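# admin.conf - OpenSSL request/extension config for the Open Distro admin
# certificate. Consumed twice by the generation script:
#   openssl req -new -config admin.conf            (subject from [req])
#   openssl x509 -req -extfile admin.conf -extensions v3_req
# `openssl x509 -req` drops the CSR's own extensions, so the second use is
# what actually puts [v3_req] into the issued certificate.
[req]
prompt = no
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = v3_req

# Subject DN. In RFC 2253 order this is
# CN=admin,OU=IT,O=VMware Inc,L=Palo Alto,ST=CA,C=US and must match an
# entry of opendistro_security.authcz.admin_dn exactly.
[req_distinguished_name]
countryName = US
stateOrProvinceName = CA
localityName = Palo Alto
organizationName = VMware Inc
organizationalUnitName = IT
commonName = admin

[v3_req]
# Leaf certificate: must not be usable to sign further certificates.
basicConstraints = CA:FALSE
# digitalSignature covers TLS 1.3 / (EC)DHE signing, keyEncipherment the
# legacy RSA key exchange; both are the conventional profile for an RSA leaf.
keyUsage = digitalSignature, keyEncipherment
subjectAltName = @alt_names
extendedKeyUsage = serverAuth,clientAuth

[alt_names]
DNS.1 = localhost
DNS.2 = admin
IP.1 = 127.0.0.1
# 0.0.0.0 is a bind address rather than one a client connects to, so this
# entry never matches a peer; kept for compatibility with the original files.
IP.2 = 0.0.0.0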
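# ca.conf - OpenSSL config for the self-signed root CA used to sign the
# admin, node, kibana and keycloak certificates.
# Used by: openssl req -new -x509 -sha256 -config ca.conf -days 3650 ...
#
# [ca]/[hpbp_ca] are only read by `openssl ca`. The generation script signs
# with `openssl x509 -req` and passes -sha256/-days explicitly, so these
# values document the intended policy rather than drive it.
[ca]
default_ca = hpbp_ca

[hpbp_ca]
default_md = sha256
default_days = 3650
copy_extensions = copy

[req]
prompt = no
default_bits = 2048
distinguished_name = req_distinguished_name
# req_extensions is applied to CSRs only. `openssl req -x509` takes its
# extensions from x509_extensions, so without this line the self-signed
# CA certificate does not receive [req_ext] at all
# (check with: openssl x509 -in root-ca.pem -noout -text).
x509_extensions = req_ext
req_extensions = req_ext

[req_distinguished_name]
countryName = US
stateOrProvinceName = CA
localityName = Palo Alto
organizationName = VMware Inc
organizationalUnitName = IT
commonName = CA Root Certificate

[req_ext]
# A certificate that issues other certificates needs keyCertSign (and
# cRLSign for revocation lists); a keyUsage without keyCertSign is rejected
# as an issuer by OpenSSL and by RFC 5280 validators, which the original
# digitalSignature-only value would have triggered.
keyUsage = critical, keyCertSign, cRLSign, digitalSignature
basicConstraints = critical, CA:true
# Lets issued certificates reference this CA by key id.
subjectKeyIdentifier = hash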
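# elasticsearch.yml - Open Distro security plugin settings for a node that
# uses the certificates produced by the accompanying OpenSSL script.
cluster.name: "es-cluster"
# Binds every interface. Restrict to the cluster-facing address if the host
# has interfaces reachable from untrusted networks.
network.host: 0.0.0.0
opendistro_security.advanced_modules_enabled: true
opendistro_security.roles_mapping_resolution: BOTH
opendistro_security.audit.ignore_users: ['kibanaserver']
# TLS Configuration Transport Layer
# NOTE(review): the generation script writes node1.pem / node1.key; confirm
# the files are renamed to node.pem / node.key when copied onto the node,
# or point these paths at the node1.* files.
opendistro_security.ssl.transport.pemcert_filepath: node.pem
opendistro_security.ssl.transport.pemkey_filepath: node.key
opendistro_security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
# The script emits an unencrypted PKCS#8 key, so no password is set.
# opendistro_security.ssl.transport.pemkey_password: ${TRANSPORT_TLS_PEM_PASS}
# With verification off, any certificate chained to root-ca.pem is accepted
# as a transport peer regardless of its SAN; identity then rests solely on
# nodes_dn below. The node cert carries DNS SANs (node1, node1.mylab.io),
# so this can be enabled once nodes address each other by those names.
opendistro_security.ssl.transport.enforce_hostname_verification: false
opendistro_security.ssl.transport.resolve_hostname: false
# TLS Configuration REST Layer
opendistro_security.ssl.http.enabled: true
opendistro_security.ssl.http.pemcert_filepath: node.pem
opendistro_security.ssl.http.pemkey_filepath: node.key
opendistro_security.ssl.http.pemtrustedcas_filepath: root-ca.pem
# Demo Certificate Option Disabled
# Custom certificates are in use. The original value (true) contradicted
# this heading: it keeps the plugin willing to run with the bundled demo
# certificates, whose private keys are public.
opendistro_security.allow_unsafe_democertificates: false
# Allows the plugin to seed the security index from securityconfig/ on first
# start. Set to false once the cluster has been initialised.
opendistro_security.allow_default_init_securityindex: true
# Exact DN matches. The admin cert generated from admin.conf has the second
# DN; the bare 'CN=admin' entry only matches a cert whose subject is exactly
# that.
opendistro_security.authcz.admin_dn:
  - 'CN=admin'
  - 'CN=admin,OU=IT,O=VMware Inc,L=Palo Alto,ST=CA,C=US'
# Certificates with these subjects are trusted as cluster nodes on the
# transport layer; the node1 cert from node.conf has the second DN.
opendistro_security.nodes_dn:
  - 'CN=node1'
  - 'CN=node1,OU=IT,O=VMware Inc,L=Palo Alto,ST=CA,C=US'
opendistro_security.audit.type: internal_elasticsearch
opendistro_security.enable_snapshot_restore_privilege: true
opendistro_security.check_snapshot_restore_write_privileges: true
opendistro_security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
# Disk watermarks are off; shards keep allocating on a full disk.
cluster.routing.allocation.disk.threshold_enabled: false
# NONE: no audit category is suppressed on either layer.
opendistro_security.audit.config.disabled_rest_categories: NONE
opendistro_security.audit.config.disabled_transport_categories: NONE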
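#!/bin/bash
# Generates a self-signed root CA plus CA-signed certificates for the
# Open Distro admin, node1, kibana and keycloak identities.
# Expects ca.conf, admin.conf, node.conf, kibana.conf and keycloak.conf in
# the working directory; writes <name>.key (unencrypted PKCS#8) and
# <name>.pem next to them.
# Abort on the first failing openssl call instead of silently producing a
# partial set of files.
set -euo pipefail

# Private keys are created with the process umask; keep them owner-only.
umask 077

# Root CA: self-signed, 10 years, extensions from ca.conf.
openssl genrsa -out root-ca.key 2048
openssl req -new -x509 -sha256 -key root-ca.key -out root-ca.pem -config ca.conf -days 3650

# issue_cert NAME CONF
# Creates an RSA-2048 key for NAME, converts it to unencrypted PKCS#8,
# builds a CSR from CONF and signs it with the root CA, applying CONF's
# [v3_req] section. Temporary key/CSR files are removed afterwards.
issue_cert() {
    local name="$1" conf="$2"
    openssl genrsa -out "${name}-key-temp.pem" 2048
    # The original also passed "-v1 PBE-SHA1-3DES", which -nocrypt makes a
    # no-op; the output is the same unencrypted PKCS#8 key.
    openssl pkcs8 -inform PEM -outform PEM -in "${name}-key-temp.pem" -topk8 -nocrypt -out "${name}.key"
    openssl req -new -key "${name}.key" -out "${name}.csr" -config "${conf}"
    # -extfile/-extensions are required: `openssl x509 -req` does not copy
    # the CSR's extensions, so without them the cert has no subjectAltName.
    openssl x509 -req -in "${name}.csr" -CA root-ca.pem -CAkey root-ca.key -CAcreateserial \
        -sha256 -days 3650 -extfile "${conf}" -extensions v3_req -out "${name}.pem"
    rm -f "${name}-key-temp.pem" "${name}.csr"
}

# Admin cert (client cert for securityadmin / admin_dn)
issue_cert admin admin.conf
# Node cert (transport + REST layer of the Elasticsearch node)
issue_cert node1 node.conf
# Kibana cert
issue_cert kibana kibana.conf
# Keycloak cert. The original signing step omitted -extfile keycloak.conf,
# so keycloak.pem carried none of the SANs defined in that file.
issue_cert keycloak keycloak.conf

# Cleanup: serial file is only needed during this run.
rm -f root-ca.srl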
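# keycloak.conf - OpenSSL request/extension config for the Keycloak TLS
# certificate.
# [v3_req] reaches the issued certificate only if the signing step passes
# `-extfile keycloak.conf -extensions v3_req`; `openssl x509 -req` does not
# carry extensions over from the CSR on its own.
[req]
prompt = no
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = v3_req

[req_distinguished_name]
countryName = US
stateOrProvinceName = CA
localityName = Palo Alto
organizationName = VMware Inc
organizationalUnitName = IT
commonName = keycloak

[v3_req]
# Leaf certificate: must not be usable to sign further certificates.
basicConstraints = CA:FALSE
# Conventional RSA server profile: TLS 1.3 / (EC)DHE signing plus legacy
# RSA key exchange.
keyUsage = digitalSignature, keyEncipherment
subjectAltName = @alt_names
extendedKeyUsage = serverAuth,clientAuth

[alt_names]
DNS.1 = localhost
DNS.2 = keycloak
# Name clients use to reach Keycloak; browsers validate against SANs only.
DNS.3 = keycloak.mylab.io
IP.1 = 127.0.0.1
# 0.0.0.0 is a bind address rather than one a client connects to, so this
# entry never matches a peer; kept for compatibility with the original files.
IP.2 = 0.0.0.0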
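# kibana.conf - OpenSSL request/extension config for the Kibana TLS
# certificate.
# Used by: openssl req -new -config kibana.conf and
#          openssl x509 -req -extfile kibana.conf -extensions v3_req
[req]
prompt = no
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = v3_req

[req_distinguished_name]
countryName = US
stateOrProvinceName = CA
localityName = Palo Alto
organizationName = VMware Inc
organizationalUnitName = IT
commonName = kibana

[v3_req]
# Leaf certificate: must not be usable to sign further certificates.
basicConstraints = CA:FALSE
# Conventional RSA server profile: TLS 1.3 / (EC)DHE signing plus legacy
# RSA key exchange.
keyUsage = digitalSignature, keyEncipherment
subjectAltName = @alt_names
extendedKeyUsage = serverAuth,clientAuth

[alt_names]
DNS.1 = localhost
# Only a bare host name is listed; add the FQDN clients actually use if
# Kibana is reached by one (compare keycloak.conf / node.conf).
DNS.2 = kibana
IP.1 = 127.0.0.1
# 0.0.0.0 is a bind address rather than one a client connects to, so this
# entry never matches a peer; kept for compatibility with the original files.
IP.2 = 0.0.0.0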
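# node.conf - OpenSSL request/extension config for the Elasticsearch node
# certificate (transport and REST layer).
# Used by: openssl req -new -config node.conf and
#          openssl x509 -req -extfile node.conf -extensions v3_req
[req]
prompt = no
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = v3_req

# Subject DN. In RFC 2253 order this is
# CN=node1,OU=IT,O=VMware Inc,L=Palo Alto,ST=CA,C=US and must match an
# entry of opendistro_security.nodes_dn exactly.
[req_distinguished_name]
countryName = US
stateOrProvinceName = CA
localityName = Palo Alto
organizationName = VMware Inc
organizationalUnitName = IT
commonName = node1

[v3_req]
# Leaf certificate: must not be usable to sign further certificates.
basicConstraints = CA:FALSE
# Conventional RSA server profile: TLS 1.3 / (EC)DHE signing plus legacy
# RSA key exchange.
keyUsage = digitalSignature, keyEncipherment
subjectAltName = @alt_names
# Both usages: the node is a TLS server on the REST layer and both client
# and server on the transport layer.
extendedKeyUsage = serverAuth,clientAuth

[alt_names]
DNS.1 = localhost
# These are the names transport hostname verification would check against
# if enforce_hostname_verification were enabled.
DNS.2 = node1.mylab.io
DNS.3 = node1
IP.1 = 127.0.0.1
# 0.0.0.0 is a bind address rather than one a client connects to, so this
# entry never matches a peer; kept for compatibility with the original files.
IP.2 = 0.0.0.0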