Generating thin-edge certificates
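#!/bin/sh
# Generate a device-local CA plus the TLS certificates the thin-edge
# components use to talk to each other over HTTPS (c8y mapper / proxy,
# main agent, and a child-device client), install them under
# /etc/tedge/device-local-certs, and point `tedge config` at them.
#
# Requirements: `tedge` and `openssl` on PATH, write access to /etc/tedge
# (i.e. run as root), and sudo for installing the CA into the system trust
# store.
#
# Security notes — read before running on anything but a test box:
#   * The CA key is unencrypted (-nodes) so the script can run unattended.
#     Anyone who can read it can mint certificates trusted by this host and,
#     because the CA is also installed system-wide (update-ca-certificates
#     below), by every TLS client on this host.  The key is therefore kept
#     OUT of the `roots` directory that is handed to the services as their
#     trust store, and lives 0600 inside a 0700 directory.
#   * All certificates are valid for $DAYS (100) days; re-run or script a
#     renewal before they expire.
#   * The child-device client key is generated on this host and has to be
#     copied to the child; see the template at the end of the file.
set -eu

DEVICE=$(tedge config get device.id)
[ -n "$DEVICE" ] || {
  echo "device.id is not configured (tedge config get device.id returned nothing)" >&2
  exit 1
}
# The device id is spliced into X.509 subjects via -subj, where '/' is the
# field separator; refuse ids that would corrupt the subject.
case $DEVICE in
  */*) echo "device.id must not contain '/': $DEVICE" >&2; exit 1 ;;
esac

CERT_DIR=/etc/tedge/device-local-certs
ROOTS_DIR=$CERT_DIR/roots        # trust anchor(s) only: used as ca_path
CA_KEY_DIR=$CERT_DIR/ca-private  # CA private key + serial, root-only
DAYS=100

# Build everything in a private temporary directory: a failed run must not
# leave keys or CSRs behind in the caller's working directory.
WORK=$(mktemp -d)
trap 'rm -rf "${WORK:?}"' EXIT
cd "$WORK"

## Signing certificate (self-signed CA)
# -extensions v3_ca takes the CA profile (CA:TRUE, subjectKeyIdentifier, ...)
# from the default openssl.cnf.
openssl req \
  -new \
  -x509 \
  -days "$DAYS" \
  -extensions v3_ca \
  -nodes \
  -subj "/O=thin-edge/OU=$DEVICE/CN=tedge-ca" \
  -keyout tedge-local-ca.key \
  -out tedge-local-ca.crt

## Extension profiles for the leaf certificates
# Server-side components (mapper / main agent): both serverAuth and
# clientAuth, bound to this host's name and to localhost.  The keys are RSA,
# so keyUsage carries keyEncipherment (RSA key transport); keyAgreement only
# applies to DH/ECDH keys.  ECDHE suites need digitalSignature only.
cat > v3.ext << EOF
authorityKeyIdentifier=keyid
basicConstraints=CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName=DNS:$(hostname),DNS:localhost
EOF
# Child-device client: clientAuth only, no SAN needed.
cat > client-v3.ext << EOF
basicConstraints=CA:FALSE
extendedKeyUsage = clientAuth
EOF

# issue NAME SUBJECT EXTFILE
#   Generate a 2048-bit RSA key NAME.key, a CSR for SUBJECT, and sign it with
#   the local CA using the extension profile EXTFILE, producing NAME.crt.
#   (The SN= attribute in the subjects is OpenSSL's "surname"; it is used here
#   as a free-form component label.)
issue() {
  name=$1
  subject=$2
  extfile=$3
  openssl genrsa -out "$name.key" 2048
  openssl req -new -key "$name.key" -subj "$subject" -out "$name.csr"
  openssl x509 -req \
    -in "$name.csr" \
    -CA tedge-local-ca.crt \
    -CAkey tedge-local-ca.key \
    -CAcreateserial \
    -extfile "$extfile" \
    -days "$DAYS" \
    -out "$name.crt"
}

## c8y mapper certificate
issue c8y-mapper "/O=thin-edge/OU=$DEVICE/SN=c8y-mapper/CN=localhost" v3.ext
## main agent certificate
issue main-agent "/O=thin-edge/OU=$DEVICE/SN=main-agent/CN=localhost" v3.ext
## client certificate (child device)
issue tedge-client "/O=thin-edge/OU=$DEVICE/SN=child/CN=tedge-client" client-v3.ext

## Install
mkdir -p "$ROOTS_DIR" "$CA_KEY_DIR"
chmod 700 "$CA_KEY_DIR"
# Only the CA certificate goes into roots/: that directory is handed to the
# services as their trust store, and must never contain the signing key.
# -CAcreateserial wrote tedge-local-ca.srl next to the CA cert; keep it with
# the key so later signings continue the serial sequence.
mv tedge-local-ca.crt "$ROOTS_DIR"
mv tedge-local-ca.key tedge-local-ca.srl "$CA_KEY_DIR"
mv c8y-mapper.* main-agent.* tedge-client.* "$CERT_DIR"
# Do not rely on the openssl version's default file modes for private keys.
chmod 600 "$CA_KEY_DIR"/tedge-local-ca.key "$CERT_DIR"/*.key
chmod 644 "$ROOTS_DIR"/tedge-local-ca.crt "$CERT_DIR"/*.crt
# NOTE(review): if the tedge services run under a dedicated account, that
# account must be able to read the leaf keys (chown them) — verify against
# the deployment; the CA key should stay root-only regardless.

# Make the local CA a system-wide trust anchor.  Caveat: every TLS client on
# this host (curl, package managers, ...) will then accept anything signed
# with tedge-local-ca.key.  The tedge components are pointed at ca_path
# below, so skip these two lines if nothing else needs to trust the CA.
sudo cp "$ROOTS_DIR"/tedge-local-ca.crt /usr/local/share/ca-certificates
sudo update-ca-certificates

## Settings
### c8y mapper (serving c8y-proxy, file-transfer client)
tedge config set c8y.proxy.client.host localhost
tedge config set c8y.proxy.ca_path "$ROOTS_DIR"
tedge config set c8y.proxy.cert_path "$CERT_DIR"/c8y-mapper.crt
tedge config set c8y.proxy.key_path "$CERT_DIR"/c8y-mapper.key
tedge config set http.client.host localhost
### main agent (serving file-transfer, c8y-proxy client)
tedge config set c8y.proxy.client.host localhost
tedge config set http.client.auth.cert_file "$CERT_DIR"/main-agent.crt
tedge config set http.client.auth.key_file "$CERT_DIR"/main-agent.key
tedge config set http.cert_path "$CERT_DIR"/main-agent.crt
tedge config set http.key_path "$CERT_DIR"/main-agent.key
tedge config set http.ca_path "$ROOTS_DIR"

### child agent (file-transfer client, c8y-proxy client)
#### Template for the *child* host — must not run on the main device, so the
#### script stops here.  Copy tedge-client.crt / tedge-client.key and the CA
#### certificate to the child over a trusted channel (better: generate the key
#### on the child and only sign its CSR here), then run the lines below on
#### the child with MAIN_DEVICE_HOST set to a name the main agent's
#### certificate covers (its SAN holds the main device's `hostname` and
#### localhost, so use that hostname).
exit 0
: "${MAIN_DEVICE_HOST:?hostname of the main device, as in the main-agent SAN}"
tedge config set http.client.host "$MAIN_DEVICE_HOST"
tedge config set c8y.proxy.client.host "$MAIN_DEVICE_HOST"
tedge config set http.client.auth.cert_file /etc/tedge/device-local-certs/tedge-client.crt
tedge config set http.client.auth.key_file /etc/tedge/device-local-certs/tedge-client.key
## Client authentication check (file-transfer client, c8y-proxy client)
# Both endpoints require the client certificate; without --cert/--key the
# TLS handshake should be rejected.
curl --cert /etc/tedge/device-local-certs/tedge-client.crt --key /etc/tedge/device-local-certs/tedge-client.key https://localhost:8001/c8y/inventory/managedObjects
curl --cert /etc/tedge/device-local-certs/tedge-client.crt --key /etc/tedge/device-local-certs/tedge-client.key https://localhost:8000/tedge/file-transfer/foo.txt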