Create Octavia PKI keys and certificates
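# Create Octavia PKI keys and certificates
#
# Usage:   make certs PASSPHRASE=<secret>
#   or:    PASSPHRASE=<secret> make certs
# The second form keeps the secret out of the shell history and out of the
# argument list visible in `ps`; it works because the assignment below is `?=`,
# so an exported environment value is honoured instead of the placeholder.
#
# Needs an `openssl.conf` in the working directory that provides the `v3_ca`
# and `usr_cert` extension sections the rules below refer to.

# Passphrase protecting every private key (openssl reads it via `env:` so it
# never appears on an openssl command line). The placeholder value is refused
# for any goal that produces key or certificate material; `make help` and the
# clean targets still work without a real secret.
PASSPHRASE ?= foobar
export PASSPHRASE

# RSA key sizes: the two CAs and the client (leaf) key.
KEY_LENGTH_CA := 4096
KEY_LENGTH_CLIENT := 2048
# Validity in days (~20 years) applied to the CA certificates AND to the
# client certificate. NOTE(review): a leaf cert that lives as long as its CA
# cannot be rotated independently — consider a separate, shorter value for it
# if your deployment can re-issue the client cert.
DAYS_VALID := 7300

# Refuse to generate anything with the placeholder or an empty passphrase.
ifneq ($(filter certs archive %.pem,$(MAKECMDGOALS)),)
ifeq ($(strip $(PASSPHRASE)),foobar)
$(error PASSPHRASE is still the placeholder; run: make $(MAKECMDGOALS) PASSPHRASE=<secret>)
endif
ifeq ($(strip $(PASSPHRASE)),)
$(error PASSPHRASE must not be empty)
endif
endif

SHELL := /bin/sh
# -e: a failing command inside a multi-command recipe line aborts the recipe.
.SHELLFLAGS := -ec
# Never leave a half-written key or certificate behind that make would then
# consider up to date.
.DELETE_ON_ERROR:
.PHONY: help clean mrproper certs archive
.DEFAULT_GOAL := help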
# Self-documenting help: every `target: ## text` line in the makefile is
# printed as a cyan, left-aligned target name followed by its description.
help: ## This help.
	@grep -hE '^[a-zA-Z_-]+:.*?## ' $(MAKEFILE_LIST) \
	  | awk -F ':.*?## ' '{ printf "\033[36m%-30s\033[0m %s\n", $$1, $$2 }'
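# --- Certificate authorities -------------------------------------------------
# The two CAs are deliberately spelled out as explicit rules rather than a
# `%_ca` pattern rule: files built only through a pattern-rule chain are
# "intermediate" and make deletes them afterwards, which here would mean
# deleting a CA private key.
# Private keys are written under `umask 077` so they are created 0600 rather
# than with the caller's (typically 0644) default mode. They are AES-256
# encrypted under PASSPHRASE.
# NOTE(review): `genrsa -aes256` writes the legacy PKCS#1 PEM format, whose
# password derivation is weaker than PKCS#8/PBKDF2 (`openssl genpkey`);
# switch only after confirming the consumer accepts PKCS#8 keys.
# `openssl.conf` is an order-only prerequisite: it must exist, but editing it
# must not silently re-issue a CA certificate.

# Server CA private key. `archive` bundles this file into certs.tar, so it
# leaves this host — keep the 0600 mode when copying it.
server_ca.key.pem:
	umask 077 && openssl genrsa -aes256 -passout env:PASSPHRASE \
	  -out $@ $(KEY_LENGTH_CA)

# Self-signed server CA certificate (v3_ca extensions, SHA-256, DAYS_VALID).
server_ca.cert.pem: server_ca.key.pem | openssl.conf
	openssl req -config openssl.conf -new -x509 -days $(DAYS_VALID) \
	  -sha256 -extensions v3_ca -passin env:PASSPHRASE -key $< -out $@

# Client CA private key; only used below to sign client.cert.pem and removed
# again by `clean`.
client_ca.key.pem:
	umask 077 && openssl genrsa -aes256 -passout env:PASSPHRASE \
	  -out $@ $(KEY_LENGTH_CA)

# Self-signed client CA certificate (v3_ca extensions, SHA-256, DAYS_VALID).
client_ca.cert.pem: client_ca.key.pem | openssl.conf
	openssl req -config openssl.conf -new -x509 -days $(DAYS_VALID) \
	  -sha256 -extensions v3_ca -passin env:PASSPHRASE -key $< -out $@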
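# --- Client key and certificate (signed by the client CA) --------------------

# Client private key, encrypted under PASSPHRASE and created 0600.
client.key.pem:
	umask 077 && openssl genrsa -aes256 -passout env:PASSPHRASE \
	  -out $@ $(KEY_LENGTH_CLIENT)

# Certificate signing request for the client key; the subject and request
# settings come from openssl.conf.
client.csr.pem: client.key.pem | openssl.conf
	openssl req -config openssl.conf -new -sha256 -passin env:PASSPHRASE \
	  -key $< -out $@

# Client certificate issued by the client CA with the usr_cert extensions.
# client_ca.cert.pem is a real prerequisite (the original only ordered it
# indirectly through client.key.pem), so a regenerated client CA re-issues
# this certificate instead of leaving a cert that no longer chains.
# -set_serial 1000 is a fixed serial: fine while this CA issues exactly one
# certificate. Re-issuing without rotating the CA would produce two certs with
# the same serial under one issuer, which RFC 5280 forbids and some
# verifiers/CRL handling reject — bump the serial in that case.
client.cert.pem: client.csr.pem client_ca.cert.pem | openssl.conf
	openssl x509 -req -CA client_ca.cert.pem -CAkey client_ca.key.pem \
	  -sha256 -extfile openssl.conf -extensions usr_cert -set_serial 1000 \
	  -days $(DAYS_VALID) -passin env:PASSPHRASE -in $< -out $@

# Combined file handed to Octavia by `archive`: the client private key in
# *unencrypted* PEM form followed by its certificate.
# The original wrote the plaintext key with the default umask (world-readable
# on most systems) and appended the cert in a second command, so a failure
# between the two steps left a newer-than-prerequisites, half-written target.
# Write everything under umask 077 into a temp file and rename atomically.
client.cert-and-key.pem: client.key.pem client.cert.pem
	umask 077 && { openssl rsa -passin env:PASSPHRASE -in $< \
	  && cat client.cert.pem; } > $@.tmp && mv -f $@.tmp $@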
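# Build everything Octavia consumes. client_ca.cert.pem is reached
# transitively anyway; it is listed so the full set is visible here.
certs: server_ca.cert.pem client_ca.cert.pem client.cert-and-key.pem ## Create Octavia certificates

# The tarball contains the (encrypted) server CA private key and the
# UNENCRYPTED client key, so it is created 0600 (umask) and must only be moved
# over an authenticated, confidential channel. The real file is the target so
# make can tell whether the archive is current; `archive` stays a phony alias.
certs.tar: server_ca.key.pem server_ca.cert.pem \
           client_ca.cert.pem client.cert-and-key.pem
	umask 077 && tar --create --file $@ $^
archive: certs.tar ## Create an archive with all necessary certificates for Octavia

# Removes the working files, including the client CA private key — Octavia
# does not need it, but without it no further client certificate can be
# signed by this CA. Note that a later `make certs` re-creates the removed
# prerequisites, i.e. it regenerates the client CA and client certificate
# rather than being a no-op.
clean: ## Remove openssl files but leave files needed for Octavia PKI
	$(RM) client_ca.key.pem client.cert.pem \
	  client.csr.pem client.key.pem serial* index.txt*

# Removes every generated file. certs.tar is included because it carries the
# same private keys as the .pem files it was built from.
mrproper: ## Remove openssl files and Octavia PKI files
	$(RM) *.pem serial* index.txt* certs.tar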