octavia/bin/create_certificates.sh
Michael Johnson d3c3f148f4 Clarify that the certificate guide should be used
The quick start guide was pointing users to the old create_certificate.sh
script. This patch clarifies that the "Octavia Certificate Configuration
Guide" should be used when configuring certificates for the Octavia
controllers.
It also adds a warning to the create_certificate.sh script.

Change-Id: I7a87430be5a1553ff760e31c26ca52090399d00a
2019-05-31 09:13:07 -07:00


#!/bin/bash
# NOTE: This script should not be used for creating certificates in a
# deployment. It is only used for some testing jobs.
# Please follow the Octavia Certificate Configuration Guide when setting
# up a deployment. See:
# https://docs.openstack.org/octavia/latest/admin/guides/certificates.html
#
# USAGE: create_certificates.sh <certificate directory> <openssl.cnf> [<validity days>]
#        (an example openssl.cnf is in etc/certificates; its CA section must
#        refer to the layout created below, relative to the certificate
#        directory: index.txt, serial, newcerts/ and private/cakey.pem)
#
# The following files are generated for testing:
#
# * ca_01.pem    the certificate authority certificate; its private key is
#                written to private/cakey.pem, DES3-encrypted with the
#                hard-coded passphrase "foobar"
# * client.key   the client private key (unencrypted)
# * client-.pem  the client certificate issued by ca_01.pem
# * client.pem   client-.pem and client.key concatenated into a single file
#
# No separate server certificate is produced by this script.
#
# You will need to copy them to places the agent_api server/client can find and
# specify them in the config.
#
# Example for client use:
#
# curl -k -v --key client.key --cacert ca_01.pem --cert client.pem https://0.0.0.0:9443/
#
# (-k disables verification of the server certificate entirely, including the
# check against --cacert; drop it once the server presents a certificate whose
# name matches the address you connect to.)
#
# Notes:
# For production use, the CA issuing the client certificates (which the
# controllers present to the amphora agent) and the CA issuing the server
# certificates (which each amphora presents) need to be different. The agent
# accepts any client certificate that chains to the CA it trusts, so with a
# single shared CA an attacker could take the server certificate and key from
# one compromised amphora, present them as a client certificate, and control
# all the others.
#
# Sources:
# * https://communities.bmc.com/community/bmcdn/bmc_atrium_and_foundation_technologies/discovery/blog/2014/09/03/the-pulse-create-your-own-personal-ca-with-openssl
#   This describes how to create a CA and sign requests
# * https://www.digitalocean.com/community/tutorials/openssl-essentials-working-with-ssl-certificates-private-keys-and-csrs
#   How to issue a CSR and much more
## Create CA
if [[ $# -lt 2 ]]; then
    echo "USAGE: $0 <certificate directory> <openssl.cnf> [<validity days>]"
    exit 1
fi
# Create directories
CERT_DIR=$1
# etc/certificates/openssl.cnf; made absolute because the script changes into
# $CERT_DIR before openssl reads it
case $2 in
    /*) OPEN_SSL_CONF=$2 ;;
    *)  OPEN_SSL_CONF=$PWD/$2 ;;
esac
VALIDITY_DAYS=${3:-18250} # defaults to 50 years
echo "!!!!!!!!!!!!!!!Do not use this script for deployments!!!!!!!!!!!!!"
echo "Please use the Octavia Certificate Configuration guide:"
echo "https://docs.openstack.org/octavia/latest/admin/guides/certificates.html"
echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
echo "$CERT_DIR"
mkdir -p "$CERT_DIR"
# openssl ca resolves the paths in openssl.cnf relative to the current
# directory, so the rest of the script runs inside $CERT_DIR
cd "$CERT_DIR"
if [[ $? -ne 0 ]]; then
    echo "Failed to change to $CERT_DIR. Check the existence and permission"
    exit 1
fi
mkdir newcerts private
if [[ $? -ne 0 ]]; then
    echo "Failed to create directories. Check the permission"
    exit 1
fi
chmod 700 private
# prepare the CA database and the serial number counter used by openssl ca
touch index.txt
echo 01 > serial
echo "Create the CA's private and public keypair (2048-bit RSA)"
# The CA key is DES3-encrypted with the hard-coded passphrase "foobar"; this is
# acceptable only because these certificates are meant for test jobs.
openssl genrsa -passout pass:foobar -des3 -out private/cakey.pem 2048
echo "Create the self-signed CA certificate"
# The subject is fixed with -subj, so openssl req does not prompt for it.
openssl req -x509 -passin pass:foobar -new -key private/cakey.pem \
    -config "$OPEN_SSL_CONF" \
    -subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=www.example.com" \
    -days "$VALIDITY_DAYS" \
    -out ca_01.pem
echo "Here is the certificate"
openssl x509 -in ca_01.pem -text -noout
## Create Client CSR
echo "Generate a client key and a CSR"
openssl req \
    -newkey rsa:2048 -nodes -keyout client.key \
    -subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=www.example.com" \
    -out client.csr
echo "Sign request"
# openssl ca uses the CA section of openssl.cnf (index.txt, serial, newcerts/
# and private/cakey.pem relative to the current directory); -batch suppresses
# the interactive confirmation prompts.
openssl ca -passin pass:foobar -config "$OPEN_SSL_CONF" -in client.csr \
    -days "$VALIDITY_DAYS" -out client-.pem -batch
echo "Generate single pem client.pem"
# certificate first, then the key, for clients that expect both in one file
cat client-.pem client.key > client.pem
echo "Note: For production use the CA issuing the client certificate and the CA issuing the server"
echo "certificate need to be different so an attacker can't just use the server certificate from a"
echo "compromised amphora to control all the others."
echo "To use the certificates copy them to the directory specified in octavia.conf"
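The note printed at the end of the script, that the client CA and the server CA must be different, is easy to state and easy to get wrong, so here is the two-CA layout worked through with plain openssl commands. This is an added example, not part of create_certificates.sh or of the Octavia project: the directory names, the minimal openssl config it writes and the certificate names are assumptions made for the demo, and it needs only the openssl command line tool. It first reproduces the single-CA layout of the script above and shows that a certificate issued as an amphora's server certificate passes `openssl verify -purpose sslclient` against that same CA, i.e. it would be accepted as a controller client credential; it then issues the same certificates from two separate CAs and shows that the amphora's certificate is rejected by the client CA while the controller's certificate is still accepted.

```shell
#!/bin/sh
# Added example, not part of Octavia: build the two-CA layout that the note in
# create_certificates.sh asks for and show with "openssl verify" why a single
# shared CA is dangerous. Names, directory layout and the minimal openssl
# config below are assumptions made for this demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal config (constructed for this example) so the CA certificates get
# CA:TRUE and keyCertSign regardless of the host's default openssl.cnf.
cat > "$WORK/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[ dn ]
O = Octavia test
CN = placeholder
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# make_ca <name>: self-signed CA in $WORK/<name>/ (unencrypted key; test use only).
make_ca() {
    mkdir -p "$WORK/$1"
    openssl req -x509 -new -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" \
        -subj "/O=Octavia test/CN=$1" -days 365 \
        -keyout "$WORK/$1/ca.key" -out "$WORK/$1/ca.pem" >/dev/null 2>&1
}

# issue_cert <ca> <name>: key + CSR + certificate signed by <ca>. Like the
# script above it adds no extendedKeyUsage, so nothing but the issuing CA
# distinguishes a "server" certificate from a "client" certificate.
issue_cert() {
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" \
        -subj "/O=Octavia test/CN=$2" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/$2.csr" -days 365 \
        -CA "$WORK/$1/ca.pem" -CAkey "$WORK/$1/ca.key" -CAcreateserial \
        -out "$WORK/$2.pem" >/dev/null 2>&1
}

# accepted_by <ca> <cert> <sslclient|sslserver>: prints "yes" if the
# certificate chains to <ca> and passes the purpose check a TLS peer applies,
# otherwise "no".
accepted_by() {
    if openssl verify -purpose "$3" -CAfile "$WORK/$1/ca.pem" \
            "$WORK/$2.pem" >/dev/null 2>&1; then
        echo yes
    else
        echo no
    fi
}

# Layout of the script above: one CA issues everything. A certificate lifted
# from a compromised amphora is a valid client credential for every other
# amphora agent that trusts the same CA.
single_ca_demo() {
    make_ca shared_ca
    issue_cert shared_ca amphora_server
    accepted_by shared_ca amphora_server sslclient
}

# Layout the note asks for: the amphora agent trusts only client_ca for peer
# certificates, so the stolen server certificate is rejected while the
# controller's client certificate is still accepted.
split_ca_demo() {
    make_ca server_ca
    make_ca client_ca
    issue_cert server_ca amphora_server
    issue_cert client_ca controller_client
    printf '%s %s\n' \
        "$(accepted_by client_ca amphora_server sslclient)" \
        "$(accepted_by client_ca controller_client sslclient)"
}

echo "shared CA, stolen amphora cert accepted as client: $(single_ca_demo)"
echo "split CAs, amphora cert / controller cert as client: $(split_ca_demo)"
```

`openssl verify -purpose` also enforces extendedKeyUsage and keyUsage when a certificate carries them; the certificates here carry neither, mirroring the script, which is exactly why the choice of issuing CA is the only thing standing between a compromised amphora and the rest of the fleet.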