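#!/bin/bash
#
# NOTE: This script should not be used for creating certificates in a
# deployment. It is only used for some testing jobs.
# Please follow the Octavia Certificate Configuration Guide when setting
# up a deployment. See:
# https://docs.openstack.org/octavia/latest/admin/guides/certificates.html
#
# Generates a throwaway test PKI in the current directory:
#   private/cakey.pem  CA private key (3DES-encrypted, fixed test passphrase)
#   ca_01.pem          self-signed CA certificate
#   client.key         client private key, NOT encrypted (-nodes)
#   client.csr         certificate signing request for client.key
#   client-.pem        client certificate signed by the CA above
#   client.pem         client-.pem followed by client.key in one file
#
# NOTE(review): the usage text and any setup steps appear truncated in this
# copy. The commands below read OPEN_SSL_CONF and VALIDITY_DAYS and write
# under private/, none of which is set up in the visible text, so they are
# checked up front instead of failing inside openssl.
#
# Security caveats, all acceptable only because the output is test material:
#   * The CA key passphrase is a fixed literal passed as pass:..., so it is
#     readable in this file and in the process list while openssl runs.
#     Encrypting the CA key with a publicly known passphrase protects nothing.
#     Outside of tests, supply it through openssl's env: or file: pass phrase
#     sources instead.
#   * client.key and client.pem hold an unencrypted private key and are
#     created with whatever umask the caller has.
#   * One CA signs everything here; the closing messages explain why a
#     deployment needs separate client and server CAs.

# Stop at the first failing step so a broken CA or CSR never ends up in a
# half-written client.pem followed by the "copy them" instructions.
set -euo pipefail

: "${OPEN_SSL_CONF:?OPEN_SSL_CONF must point to the openssl config file}"
: "${VALIDITY_DAYS:?VALIDITY_DAYS must be set to the certificate lifetime in days}"
if [[ ! -d private ]]; then
  echo "private/ directory not found in $(pwd)" >&2
  exit 1
fi

echo "Create the CA's private and public keypair (2k long)"
openssl genrsa -passout pass:foobar -des3 -out private/cakey.pem 2048

# The subject is supplied with -subj, so despite the message below no
# interactive prompt is expected.
echo "You will be asked to enter some information about the certificate."
openssl req -x509 -passin pass:foobar -new -nodes -key private/cakey.pem \
  -config "$OPEN_SSL_CONF" \
  -subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=www.example.com" \
  -days "$VALIDITY_DAYS" \
  -out ca_01.pem

echo "Here is the certificate"
openssl x509 -in ca_01.pem -text -noout

## Create Server/Client CSR
# The message says "server key", but the files written are client.key and
# client.csr. -nodes leaves client.key unencrypted on disk.
echo "Generate a server key and a CSR"
openssl req \
  -newkey rsa:2048 -nodes -keyout client.key \
  -subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=www.example.com" \
  -out client.csr

# -batch signs without asking for confirmation.
echo "Sign request"
openssl ca -passin pass:foobar -config "$OPEN_SSL_CONF" -in client.csr \
  -days "$VALIDITY_DAYS" -out client-.pem -batch

# client.pem = certificate + unencrypted private key; treat it as a secret.
echo "Generate single pem client.pem"
cat client-.pem client.key > client.pem

echo "Note: For production use the ca issuing the client certificate and the ca issuing the server"
echo "certificate need to be different so a hacker can't just use the server certificate from a"
echo "compromised amphora to control all the others."
echo "To use the certificates copy them to the directory specified in the octavia.conf"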