tripleo-quickstart-extras/roles/overcloud-ssl/templates/overcloud-create-ssl-cert.s...

55 lines
1.5 KiB
Django/Jinja
Executable File

#!/bin/bash
set -eux
### --start_docs
## Generating the overcloud SSL Certificates
## =========================================
## * Generate a private key
## ::
openssl genrsa 2048 > {{ working_dir }}/overcloud-ca-privkey.pem 2> /dev/null
## * Generate a self-signed CA certificate
## ::
openssl req -new -x509 -key {{ working_dir }}/overcloud-ca-privkey.pem \
-out {{ working_dir }}/overcloud-cacert.pem -days 365 \
-subj "/C=US/ST=NC/L=Raleigh/O=Red Hat/OU=OOOQ/CN=overcloud"
## * Add the self-signed CA certificate to the undercloud's trusted certificate
## store.
## ::
sudo cp {{ working_dir }}/overcloud-cacert.pem /etc/pki/ca-trust/source/anchors/
sudo update-ca-trust extract
## * Generate the leaf certificate request and key that will be used for the
## public VIP
## ::
{% set _vip = overcloud_public_vip if not overcloud_ipv6|bool else overcloud_public_vip6 %}
openssl req -newkey rsa:2048 -days 365 \
-nodes -keyout {{ working_dir }}/server-key.pem \
-out {{ working_dir }}/server-req.pem \
-subj "/C=US/ST=NC/L=Raleigh/O=Red Hat/OU=OOOQ/CN={{_vip}}"
## * Process the server RSA key
## ::
openssl rsa -in {{ working_dir }}/server-key.pem \
-out {{ working_dir }}/server-key.pem
## * Sign the leaf certificate with the CA certificate and generate
## the certificate
## ::
openssl x509 -req -in server-req.pem -days 365 \
-CA {{ working_dir }}/overcloud-cacert.pem \
-CAkey {{ working_dir }}/overcloud-ca-privkey.pem \
-set_serial 01 -out {{ working_dir }}/server-cert.pem
## --stop_docs