@suru-dissanaike
Created May 29, 2021 17:01
#!/bin/bash
# Creates a private CA, then a server and a client certificate signed by it,
# e.g. for mutual TLS on a Mosquitto MQTT broker. Keep ca.key offline once
# the leaf certificates are issued.
set -euo pipefail

IP="192.168.1.22"
# The CA must not share the CN of the server or client certificate: a leaf
# whose subject equals its issuer is treated as self-signed by OpenSSL-based
# verifiers and the TLS handshake fails. "himinds-CA" is an example name.
SUBJECT_CA="/C=SE/ST=Stockholm/L=Stockholm/O=himinds/OU=CA/CN=himinds-CA"
SUBJECT_SERVER="/C=SE/ST=Stockholm/L=Stockholm/O=himinds/OU=Server/CN=$IP"
SUBJECT_CLIENT="/C=SE/ST=Stockholm/L=Stockholm/O=himinds/OU=Client/CN=$IP"
function generate_CA () {
    echo "$SUBJECT_CA"
    # -x509 emits a self-signed certificate instead of a CSR
    openssl req -x509 -nodes -sha256 -newkey rsa:2048 -subj "$SUBJECT_CA" \
        -days 365 -keyout ca.key -out ca.crt
}
function generate_server () {
    echo "$SUBJECT_SERVER"
    openssl req -nodes -sha256 -new -newkey rsa:2048 -subj "$SUBJECT_SERVER" \
        -keyout server.key -out server.csr
    # Clients match the broker address against subjectAltName, not CN, so the
    # IP is added as a SAN at signing time ("openssl x509 -req" does not copy
    # extensions from the CSR unless asked to).
    openssl x509 -req -sha256 -in server.csr -CA ca.crt -CAkey ca.key \
        -CAcreateserial -days 365 \
        -extfile <(printf 'subjectAltName=IP:%s\n' "$IP") -out server.crt
}
function generate_client () {
    echo "$SUBJECT_CLIENT"
    openssl req -new -nodes -sha256 -newkey rsa:2048 -subj "$SUBJECT_CLIENT" \
        -out client.csr -keyout client.key
    openssl x509 -req -sha256 -in client.csr -CA ca.crt -CAkey ca.key \
        -CAcreateserial -out client.crt -days 365
}
generate_CA
generate_server
generate_client
@MonkiyPython

The CA CN should be different from the server and client CNs; otherwise a TLS error will be generated.

@suru-dissanaike
Author

suru-dissanaike commented Mar 23, 2022

@MonkiyPython
Thank you for your feedback; can you please add your reference for this feedback?
Please note that this is for self-signed certificates; we are using an IP as the CN.

@gilillo32

Do these keys follow a PKI infrastructure?

@suru-dissanaike
Author

@gilillo32
Sorry, I am unsure how to answer your question; please elaborate a bit more on your question.

@gilillo32

Sorry, it was a very quick question and I haven't had the time to express myself. The question is: I have been asked to raise an MQTT broker with certificate authentication following the PKI infrastructure, and I have found this gist to create keys for the MQTT broker. Do these keys follow that infrastructure?

@suru-dissanaike
Author

@gilillo32
Thanks for the clarification. The example creates self-signed certificates. I think you are looking for a solution with CA-signed certificates.
I have something similar here (maybe you can use some of it): https://medium.com/himinds/mqtt-broker-with-secure-websocket-using-traefik-docker-compose-and-lets-encrypt-2b8e32207555

Kind regards,
Suru

@Hoempi

Hoempi commented Apr 22, 2024

Hi,

I took your script and adapted it to a batch script for use in Windows PowerShell/Terminal. It worked very well, thank you for that!

I'm trying to use this for my Mosquitto installation and this works well, too. But I would like to have one or two FQDNs alongside the IP address, so that it will be easier to adapt to changing IPs. Do you have some pointers for me?

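The two points raised in the comments above (the CA CN has to differ from the leaf CN, and the broker should be reachable by one or more FQDNs as well as by IP) fit in one script. The following is an added example, not code from the gist, from Mosquitto or from any of the commenters. The hostnames mqtt.example.internal and broker.example.internal, the CA CN himinds-CA, the IP 192.168.1.22 and the WORKDIR scratch directory are assumed example values. It issues a server certificate whose subjectAltName lists the DNS names plus the IP, checks that the CA and leaf subjects differ, and then runs the chain, hostname and IP checks with openssl verify, which are the same checks a TLS client performs.

```shell
#!/bin/bash
# Added example (not from the gist): CA + server certificate with DNS and IP
# SANs, followed by the checks a TLS client would make. All names are made up.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"          # assumed: scratch dir for the files
IP="192.168.1.22"                            # assumed broker IP
DNS_NAMES="mqtt.example.internal broker.example.internal"   # assumed FQDNs
SUBJECT_CA="/C=SE/O=himinds/OU=CA/CN=himinds-CA"            # CN differs from leaf
SUBJECT_SERVER="/C=SE/O=himinds/OU=Server/CN=mqtt.example.internal"

# Build "DNS:a,DNS:b,IP:x" from the lists above.
san_value() {
    san=""
    for name in $DNS_NAMES; do san="${san}DNS:${name},"; done
    printf '%sIP:%s' "$san" "$IP"
}

generate_ca() {
    openssl req -x509 -nodes -sha256 -newkey rsa:2048 -subj "$SUBJECT_CA" \
        -days 365 -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.crt" 2>/dev/null
}

generate_server() {
    openssl req -new -nodes -sha256 -newkey rsa:2048 -subj "$SUBJECT_SERVER" \
        -keyout "$WORKDIR/server.key" -out "$WORKDIR/server.csr" 2>/dev/null
    # Extensions go in at signing time; "openssl x509 -req" ignores the CSR's
    # own extensions unless told to copy them.
    {
        printf 'basicConstraints=CA:FALSE\n'
        printf 'keyUsage=digitalSignature,keyEncipherment\n'
        printf 'extendedKeyUsage=serverAuth\n'
        printf 'subjectAltName=%s\n' "$(san_value)"
    } > "$WORKDIR/server.ext"
    openssl x509 -req -sha256 -in "$WORKDIR/server.csr" -CA "$WORKDIR/ca.crt" \
        -CAkey "$WORKDIR/ca.key" -CAcreateserial -days 365 \
        -extfile "$WORKDIR/server.ext" -out "$WORKDIR/server.crt" 2>/dev/null
}

# Guard against the CN collision discussed above: a leaf whose subject equals
# its issuer is flagged self-signed and the chain never reaches the CA.
check_distinct_subjects() {
    ca_subj=$(openssl x509 -in "$WORKDIR/ca.crt" -noout -subject)
    leaf_subj=$(openssl x509 -in "$WORKDIR/server.crt" -noout -subject)
    [ "$ca_subj" != "$leaf_subj" ]
}

# Chain check plus the hostname and IP checks a client does against the SAN.
# Prints "ok" only if every check passes.
verify_server() {
    openssl verify -CAfile "$WORKDIR/ca.crt" "$WORKDIR/server.crt" >/dev/null || return 1
    for name in $DNS_NAMES; do
        openssl verify -CAfile "$WORKDIR/ca.crt" -verify_hostname "$name" \
            "$WORKDIR/server.crt" >/dev/null || return 1
    done
    openssl verify -CAfile "$WORKDIR/ca.crt" -verify_ip "$IP" \
        "$WORKDIR/server.crt" >/dev/null || return 1
    echo ok
}

# The SAN as encoded in the certificate, for eyeballing.
show_san() {
    openssl x509 -in "$WORKDIR/server.crt" -noout -text | grep -A1 'Subject Alternative Name'
}

generate_ca
generate_server
check_distinct_subjects
verify_server
show_san
```

Point Mosquitto at ca.crt, server.crt and server.key from WORKDIR (cafile, certfile, keyfile in mosquitto.conf) and clients can connect by either hostname or IP as long as they trust ca.crt. When an IP changes, reissue only the server certificate with an updated SAN list; the CA and the client certificates stay valid.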