
@v1k0d3n
Last active February 15, 2024 18:34
Creating Certificates for Demo PoC

Overview

This is a simple script I use to generate a throwaway CA and a server certificate signed by it. It is fine for general use, but it also writes the X.509 v3 extensions (subjectAltName, keyUsage, extendedKeyUsage) that container registries like Quay require; modern clients ignore the CN and reject a certificate whose SAN does not list the registry hostname. This is my "easy button" for PoCs that can get by on temporary self-signed certificates.

Usage

  1. Download the script
    curl -L https://gist.githubusercontent.com/v1k0d3n/08b9a1d37a06e90ff39646e1b09417d8/raw/certgen.sh -o certgen.sh
    
  2. Make it executable
    chmod +x certgen.sh
    
  3. Edit the variables at the top of the file (everything above the STOP line)
  4. Run the script
    ./certgen.sh
    

NOTE: Be sure that the openssl and tree packages are installed on your system first. The script's installReqs function will dnf install them, but it is not called by default.

Example:

When you run the script, your output should look like the following:

[bjozsa@testing .local]$ ./certgen.sh
Certificate request self-signature ok
subject=C = US, ST = NC, L = Charlotte, O = RedHat, OU = IT, CN = vm-ocp-node59.ztp.dfw.ocp.run
Certificate Path: /home/bjozsa/.local/opt/demos/certs/vm-ocp-node59/etc/certs
/home/bjozsa/.local/opt/demos/certs/vm-ocp-node59
├── bin
│   ├── build-certs.sh
│   └── hosts-prep.sh
└── etc
    └── certs
        ├── ca.crt
        ├── ca.key
        ├── ca.srl
        ├── v3.ext
        ├── vm-ocp-node59.ztp.dfw.ocp.run.crt
        ├── vm-ocp-node59.ztp.dfw.ocp.run.csr
        └── vm-ocp-node59.ztp.dfw.ocp.run.key

3 directories, 9 files
[bjozsa@testing .local]$

You can change the extensions by editing the v3.ext file that the createCertificates function writes. It is regenerated on every run, so change the heredoc in the script rather than the file on disk. By default I include the following (for hosting OCP images on a Quay registry):

authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1=host01.example.com
DNS.2=host01
IP.1=192.168.1.80
IP.2=127.0.0.1

Obvious Disclaimer:

This is for demonstration purposes only! You should be using a real certificate management solution. Don't run this in production, and don't always trust what you find on the internet.

certgen.sh:

#!/bin/bash
set -a    # export the variables below (original behaviour)
set -eu   # abort on the first failed command or unset variable
# NOTICE: EDIT FOLLOWING VARIABLES BELOW
ENDPOINT_HOSTNAME="vm-ocp-node59"
ENDPOINT_BASE_DNS_NAME="ztp.dfw.ocp.run"
ENDPOINT_HOST_IP="192.168.3.59"
PATH_DEMO="$HOME/.local/opt/demos/certs/$ENDPOINT_HOSTNAME"
REGCERT_COUNTRY="US"
REGCERT_STATE="NC"
REGCERT_CITY="Charlotte"
REGCERT_ORG="RedHat"
REGCERT_OU="IT"
#######################################################
# STOP: DO NOT EDIT BELOW (UNLESS REQUIRED)
ENDPOINT_FQDN="$ENDPOINT_HOSTNAME.$ENDPOINT_BASE_DNS_NAME"
CERT_DIR="$PATH_DEMO/etc/certs"
REGCERT_SUBJ="/C=$REGCERT_COUNTRY/ST=$REGCERT_STATE/L=$REGCERT_CITY/O=$REGCERT_ORG/OU=$REGCERT_OU"
function createDirectories() {
  mkdir -p "$PATH_DEMO/bin" "$CERT_DIR"
}
# Not called below; run it by hand on Fedora/RHEL if openssl or tree is missing.
function installReqs() {
  sudo dnf install -y openssl tree
}
# Writes a helper that appends the demo host to /etc/hosts (run it with sudo).
function createHostsPrep() {
  sed 's/^ *//' > "$PATH_DEMO/bin/hosts-prep.sh" <<EOF_HOSTS
#!/bin/bash
cat <<- EOF >> /etc/hosts
## Automated Certificates: $ENDPOINT_FQDN
$ENDPOINT_HOST_IP $ENDPOINT_HOSTNAME $ENDPOINT_FQDN
EOF
EOF_HOSTS
  chmod +x "$PATH_DEMO/bin/hosts-prep.sh"
}
function createCertificates() {
  # v3.ext is rewritten on every run; edit this heredoc, not the file.
  cat > "$CERT_DIR/v3.ext" <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1=$ENDPOINT_FQDN
DNS.2=$ENDPOINT_HOSTNAME
IP.1=$ENDPOINT_HOST_IP
IP.2=127.0.0.1
EOF
  # build-certs.sh is generated with the variables already expanded, so it can be
  # re-run on its own. The CA gets its own CN plus CA:TRUE/keyCertSign (older
  # OpenSSL's "req -x509" adds no basicConstraints, and strict clients then refuse
  # to use it as an issuer); the leaf is signed by that CA with the v3.ext extensions.
  cat <<EOF > "$PATH_DEMO/bin/build-certs.sh"
#!/bin/bash
set -e
openssl genrsa -out "$CERT_DIR/ca.key" 4096
openssl req -x509 -new -nodes -sha512 -days 365 \\
  -subj "$REGCERT_SUBJ/CN=$ENDPOINT_FQDN CA" \\
  -addext "basicConstraints=critical,CA:TRUE" \\
  -addext "keyUsage=critical,keyCertSign,cRLSign" \\
  -key "$CERT_DIR/ca.key" \\
  -out "$CERT_DIR/ca.crt"
openssl genrsa -out "$CERT_DIR/$ENDPOINT_FQDN.key" 4096
openssl req -sha512 -new \\
  -subj "$REGCERT_SUBJ/CN=$ENDPOINT_FQDN" \\
  -key "$CERT_DIR/$ENDPOINT_FQDN.key" \\
  -out "$CERT_DIR/$ENDPOINT_FQDN.csr"
openssl x509 -req -sha512 -days 365 \\
  -extfile "$CERT_DIR/v3.ext" \\
  -CA "$CERT_DIR/ca.crt" -CAkey "$CERT_DIR/ca.key" -CAcreateserial \\
  -in "$CERT_DIR/$ENDPOINT_FQDN.csr" \\
  -out "$CERT_DIR/$ENDPOINT_FQDN.crt"
# Private keys are unencrypted (-nodes); at least keep them owner-readable only.
chmod 600 "$CERT_DIR"/*.key
EOF
  chmod +x "$PATH_DEMO/bin/build-certs.sh"
  "$PATH_DEMO/bin/build-certs.sh"
}
function resultsPrint() {
  printf 'Certificate Path: %s\n' "$CERT_DIR"
  tree "$PATH_DEMO"
}
# Run it:
createDirectories
createHostsPrep
createCertificates
resultsPrint