#!/usr/bin/env bash
#
# Examples:
# 
# Create a Consul CA-backed cert for the Consul service:
#
#   $ issue-cert.sh --user consul --ca consul --name consul
#
# Create a Consul CA-backed cert for the CLI:
#
#   $ issue-cert.sh --user consul --ca consul --name cli
#
# Create a Nomad CA-backed cert for the Nomad service, with additional hostnames:
#
#   $ issue-cert.sh --user nomad --ca nomad --name nomad --hostnames nomad.service.consul,server.global.nomad
#
# Create a Consul CA-backed cert for the Nomad service:
#
#   $ issue-cert.sh --user nomad --ca consul --name consul
#

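set -o errexit
set -o nounset
set -o pipefail

# Every option-driven value starts out defined so that nounset is safe.
# The target user is deliberately NOT kept in USER: that variable is already
# set by the login shell, so a missing --user would pass the required-option
# check below and the certificate would land in /etc/ssl/<login user>.
CERT_USER=""
CERTIFICATE_AUTHORITY=""
CERT_NAME=""
HOSTNAMES="localhost"

# Print the usage line to stderr and exit 2.
usage() {
	echo "usage: $0 --user <user> --ca <ca> --name <cert_name> [--hostnames <h1,h2,...>]" >&2
	exit 2
}

# Every recognised option takes exactly one value; fail with usage instead of
# letting "shift 2" error out on a trailing option with no operand.
# Arguments: the remaining positional parameters ("$@").
require_value() {
	if (( $# < 2 )) || [[ -z "$2" ]]; then
		echo "option $1 requires a value" >&2
		usage
	fi
}

while (( "$#" )); do
	case "$1" in
		-u|--user) require_value "$@"; CERT_USER="$2"; shift 2;;
		-c|--ca) require_value "$@"; CERTIFICATE_AUTHORITY="$2"; shift 2;;
		-n|--name) require_value "$@"; CERT_NAME="$2"; shift 2;;
		# Extra SANs are appended after the default "localhost" entry.
		-h|--hostnames) require_value "$@"; HOSTNAMES="${HOSTNAMES},$2"; shift 2;;
		*) echo "unsupported argument: $1" >&2; exit 1;;
	esac
done

if [[ -z "${CERT_USER}" || -z "${CERTIFICATE_AUTHORITY}" || -z "${CERT_NAME}" ]]; then
	usage
fi

echo "Issuing new certificate for CA: ${CERTIFICATE_AUTHORITY}"
echo "Hostnames: ${HOSTNAMES}"
echo ""

COMMON_NAME="damienradtke.com"
COUNTRY="US"
STATE="Illinois"
CITY="Chicago"

# Build the CSR request from cfssl's defaults. In the X.509 subject, L is the
# locality (city) and ST the state/province. "hosts" is cleared here because
# the SAN list is handed to gencert through -hostname below.
CSR="$(cfssl print-defaults csr \
	| jq --arg common_name "${COMMON_NAME}" --arg country "${COUNTRY}" --arg state "${STATE}" --arg city "${CITY}" \
	'.CN = $common_name | .hosts = [] | .names[0].C = $country | .names[0].L = $city | .names[0].ST = $state')"

pushd "/etc/ssl/${CERT_USER}" >/dev/null
	printf '%s\n' "${CSR}" \
		| cfssl gencert -config /etc/ssl/cfssl.json -hostname "${HOSTNAMES}" -label "${CERTIFICATE_AUTHORITY}" - \
		| cfssljson -bare "${CERT_NAME}"
	# Issued material is read-only and owned by the service account; the
	# private key is additionally restricted to its owner regardless of the
	# mode cfssljson created it with.
	chmod a-w -- *.pem
	chmod u=r,go= -- "${CERT_NAME}-key.pem"
	chown "${CERT_USER}:${CERT_USER}" -- *.pem
popd >/dev/null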