-wildcard.crt -mv server-wildcard-key.pem server-wildcard.key.insecure - - rm -f *.csr *.pem *.stderr *.txt