Add tools/make_cert.sh
This allows using either the DevStack CA or creating another CA independently of stack.sh. Change-Id: I055679b5fd06e830c8e6d7d7331c52dd8782d0b6
parent
db89a8189e
commit
ca80217123
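--- a/lib/tls
+++ b/lib/tls
@@ -189,7 +189,7 @@ subjectAltName = \$ENV::SUBJECT_ALT_NAME
 " >$ca_dir/signing.conf
 }
 
-# Create root and intermediate CAs and an initial server cert
+# Create root and intermediate CAs
 # init_CA
 function init_CA {
 # Ensure CAs are built
@@ -198,7 +198,11 @@ function init_CA {
 
 # Create the CA bundle
 cat $ROOT_CA_DIR/cacert.pem $INT_CA_DIR/cacert.pem >>$INT_CA_DIR/ca-chain.pem
+}
 
+# Create an initial server cert
+# init_cert
+function init_cert {
 if [[ ! -r $DEVSTACK_CERT ]]; then
 if [[ -n "$TLS_IP" ]]; then
 # Lie to let incomplete match routines work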
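Review bot: The closing `}` added after the ca-chain.pem line makes `init_CA` end on `cat ... >>$INT_CA_DIR/ca-chain.pem`, which appends rather than overwrites; unless that cat is guarded by the same exists-check as the CA creation above it (lines 193–197 are outside the hunk), every call re-appends both certificates and the chain accumulates duplicates, and the new `tools/make_cert.sh` in this commit calls `init_CA` on every invocation. Writing the bundle with `cat $ROOT_CA_DIR/cacert.pem $INT_CA_DIR/cacert.pem >$INT_CA_DIR/ca-chain.pem` keeps `init_CA` idempotent. The new `init_cert` is introduced only by the one-word `# init_cert` marker; a header such as `# Create the initial server cert under the intermediate CA unless $DEVSTACK_CERT already exists; TLS_IP, when set, is added to the cert` would tell callers which globals it reads. `init_cert`'s body continues past the end of the hunk.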
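--- a/stack.sh
+++ b/stack.sh
@@ -838,6 +838,7 @@ fi
 if is_service_enabled tls-proxy; then
 configure_CA
 init_CA
+init_cert
 # Add name to /etc/hosts
 # don't be naive and add to existing line!
 fi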
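--- /dev/null
+++ b/tools/make_cert.sh
@@ -0,0 +1,55 @@
+#!/bin/bash
+
+# **make_cert.sh**
+
+# Create a CA hierarchy (if necessary) and server certificate
+#
+# This mimics the CA structure that DevStack sets up when ``tls_proxy`` is enabled
+# but in the curent directory unless ``DATA_DIR`` is set
+
+ENABLE_TLS=True
+DATA_DIR=${DATA_DIR:-`pwd`/ca-data}
+
+ROOT_CA_DIR=$DATA_DIR/root
+INT_CA_DIR=$DATA_DIR/int
+
+# Import common functions
+source $TOP_DIR/functions
+
+# Import TLS functions
+source lib/tls
+
+function usage {
+echo "$0 - Create CA and/or certs"
+echo ""
+echo "Usage: $0 commonName [orgUnit]"
+exit 1
+}
+
+CN=$1
+if [ -z "$CN" ]]; then
+usage
+fi
+ORG_UNIT_NAME=${2:-$ORG_UNIT_NAME}
+
+# Useful on OS/X
+if [[ `uname -s` == 'Darwin' && -d /usr/local/Cellar/openssl ]]; then
+# set up for brew-installed modern OpenSSL
+OPENSSL_CONF=/usr/local/etc/openssl/openssl.cnf
+OPENSSL=/usr/local/Cellar/openssl/*/bin/openssl
+fi
+
+DEVSTACK_CERT_NAME=$CN
+DEVSTACK_HOSTNAME=$CN
+DEVSTACK_CERT=$DATA_DIR/$DEVSTACK_CERT_NAME.pem
+
+# Make sure the CA is set up
+configure_CA
+init_CA
+
+# Create the server cert
+make_cert $INT_CA_DIR $DEVSTACK_CERT_NAME $DEVSTACK_HOSTNAME
+
+# Create a cert bundle
+cat $INT_CA_DIR/private/$DEVSTACK_CERT_NAME.key $INT_CA_DIR/$DEVSTACK_CERT_NAME.crt $INT_CA_DIR/cacert.pem >$DEVSTACK_CERT
+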
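Review bot: The argument check `if [ -z "$CN" ]]; then` mixes `[` with `]]`, so `[` reports a missing `]` and returns non-zero, `usage` is never reached, and a run with no commonName continues with an empty CN and writes `$DATA_DIR/.pem`; it should read `if [[ -z "$CN" ]]; then`. `source $TOP_DIR/functions` uses `TOP_DIR` without setting it anywhere in this script, while `source lib/tls` is relative to the working directory, so the script appears to work only when run from the DevStack tree with `TOP_DIR` exported; deriving it from `$0` and sourcing `$TOP_DIR/lib/tls` removes that dependency. The final `cat` writes the server's private key into `$DEVSTACK_CERT`, by default under `$(pwd)/ca-data`, with whatever umask the caller has, so the bundle is typically world-readable; a `umask 077` before the bundle is written (or `install -m 0600`) keeps the key owner-only. The comment typo `curent` should be `current`.
```shell
# … unchanged: header comment, ENABLE_TLS, DATA_DIR, ROOT_CA_DIR, INT_CA_DIR …

# Locate the DevStack tree from this script's path rather than the cwd
TOP_DIR=$(cd "$(dirname "$0")/.." && pwd)

# Import common functions
source $TOP_DIR/functions

# Import TLS functions
source $TOP_DIR/lib/tls

# … unchanged: usage() …

CN=$1
if [[ -z "$CN" ]]; then
    usage
fi

# … unchanged: ORG_UNIT_NAME, OS X OpenSSL setup, DEVSTACK_* vars, configure_CA/init_CA, make_cert …

# Create a cert bundle; it contains the private key, so keep it owner-only
umask 077
cat $INT_CA_DIR/private/$DEVSTACK_CERT_NAME.key $INT_CA_DIR/$DEVSTACK_CERT_NAME.crt $INT_CA_DIR/cacert.pem >$DEVSTACK_CERT
```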