Use dual intermediate CAs for devstack

This patch updates the devstack plugin to use a dual Certificate
Authority (CA) with intermediate CAs for the Octavia controller
deployment.
This is a more realistic deployment model for testing.
Note: This change uses weak security to save gate resources. Please
refer to the Octavia Certificate Configuration Guide for production
instructions.

Change-Id: I3ec135766c9a1ddb7ac6655c0ee1ccb1e78ead5c
changes/23/678923/6
Michael Johnson 3 years ago
parent 9ec9859bbf
commit 950faea6e9
  1. 103
      bin/create_certificates.sh
  2. 161
      bin/create_dual_intermediate_CA.sh
  3. 116
      bin/create_single_CA_intermediate_CA.sh
  4. 144
      bin/openssl.cnf
  5. 28
      devstack/plugin.sh
  6. 28
      devstack/pregenerated/certs/client.key
  7. 0
      devstack/pregenerated/certs/client_ca.cert.pem
  8. 30
      devstack/pregenerated/certs/private/cakey.pem
  9. 0
      devstack/pregenerated/certs/private/client.cert-and-key.pem
  10. 30
      devstack/pregenerated/certs/private/server_ca.key.pem
  11. 22
      devstack/pregenerated/certs/server_ca-chain.cert.pem
  12. 22
      devstack/pregenerated/certs/server_ca.cert.pem

@ -1,103 +0,0 @@
#!/bin/bash
# NOTE: This script should not be used for creating certificates in a
# deployment. It is only used for some testing jobs.
# Please follow the Octavia Certificate Configuration Guide when setting
# up a deployment. See:
# https://docs.openstack.org/octavia/latest/admin/guides/certificates.html
# USAGE: <certificate directory> <openssl.cnf (example in etc/certificate)
#Those are certificates for testing will be generated
#
#* ca_01.pem is a certificate authority file
#* server.pem combines a key and a cert from this certificate authority
#* client.key the client key
#* client.pem the client certificate
#
#You will need to copy them to places the agent_api server/client can find and
#specify it in the config.
#
#Example for client use:
#
#curl -k -v --key client.key --cacert ca_01.pem --cert client.pem https://0.0.0.0:9443/
#
#
#Notes:
#For production use the ca issuing the client certificate and the ca issuing the server cetrificate
#need to be different so a hacker can't just use the server certificate from a compromised amphora
#to control all the others.
#
#Sources:
#* https://communities.bmc.com/community/bmcdn/bmc_atrium_and_foundation_technologies/
#discovery/blog/2014/09/03/the-pulse-create-your-own-personal-ca-with-openssl
# This describes how to create a CA and sign requests
#* https://www.digitalocean.com/community/tutorials/
#openssl-essentials-working-with-ssl-certificates-private-keys-and-csrs -
#how to issue csr and much more
## Create CA
# Create directories
CERT_DIR=$1
OPEN_SSL_CONF=$2 # etc/certificates/openssl.cnf
VALIDITY_DAYS=${3:-18250} # defaults to 50 years
echo "!!!!!!!!!!!!!!!Do not use this script for deployments!!!!!!!!!!!!!"
echo "Please use the Octavia Certificate Configuration guide:"
echo "https://docs.openstack.org/octavia/latest/admin/guides/certificates.html"
echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
echo $CERT_DIR
mkdir -p $CERT_DIR
cd $CERT_DIR
if [[ $? -ne 0 ]]; then
echo "Failed to change to $CERT_DIR. Check the existence and permission"
exit 1
fi
mkdir newcerts private
if [[ $? -ne 0 ]]; then
echo "Failed to create directories. Check the permission"
exit 1
fi
chmod 700 private
# prepare files
touch index.txt
echo 01 > serial
echo "Create the CA's private and public keypair (2k long)"
openssl genrsa -passout pass:foobar -des3 -out private/cakey.pem 2048
echo "You will be asked to enter some information about the certificate."
openssl req -x509 -passin pass:foobar -new -nodes -key private/cakey.pem \
-config $OPEN_SSL_CONF \
-subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=www.example.com" \
-days $VALIDITY_DAYS \
-out ca_01.pem
echo "Here is the certificate"
openssl x509 -in ca_01.pem -text -noout
## Create Server/Client CSR
echo "Generate a server key and a CSR"
openssl req \
-newkey rsa:2048 -nodes -keyout client.key \
-subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=www.example.com" \
-out client.csr
echo "Sign request"
openssl ca -passin pass:foobar -config $OPEN_SSL_CONF -in client.csr \
-days $VALIDITY_DAYS -out client-.pem -batch
echo "Generate single pem client.pem"
cat client-.pem client.key > client.pem
echo "Note: For production use the ca issuing the client certificate and the ca issuing the server"
echo "certificate need to be different so a hacker can't just use the server certificate from a"
echo "compromised amphora to control all the others."
echo "To use the certificates copy them to the directory specified in the octavia.conf"

@ -0,0 +1,161 @@
#!/bin/bash
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
echo "!!!!!!!!!!!!!!!Do not use this script for deployments!!!!!!!!!!!!!"
echo "Please use the Octavia Certificate Configuration guide:"
echo "https://docs.openstack.org/octavia/latest/admin/guides/certificates.html"
echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
# This script produces weak security PKI to save resources in the test gates.
# It should be modified to use stronger encryption (aes256), better pass
# phrases, and longer keys (4096).
# Please see the Octavia Certificate Configuration guide:
# https://docs.openstack.org/octavia/latest/admin/guides/certificates.html
set -x -e
CA_PATH=dual_ca
mkdir $CA_PATH
chmod 700 $CA_PATH
cd $CA_PATH
mkdir -p etc/octavia/certs
chmod 700 etc/octavia/certs
###### Client Root CA
mkdir client_ca
cd client_ca
mkdir certs crl newcerts private
chmod 700 private
touch index.txt
echo 1000 > serial
# Create the client CA private key
# Note: This uses short key lengths to save entropy in the test gates.
# This is not recommended for deployment use!
openssl genrsa -aes128 -out private/ca.key.pem -passout pass:not-secure-passphrase 1024
chmod 400 private/ca.key.pem
# Create the client CA root certificate
openssl req -config ../../openssl.cnf -key private/ca.key.pem -new -x509 -sha256 -extensions v3_ca -days 7300 -out certs/ca.cert.pem -subj "/C=US/ST=Oregon/L=Corvallis/O=OpenStack/OU=Octavia/CN=ClientRootCA" -passin pass:not-secure-passphrase
###### Client Intermediate CA
mkdir intermediate_ca
mkdir intermediate_ca/certs intermediate_ca/crl intermediate_ca/newcerts intermediate_ca/private
chmod 700 intermediate_ca/private
touch intermediate_ca/index.txt
echo 1000 > intermediate_ca/serial
# Create the client intermediate CA private key
# Note: This uses short key lengths to save entropy in the test gates.
# This is not recommended for deployment use!
openssl genrsa -aes128 -out intermediate_ca/private/intermediate.ca.key.pem -passout pass:not-secure-passphrase 1024
chmod 400 intermediate_ca/private/intermediate.ca.key.pem
# Create the client intermediate CA certificate signing request
openssl req -config ../../openssl.cnf -key intermediate_ca/private/intermediate.ca.key.pem -new -sha256 -out intermediate_ca/client_intermediate.csr -subj "/C=US/ST=Oregon/L=Corvallis/O=OpenStack/OU=Octavia/CN=ClientIntermediateCA" -passin pass:not-secure-passphrase
# Create the client intermediate CA certificate
openssl ca -config ../../openssl.cnf -name CA_intermediate -extensions v3_intermediate_ca -days 3650 -notext -md sha256 -in intermediate_ca/client_intermediate.csr -out intermediate_ca/certs/intermediate.cert.pem -passin pass:not-secure-passphrase -batch
# Create the client CA certificate chain
cat intermediate_ca/certs/intermediate.cert.pem certs/ca.cert.pem > intermediate_ca/ca-chain.cert.pem
###### Create the client key and certificate
# Note: This uses short key lengths to save entropy in the test gates.
# This is not recommended for deployment use!
openssl genrsa -aes128 -out intermediate_ca/private/controller.key.pem -passout pass:not-secure-passphrase 1024
chmod 400 intermediate_ca/private/controller.key.pem
# Create the client controller certificate signing request
openssl req -config ../../openssl.cnf -key intermediate_ca/private/controller.key.pem -new -sha256 -out intermediate_ca/controller.csr -subj "/C=US/ST=Oregon/L=Corvallis/O=OpenStack/OU=Octavia/CN=OctaviaController" -passin pass:not-secure-passphrase
# Create the client controller certificate
openssl ca -config ../../openssl.cnf -name CA_intermediate -extensions usr_cert -days 1825 -notext -md sha256 -in intermediate_ca/controller.csr -out intermediate_ca/certs/controller.cert.pem -passin pass:not-secure-passphrase -batch
# Build the cancatenated client cert and key
openssl rsa -in intermediate_ca/private/controller.key.pem -out intermediate_ca/private/client.cert-and-key.pem -passin pass:not-secure-passphrase
cat intermediate_ca/certs/controller.cert.pem >> intermediate_ca/private/client.cert-and-key.pem
# We are done with the client CA
cd ..
###### Stash the octavia default client CA cert files
cp client_ca/intermediate_ca/ca-chain.cert.pem etc/octavia/certs/client_ca.cert.pem
chmod 444 etc/octavia/certs/client_ca.cert.pem
cp client_ca/intermediate_ca/private/client.cert-and-key.pem etc/octavia/certs/client.cert-and-key.pem
chmod 600 etc/octavia/certs/client.cert-and-key.pem
###### Server Root CA
mkdir server_ca
cd server_ca
mkdir certs crl newcerts private
chmod 700 private
touch index.txt
echo 1000 > serial
# Create the server CA private key
# Note: This uses short key lengths to save entropy in the test gates.
# This is not recommended for deployment use!
openssl genrsa -aes128 -out private/ca.key.pem -passout pass:not-secure-passphrase 1024
chmod 400 private/ca.key.pem
# Create the server CA root certificate
openssl req -config ../../openssl.cnf -key private/ca.key.pem -new -x509 -sha256 -extensions v3_ca -days 7300 -out certs/ca.cert.pem -subj "/C=US/ST=Oregon/L=Corvallis/O=OpenStack/OU=Octavia/CN=ServerRootCA" -passin pass:not-secure-passphrase
###### Server Intermediate CA
mkdir intermediate_ca
mkdir intermediate_ca/certs intermediate_ca/crl intermediate_ca/newcerts intermediate_ca/private
chmod 700 intermediate_ca/private
touch intermediate_ca/index.txt
echo 1000 > intermediate_ca/serial
# Create the server intermediate CA private key
# Note: This uses short key lengths to save entropy in the test gates.
# This is not recommended for deployment use!
openssl genrsa -aes128 -out intermediate_ca/private/intermediate.ca.key.pem -passout pass:not-secure-passphrase 1024
chmod 400 intermediate_ca/private/intermediate.ca.key.pem
# Create the server intermediate CA certificate signing request
openssl req -config ../../openssl.cnf -key intermediate_ca/private/intermediate.ca.key.pem -new -sha256 -out intermediate_ca/server_intermediate.csr -subj "/C=US/ST=Oregon/L=Corvallis/O=OpenStack/OU=Octavia/CN=ServerIntermediateCA" -passin pass:not-secure-passphrase
# Create the server intermediate CA certificate
openssl ca -config ../../openssl.cnf -name CA_intermediate -extensions v3_intermediate_ca -days 3650 -notext -md sha256 -in intermediate_ca/server_intermediate.csr -out intermediate_ca/certs/intermediate.cert.pem -passin pass:not-secure-passphrase -batch
# Create the server CA certificate chain
cat intermediate_ca/certs/intermediate.cert.pem certs/ca.cert.pem > intermediate_ca/ca-chain.cert.pem
# We are done with the server CA
cd ..
###### Stash the octavia default server CA cert files
cp server_ca/intermediate_ca/ca-chain.cert.pem etc/octavia/certs/server_ca-chain.cert.pem
chmod 444 etc/octavia/certs/server_ca-chain.cert.pem
cp server_ca/intermediate_ca/certs/intermediate.cert.pem etc/octavia/certs/server_ca.cert.pem
chmod 400 etc/octavia/certs/server_ca.cert.pem
cp server_ca/intermediate_ca/private/intermediate.ca.key.pem etc/octavia/certs/server_ca.key.pem
chmod 400 etc/octavia/certs/server_ca.key.pem
##### Validate the Octavia PKI files
set +x
echo "################# Verifying the Octavia files ###########################"
openssl verify -CAfile etc/octavia/certs/client_ca.cert.pem etc/octavia/certs/client.cert-and-key.pem
openssl verify -CAfile etc/octavia/certs/server_ca-chain.cert.pem etc/octavia/certs/server_ca.cert.pem
echo "!!!!!!!!!!!!!!!Do not use this script for deployments!!!!!!!!!!!!!"
echo "Please use the Octavia Certificate Configuration guide:"
echo "https://docs.openstack.org/octavia/latest/admin/guides/certificates.html"
echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
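Review bot: The controller client certificate produced by `openssl ca ... -in intermediate_ca/controller.csr` is issued by the client root CA rather than by the client intermediate CA: the `-name CA_intermediate` section of the new openssl.cnf sets `private_key = ./private/ca.key.pem` and `certificate = ./certs/ca.cert.pem`, which resolve to the root's key and certificate from the `client_ca` working directory, and the same section is reused for the intermediate CSR (where the root is the right signer) and for the leaf CSR (where it is not). The `openssl verify -CAfile etc/octavia/certs/client_ca.cert.pem ...` step does not catch this because the chain file contains the root as well, so the generated hierarchy exercises a root-issued leaf instead of the dual-intermediate chain the commit describes. Pass the intermediate's credentials explicitly for the leaf: `openssl ca -config ../../openssl.cnf -name CA_intermediate -keyfile intermediate_ca/private/intermediate.ca.key.pem -cert intermediate_ca/certs/intermediate.cert.pem -extensions usr_cert -days 1825 -notext -md sha256 -in intermediate_ca/controller.csr -out intermediate_ca/certs/controller.cert.pem -passin pass:not-secure-passphrase -batch`, and apply the same change to the matching `-in intermediate_ca/controller.csr` command in create_single_CA_intermediate_CA.sh. Separately, `mkdir $CA_PATH` without cleanup makes a second run abort under `set -e`, and a stale `index.txt` would then reject the repeated subjects, so a re-stack needs the `dual_ca` directory removed first.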

@ -0,0 +1,116 @@
#!/bin/bash
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
echo "!!!!!!!!!!!!!!!Do not use this script for deployments!!!!!!!!!!!!!"
echo "Single CA mode is insecure, do not use this! It is for testing only."
echo "Please use the Octavia Certificate Configuration guide:"
echo "https://docs.openstack.org/octavia/latest/admin/guides/certificates.html"
echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
# This script produces weak security PKI to save resources in the test gates.
# A single CA should never be used in a production deployment. This script
# exists purely to test legacy migrations / deployments where someone
# acidently used a single CA.
set -x -e
CA_PATH=single_ca
mkdir $CA_PATH
chmod 700 $CA_PATH
cd $CA_PATH
mkdir -p etc/octavia/certs
chmod 700 etc/octavia/certs
###### Client Root CA
mkdir client_ca
cd client_ca
mkdir certs crl newcerts private
chmod 700 private
touch index.txt
echo 1000 > serial
# Create the client CA private key
# Note: This uses short key lengths to save entropy in the test gates.
# This is not recommended for deployment use!
openssl genrsa -aes128 -out private/ca.key.pem -passout pass:not-secure-passphrase 1024
chmod 400 private/ca.key.pem
# Create the client CA root certificate
openssl req -config ../../openssl.cnf -key private/ca.key.pem -new -x509 -sha256 -extensions v3_ca -days 7300 -out certs/ca.cert.pem -subj "/C=US/ST=Oregon/L=Corvallis/O=OpenStack/OU=Octavia/CN=ClientRootCA" -passin pass:not-secure-passphrase
###### Client Intermediate CA
mkdir intermediate_ca
mkdir intermediate_ca/certs intermediate_ca/crl intermediate_ca/newcerts intermediate_ca/private
chmod 700 intermediate_ca/private
touch intermediate_ca/index.txt
echo 1000 > intermediate_ca/serial
# Create the client intermediate CA private key
# Note: This uses short key lengths to save entropy in the test gates.
# This is not recommended for deployment use!
openssl genrsa -aes128 -out intermediate_ca/private/intermediate.ca.key.pem -passout pass:not-secure-passphrase 1024
chmod 400 intermediate_ca/private/intermediate.ca.key.pem
# Create the client intermediate CA certificate signing request
openssl req -config ../../openssl.cnf -key intermediate_ca/private/intermediate.ca.key.pem -new -sha256 -out intermediate_ca/client_intermediate.csr -subj "/C=US/ST=Oregon/L=Corvallis/O=OpenStack/OU=Octavia/CN=ClientIntermediateCA" -passin pass:not-secure-passphrase
# Create the client intermediate CA certificate
openssl ca -config ../../openssl.cnf -name CA_intermediate -extensions v3_intermediate_ca -days 3650 -notext -md sha256 -in intermediate_ca/client_intermediate.csr -out intermediate_ca/certs/intermediate.cert.pem -passin pass:not-secure-passphrase -batch
# Create the client CA certificate chain
cat intermediate_ca/certs/intermediate.cert.pem certs/ca.cert.pem > intermediate_ca/ca-chain.cert.pem
###### Create the client key and certificate
# Note: This uses short key lengths to save entropy in the test gates.
# This is not recommended for deployment use!
openssl genrsa -aes128 -out intermediate_ca/private/controller.key.pem -passout pass:not-secure-passphrase 1024
chmod 400 intermediate_ca/private/controller.key.pem
# Create the client controller certificate signing request
openssl req -config ../../openssl.cnf -key intermediate_ca/private/controller.key.pem -new -sha256 -out intermediate_ca/controller.csr -subj "/C=US/ST=Oregon/L=Corvallis/O=OpenStack/OU=Octavia/CN=OctaviaController" -passin pass:not-secure-passphrase
# Create the controller client certificate
openssl ca -config ../../openssl.cnf -name CA_intermediate -extensions usr_cert -days 1825 -notext -md sha256 -in intermediate_ca/controller.csr -out intermediate_ca/certs/controller.cert.pem -passin pass:not-secure-passphrase -batch
# Build the cancatenated client cert and key
openssl rsa -in intermediate_ca/private/controller.key.pem -out intermediate_ca/private/client.cert-and-key.pem -passin pass:not-secure-passphrase
cat intermediate_ca/certs/controller.cert.pem >> intermediate_ca/private/client.cert-and-key.pem
# We are done with the client CA
cd ..
###### Stash the octavia default cert files
cp client_ca/intermediate_ca/ca-chain.cert.pem etc/octavia/certs/client_ca.cert.pem
chmod 444 etc/octavia/certs/client_ca.cert.pem
cp client_ca/intermediate_ca/private/client.cert-and-key.pem etc/octavia/certs/client.cert-and-key.pem
chmod 600 etc/octavia/certs/client.cert-and-key.pem
cp client_ca/intermediate_ca/ca-chain.cert.pem etc/octavia/certs/server_ca.cert.pem
chmod 444 etc/octavia/certs/server_ca.cert.pem
cp client_ca/intermediate_ca/private/intermediate.ca.key.pem etc/octavia/certs/server_ca.key.pem
chmod 600 etc/octavia/certs/server_ca.key.pem
##### Validate the Octavia PKI files
set +x
echo "################# Verifying the Octavia files ###########################"
openssl verify -CAfile etc/octavia/certs/client_ca.cert.pem etc/octavia/certs/client.cert-and-key.pem
openssl verify -CAfile etc/octavia/certs/server_ca.cert.pem etc/octavia/certs/server_ca.cert.pem
echo "!!!!!!!!!!!!!!!Do not use this script for deployments!!!!!!!!!!!!!"
echo "Single CA mode is insecure, do not use this! It is for testing only."
echo "Please use the Octavia Certificate Configuration guide:"
echo "https://docs.openstack.org/octavia/latest/admin/guides/certificates.html"
echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
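Review bot: The final check `openssl verify -CAfile etc/octavia/certs/server_ca.cert.pem etc/octavia/certs/server_ca.cert.pem` verifies the chain file against itself, so it passes for any well-formed chain and does not confirm that the stashed `server_ca.key.pem` belongs to the intermediate certificate Octavia will sign amphora certificates with. A check that binds the two is `[[ "$(openssl x509 -noout -modulus -in client_ca/intermediate_ca/certs/intermediate.cert.pem)" == "$(openssl rsa -noout -modulus -in etc/octavia/certs/server_ca.key.pem -passin pass:not-secure-passphrase)" ]]`; the verify of `server_ca.cert.pem` against `server_ca-chain.cert.pem` in create_dual_intermediate_CA.sh has the same weakness. The key permission also differs between the two scripts: `chmod 600 etc/octavia/certs/server_ca.key.pem` here versus `chmod 400` in the dual script; one value should be used in both. The comment typos `acidently` and `cancatenated` should read `accidentally` and `concatenated` (the latter appears in the dual script too).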

@ -0,0 +1,144 @@
# OpenSSL root CA configuration file.
[ ca ]
# `man ca`
default_ca = CA_default
[ CA_default ]
# Directory and file locations.
dir = ./
certs = $dir/certs
crl_dir = $dir/crl
new_certs_dir = $dir/newcerts
database = $dir/index.txt
serial = $dir/serial
RANDFILE = $dir/private/.rand
# The root key and root certificate.
private_key = $dir/private/ca.key.pem
certificate = $dir/certs/ca.cert.pem
# For certificate revocation lists.
crlnumber = $dir/crlnumber
crl = $dir/crl/ca.crl.pem
crl_extensions = crl_ext
default_crl_days = 30
# SHA-1 is deprecated, so use SHA-2 instead.
default_md = sha256
name_opt = ca_default
cert_opt = ca_default
# 10 years
default_days = 7300
preserve = no
policy = policy_strict
[ CA_intermediate ]
# Directory and file locations.
dir = ./intermediate_ca
certs = $dir/certs
crl_dir = $dir/crl
new_certs_dir = $dir/newcerts
database = $dir/index.txt
serial = $dir/serial
RANDFILE = $dir/private/.rand
# The root key and root certificate.
private_key = ./private/ca.key.pem
certificate = ./certs/ca.cert.pem
# For certificate revocation lists.
crlnumber = $dir/crlnumber
crl = $dir/crl/ca.crl.pem
crl_extensions = crl_ext
default_crl_days = 30
# SHA-1 is deprecated, so use SHA-2 instead.
default_md = sha256
name_opt = ca_default
cert_opt = ca_default
# 5 years
default_days = 3650
preserve = no
policy = policy_strict
[ policy_strict ]
# The root CA should only sign intermediate certificates that match.
# See the POLICY FORMAT section of `man ca`.
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
# Options for the `req` tool (`man req`).
default_bits = 2048
distinguished_name = req_distinguished_name
string_mask = utf8only
# SHA-1 is deprecated, so use SHA-2 instead.
default_md = sha256
# Extension to add when the -x509 option is used.
x509_extensions = v3_ca
[ req_distinguished_name ]
# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name
localityName = Locality Name
0.organizationName = Organization Name
organizationalUnitName = Organizational Unit Name
commonName = Common Name
emailAddress = Email Address
# Optionally, specify some defaults.
countryName_default = US
stateOrProvinceName_default = Oregon
localityName_default = Corvallis
0.organizationName_default = OpenStack
organizationalUnitName_default = Octavia
emailAddress_default =
commonName_default = example.org
[ v3_ca ]
# Extensions for a typical CA (`man x509v3_config`).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
[ v3_intermediate_ca ]
# Extensions for a typical intermediate CA (`man x509v3_config`).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
[ usr_cert ]
# Extensions for client certificates (`man x509v3_config`).
basicConstraints = CA:FALSE
nsCertType = client, email
nsComment = "OpenSSL Generated Client Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, emailProtection
[ server_cert ]
# Extensions for server certificates (`man x509v3_config`).
basicConstraints = CA:FALSE
nsCertType = server
nsComment = "OpenSSL Generated Server Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
[ crl_ext ]
# Extension for CRLs (`man x509v3_config`).
authorityKeyIdentifier=keyid:always
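Review bot: The `[ CA_intermediate ]` section is named as if it signs with the intermediate key, but its `private_key = ./private/ca.key.pem` and `certificate = ./certs/ca.cert.pem` select the root's key and certificate relative to the CA working directory, while only `dir`, `database` and `serial` point into `intermediate_ca`; add a comment above `private_key` such as `# Signs with the ROOT key and records the issued cert in the intermediate's database; pass -keyfile/-cert to openssl ca to sign with the intermediate itself` so the next reader does not assume otherwise. The duration comments are also off: `default_days = 7300` is about 20 years, not `# 10 years`, and `default_days = 3650` is about 10 years, not `# 5 years`. In `[ usr_cert ]`, `extendedKeyUsage = clientAuth, emailProtection` and `nsCertType = client, email` grant more than the controller's TLS client authentication appears to need; `extendedKeyUsage = clientAuth` with `nsCertType = client` is sufficient for how the new scripts use the profile.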

@ -335,14 +335,26 @@ function octavia_configure {
if [[ "$(trueorfalse False OCTAVIA_USE_PREGENERATED_CERTS)" == "True" ]]; then
cp -rfp ${OCTAVIA_PREGENERATED_CERTS_DIR} ${OCTAVIA_CERTS_DIR}
else
source $OCTAVIA_DIR/bin/create_certificates.sh $OCTAVIA_CERTS_DIR $OCTAVIA_DIR/etc/certificates/openssl.cnf
fi
iniset $OCTAVIA_CONF haproxy_amphora client_cert ${OCTAVIA_CERTS_DIR}/client.pem
iniset $OCTAVIA_CONF haproxy_amphora server_ca ${OCTAVIA_CERTS_DIR}/ca_01.pem
iniset $OCTAVIA_CONF certificates ca_certificate ${OCTAVIA_CERTS_DIR}/ca_01.pem
iniset $OCTAVIA_CONF certificates ca_private_key ${OCTAVIA_CERTS_DIR}/private/cakey.pem
iniset $OCTAVIA_CONF certificates ca_private_key_passphrase foobar
pushd $OCTAVIA_DIR/bin
source create_dual_intermediate_CA.sh
mkdir -p ${OCTAVIA_CERTS_DIR}/private
chmod 700 ${OCTAVIA_CERTS_DIR}/private
cp -p etc/octavia/certs/server_ca.cert.pem ${OCTAVIA_CERTS_DIR}/
cp -p etc/octavia/certs/server_ca-chain.cert.pem ${OCTAVIA_CERTS_DIR}/
cp -p etc/octavia/certs/server_ca.key.pem ${OCTAVIA_CERTS_DIR}/private/
cp -p etc/octavia/certs/client_ca.cert.pem ${OCTAVIA_CERTS_DIR}/
cp -p etc/octavia/certs/client.cert-and-key.pem ${OCTAVIA_CERTS_DIR}/private/
popd
fi
iniset $OCTAVIA_CONF certificates ca_certificate ${OCTAVIA_CERTS_DIR}/server_ca.cert.pem
iniset $OCTAVIA_CONF certificates ca_private_key ${OCTAVIA_CERTS_DIR}/private/server_ca.key.pem
iniset $OCTAVIA_CONF certificates ca_private_key_passphrase not-secure-passphrase
iniset $OCTAVIA_CONF controller_worker client_ca ${OCTAVIA_CERTS_DIR}/client_ca.cert.pem
iniset $OCTAVIA_CONF haproxy_amphora client_cert ${OCTAVIA_CERTS_DIR}/private/client.cert-and-key.pem
iniset $OCTAVIA_CONF haproxy_amphora server_ca ${OCTAVIA_CERTS_DIR}/server_ca-chain.cert.pem
# Controller side symmetric encryption, not used for PKI
iniset $OCTAVIA_CONF certificates server_certs_key_passphrase insecure-key-do-not-use-this-key
if [[ "$OCTAVIA_USE_LEGACY_RBAC" == "True" ]]; then
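Review bot: The five `cp -p etc/octavia/certs/...` lines after `source create_dual_intermediate_CA.sh` only resolve because the sourced script's `cd $CA_PATH` leaks into this shell, leaving it in `$OCTAVIA_DIR/bin/dual_ca`; its `set -e`, `set -x` and trailing `set +x` leak into octavia_configure the same way, and its bare `mkdir $CA_PATH` makes a re-stack fail. Running it as a child process and copying from an explicit path decouples the two: `bash create_dual_intermediate_CA.sh` followed by `cp -p dual_ca/etc/octavia/certs/server_ca.cert.pem ${OCTAVIA_CERTS_DIR}/` and likewise for the other four files. The passphrase `not-secure-passphrase` is now hard-coded both in the script and in the `iniset ... ca_private_key_passphrase` line, so a single variable shared by both would keep them from drifting apart. The pregenerated `server_ca-chain.cert.pem` and `server_ca.cert.pem` added in this commit appear byte-identical in the diff and each hold a single certificate, so the `OCTAVIA_USE_PREGENERATED_CERTS` branch does not seem to exercise the intermediate chain this change introduces. octavia_configure starts and ends outside this hunk.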

@ -1,28 +0,0 @@
-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDTVy+pO8vjce/b
QvCvyFiVOWWTSNfAcdtrEZU8kgH61jLtg1Omtz/x9LplQvC2U2lIlAiuLPWAUyTg
mDEhdOP178h3doCJAlKfnWnwseWDVW/s3arnkgnRoRfkzEJpE4JCPHHi1OgiX7F0
ySwxCnBcQvd30eF2g4/xogYgVePq+mVcg4l+MiCLRSpRCzTx9XcVe/zwbeQ0fVSO
ivMKpvF/1mUrs++CFzGX9HFfZ9eAEdVDgi8PTjlJRQyojhopek6/lMivQi+fu+lD
GPOmmujIrevfLJT+K6dgJ/y4GjwubvNgUecMU3DeiLZtbGohFwoX0+WU/BN5M49t
54m3Zn4pAgMBAAECggEAZu5MwUDlYaZJauHkdci/FBa7WQueQRVzB2et5q06F6Ah
d7qBkG4pz78g1VbQBA0F9xpaS/KLs29LQ7P8Ic5bhJm/aiemHJSsBx9UzKzoGpoP
BC9GILjo3Vd3WrD9G04sH/Ruh0qosK0osbeVNWFfLiBThOEMzXrwLYB7OV57viJI
4YAXGOzOgK3aMHF8cYRRgTDIi2dGAMH1EyIIB8gKYlp1PdMmaTOk2LBhechuImRX
4LgvM1fUdJ7utyQKEXMJEg+wzV9BMlX6nvM3vVWdYZy2Hsu9DDyJUFYQk9cDpXNP
RF4jjLUtz6gEZOlotOQgPWqLANJrt/BdVfyeA97psQKBgQD7SeNlQd2bu8GfH0vB
mjzSWmJ3nDnpeaUR9MIYVQ6zNlvYPjM2BMVQtE5+VWK15YOjD5L9SoresNKubrSv
wzNFeqf6Dvq7zJ+6Rkst7GcRV/P3D4C3ZeKeDNjVm4eMRCa5ttIJlLmfqffeLO9M
RSanNjnjwWENgsXCCvlVBfc9ZQKBgQDXTY8X9ug9xVlqBR4TMfzXBadzP+nDqYd9
MkH3tEltLba0vP4vKyjQa8A9FMzSRr9bv13mNpAbFEDGnhzv1l5OlHTM6tG//Rxq
nnhmFLFWZl8WowP0LiPTafrDjGEX/7iDAJjAtSacBBm6EGaM8igWEQT0WXwsQbTw
rlRolJ5DdQKBgQDgMBJ80x+IAiGC+iPXLOjYbqTsu2d7YfigJXJIzRHZV0Tnjs6X
gfgbwVFKKplvWL1xa8Ki0a9FcBH2Z3QyXv9OHFjiohyWEb/rKy2FYiSt938Dy0P1
2yMsCKAnKqPqwx6dj3qh65sT1Er8X7B6pjMO+TT6ehtBN4uBS9MYRMNIdQKBgQDU
6UztTOzDUSqn7mGcZ916IYxDK1wXcsmapB2aQD4wanl4aEEREiQtX7DednhKJU5N
A4RvCVweezvHbkp9Xscp/CM5FanQqxPz17yGbkYkg93au+BIE2y4P+CMioDlw6uK
WQe14i5JMMDkQB25mirMD46PuQJTnbK6JBsyxG1xlQKBgGtcSY0AyVq00p0kkxNm
KhzI+17T0j0CuczJ/X+NvCUjLsx3NTJatRkJNYHWG7jUqs1vvtZbHVspQeteMlEi
rNE/xz98iG2eC8AdW+TmZvySmIZgoAoPuopUvBzRiyfLQVh4pPuikbTDghEn+CSG
WSyOd/I4JsH4xQFJC89nnm5M
-----END PRIVATE KEY-----

@ -1,30 +0,0 @@
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,F5D5CAF138266C5C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-----END RSA PRIVATE KEY-----

@ -0,0 +1,30 @@
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,B6C2D5A9657E9635BE06551CAD6EF969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-----END RSA PRIVATE KEY-----

@ -0,0 +1,22 @@
-----BEGIN CERTIFICATE-----
MIIDjTCCAnWgAwIBAgIJAPJtDNgcwPTZMA0GCSqGSIb3DQEBCwUAMFwxCzAJBgNV
BAYTAlVTMQ8wDQYDVQQIDAZEZW5pYWwxFDASBgNVBAcMC1NwcmluZ2ZpZWxkMQww
CgYDVQQKDANEaXMxGDAWBgNVBAMMD3d3dy5leGFtcGxlLmNvbTAgFw0xNjEwMTQx
MzQzNDJaGA8yMDY2MTAwMjEzNDM0MlowXDELMAkGA1UEBhMCVVMxDzANBgNVBAgM
BkRlbmlhbDEUMBIGA1UEBwwLU3ByaW5nZmllbGQxDDAKBgNVBAoMA0RpczEYMBYG
A1UEAwwPd3d3LmV4YW1wbGUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
CgKCAQEAxptZMcFHFsCXWUxWNOkXXARCvAkZ7MeXDAyKzadWup9Trzn3qdz1h6+e
VbPBYTiJeuvX7RWpfN3lhFqy9Y+Fu0ip98zZE7ZjbvUx13BQBkXiJpqsYIoD6IK1
Lh4J9Exllzy7bTQ0f/IX1yrRztXkpRM5KvcbfUrGAMEy4SW6Idc6ZI+lwxvVIhqZ
KXAyTBg4f8hMhPO5RYFyaxS2PdNDaTLrvb1aDiuYLqcpDcr4/0YSg0iejklMHovC
oLK/uEFgRGYDSX+Os1CUdtnVzLpkFHZtomtEB0kUug4lZpGQckappLq+dWNTu43O
tJzbEa9lpYT8P/nie94tBQYx5+HgSwIDAQABo1AwTjAdBgNVHQ4EFgQUBpJ+Zoky
aGdQtMu9NzcoqOPc+yMwHwYDVR0jBBgwFoAUBpJ+ZokyaGdQtMu9NzcoqOPc+yMw
DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAJe8mlfQ69kyrIuIdbTtg
Kl7ndj7MGQnmNfxytBB5gqUFwswEPKs4VTp3Pp+EStJZxJ8qeeG9B+g3oU3Rhpqc
CDhIyCW8shE2ACKLl0zRRk91LDyXASI4UyvjgN71Ti91VZ3oPVvTIefG6CMeI9oD
Spl6TbPzCOl2rFrTWmdwM3qIVpmhGntdWnA6btga6Fz7dRwUPwycJyhzfLmnjRlQ
3+QxmF2T5iIYw4B1Lsiz1uy27egMuq2M4Hvd2pSGhCB9l/3ZmEXvbF1aFVcnoEHH
/aHqOCx2fQTty1M+qnvofs1dNJlyyxq2LuE4r4wocSTRVfexaichhtsSkjQJ60w1
VA==
-----END CERTIFICATE-----

@ -0,0 +1,22 @@
-----BEGIN CERTIFICATE-----
MIIDjTCCAnWgAwIBAgIJAPJtDNgcwPTZMA0GCSqGSIb3DQEBCwUAMFwxCzAJBgNV
BAYTAlVTMQ8wDQYDVQQIDAZEZW5pYWwxFDASBgNVBAcMC1NwcmluZ2ZpZWxkMQww
CgYDVQQKDANEaXMxGDAWBgNVBAMMD3d3dy5leGFtcGxlLmNvbTAgFw0xNjEwMTQx
MzQzNDJaGA8yMDY2MTAwMjEzNDM0MlowXDELMAkGA1UEBhMCVVMxDzANBgNVBAgM
BkRlbmlhbDEUMBIGA1UEBwwLU3ByaW5nZmllbGQxDDAKBgNVBAoMA0RpczEYMBYG
A1UEAwwPd3d3LmV4YW1wbGUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
CgKCAQEAxptZMcFHFsCXWUxWNOkXXARCvAkZ7MeXDAyKzadWup9Trzn3qdz1h6+e
VbPBYTiJeuvX7RWpfN3lhFqy9Y+Fu0ip98zZE7ZjbvUx13BQBkXiJpqsYIoD6IK1
Lh4J9Exllzy7bTQ0f/IX1yrRztXkpRM5KvcbfUrGAMEy4SW6Idc6ZI+lwxvVIhqZ
KXAyTBg4f8hMhPO5RYFyaxS2PdNDaTLrvb1aDiuYLqcpDcr4/0YSg0iejklMHovC
oLK/uEFgRGYDSX+Os1CUdtnVzLpkFHZtomtEB0kUug4lZpGQckappLq+dWNTu43O
tJzbEa9lpYT8P/nie94tBQYx5+HgSwIDAQABo1AwTjAdBgNVHQ4EFgQUBpJ+Zoky
aGdQtMu9NzcoqOPc+yMwHwYDVR0jBBgwFoAUBpJ+ZokyaGdQtMu9NzcoqOPc+yMw
DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAJe8mlfQ69kyrIuIdbTtg
Kl7ndj7MGQnmNfxytBB5gqUFwswEPKs4VTp3Pp+EStJZxJ8qeeG9B+g3oU3Rhpqc
CDhIyCW8shE2ACKLl0zRRk91LDyXASI4UyvjgN71Ti91VZ3oPVvTIefG6CMeI9oD
Spl6TbPzCOl2rFrTWmdwM3qIVpmhGntdWnA6btga6Fz7dRwUPwycJyhzfLmnjRlQ
3+QxmF2T5iIYw4B1Lsiz1uy27egMuq2M4Hvd2pSGhCB9l/3ZmEXvbF1aFVcnoEHH
/aHqOCx2fQTty1M+qnvofs1dNJlyyxq2LuE4r4wocSTRVfexaichhtsSkjQJ60w1
VA==
-----END CERTIFICATE-----