tripleo-quickstart-extras/roles/overcloud-ssl/templates/overcloud-create-ssl-cert.sh.j2
Emilien Macchi 0256306ab8 Fix SSL certs creation for ipv6
In cases where TLS and IPv6 are enabled in the overcloud, quickstart
still passed an IPv4 value for PublicVirtualFixedIps. This fixes that.

Co-Author: Juan Antonio Osorio Robles <jaosorior@redhat.com>
Co-Author: Sagi Shnaidman <sshnaidm@redhat.com>
Change-Id: I09849c0915e7de7cf3b6de92457dfb5ff29f05ff
2017-12-01 19:19:12 +00:00


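#!/bin/bash
# Generate a throwaway CA and a CA-signed leaf certificate for the overcloud
# public VIP. This is a Jinja template rendered by Ansible: {{ working_dir }}
# and overcloud_public_vip are substituted before the script runs, so every
# file path below is qualified with {{ working_dir }} rather than relying on
# the shell's current directory.
set -eux
{% set _vip = overcloud_public_vip %}

# Minimal openssl config shared by the CSR (-reqexts) and the signing step
# (-extensions): a subjectAltName carrying the VIP as an IP entry, which is
# what clients match when they connect by address (IPv4 or IPv6 literal).
# Handed to openssl via process substitution, so no config file is written
# to disk. The layout of the string is kept exactly as openssl consumed it
# before; do not reflow it.
san_config() {
  printf "[subjectAltName]\nsubjectAltName=IP:{{_vip}}\n[req]req_extensions = v3_req\ndistinguished_name=req_distinguished_name\n[req_distinguished_name]"
}

### --start_docs
## Generating the overcloud SSL Certificates
## =========================================
## * Generate a private key
## ::
# Private keys are written inside a subshell with umask 077 so the files are
# created mode 0600 whatever the caller's umask (a plain shell redirection
# would create the key with the default umask, typically world-readable);
# the subshell keeps that umask from affecting the certificate files created
# later. genrsa's progress output on stderr is discarded, but a failure still
# aborts the script via -e.
(umask 077 && openssl genrsa -out {{ working_dir }}/overcloud-ca-privkey.pem 2048 2> /dev/null)
## * Generate a self-signed CA certificate
## ::
openssl req -new -x509 -key {{ working_dir }}/overcloud-ca-privkey.pem \
  -out {{ working_dir }}/overcloud-cacert.pem -days 365 \
  -subj "/C=US/ST=NC/L=Raleigh/O=Red Hat/OU=OOOQ/CN=overcloud"
## * Add the self-signed CA certificate to the undercloud's trusted certificate
## store.
## ::
sudo cp {{ working_dir }}/overcloud-cacert.pem /etc/pki/ca-trust/source/anchors/
sudo update-ca-trust extract
## * Generate the leaf certificate request and key that will be used for the
## public VIP
## ::
# -nodes leaves the leaf key unencrypted (no passphrase prompt when the
# service loads it), so the same umask guard applies to -keyout as to the CA
# key above.
(umask 077 && openssl req -newkey rsa:2048 -days 365 \
  -nodes -keyout {{ working_dir }}/server-key.pem \
  -out {{ working_dir }}/server-req.pem \
  -subj "/C=US/ST=NC/L=Raleigh/O=Red Hat/OU=OOOQ/CN={{_vip}}" \
  -reqexts subjectAltName \
  -config <(san_config))
## * Process the server RSA key
## ::
# Rewrites the leaf key in place; presumably converts the key format that
# `req -keyout` emits into traditional RSA PEM for whatever reads
# server-key.pem downstream — confirm against the consumer. The file already
# exists at this point, so the mode set by the step above is not changed.
openssl rsa -in {{ working_dir }}/server-key.pem \
  -out {{ working_dir }}/server-key.pem
## * Sign the leaf certificate with the CA certificate and generate
## the certificate
## ::
# The CSR is read from {{ working_dir }} (where the req step wrote it) rather
# than by bare relative name, which only worked when the script happened to
# run from that directory. A fixed serial is acceptable because the CA key is
# regenerated on every run and signs exactly one certificate.
openssl x509 -req -in {{ working_dir }}/server-req.pem -days 365 \
  -CA {{ working_dir }}/overcloud-cacert.pem \
  -CAkey {{ working_dir }}/overcloud-ca-privkey.pem \
  -set_serial 01 -out {{ working_dir }}/server-cert.pem \
  -extensions subjectAltName \
  -extfile <(san_config)
## --stop_docs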