Add tools/make_cert.sh

This allows use of either the DevStack CA or creating another CA independent of stack.sh. Change-Id: I055679b5fd06e830c8e6d7d7331c52dd8782d0b6
2013-01-09 19:08:02 -06:00
parent db89a8189e
commit ca80217123
3 changed files with 61 additions and 1 deletions
--- a/lib/tls
+++ b/lib/tls
@@ -189,7 +189,7 @@ subjectAltName          = \$ENV::SUBJECT_ALT_NAME
 " >$ca_dir/signing.conf
 }

-# Create root and intermediate CAs and an initial server cert
+# Create root and intermediate CAs
 # init_CA
 function init_CA {
    # Ensure CAs are built
@@ -198,7 +198,11 @@ function init_CA {

    # Create the CA bundle
    cat $ROOT_CA_DIR/cacert.pem $INT_CA_DIR/cacert.pem >>$INT_CA_DIR/ca-chain.pem
+}

+# Create an initial server cert
+# init_cert
+function init_cert {
    if [[ ! -r $DEVSTACK_CERT ]]; then
        if [[ -n "$TLS_IP" ]]; then
            # Lie to let incomplete match routines work
--- a/stack.sh
+++ b/stack.sh
@@ -838,6 +838,7 @@ fi
 if is_service_enabled tls-proxy; then
    configure_CA
    init_CA
+    init_cert
    # Add name to /etc/hosts
    # don't be naive and add to existing line!
 fi
--- a/tools/make_cert.sh
+++ b/tools/make_cert.sh
@@ -0,0 +1,55 @@
+#!/bin/bash
+
+# **make_cert.sh**
+
+# Create a CA hierarchy (if necessary) and server certificate
+#
+# This mimics the CA structure that DevStack sets up when ``tls_proxy`` is enabled
+# but in the curent directory unless ``DATA_DIR`` is set
+
+ENABLE_TLS=True
+DATA_DIR=${DATA_DIR:-`pwd`/ca-data}
+
+ROOT_CA_DIR=$DATA_DIR/root
+INT_CA_DIR=$DATA_DIR/int
+
+# Import common functions
+source $TOP_DIR/functions
+
+# Import TLS functions
+source lib/tls
+
+function usage {
+    echo "$0 - Create CA and/or certs"
+    echo ""
+    echo "Usage: $0 commonName [orgUnit]"
+    exit 1
+}
+
+CN=$1
+if [ -z "$CN" ]]; then
+    usage
+fi
+ORG_UNIT_NAME=${2:-$ORG_UNIT_NAME}
+
+# Useful on OS/X
+if [[ `uname -s` == 'Darwin' && -d /usr/local/Cellar/openssl ]]; then
+    # set up for brew-installed modern OpenSSL
+    OPENSSL_CONF=/usr/local/etc/openssl/openssl.cnf
+    OPENSSL=/usr/local/Cellar/openssl/*/bin/openssl
+fi
+
+DEVSTACK_CERT_NAME=$CN
+DEVSTACK_HOSTNAME=$CN
+DEVSTACK_CERT=$DATA_DIR/$DEVSTACK_CERT_NAME.pem
+
+# Make sure the CA is set up
+configure_CA
+init_CA
+
+# Create the server cert
+make_cert $INT_CA_DIR $DEVSTACK_CERT_NAME $DEVSTACK_HOSTNAME
+
+# Create a cert bundle
+cat $INT_CA_DIR/private/$DEVSTACK_CERT_NAME.key $INT_CA_DIR/$DEVSTACK_CERT_NAME.crt $INT_CA_DIR/cacert.pem >$DEVSTACK_CERT
+