@choestelus
Created January 17, 2020 11:24
helper script for PostgreSQL certificate generation

#!/usr/bin/env bash
# Generate a self-signed root CA plus a CA-signed server certificate and a
# CA-signed client certificate with openssl.
# Usage: gen_postgres_cert.sh PREFIX DOMAIN CA_PREFIX SERVER_PREFIX CLIENT_CN MODE
set -e
PREFIX=$1
DOMAIN=$2
CA_PREFIX=$3
SERVER_PREFIX=$4
CLIENT_CN=$5
MODE=$6
# output file name stems; fall back to ca/server/client when no prefix is given
CA_FILE=${PREFIX}_ca
SERVER_FILE=${PREFIX}_server
CLIENT_FILE=${PREFIX}_client
if [[ -z $PREFIX ]]
then
    CA_FILE=ca
    SERVER_FILE=server
    CLIENT_FILE=client
fi
if [[ -z $DOMAIN ]] || [[ -z $CA_PREFIX ]] || [[ -z $SERVER_PREFIX ]] || [[ -z $CLIENT_CN ]] || [[ -z $MODE ]]
then
    printf 'missing one or more parameters\n'
    # arguments are quoted so an empty one still lines up with its placeholder
    printf 'got: DOMAIN=[%s] CA_PREFIX=[%s] SERVER_PREFIX=[%s] CLIENT_CN=[%s]\n' "$DOMAIN" "$CA_PREFIX" "$SERVER_PREFIX" "$CLIENT_CN"
    printf 'mode: [%s]\n' "$MODE"
    exit 1
fi
printf 'certificates will be generated with following parameters:\n'
printf 'Filename -> CA: [%s], SERVER: [%s], CLIENT: [%s]\n' "$CA_FILE" "$SERVER_FILE" "$CLIENT_FILE"
printf 'CA     Canonical Name -> [%s.%s]\n' "$CA_PREFIX" "$DOMAIN"
printf 'SERVER Canonical Name -> [%s.%s]\n' "$SERVER_PREFIX" "$DOMAIN"
printf 'CLIENT Canonical Name -> [%s]\n' "$CLIENT_CN"
case $MODE in
    generate)
        echo 'generating certificates'
        ;;
    *)
        # any other value is a dry run: show the parameters above and stop
        printf 'mode %s\n' "$MODE"
        printf 'this is preview of generated result\n'
        printf 'to generate certificate, set this parameter to "generate"\n'
        exit 1
        ;;
esac
# root CA: self-signed, valid 10 years
printf 'generating %s.key %s.crt\n' "$CA_FILE" "$CA_FILE"
openssl genrsa -out "${CA_FILE}.key" 4096
openssl req -new -key "${CA_FILE}.key" -x509 -days 3650 -out "${CA_FILE}.crt" -subj "/CN=${CA_PREFIX}.${DOMAIN}"
# server certificate: CSR signed by the CA
# (-CAcreateserial creates <CA_FILE>.srl on first use and reuses it afterwards)
printf 'generating %s.key %s.csr %s.crt\n' "$SERVER_FILE" "$SERVER_FILE" "$SERVER_FILE"
openssl genrsa -out "${SERVER_FILE}.key" 4096
openssl req -new -key "${SERVER_FILE}.key" -out "${SERVER_FILE}.csr" -subj "/CN=${SERVER_PREFIX}.${DOMAIN}"
openssl x509 -req -in "${SERVER_FILE}.csr" -days 3650 -CA "${CA_FILE}.crt" -CAkey "${CA_FILE}.key" -CAcreateserial -out "${SERVER_FILE}.crt"
# client certificate: the CN is what PostgreSQL's cert authentication compares
# with the database user name
printf 'generating %s.key %s.csr %s.crt\n' "$CLIENT_FILE" "$CLIENT_FILE" "$CLIENT_FILE"
openssl genrsa -out "${CLIENT_FILE}.key" 4096
openssl req -new -key "${CLIENT_FILE}.key" -out "${CLIENT_FILE}.csr" -subj "/CN=${CLIENT_CN}"
openssl x509 -req -in "${CLIENT_FILE}.csr" -days 3650 -CA "${CA_FILE}.crt" -CAkey "${CA_FILE}.key" -CAcreateserial -out "${CLIENT_FILE}.crt"
printf 'certificates generation is done\n'
@choestelus (Author)

Certificate generation scripts

Simple set of scripts to generate an SSL/TLS certificate chain, which includes

  • root CA certificate
  • server certificate, signed with root CA
  • client certificate, signed with root CA

general certificate generation script

Use gen_cert.sh; see the example below.

./gen_cert.sh service 'domain.tld' 'ca.service' 'api.service' 'client.service' generate 2>&1 | tee gen_connector.log

certificates will be generated with following parameters:
Filename -> CA: [service_ca], SERVER: [service_server], CLIENT: [service_client]
CA     Canonical Name -> [ca.service.domain.tld]
SERVER Canonical Name -> [api.service.domain.tld]
CLIENT Canonical Name -> [client.service.domain.tld]
generating certificates
generating service_ca.key service_ca.crt
Generating RSA private key, 4096 bit long modulus (2 primes)
............................................................++++
....................++++
e is 65537 (0x010001)
generating service_server.key service_server.csr service_server.crt
Generating RSA private key, 4096 bit long modulus (2 primes)
.....................++++
.....................................................................................................................................++++
e is 65537 (0x010001)
Signature ok
subject=CN = api.service.domain.tld
Getting CA Private Key
generating service_client.key service_client.csr service_client.crt
Generating RSA private key, 4096 bit long modulus (2 primes)
.....................................................................................................................................++++
.........++++
e is 65537 (0x010001)
Signature ok
subject=CN = client.service.domain.tld
Getting CA Private Key
certificates generation is done

certificate generation for postgresql script

Use gen_postgres_cert.sh; see the example below.

./gen_postgres_cert.sh pg localdomain root db postgres generate 2>&1 | tee gen_pg.log

certificates will be generated with following parameters:
Filename -> CA: [pg_ca], SERVER: [pg_server], CLIENT: [pg_client]
CA     Canonical Name -> [root.localdomain]
SERVER Canonical Name -> [db.localdomain]
CLIENT Canonical Name -> [postgres]
generating certificates
generating pg_ca.key pg_ca.crt
Generating RSA private key, 4096 bit long modulus (2 primes)
......................................................................................................................................................................................................................................++++
.......................................................................................++++
e is 65537 (0x010001)
generating pg_server.key pg_server.csr pg_server.crt
Generating RSA private key, 4096 bit long modulus (2 primes)
.......................................++++
..........................++++
e is 65537 (0x010001)
Signature ok
subject=CN = db.localdomain
Getting CA Private Key
generating pg_client.key pg_client.csr pg_client.crt
Generating RSA private key, 4096 bit long modulus (2 primes)
...................................................................................................................++++
.........................................................................................................++++
e is 65537 (0x010001)
Signature ok
subject=CN = postgres
Getting CA Private Key
certificates generation is done

Positional parameter list

./gen_cert.sh [FILENAME_PREFIX] [CERT_DOMAIN_NAME] [CA_SUBDOMAIN] [SERVER_SUBDOMAIN] [CLIENT_SUBDOMAIN|CLIENT_CANONICAL_NAME] [*|generate]
  • FILENAME_PREFIX: prefix of the certificate files that will be generated. For example, using pg as the argument produces the following files.
    • pg_ca.crt
    • pg_ca.key
    • pg_ca.srl
    • pg_client.crt
    • pg_client.csr
    • pg_client.key
    • pg_server.crt
    • pg_server.csr
    • pg_server.key
  • CERT_DOMAIN_NAME: domain name used in the canonical names of the CA, server and client certificates; it is appended to the CA, server and client subdomains.
  • CA_SUBDOMAIN: subdomain of the root CA; CERT_DOMAIN_NAME is appended to it.
  • SERVER_SUBDOMAIN: subdomain of the server certificate; CERT_DOMAIN_NAME is appended to it.
  • CLIENT_SUBDOMAIN: (gen_cert.sh only) subdomain of the client certificate; CERT_DOMAIN_NAME is appended to it.
  • CLIENT_CANONICAL_NAME: (gen_postgres_cert.sh only) canonical name for the client certificate, normally the same as the DB user that will connect to the PostgreSQL database; e.g. with the certificate authentication method, user postgres is accepted only if the certificate CN is postgres.
  • [*|generate]: can be anything; unless it is generate, the script runs in dry-run mode.
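
An added example (not part of the gist) that builds a throwaway chain the same way the script does and then checks the result the way PostgreSQL and libpq will: the server and client certificates chain to the CA, the server certificate names the host (the sslmode=verify-full check), and the client certificate CN equals the DB user that the cert authentication method compares it with. It differs from the script in one respect, stated in the code: it puts the host name in a subjectAltName on the server certificate, because clients match the host name against the SAN when one is present. The helper function names, the directory layout and the names root.localdomain, db.localdomain and postgres are constructed for this example; it needs an openssl binary with verify -verify_hostname (1.0.2 or later).

```shell
#!/usr/bin/env bash
# Added example, not the gist's code. Builds a CA/server/client chain like
# gen_postgres_cert.sh (plus a SAN on the server cert) and verifies it the
# way PostgreSQL and libpq do. All names below are constructed.
set -eu

# Generate CA, server and client into directory $1 (hypothetical helper that
# mirrors the gist's openssl calls; 2048-bit keys keep the demo quick).
make_chain() {   # make_chain <dir> <ca-cn> <server-host> <client-cn>
    local dir=$1 ca_cn=$2 server_host=$3 client_cn=$4
    mkdir -p "$dir"
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -days 365 -key "$dir/ca.key" -out "$dir/ca.crt" -subj "/CN=$ca_cn"
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    openssl req -new -key "$dir/server.key" -out "$dir/server.csr" -subj "/CN=$server_host"
    # libpq (sslmode=verify-full) matches the host name against the SAN when
    # one is present, so put the host name there rather than in the CN only.
    printf 'subjectAltName=DNS:%s\n' "$server_host" > "$dir/server.ext"
    openssl x509 -req -in "$dir/server.csr" -days 365 -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -extfile "$dir/server.ext" -out "$dir/server.crt" 2>/dev/null
    openssl genrsa -out "$dir/client.key" 2048 2>/dev/null
    openssl req -new -key "$dir/client.key" -out "$dir/client.csr" -subj "/CN=$client_cn"
    openssl x509 -req -in "$dir/client.csr" -days 365 -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -out "$dir/client.crt" 2>/dev/null
}

# Does <cert> chain to <ca.crt>? This is what the server checks against
# ssl_ca_file and what libpq checks against sslrootcert.
chains_to() {   # chains_to <ca.crt> <cert.crt>
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Does the server certificate chain to the CA AND name <host>? Equivalent to
# libpq's sslmode=verify-full.
server_ok_for_host() {   # server_ok_for_host <ca.crt> <server.crt> <host>
    openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# CN of a certificate. PostgreSQL's cert auth method compares it with the
# database user name (unless a pg_ident.conf map says otherwise).
cert_cn() {   # cert_cn <cert.crt>
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

client_matches_user() {   # client_matches_user <client.crt> <db-user>
    [ "$(cert_cn "$1")" = "$2" ]
}

# Build a chain, run the positive checks, then two negative checks: a
# certificate from an unrelated CA and a wrong host name must both be rejected.
demo() {
    local work
    work=$(mktemp -d)
    make_chain "$work/good"  root.localdomain  db.localdomain postgres
    make_chain "$work/other" other.localdomain db.localdomain postgres   # unrelated CA, same names
    chains_to "$work/good/ca.crt" "$work/good/server.crt"
    chains_to "$work/good/ca.crt" "$work/good/client.crt"
    server_ok_for_host "$work/good/ca.crt" "$work/good/server.crt" db.localdomain
    client_matches_user "$work/good/client.crt" postgres
    if chains_to "$work/good/ca.crt" "$work/other/client.crt"; then
        echo 'BUG: certificate from an unrelated CA was accepted'; return 1
    fi
    if server_ok_for_host "$work/good/ca.crt" "$work/good/server.crt" db.other.tld; then
        echo 'BUG: host name mismatch was accepted'; return 1
    fi
    echo "chain in $work/good verified; matching PostgreSQL settings:"
    echo "  postgresql.conf: ssl = on, ssl_cert_file = 'server.crt', ssl_key_file = 'server.key', ssl_ca_file = 'ca.crt'"
    echo "  pg_hba.conf:     hostssl all postgres 0.0.0.0/0 cert"
    echo "  libpq:           psql 'host=db.localdomain user=postgres sslmode=verify-full sslrootcert=ca.crt sslcert=client.crt sslkey=client.key'"
    rm -rf "$work"
}

if command -v openssl >/dev/null 2>&1; then
    demo
else
    echo 'openssl not found' >&2
fi
```

The two negative checks are the ones worth keeping around: a client certificate with the right CN but signed by some other CA must fail chains_to, and a server certificate that chains correctly must still fail server_ok_for_host for a host name it does not carry. The printed pg_hba.conf line uses the cert method, which requires a client certificate and compares its CN with the user name (PostgreSQL 12 or newer for the option forms shown).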
