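#! /bin/bash
# Generate an etcd client certificate in ./test: a fresh RSA key, a CSR built
# from a temporary openssl config, and a certificate signed by the CA below.
# Requires read access to the CA key and write access next to the CA cert
# (-CAcreateserial writes the serial file there).
set -euo pipefail
# The client key and CSR must not be readable by other users.
umask 077

mkdir -p test
cd test || exit 1

# Path where etcd ca files are stored
CA_CRT_FILE="/etc/etcd/pki/ca.crt"
CA_KEY_FILE="/etc/etcd/pki/ca.key"
# Client name, should be same as username and rolename?
K8S_CLUSTER_NAME="k8s-1"
# Scratch directory for the csr.conf and the CSR: mktemp avoids predictable
# names in /tmp (another user could pre-create or symlink them); it is
# removed on any exit.
SCRATCH_DIR=$(mktemp -d) || { printf 'mktemp failed\n' >&2; exit 1; }
trap 'rm -rf -- "$SCRATCH_DIR"' EXIT
# Temporary csr.conf that will be used for generating openssl certs
CSR_CONF_FILE="$SCRATCH_DIR/csr.conf"
# Output files
CLIENT_KEY_FILE="./client.key"
CLIENT_CRT_FILE="./client.crt"
TMP_CSR_FILE="$SCRATCH_DIR/client.csr"

# Fail early, before a key is generated, if the CA material is not usable.
[[ -r "$CA_CRT_FILE" && -r "$CA_KEY_FILE" ]] \
  || { printf 'CA files %s / %s not readable\n' "$CA_CRT_FILE" "$CA_KEY_FILE" >&2; exit 1; }

openssl genrsa -out "$CLIENT_KEY_FILE" 2048
# Unquoted EOF on purpose: $K8S_CLUSTER_NAME is expanded into the CN.
cat > "$CSR_CONF_FILE" <<EOF
[ req ]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn
[ dn ]
O = system:masters
CN = $K8S_CLUSTER_NAME
[ req_ext ]
[ v3_ext ]
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=clientAuth
authorityKeyIdentifier=keyid
EOF
# [ req_ext ] is intentionally empty: the CSR carries no extensions, the
# signing step below applies v3_ext from the same file.
# O=system:masters is the Kubernetes group bound to cluster-admin by default;
# treat the resulting cert as a highly privileged credential.
openssl req -new -key "$CLIENT_KEY_FILE" -out "$TMP_CSR_FILE" \
  -config "$CSR_CONF_FILE"
# Two-year validity; shorten if your policy allows, since a leaked client
# cert can only be invalidated by rotating the CA.
openssl x509 -req -in "$TMP_CSR_FILE" -CA "$CA_CRT_FILE" \
  -CAkey "$CA_KEY_FILE" -CAcreateserial -out "$CLIENT_CRT_FILE" -days 730 \
  -extensions v3_ext -extfile "$CSR_CONF_FILE"
# Verify
openssl x509 -in "$CLIENT_CRT_FILE" -text -noout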