particle-os/debian-forge-composer
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

makefile: clean up certificate targets

Browse source 
1) generating a private key and signing request was merged into one command
2) -sha256 was dropped, let openssl decide which digest should be used
3) signing request is deleted after the it's signed
This commit is contained in:
Ondřej Budai 2020-09-23 10:04:12 +02:00 committed by Tom Gundersen
parent c6b5dd8977
commit fbaaf31a34
1 changed files with 38 additions and 10 deletions
Download patch file Download diff file Expand all files Collapse all files

48
Makefile
View file

@ -137,28 +137,56 @@ install:
cp distribution/*.socket /etc/systemd/system/
systemctl daemon-reload
CERT_DIR=/etc/osbuild-composer
.PHONY: ca
ca:
ifneq (/etc/osbuild-composer/ca-key.pem/etc/osbuild-composer/ca-crt.pem,$(wildcard /etc/osbuild-composer/ca-key.pem)$(wildcard /etc/osbuild-composer/ca-crt.pem))
ifneq (${CERT_DIR}/ca-key.pem${CERT_DIR}/ca-crt.pem,$(wildcard ${CERT_DIR}/ca-key.pem)$(wildcard ${CERT_DIR}/ca-crt.pem))
@echo CA key or certificate file is missing, generating a new pair...
- mkdir -p /etc/osbuild-composer
openssl req -new -nodes -x509 -days 365 -keyout /etc/osbuild-composer/ca-key.pem -out /etc/osbuild-composer/ca-crt.pem -subj "/CN=osbuild.org"
- mkdir -p ${CERT_DIR}
openssl req -new -nodes -x509 -days 365 -keyout ${CERT_DIR}/ca-key.pem -out ${CERT_DIR}/ca-crt.pem -subj "/CN=osbuild.org"
else
@echo CA key and certificate files already exist, skipping...
endif
.PHONY: composer-key-pair
composer-key-pair: ca
openssl genrsa -out /etc/osbuild-composer/composer-key.pem 2048
openssl req -new -sha256 -key /etc/osbuild-composer/composer-key.pem -out /etc/osbuild-composer/composer-csr.pem -subj "/CN=localhost" # TODO: we need to generate certificates with another hostname
openssl x509 -req -in /etc/osbuild-composer/composer-csr.pem -CA /etc/osbuild-composer/ca-crt.pem -CAkey /etc/osbuild-composer/ca-key.pem -CAcreateserial -out /etc/osbuild-composer/composer-crt.pem
chown _osbuild-composer:_osbuild-composer /etc/osbuild-composer/composer-key.pem /etc/osbuild-composer/composer-csr.pem /etc/osbuild-composer/composer-crt.pem
# generate a private key and a certificate request
openssl req -new -nodes \
-subj "/CN=localhost" \
-keyout ${CERT_DIR}/composer-key.pem \
-out ${CERT_DIR}/composer-csr.pem
# sign the certificate
openssl x509 -req \
-in ${CERT_DIR}/composer-csr.pem \
-CA ${CERT_DIR}/ca-crt.pem \
-CAkey ${CERT_DIR}/ca-key.pem \
-CAcreateserial \
-out ${CERT_DIR}/composer-crt.pem
# delete the request and set _osbuild-composer as the owner
rm ${CERT_DIR}/composer-csr.pem
chown _osbuild-composer:_osbuild-composer ${CERT_DIR}/composer-key.pem ${CERT_DIR}/composer-crt.pem
.PHONY: worker-key-pair
worker-key-pair: ca
openssl genrsa -out /etc/osbuild-composer/worker-key.pem 2048
openssl req -new -sha256 -key /etc/osbuild-composer/worker-key.pem -out /etc/osbuild-composer/worker-csr.pem -subj "/CN=localhost"
openssl x509 -req -in /etc/osbuild-composer/worker-csr.pem -CA /etc/osbuild-composer/ca-crt.pem -CAkey /etc/osbuild-composer/ca-key.pem -CAcreateserial -out /etc/osbuild-composer/worker-crt.pem
# generate a private key and a certificate request
openssl req -new -nodes \
-subj "/CN=localhost" \
-keyout ${CERT_DIR}/worker-key.pem \
-out ${CERT_DIR}/worker-csr.pem
# sign the certificate
openssl x509 -req \
-in ${CERT_DIR}/worker-csr.pem \
-CA ${CERT_DIR}/ca-crt.pem \
-CAkey ${CERT_DIR}/ca-key.pem \
-CAcreateserial \
-out ${CERT_DIR}/worker-crt.pem
# delete the request
rm /etc/osbuild-composer/worker-csr.pem
#