#!/bin/sh
# =============================================================================
# Self-signed TLS Certificate Generator
# Runs once as an init container (cert-gen service in docker-compose).
# Produces:
# ca.key — CA private key (keep secret, used only to sign the cert)
# ca.crt — CA certificate (distribute to clients / browsers)
# vault.key — Vault private key
# vault.csr — Vault certificate signing request
# vault.crt — Vault certificate signed by our CA
# extfile.cnf — SAN extension config used during signing
# =============================================================================
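set -eu

# Where all key material is written. Defaults to the volume mount used by the
# cert-gen container; overridable so the script can be exercised elsewhere.
CERTS_DIR="${CERTS_DIR:-/certs}"

# "generate" (default): create a CA and a CA-signed server certificate.
# "external": only validate and fix permissions on files supplied by the operator.
TLS_MODE="${TLS_MODE:-generate}"

# Subject / SAN inputs. EXTRA_SANS is appended verbatim to subjectAltName.
HOSTNAME="${VAULT_HOSTNAME:-vault.internal}"
EXTRA_SANS="${TLS_EXTRA_SANS:-}"

# Owner of the generated files; must match the uid/gid the Vault process runs as.
VAULT_UID="${VAULT_UID:-100}"
VAULT_GID="${VAULT_GID:-100}"

# Distinguished-name fields shared by the CA and server subjects.
COUNTRY="${TLS_COUNTRY:-US}"
STATE="${TLS_STATE:-New York}"
CITY="${TLS_CITY:-Albany}"
ORG="${TLS_ORG:-IT Company}"
OU="${TLS_OU:-IT}"

# Validity in days, applied to both the CA and the server certificate.
DAYS="${TLS_DAYS:-3650}"

mkdir -p "${CERTS_DIR}"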
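#######################################
# Best-effort chown of the given paths to VAULT_UID:VAULT_GID.
# Never fails the script (some volume drivers reject chown), but reports
# the failure on stderr so a later "Vault cannot read vault.key" can be
# traced back here instead of being silently swallowed.
# Globals:   VAULT_UID, VAULT_GID (read)
# Arguments: paths to chown
# Returns:   always 0
#######################################
set_ownership() {
  if ! chown "${VAULT_UID}:${VAULT_GID}" "$@" 2>/dev/null; then
    echo "[cert-gen] WARNING: could not chown to ${VAULT_UID}:${VAULT_GID}: $*" >&2
  fi
  return 0
}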
#######################################
# Apply the intended mode to each known artefact that exists, then hand the
# directory and its contents to the Vault uid/gid.
#   ca.key 600, vault.key 640, ca.crt / vault.crt / extfile.cnf 644.
# Runs in a subshell so the loop variables do not leak into the script.
# NOTE(review): the final chown also gives VAULT_UID ownership of ca.key, so
# the Vault process can read the CA signing key — confirm that is intended.
# Globals:   CERTS_DIR (read)
# Arguments: none
#######################################
set_permissions() (
  for spec in ca.key:600 vault.key:640 ca.crt:644 vault.crt:644 extfile.cnf:644; do
    target="${CERTS_DIR}/${spec%:*}"
    if [ -f "${target}" ]; then
      chmod "${spec#*:}" "${target}"
    fi
  done
  set_ownership "${CERTS_DIR}" "${CERTS_DIR}"/*
)
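#######################################
# External TLS mode: every file Vault needs must be present and non-empty
# (an empty certificate or key would only fail later, inside Vault, with a
# less obvious message). Diagnostics go to stderr.
# Globals:   CERTS_DIR (read)
# Arguments: none
# Exits:     1 on the first missing/empty file; 0 after permissions are
#            normalized — this function never returns to the caller.
#######################################
validate_external_certs() {
  for file in vault.crt vault.key ca.crt; do
    if [ ! -s "${CERTS_DIR}/${file}" ]; then
      echo "[cert-gen] ERROR: TLS_MODE=external requires a non-empty ${CERTS_DIR}/${file}" >&2
      exit 1
    fi
  done
  echo "[cert-gen] External TLS mode selected. Using existing certificate files."
  set_permissions
  exit 0
}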
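# ---------------------------------------------------------------------------
# Mode dispatch.
# external: validate the supplied files, normalize permissions and exit
#           (validate_external_certs never returns).
# generate: fall through to the generation steps below.
# Anything else is a configuration error, reported on stderr.
# ---------------------------------------------------------------------------
case "${TLS_MODE}" in
  external)
    validate_external_certs
    ;;
  generate)
    ;;
  *)
    echo "[cert-gen] ERROR: Unsupported TLS_MODE=${TLS_MODE}. Use generate or external." >&2
    exit 1
    ;;
esac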
# ---------------------------------------------------------------------------
# Idempotence: when a complete set (server cert, server key, CA cert) is
# already present, only re-apply permissions and stop, so restarting the
# stack never rotates the CA. A partial set (e.g. from an interrupted run)
# falls through and is regenerated from scratch.
# ---------------------------------------------------------------------------
have_all=1
for existing in vault.crt vault.key ca.crt; do
  [ -f "${CERTS_DIR}/${existing}" ] || have_all=0
done
if [ "${have_all}" = 1 ]; then
  echo "[cert-gen] Certificates already exist. Skipping generation."
  set_permissions
  exit 0
fi
echo "[cert-gen] Generating TLS certificates for hostname: ${HOSTNAME}"
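# ---------------------------------------------------------------------------
# 1. Generate CA key and self-signed CA certificate
# openssl creates output files with the process umask, and the explicit chmod
# only happens in step 5. Tighten the umask first so neither private key is
# ever world-readable on disk, even briefly; set_permissions later widens the
# public artefacts (ca.crt, vault.crt, extfile.cnf) back to 644.
# ---------------------------------------------------------------------------
umask 077
openssl genrsa -out "${CERTS_DIR}/ca.key" 4096
openssl req -new -x509 \
  -key "${CERTS_DIR}/ca.key" \
  -out "${CERTS_DIR}/ca.crt" \
  -days "${DAYS}" \
  -subj "/C=${COUNTRY}/ST=${STATE}/L=${CITY}/O=${ORG}/OU=${OU} CA/CN=${ORG} Internal CA"
echo "[cert-gen] CA certificate generated."
# ---------------------------------------------------------------------------
# 2. Generate Vault server private key and CSR
# The CSR is only an intermediate; it is deleted in step 5.
# ---------------------------------------------------------------------------
openssl genrsa -out "${CERTS_DIR}/vault.key" 4096
openssl req -new \
  -key "${CERTS_DIR}/vault.key" \
  -out "${CERTS_DIR}/vault.csr" \
  -subj "/C=${COUNTRY}/ST=${STATE}/L=${CITY}/O=${ORG}/OU=${OU}/CN=${HOSTNAME}"
echo "[cert-gen] Server CSR generated."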
# ---------------------------------------------------------------------------
# 3. Build the SAN extension config
# The configured hostname, localhost and the loopback address are always
# included; TLS_EXTRA_SANS (comma-separated openssl SAN entries, e.g.
# "DNS:example.test,IP:10.0.0.5" — constructed sample) is appended verbatim
# when non-empty. No interface addresses are auto-detected.
# ---------------------------------------------------------------------------
SAN_LIST="DNS:${HOSTNAME},DNS:localhost,IP:127.0.0.1${EXTRA_SANS:+,${EXTRA_SANS}}"
printf '%s\n' \
  '[ v3_req ]' \
  "subjectAltName = ${SAN_LIST}" \
  'basicConstraints = CA:FALSE' \
  'keyUsage = critical, digitalSignature, keyEncipherment' \
  'extendedKeyUsage = serverAuth' > "${CERTS_DIR}/extfile.cnf"
echo "[cert-gen] SAN config: ${SAN_LIST}"
# ---------------------------------------------------------------------------
# 4. Sign the Vault certificate with our CA
# -CAcreateserial writes the serial file ca.srl next to the CA; it is
# removed in step 5 together with the CSR.
# ---------------------------------------------------------------------------
openssl x509 -req \
  -days "${DAYS}" \
  -in "${CERTS_DIR}/vault.csr" \
  -out "${CERTS_DIR}/vault.crt" \
  -CA "${CERTS_DIR}/ca.crt" \
  -CAkey "${CERTS_DIR}/ca.key" \
  -CAcreateserial \
  -extfile "${CERTS_DIR}/extfile.cnf" \
  -extensions v3_req
echo "[cert-gen] Server certificate signed."
# ---------------------------------------------------------------------------
# 5. Set file permissions and ownership
# vault.key (640, owned by VAULT_UID:VAULT_GID) must stay readable by the
# Vault process; ca.key is restricted to 600.
# ---------------------------------------------------------------------------
set_permissions
# The CSR and the CA serial file are one-shot artefacts of the signing step.
rm -f "${CERTS_DIR}/vault.csr" "${CERTS_DIR}/ca.srl"
echo "[cert-gen] Done. Files in ${CERTS_DIR}:"
ls -lah "${CERTS_DIR}"