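#!/bin/sh
# Generate a throwaway root CA plus a node and an admin certificate for an
# Open Distro for Elasticsearch cluster, then embed them in a TOML config
# file. Intended for dev/test clusters only: the CA and all private keys end
# up on local disk, and the TOML file contains the unencrypted private keys.
#
# Environment (all optional):
#   CERT_DIR    where keys/certs are written   (default: /tmp/certificates)
#   CONFIG_FILE TOML file to (re)create         (default: /tmp/es_config.toml)
#   CERT_DAYS   certificate lifetime in days    (default: 30, which is what
#               openssl uses when -days is omitted)
#
# NOTE(review): the node certificate carries only a CN (no subjectAltName), so
# it will not pass hostname verification if that is enabled on the cluster;
# and the admin DN still has to be registered with the security plugin
# (not done here). The IP1/IP2/IP3 placeholders in the TOML must be replaced.
set -eu
set -x

CERT_DIR="${CERT_DIR:-/tmp/certificates}"
CONFIG_FILE="${CONFIG_FILE:-/tmp/es_config.toml}"
CERT_DAYS="${CERT_DAYS:-30}"
SUBJ_BASE='/C=US/ST=Washington/L=Seattle/O=Chef Software Inc'

# Nothing created below (keys, CSRs, the TOML holding the keys) may be
# group/world readable.
umask 077
# CERT_DIR defaults to a predictable path under /tmp; -m/chmod make sure the
# directory is private, and chmod fails (aborting under -e) if a different
# user pre-created it.
mkdir -p -m 0700 "$CERT_DIR"
chmod 0700 "$CERT_DIR"
# openssl reads RANDFILE from the environment, so it must be exported or it has
# no effect.
RANDFILE="$CERT_DIR/.rnd"
export RANDFILE

# Generate an RSA key for "$1", convert it to unencrypted PKCS#8 (the form the
# JDK loads), and have the root CA sign a certificate with CN="$2".
# The original passed -v1 PBE-SHA1-3DES to pkcs8, but -nocrypt means no
# encryption is applied, so that option was a no-op and is omitted.
issue_cert() {
  name=$1
  cn=$2
  openssl genrsa -out "$CERT_DIR/$name-pkcs12.key" 2048
  openssl pkcs8 -in "$CERT_DIR/$name-pkcs12.key" -topk8 -nocrypt \
    -out "$CERT_DIR/$name.key"
  openssl req -new -key "$CERT_DIR/$name.key" -out "$CERT_DIR/$name.csr" \
    -subj "$SUBJ_BASE/CN=$cn"
  openssl x509 -req -in "$CERT_DIR/$name.csr" \
    -CA "$CERT_DIR/MyRootCA.pem" -CAkey "$CERT_DIR/MyRootCA.key" \
    -CAcreateserial -sha256 -days "$CERT_DAYS" -out "$CERT_DIR/$name.pem"
}

# Append `$1 = """<contents of file $2>"""` to the config file. The PEM files
# written by openssl end with a newline, so the closing quotes land on their
# own line.
embed_pem() {
  printf '%s = """\n' "$1" >> "$CONFIG_FILE"
  cat -- "$2" >> "$CONFIG_FILE"
  printf '"""\n' >> "$CONFIG_FILE"
}

# Root CA key and self-signed certificate.
openssl genrsa -out "$CERT_DIR/MyRootCA.key" 2048
openssl req -x509 -new -key "$CERT_DIR/MyRootCA.key" -sha256 -days "$CERT_DAYS" \
  -out "$CERT_DIR/MyRootCA.pem" -subj "$SUBJ_BASE/CN=chefrootca"

# Node cert: intracluster TLS on 9300, also used by securityadmin.sh.
issue_cert odfe-node chefnode
# Admin cert: client cert for admin actions against the HTTPS API on 9200.
issue_cert odfe-admin chefadmin

# Recreate the config file from scratch so a pre-existing file (possibly a
# symlink, possibly with permissive mode bits) is never written through.
rm -f -- "$CONFIG_FILE"
cat > "$CONFIG_FILE" << 'BASE_CONFIG'
[es_yaml]
[es_yaml.http]
port = 9200
[es_yaml.discovery.zen]
minimum_master_nodes = 2
[es_yaml.discovery.zen.ping.unicast]
hosts = [ "IP1", "IP2", "IP3" ]
[es_yaml.transport]
host = "0.0.0.0"
tcp.port = 9300
BASE_CONFIG

cat >> "$CONFIG_FILE" << 'CERTIFICATE'
[opendistro_ssl]
# root pem cert that signed the two cert/key pairs below
CERTIFICATE
embed_pem rootCA "$CERT_DIR/MyRootCA.pem"
printf '# Certificate used for admin actions against https://9200\n' >> "$CONFIG_FILE"
embed_pem admin_cert "$CERT_DIR/odfe-admin.pem"
embed_pem admin_key "$CERT_DIR/odfe-admin.key"
printf '# Certificate used for intracluster ssl on port 9300, also used by securityadmin.sh\n' >> "$CONFIG_FILE"
embed_pem node_cert "$CERT_DIR/odfe-node.pem"
embed_pem node_key "$CERT_DIR/odfe-node.key"
chmod 0600 "$CONFIG_FILE"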