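#!/usr/bin/env bash
# setup-certs.sh - generate a self-signed CA plus one shared server cert/key
# suitable for inter-component TLS in lab-15.
#
# Output (all in ${CERT_DIR}, default ./certs/ next to this script):
#   ca.pem         - self-signed CA certificate
#   ca-key.pem     - CA private key (mode 0600; only needed to issue further certs)
#   server.pem     - server cert signed by the CA
#   server-key.pem - server private key (mode 0600)
#   server.cnf     - openssl config used for every step (kept for traceability)
#
# Tunables (environment variables, all optional):
#   CERT_DIR   - output directory            (default: <script dir>/certs)
#   KEY_BITS   - RSA modulus size in bits    (default: 4096)
#   CA_DAYS    - CA certificate validity     (default: 3650)
#   CERT_DAYS  - server certificate validity (default: 3650)
#
# The server cert SANs cover:
#   - localhost, 127.0.0.1 (phase 1 bare-process)
#   - pd-0, tikv-0, tidb-0, tiflash-0 (phase 3 multi-container)
# so the same CA + server cert pair works for both phases.
#
# Idempotent: if the complete set (ca.pem, ca-key.pem, server.pem,
# server-key.pem) already exists in ${CERT_DIR}, this script is a no-op.
# A partial set (e.g. left behind by an interrupted run or a deleted key) is
# regenerated as a whole, since the CA and the server cert only make sense as
# a pair. Delete the dir to force regeneration.
#
# Cert chain follows the pattern in TiDB's "Generate Self-Signed Certificates"
# doc: https://docs.pingcap.com/tidb/stable/generate-self-signed-certificates/
# but uses one shared server cert across the four components for simplicity.
# Real production deployments use per-component certs with distinct CNs and
# `cluster-verify-cn` enforcement. Note that the shared cert carries both the
# serverAuth and clientAuth EKUs, so any process holding it can authenticate
# as any component to any other - fine for a lab, not for production.
set -euo pipefail

die() { printf 'setup-certs.sh: %s\n' "$*" >&2; exit 1; }

SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
CERT_DIR="${CERT_DIR:-${SCRIPT_DIR}/certs}"
KEY_BITS="${KEY_BITS:-4096}"
CA_DAYS="${CA_DAYS:-3650}"
CERT_DAYS="${CERT_DAYS:-3650}"

command -v openssl >/dev/null 2>&1 || die "openssl not found in PATH"

# The four files that make up a usable cert set. Checking only ca.pem and
# server.pem would let a directory that lost e.g. server-key.pem report
# "already exist" and exit 0, leaving the lab with a cert but no key.
REQUIRED=(ca.pem ca-key.pem server.pem server-key.pem)
present=0
for f in "${REQUIRED[@]}"; do
  if [ -f "${CERT_DIR}/${f}" ]; then
    present=$((present + 1))
  fi
done
if [ "${present}" -eq "${#REQUIRED[@]}" ]; then
  echo "Certs already exist in ${CERT_DIR}. To regenerate, delete the dir first:"
  echo "  rm -rf '${CERT_DIR}'"
  exit 0
elif [ "${present}" -gt 0 ]; then
  echo "Incomplete cert set in ${CERT_DIR} (${present}/${#REQUIRED[@]} files); regenerating all of them." >&2
fi

mkdir -p "${CERT_DIR}"
# Resolve to an absolute path before changing directory: a relative CERT_DIR
# (e.g. CERT_DIR=certs) would otherwise break the final `ls` and print config
# paths that are only valid from the original working directory.
CERT_DIR="$(cd "${CERT_DIR}" && pwd)"
cd "${CERT_DIR}"

# Everything this run writes, final and transient. On a failed run they are
# removed so the idempotence check above never trusts a half-written set.
OUTPUTS=(ca.pem ca-key.pem server.pem server-key.pem server.cnf server.csr ca.srl)
cleanup_on_failure() {
  local rc=$?
  if [ "${rc}" -ne 0 ]; then
    printf 'setup-certs.sh: failed (exit %d); removing partial output from %s\n' "${rc}" "${CERT_DIR}" >&2
    (cd "${CERT_DIR}" && rm -f -- "${OUTPUTS[@]}")
  fi
}
trap cleanup_on_failure EXIT

echo "=== Writing openssl config (CA extensions + server SANs) ==="
# Using our own config for every openssl step, instead of whatever openssl.cnf
# the distribution ships, makes the resulting extensions (in particular the
# CA's basicConstraints/keyUsage) the same on every machine.
cat > server.cnf <<'EOF'
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no

[req_distinguished_name]
CN = lab15-server
O = lab15

# Extensions for the self-signed CA (req -x509 -extensions v3_ca).
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

# Extensions for the server CSR and the issued server cert.
[v3_req]
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = localhost
DNS.2 = pd-0
DNS.3 = tikv-0
DNS.4 = tidb-0
DNS.5 = tiflash-0
IP.1 = 127.0.0.1
EOF
chmod 0644 server.cnf

echo "=== Generating CA (${KEY_BITS}-bit RSA, ${CA_DAYS}-day validity) ==="
# genrsa's stderr is only progress noise on older OpenSSL, so it is silenced;
# the `|| die` keeps an actual failure visible instead of a silent exit.
openssl genrsa -out ca-key.pem "${KEY_BITS}" 2>/dev/null || die "CA key generation failed"
# Private keys are restricted explicitly rather than relying on the umask or
# on the openssl build. If a phase-3 container runs as a different uid than
# the host user, give that uid access to the key deliberately (chown/copy
# into the image) rather than loosening the mode here.
chmod 0600 ca-key.pem
openssl req -x509 -new -nodes -sha256 -key ca-key.pem -days "${CA_DAYS}" \
  -config server.cnf -extensions v3_ca \
  -subj "/CN=lab15-ca/O=lab15" -out ca.pem \
  || die "CA certificate generation failed"

echo "=== Generating server key (${KEY_BITS}-bit RSA) ==="
openssl genrsa -out server-key.pem "${KEY_BITS}" 2>/dev/null || die "server key generation failed"
chmod 0600 server-key.pem

echo "=== Generating server CSR ==="
openssl req -new -sha256 -key server-key.pem -out server.csr -config server.cnf \
  || die "server CSR generation failed"

echo "=== Signing server cert with the CA (${CERT_DAYS}-day validity) ==="
# Not silenced: on success x509 prints a one-line "signature ok" notice, and
# on failure the reason must not be hidden.
openssl x509 -req -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial \
  -out server.pem -days "${CERT_DAYS}" -extensions v3_req -extfile server.cnf \
  || die "server certificate signing failed"

echo "=== Verifying server.pem chains to ca.pem ==="
# Catches a broken chain before any component is pointed at these files.
openssl verify -CAfile ca.pem server.pem || die "server.pem does not verify against ca.pem"

# Transient artifacts (CSR + serial) are not needed to run the lab; keep the
# cnf for traceability.
rm -f server.csr ca.srl

echo
echo "=== Done ==="
echo "Files in ${CERT_DIR}:"
ls -la "${CERT_DIR}"
echo
echo "Each TiDB component uses different [security] key names:"
echo
echo "  # tidb-server (in tidb.toml):"
echo "  [security]"
echo "  cluster-ssl-ca   = \"${CERT_DIR}/ca.pem\""
echo "  cluster-ssl-cert = \"${CERT_DIR}/server.pem\""
echo "  cluster-ssl-key  = \"${CERT_DIR}/server-key.pem\""
echo
echo "  # tikv-server (in tikv.toml):"
echo "  [security]"
echo "  ca-path   = \"${CERT_DIR}/ca.pem\""
echo "  cert-path = \"${CERT_DIR}/server.pem\""
echo "  key-path  = \"${CERT_DIR}/server-key.pem\""
echo
echo "  # pd-server (in pd.toml):"
echo "  [security]"
echo "  cacert-path = \"${CERT_DIR}/ca.pem\""
echo "  cert-path   = \"${CERT_DIR}/server.pem\""
echo "  key-path    = \"${CERT_DIR}/server-key.pem\""
echo
echo "  # tiflash (in tiflash.toml; snake_case, distinct from the others):"
echo "  [security]"
echo "  ca_path   = \"${CERT_DIR}/ca.pem\""
echo "  cert_path = \"${CERT_DIR}/server.pem\""
echo "  key_path  = \"${CERT_DIR}/server-key.pem\""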