From 00052793dd520da6e958fdd0a4a501588abece9b Mon Sep 17 00:00:00 2001
From: Tin Lam
Date: Tue, 22 Jun 2021 09:29:24 -0500
Subject: [PATCH] chore(openssl): updates cert generation

This patch removes the dependency on cfssl to generate certificates and removes unused constructs in the script.

Change-Id: Ia933420157f456bf99a6ec5416e6dbb63bfa5258
Signed-off-by: Tin Lam
---
 tools/gate/tls-ca-boostrapper/01-setup.sh | 54 ++---------------------
 1 file changed, 4 insertions(+), 50 deletions(-)

diff --git a/tools/gate/tls-ca-boostrapper/01-setup.sh b/tools/gate/tls-ca-boostrapper/01-setup.sh
index 68dff1bf1..008ca0f34 100644
--- a/tools/gate/tls-ca-boostrapper/01-setup.sh
+++ b/tools/gate/tls-ca-boostrapper/01-setup.sh
@@ -13,63 +13,16 @@
 # under the License.
 set -xe
-CFSSLURL=https://pkg.cfssl.org/R1.2
-for CFSSL_BIN in cfssl cfssljson; do
- if ! type -p "${CFSSL_BIN}"; then
- sudo curl -sSL -o "/usr/local/bin/${CFSSL_BIN}" "${CFSSLURL}/${CFSSL_BIN}_linux-amd64"
- sudo chmod +x "/usr/local/bin/${CFSSL_BIN}"
- ls "/usr/local/bin/${CFSSL_BIN}"
- fi
-done
-
 OSH_CONFIG_ROOT="/etc/openstack-helm"
 OSH_CA_ROOT="${OSH_CONFIG_ROOT}/certs/ca"
-OSH_SERVER_TLS_ROOT="${OSH_CONFIG_ROOT}/certs/server"
 sudo mkdir -p ${OSH_CONFIG_ROOT}
 sudo chown $(whoami): -R ${OSH_CONFIG_ROOT}
 mkdir -p "${OSH_CA_ROOT}"
-tee ${OSH_CA_ROOT}/ca-config.json << EOF
-{
- "signing": {
- "default": {
- "expiry": "1y"
- },
- "profiles": {
- "server": {
- "expiry": "1y",
- "usages": [
- "signing",
- "key encipherment",
- "server auth"
- ]
- }
- }
- }
-}
-EOF
-
-tee ${OSH_CA_ROOT}/ca-csr.json << EOF
-{
- "CN": "ACME Company",
- "key": {
- "algo": "rsa",
- "size": 2048
- },
- "names": [
- {
- "C": "US",
- "L": "SomeState",
- "ST": "SomeCity",
- "O": "SomeOrg",
- "OU": "SomeUnit"
- }
- ]
-}
-EOF
-
-cfssl gencert -initca ${OSH_CA_ROOT}/ca-csr.json | cfssljson -bare ${OSH_CA_ROOT}/ca -
+openssl req -x509 -nodes -sha256 -days 1 -newkey rsa:2048 \
+ -keyout ${OSH_CA_ROOT}/ca-key.pem -out ${OSH_CA_ROOT}/ca.pem \
+ -subj "/C=US/L=SomeState/ST=SomeCity/O=SomeOrg/OU=SomeUnit/CN=ACME Company"
 function check_cert_and_key () {
 TLS_CERT=$1
@@ -86,4 +39,5 @@ function check_cert_and_key () {
 echo "Pass: ${TLS_CERT} is valid with ${TLS_KEY}"
 fi
 }
+
 check_cert_and_key ${OSH_CA_ROOT}/ca.pem ${OSH_CA_ROOT}/ca-key.pem
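Review bot: The added `openssl req` call writes the CA private key unencrypted (`-nodes`) to `${OSH_CA_ROOT}/ca-key.pem`, and nothing in the hunk sets the mode of that file or of the directory tree that was just chowned to the invoking user. The key's readability is therefore left to the caller's umask and the OpenSSL build; add `chmod 600 "${OSH_CA_ROOT}/ca-key.pem"` right after the call, or `umask 077` before it. `-days 1` makes this CA expire after 24 hours, whereas the removed `ca-config.json` used a `1y` expiry. If a one-day CA is intended for gate runs, say so in a comment such as `# throwaway gate CA: one-day validity is intentional`; otherwise anything bootstrapped from it stops validating the next day. The `${OSH_CA_ROOT}` expansions on the `-keyout`/`-out` line are also unquoted, unlike the `mkdir -p "${OSH_CA_ROOT}"` above, and the body of `check_cert_and_key` lies outside the hunk, so whether it checks validity dates cannot be told from here.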