particle-os/debian-koji-osbuild
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
debian-koji-osbuild/test/make-certs.sh
Christian Kellner 630d09f6c4 ci: generate koji certs with SAN in make-certs.sh 
Generate the certificate to be used for koji in make-certs.sh by
the same CA that also generates the composer and client certs.
Create a single certificate that uses the SubjectAltName (SAN)
extension to cover two domains: localhost, org.osbuild.koji.koji,
which previously was done via two separate certificates; this is
the legacy usage which stopped working with go 1.15 (see previous
commit). As a consequence the apache config is modified to use
only one virtual host with a ServerAlias directive.
2020-11-12 13:13:55 +01:00

80 lines
2.2 KiB
Bash
Executable file
Raw Blame History

#!/bin/bash
set -euo pipefail
# this script must be run as root
if [ $UID != 0 ]; then
echo This script must be run as root.
exit 1
fi
TEST_DATA=${TEST_DATA:-test/data}
CA_DIR="/etc/osbuild-composer"
echo "Generating certificates"
mkdir -p ${CA_DIR}
CONFIG="${TEST_DATA}/openssl.conf"
# The CA
echo "-=[ CA"
touch "${CA_DIR}/index.txt"
openssl req -new -nodes -x509 \
-config "${CONFIG}" \
-extensions osbuild_ca_ext \
-keyout "${CA_DIR}/ca-key.pem" \
-out "${CA_DIR}/ca-crt.pem" \
-subj "/CN=osbuild.org"
# composer
echo "-=[ composer"
openssl genrsa -out ${CA_DIR}/composer-key.pem 2048
openssl req -new -sha256 \
-config "${CONFIG}" \
-key ${CA_DIR}/composer-key.pem \
-out ${CA_DIR}/composer-csr.pem \
-subj "/CN=composer" \
-addext "subjectAltName=DNS.1:localhost,DNS.2:composer"
openssl ca -config "$CONFIG" -batch \
-extensions osbuild_server_ext \
-in "${CA_DIR}/composer-csr.pem" \
-out "${CA_DIR}/composer-crt.pem"
# koji
echo "-=[ koji"
openssl genrsa -out ${CA_DIR}/koji-key.pem 2048
openssl req -new -sha256 \
-config "${CONFIG}" \
-key ${CA_DIR}/koji-key.pem \
-out ${CA_DIR}/koji-csr.pem \
-subj "/CN=localhost" \
-addext "subjectAltName=DNS.1:localhost,DNS.2:org.osbuild.koji.koji"
openssl ca -config "$CONFIG" -batch \
-extensions osbuild_server_ext \
-in "${CA_DIR}/koji-csr.pem" \
-out "${CA_DIR}/koji-crt.pem"
# client
echo "-=[ client"
openssl genrsa -out ${CA_DIR}/client-key.pem 2048
openssl req -new -sha256 \
-config "${CONFIG}" \
-key ${CA_DIR}/client-key.pem \
-out ${CA_DIR}/client-csr.pem \
-subj "/CN=client.osbuild.local" \
-addext "subjectAltName=DNS:client.osbuild.local"
openssl ca -config "$CONFIG" -batch \
-extensions osbuild_client_ext \
-in "${CA_DIR}/client-csr.pem" \
-out "${CA_DIR}/client-crt.pem"
# fix permissions for composer
chown _osbuild-composer:_osbuild-composer ${CA_DIR}/composer-*
echo "-=[ Updating system trust chain"
cp ${CA_DIR}/ca-crt.pem \
/etc/pki/ca-trust/source/anchors/osbuild-ca-crt.pem
update-ca-trust
Reference in a new issue View git blame Copy permalink