Generating thin-edge certificates

thin-edge-gen-certs.sh

#!/bin/sh

set -e

DEVICE=$(tedge config get device.id)

## Signing certificate
openssl req \
    -new \
    -x509 \
    -days 100 \
    -extensions v3_ca \
    -nodes \
    -subj "/O=thin-edge/OU=$DEVICE/CN=tedge-ca" \
    -keyout tedge-local-ca.key \
    -out tedge-local-ca.crt

## c8y mapper certificate

openssl genrsa -out c8y-mapper.key 2048

openssl req -out c8y-mapper.csr -key c8y-mapper.key \
    -subj "/O=thin-edge/OU=$DEVICE/SN=c8y-mapper/CN=localhost" \
    -new

cat > v3.ext << EOF
authorityKeyIdentifier=keyid
basicConstraints=CA:FALSE
keyUsage = digitalSignature, keyAgreement
extendedKeyUsage = serverAuth, clientAuth
subjectAltName=DNS:$(hostname),DNS:localhost
EOF

openssl x509 -req \
    -in c8y-mapper.csr \
    -CA tedge-local-ca.crt \
    -CAkey tedge-local-ca.key \
    -extfile v3.ext \
    -CAcreateserial \
    -out c8y-mapper.crt \
    -days 100

## main agent certificate

openssl genrsa -out main-agent.key 2048

openssl req -out main-agent.csr \
    -key main-agent.key \
    -subj "/O=thin-edge/OU=$DEVICE/SN=main-agent/CN=localhost" \
    -new

openssl x509 -req \
    -in main-agent.csr \
    -CA tedge-local-ca.crt \
    -CAkey tedge-local-ca.key \
    -extfile v3.ext \
    -CAcreateserial \
    -out main-agent.crt \
    -days 100

## client certificate

openssl genrsa -out tedge-client.key 2048

openssl req -out tedge-client.csr \
    -key tedge-client.key \
    -subj "/O=thin-edge/OU=$DEVICE/SN=child/CN=tedge-client" \
    -new

cat > client-v3.ext << EOF
basicConstraints=CA:FALSE
extendedKeyUsage = clientAuth
EOF

openssl x509 -req \
    -in tedge-client.csr \
    -CA tedge-local-ca.crt \
    -CAkey tedge-local-ca.key \
    -extfile client-v3.ext \
    -CAcreateserial \
    -out tedge-client.crt \
    -days 100

## Settings

mkdir -p /etc/tedge/device-local-certs/roots

mv tedge-local-ca.* /etc/tedge/device-local-certs/roots
mv c8y-mapper.* /etc/tedge/device-local-certs
mv main-agent.* /etc/tedge/device-local-certs
mv tedge-client.* /etc/tedge/device-local-certs

sudo cp /etc/tedge/device-local-certs/roots/tedge-local-ca.crt /usr/local/share/ca-certificates
sudo update-ca-certificates

### c8y mapper (serving c8y-proxy, file-transfer client)
tedge config set c8y.proxy.client.host localhost
tedge config set c8y.proxy.ca_path /etc/tedge/device-local-certs/roots
tedge config set c8y.proxy.cert_path /etc/tedge/device-local-certs/c8y-mapper.crt
tedge config set c8y.proxy.key_path /etc/tedge/device-local-certs/c8y-mapper.key
tedge config set http.client.host localhost

### main agent (serving file-transfer, c8y-proxy client)
tedge config set c8y.proxy.client.host localhost
tedge config set http.client.auth.cert_file /etc/tedge/device-local-certs/main-agent.crt
tedge config set http.client.auth.key_file /etc/tedge/device-local-certs/main-agent.key
tedge config set http.cert_path /etc/tedge/device-local-certs/main-agent.crt
tedge config set http.key_path /etc/tedge/device-local-certs/main-agent.key
tedge config set http.ca_path /etc/tedge/device-local-certs/roots

### child agent (file-transfer client, c8y-proxy client)
#### This must not be done on the same host as the main agent
exit 0
tedge config set http.client.host $(main device hostname)
tedge config set c8y.proxy.client.host $(main device hostname)
tedge config set http.client.auth.cert_file /etc/tedge/device-local-certs/tedge-client.crt
tedge config set http.client.auth.key_file /etc/tedge/device-local-certs/tedge-client.key

## Client authentication (file-transfer client, c8y-proxy client)

curl --cert /etc/tedge/device-local-certs/tedge-client.crt --key /etc/tedge/device-local-certs/tedge-client.key https://localhost:8001/c8y/inventory/managedObjects
curl --cert /etc/tedge/device-local-certs/tedge-client.crt --key /etc/tedge/device-local-certs/tedge-client.key https://localhost:8000/tedge/file-transfer/foo.txt