@esemeniuc
Last active June 26, 2023 13:07
Rotate certificate in redis without restarting

Generate expiring certs (save the script below as gen-test-certs.sh; the leaf certificates are issued with -days 1 so they expire quickly)

#!/bin/bash

# Generate some test certificates which are used by the regression test suite.
# The leaf certificates are signed by the CA with -days 1 so that they expire
# quickly, which is what the rotation steps below exercise:
#
#   tests/tls/ca.{crt,key}          Self signed CA certificate.
#   tests/tls/redis.{crt,key}       A certificate with no key usage/policy restrictions.
#   tests/tls/client.{crt,key}      A certificate restricted for SSL client usage.
#   tests/tls/server.{crt,key}      A certificate restricted for SSL server usage.
#   tests/tls/redis.dh              DH Params file.

generate_cert() {
    local name=$1
    local cn="$2"
    # Extension options for the server/client variants. They are not applied by
    # the single-step "req -x509" command below, so all three leaf certificates
    # end up with the same extensions (the subjectAltName added via -addext).
    local opts="$3"

    local keyfile=tests/tls/${name}.key
    local certfile=tests/tls/${name}.crt

    # Keep an existing key so that a re-run only renews the certificate.
    [ -f "$keyfile" ] || openssl genrsa -out "$keyfile" 2048
    # Issue the leaf certificate straight from the request (-CA/-CAkey on
    # "openssl req" needs OpenSSL 3.0 or newer); -days 1 makes it expire within a day.
    openssl req -x509 \
        -new -sha256 \
        -subj "/O=Redis Test/CN=$cn" \
        -addext "subjectAltName=DNS:example.com,DNS:*.example.com,IP:127.0.0.1,IP:192.168.1.2,IP:0.0.0.0" \
        -key "$keyfile" \
        -CA tests/tls/ca.crt \
        -CAkey tests/tls/ca.key \
        -days 1 \
        -out "$certfile"
}

mkdir -p tests/tls
# The CA key is also kept across runs, so renewed leaf certificates chain to the same CA.
[ -f tests/tls/ca.key ] || openssl genrsa -out tests/tls/ca.key 4096
openssl req \
    -x509 -new -nodes -sha256 \
    -key tests/tls/ca.key \
    -days 3650 \
    -subj '/O=Redis Test/CN=Certificate Authority' \
    -out tests/tls/ca.crt

cat > tests/tls/openssl.cnf <<_END_
[ server_cert ]
keyUsage = digitalSignature, keyEncipherment
nsCertType = server

[ client_cert ]
keyUsage = digitalSignature, keyEncipherment
nsCertType = client

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
IP.1 = 0.0.0.0
IP.2 = 192.168.1.2
IP.3 = 127.0.0.1
DNS.1 = localhost
_END_

generate_cert server "Server-only" "-extfile tests/tls/openssl.cnf -extensions server_cert"
generate_cert client "Client-only" "-extfile tests/tls/openssl.cnf -extensions client_cert"
generate_cert redis "Generic-cert"

[ -f tests/tls/redis.dh ] || openssl dhparam -out tests/tls/redis.dh 2048

Run with faked time (faketime makes the certificates be issued as of the given date, so a 1-day certificate can be made to expire whenever you need it to)

faketime 'Jun 22 16:54:12Z' bash ./gen-test-certs.sh

Start redis server (TLS on 6379, plaintext on 16379; clients are not required to present a certificate)

redis-server --tls-port 6379 --port 16379 \
    --tls-cert-file ./tests/tls/redis.crt \
    --tls-key-file ./tests/tls/redis.key \
    --tls-ca-cert-file ./tests/tls/ca.crt --loglevel debug --tls-auth-clients no

Check certs (redis-cli speaks plaintext by default, so use the non-TLS port 16379 from the command above, or pass --tls --cacert ./tests/tls/ca.crt to go through 6379)

redis-cli -p 16379 CONFIG GET tls-key-file
redis-cli -p 16379 CONFIG GET tls-cert-file

Rotate/refresh certificate (after the files on disk have been regenerated, point Redis at them again; Redis re-reads the key and certificate on CONFIG SET even when the paths are unchanged, so no restart is needed)

redis-cli -p 16379 CONFIG SET tls-key-file ./tests/tls/redis.key
redis-cli -p 16379 CONFIG SET tls-cert-file ./tests/tls/redis.crt
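The rotation above is easy to get wrong silently: a key/cert mismatch or an already-expired file is rejected, and a CONFIG SET that did not take leaves the old certificate being served. The following is an added example (not part of the gist) that preflights the pair, swaps it in and then compares the fingerprint Redis actually presents on the TLS port with the file on disk. It assumes openssl and redis-cli are on PATH and the ports from the redis-server command above (plaintext 16379, TLS 6379).

```shell
#!/bin/bash
# Added example, not part of the gist: preflight a cert/key pair, rotate it via
# CONFIG SET and confirm what Redis serves afterwards. Assumes openssl and redis-cli
# on PATH and the gist's ports (plaintext 16379, TLS 6379).
set -euo pipefail

# SHA-256 fingerprint of a PEM certificate file, as AB:CD:...
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Succeeds when the private key belongs to the certificate (same public key).
key_matches_cert() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Succeeds when the certificate is still valid $2 seconds from now.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# Fingerprint of the certificate a live TLS endpoint presents.
served_fingerprint() {
    openssl s_client -connect "$1:$2" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Refuse mismatched or nearly expired pairs, rotate, then verify the live endpoint
# presents the new certificate. Redis re-reads the files on CONFIG SET, so this
# works even when the paths are the same as before.
rotate_redis_cert() {
    local cert=$1 key=$2
    key_matches_cert "$cert" "$key" || { echo "refusing: $key does not match $cert" >&2; return 1; }
    cert_valid_for "$cert" 3600 || { echo "refusing: $cert expires within an hour" >&2; return 1; }
    # Redis 7 accepts several parameters in one CONFIG SET, so cert and key change together.
    redis-cli -p 16379 CONFIG SET tls-cert-file "$cert" tls-key-file "$key" >/dev/null
    local want got
    want=$(cert_fingerprint "$cert")
    got=$(served_fingerprint 127.0.0.1 6379)
    if [ "$want" != "$got" ]; then
        echo "rotation did not take: serving $got, expected $want" >&2
        return 1
    fi
    echo "rotated: now serving $want"
}

# Usage with the gist's paths:
#   rotate_redis_cert ./tests/tls/redis.crt ./tests/tls/redis.key
```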