
22f2edc027a482b34db056f79f8a89629a3963b6 — Damien Radtke 9 months ago 59ce17b
Use cfssljson and start trying to specify CSR details
3 files changed, 26 insertions(+), 7 deletions(-)

M scripts/issue-cert.sh
M stackscripts/cluster-member.sh
M tools/issue-cert
M scripts/issue-cert.sh => scripts/issue-cert.sh +4 -4
@@ 44,9 44,9 @@ echo "Hostnames: ${HOSTNAMES}"
echo ""

pushd "/etc/ssl/${USER}"
	RESPONSE=$(echo '{}' | cfssl gencert -config /etc/ssl/cfssl.json -hostname "${HOSTNAMES}" -label "${CERTIFICATE_AUTHORITY}" -)
	echo "${RESPONSE}" | jq --raw-output .cert > "${CERT_NAME}.pem"
	echo "${RESPONSE}" | jq --raw-output .key > "${CERT_NAME}-key.pem"
	chmod 0400 "${CERT_NAME}-key.pem"
	echo '{}' \
		| cfssl gencert -config /etc/ssl/cfssl.json -hostname "${HOSTNAMES}" -label "${CERTIFICATE_AUTHORITY}" - \
		| cfssljson -bare "${CERT_NAME}"
	chmod a-w *.pem
	chown "${USER}:${USER}" *.pem
popd
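Review bot: The removed `chmod 0400 "${CERT_NAME}-key.pem"` has no counterpart on the new side: after `cfssljson -bare` writes the key, only `chmod a-w *.pem` runs, which strips write bits but leaves the read bits as created, and it also touches every .pem already present in `/etc/ssl/${USER}` rather than just the new pair. Adding `chmod 0400 "${CERT_NAME}-key.pem"` between the cfssljson line and the `chmod a-w` line keeps the key owner-only before `chown` hands it to `${USER}`. The exit status of the three-stage pipeline is cfssljson's, so a failed `gencert` goes unnoticed unless the script sets `pipefail` earlier, which is outside this hunk; `-bare` also writes `${CERT_NAME}.csr`, which the `*.pem` glob never covers. The same key-mode point applies to the tools/issue-cert hunk below.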

M stackscripts/cluster-member.sh => stackscripts/cluster-member.sh +3 -0
@@ 50,6 50,9 @@ function install_cfssl () {
  echo "[Installing CFSSL]"
  wget --quiet -O /usr/local/bin/cfssl "https://pkg.cfssl.org/R1.2/cfssl_linux-amd64"
  chmod +x /usr/local/bin/cfssl

  wget --quiet -O /usr/local/bin/cfssljson "https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64"
  chmod +x /usr/local/bin/cfssljson
}
# }}}
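Review bot: The new `wget --quiet -O /usr/local/bin/cfssljson` line installs an executable straight from the network with no integrity check, as the existing cfssl line above it already does; since the release is pinned only by its URL, a changed or tampered artifact is accepted silently. Checking a pinned digest before `chmod +x`, e.g. `echo "<PINNED_SHA256>  /usr/local/bin/cfssljson" | sha256sum -c -`, would make the install reproducible and tamper-evident, and the same applies to the cfssl download. `install_cfssl` opens before this hunk, so whether `set -e` or an explicit `|| return 1` guards the wget is not visible here.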


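--- a/tools/issue-cert
+++ b/tools/issue-cert
@@ -15,6 +15,22 @@ fi
 CA="$1"
 NAME="$2"
 
-RESPONSE=$(echo '{}' | sudo `which cfssl` gencert -config /etc/ssl/cfssl.json -ca "/etc/ssl/${CA}/ca.pem" -ca-key "/etc/ssl/${CA}/ca-key.pem" -)
-echo "${RESPONSE}" | jq -r .cert > "${NAME}.pem"; chmod 0444 "${NAME}.pem"
-echo "${RESPONSE}" | jq -r .key > "${NAME}-key.pem"; chmod 0400 "${NAME}-key.pem"
+# TODO: this doesn't seem to work if the CA wasn't already given these names?
+CSRJSON="$(cat <<EOF
+{
+	"key": {"algo": "rsa", "size": 2048},
+	"CN": "damienradtke.com",
+	"names": [{
+		"C": "US",
+		"ST": "IL",
+		"L": "Chicago"
+	}]
+}
+EOF
+)"
+
+echo "${CSRJSON}" \
+	| sudo `which cfssl` gencert -config /etc/ssl/cfssl.json -ca "/etc/ssl/${CA}/ca.pem" -ca-key "/etc/ssl/${CA}/ca-key.pem" - \
+	| cfssljson -bare "${NAME}"
+
+chmod a-w *.pem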
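Review bot: The CSR embeds a fixed `"CN": "damienradtke.com"` and fixed `names`, so every certificate this tool issues carries the same subject regardless of the `${NAME}` taken from argv, and with no `-hostname` flag and no `hosts` field in the CSR the issued certificate presumably has no SANs at all — worth confirming, since the TODO above the heredoc suggests this is still being worked out. Taking the subject from an argument, e.g. `CN="${3:-${NAME}}"` before the heredoc and `"CN": "${CN}",` inside it, would let the tool issue per-host certificates. Separately, `sudo \`which cfssl\`` on the gencert line is the backtick form of command substitution; `sudo "$(command -v cfssl)"` is the equivalent modern idiom and nests and quotes cleanly.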