
@petrosagg
Created October 22, 2021 12:00
Materialized verify-full certificate setup
#!/bin/bash
# Build a private CA, then one server and one client certificate signed by it.
export SSL_SECRET=mzmzmz
mkdir secrets tmp
# Create CA (the CA key is encrypted with $SSL_SECRET)
openssl req \
  -x509 \
  -days 36500 \
  -newkey rsa:4096 \
  -keyout secrets/ca.key \
  -out secrets/ca.crt \
  -sha256 \
  -batch \
  -subj "/CN=MZ RSA CA" \
  -passin pass:$SSL_SECRET \
  -passout pass:$SSL_SECRET
# Generate two certificates, one for the server and one for the client
for i in server.example.com materialize
do
  # Create key & CSR (-nodes leaves the key unencrypted, so the pass options are no-ops here)
  openssl req -nodes \
    -newkey rsa:2048 \
    -keyout secrets/$i.key \
    -out tmp/$i.csr \
    -sha256 \
    -batch \
    -subj "/CN=$i" \
    -passin pass:$SSL_SECRET \
    -passout pass:$SSL_SECRET
  # Sign the CSR with the CA (the CA key password is needed here)
  openssl x509 -req \
    -CA secrets/ca.crt \
    -CAkey secrets/ca.key \
    -in tmp/$i.csr \
    -out secrets/$i.crt \
    -sha256 \
    -days 36500 \
    -CAcreateserial \
    -passin pass:$SSL_SECRET
done
rm -rf tmp
#!/bin/bash
# sslmode=verify-full would be the stronger choice: besides checking that the server
# certificate chains to the CA, it checks that the host the client dialled matches the
# certificate's name. Here the client connects to localhost while the certificate's CN is
# server.example.com, so verify-ca is the strongest mode that succeeds; note that verify-ca
# accepts any certificate this CA has issued, without tying it to a particular host.
psql "port=6875 host=localhost user=materialize sslcert=secrets/materialize.crt sslkey=secrets/materialize.key sslrootcert=secrets/ca.crt sslmode=verify-ca"
#!/bin/bash
# Server side: verify-full requires every client to present a certificate signed by
# --tls-ca whose CN matches the connecting user (here CN=materialize for user=materialize).
materialized \
  --tls-mode verify-full \
  --tls-ca secrets/ca.crt \
  --tls-cert secrets/server.example.com.crt \
  --tls-key secrets/server.example.com.key
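The verify-ca versus verify-full distinction the psql script comments on, reproduced with plain openssl as an added example (not part of the gist): the gist's CA and server-certificate recipe is rerun in a temporary directory, then the certificate is checked with and without a hostname. It assumes openssl is on PATH; the temp directory and the helper function names are ours.

```bash
#!/bin/bash
# Added example, not part of the gist: rebuild a throwaway CA and server
# certificate with the gist's openssl recipe in a temp dir, then reproduce
# what verify-ca checks (chain to the CA only) versus verify-full (chain
# AND the hostname the client dialled). Names follow the gist; the temp
# directory and helper functions are ours.
set -euo pipefail

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Self-signed CA (key left unencrypted so the example is non-interactive).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -sha256 -batch \
  -subj "/CN=MZ RSA CA" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null

# Server CSR with a CN but no SAN, as in the gist, then signed by the CA.
openssl req -nodes -newkey rsa:2048 -sha256 -batch -subj "/CN=server.example.com" \
  -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
openssl x509 -req -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
  -in "$WORK/server.csr" -out "$WORK/server.crt" -days 1 -sha256 2>/dev/null

# verify-ca: the certificate must chain to the trusted CA; hostname ignored.
verify_ca() {            # $1 = CA bundle, $2 = certificate
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# verify-full: chain AND the dialled hostname must match a SAN dNSName, or
# the CN when (as here) the certificate carries no SAN at all.
verify_full() {          # $1 = CA bundle, $2 = certificate, $3 = hostname
  openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# The three cases the gist runs into.
ca_ok()      { verify_ca   "$WORK/ca.crt" "$WORK/server.crt"; }
full_real()  { verify_full "$WORK/ca.crt" "$WORK/server.crt" server.example.com; }
full_local() { verify_full "$WORK/ca.crt" "$WORK/server.crt" localhost; }

ca_ok        && echo "verify-ca:   chain OK (any cert this CA issued would pass)"
full_real    && echo "verify-full: server.example.com matches the CN"
full_local   || echo "verify-full: localhost rejected, hence sslmode=verify-ca in the gist"
```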