#!/bin/bash
#
# SPDX-FileCopyrightText: Copyright (c) 2026 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
# SPDX-License-Identifier: Apache-2.0
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
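set -euo pipefail

# Generates a local test PKI in the current directory:
#   ca.key / ca.crt               self-signed EC P-256 CA (v3_ca, 10 years)
#   localhost.key / localhost.crt server cert for localhost + docker host aliases (1 year)
#   client.key / client.crt       client cert "/CN=Test Client" (1 year)
# Existing keys are reused. A certificate is re-issued only when it is missing
# or older than its key (leaf certs: also when older than ca.crt).

readonly CNF_FILE=openssl.cnf

# Remove the intermediates on every exit path, including a failed openssl
# step, so a partial run never leaves CSRs or the serial file behind.
cleanup() { rm -f -- *.csr *.srl "$CNF_FILE"; }
trap cleanup EXIT

#######################################
# Create an EC P-256 private key unless it already exists.
# The key is written under umask 077 inside a subshell (so certificates and
# the config file keep the caller's umask), then forced to 0600 so a
# pre-existing world-readable key is tightened too.
# Arguments: $1 - path of the key file
#######################################
gen_key() {
  local key=$1
  if [[ ! -e "$key" ]]; then
    ( umask 077 && openssl ecparam -name prime256v1 -genkey -noout -out "$key" )
  fi
  chmod 600 -- "$key"
}

#######################################
# Issue a CA-signed leaf certificate carrying the v3_ext extensions.
# Re-issues when the certificate is missing, older than its key, or older
# than ca.crt — a leaf issued under an earlier CA certificate would
# otherwise be left in place after the CA was regenerated.
# Arguments: $1 - private key, $2 - certificate to write,
#            $3 - subject (e.g. /CN=localhost), $4 - scratch CSR path
#######################################
issue_cert() {
  local key=$1 crt=$2 subject=$3 csr=$4
  if [[ ! -e "$crt" || "$key" -nt "$crt" || ca.crt -nt "$crt" ]]; then
    openssl req -new -key "$key" -out "$csr" -subj "$subject"
    openssl x509 -req -in "$csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
      -out "$crt" -days 365 -sha256 \
      -extfile "$CNF_FILE" -extensions v3_ext
  fi
}

# Generate openssl.cnf for v3 extensions
cat > "$CNF_FILE" <<EOF
[ req ]
distinguished_name = req_distinguished_name
x509_extensions = v3_ca
req_extensions = v3_req
prompt = no
[ req_distinguished_name ]
CN = localhost
[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, keyCertSign, cRLSign
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @alt_names
[ v3_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @alt_names
# host.docker.internal and 192.168.65.254 are docker 'magic' name/ip to communicate with host on macOS.
[ alt_names ]
DNS.1 = localhost
DNS.2 = host.docker.internal
IP.1 = 127.0.0.1
IP.2 = 192.168.65.254
EOF

# CA key and self-signed certificate
gen_key ca.key
if [[ ! -e ca.crt || ca.key -nt ca.crt ]]; then
  openssl req -x509 -new -key ca.key -sha256 -days 3650 -out ca.crt \
    -config "$CNF_FILE" -extensions v3_ca
fi

# Server certificate (localhost + docker host aliases via alt_names)
gen_key localhost.key
issue_cert localhost.key localhost.crt "/CN=localhost" tls.csr

# Client certificate
gen_key client.key
issue_cert client.key client.crt "/CN=Test Client" client.csr

printf '%s\n' "Certificates generated:"
ls -1 -- *.crt *.key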