Created
May 25, 2021 01:03
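#! /bin/bash
#
# Generate an etcd client key and a certificate signed by the etcd CA.
#
# Outputs: ./test/client.key and ./test/client.crt, relative to the directory
#          the script is started from; the certificate is printed at the end.
# Needs:   read access to the CA certificate and the CA private key below.

# Stop at the first failing step so a partial run never leaves a certificate
# that looks valid but was built from a missing key or CSR.
set -euo pipefail

# -p: a directory left over from an earlier run is not an error.
mkdir -p test
cd test || exit 1

# Path where etcd ca files are stored
readonly CA_CRT_FILE="/etc/etcd/pki/ca.crt"
readonly CA_KEY_FILE="/etc/etcd/pki/ca.key"

# Client name, should be same as username and rolename?
readonly K8S_CLUSTER_NAME="k8s-1"

# Private scratch directory for the intermediate files. Fixed names such as
# /tmp/csr.conf are predictable: on a shared host another local user can
# pre-create or symlink them, and this script runs with access to the CA key.
WORK_DIR=$(mktemp -d) || exit 1
readonly WORK_DIR
trap 'rm -rf -- "${WORK_DIR:?}"' EXIT

# Temporary csr.conf that will be used for generating openssl certs
readonly CSR_CONF_FILE="${WORK_DIR}/csr.conf"
readonly TMP_CSR_FILE="${WORK_DIR}/client.csr"

# Output files
readonly CLIENT_KEY_FILE="./client.key"
readonly CLIENT_CRT_FILE="./client.crt"

# Create the private key under a restrictive umask so a newly created key
# file is readable by the owner only. The subshell keeps the umask change
# local to this one command.
(
  umask 077
  openssl genrsa -out "$CLIENT_KEY_FILE" 2048
)

# NOTE(review): O = system:masters is the Kubernetes superuser group name.
# If this CA is also trusted by a kube-apiserver for client authentication,
# the certificate would carry cluster-admin rights there - confirm that the
# CA is used for etcd only, or drop the O field if nothing depends on it.
#
# The heredoc delimiter is unquoted on purpose so $K8S_CLUSTER_NAME expands.
# The stray "x" after the "[ req_ext ]" section header has been removed.
cat > "$CSR_CONF_FILE" <<EOF
[ req ]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn
[ dn ]
O = system:masters
CN = $K8S_CLUSTER_NAME
[ req_ext ]
[ v3_ext ]
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=clientAuth
authorityKeyIdentifier=keyid
EOF

# Certificate signing request for the new key.
openssl req -new -key "$CLIENT_KEY_FILE" -out "$TMP_CSR_FILE" \
  -config "$CSR_CONF_FILE"

# Sign the CSR with the etcd CA: valid for 730 days, extensions taken from
# the v3_ext section (client authentication only). -CAcreateserial creates
# the CA serial file when it does not exist yet (typically next to the CA
# certificate), so the CA directory must be writable on the first run.
openssl x509 -req -in "$TMP_CSR_FILE" -CA "$CA_CRT_FILE" \
  -CAkey "$CA_KEY_FILE" -CAcreateserial -out "$CLIENT_CRT_FILE" -days 730 \
  -extensions v3_ext -extfile "$CSR_CONF_FILE"

# Verify
openssl x509 -in "$CLIENT_CRT_FILE" -text -noout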