minishift rework sertificates

gistfile1.txt

#!/bin/bash

export CA_CN=minishift-signer
export DOMAIN=\*.$( minishift ip ).nip.io
OPENSSL_DIR_INFO=$(openssl version -d)
OPENSSL_DIR_WITH_QUOTES="${OPENSSL_DIR_INFO#*:}"
OPENSSL_DIR="${OPENSSL_DIR_WITH_QUOTES//\"}"

export OPENSSL_CNF="${OPENSSL_DIR}/openssl.cnf"
echo "${OPENSSL_CNF}"

openssl genrsa -out rootCA.key 4096
openssl req -x509 \
    -new -nodes \
    -key rootCA.key \
    -sha256 \
    -days 1024 \
    -out rootCA.crt \
    -subj /CN=${CA_CN} \
    -reqexts SAN \
    -extensions SAN \
    -config <(cat ${OPENSSL_CNF} \
    <(printf '[SAN]\nbasicConstraints=critical, CA:TRUE\nkeyUsage=keyCertSign, cRLSign, digitalSignature, keyEncipherment'))
openssl genrsa -out domain.key 2048

openssl req -new -sha256 \
    -key domain.key \
    -subj "/C=UA/ST=CK/O=RedHat/CN=${DOMAIN}" \
    -reqexts SAN \
    -config <(cat ${OPENSSL_CNF} \
    <(printf "\n[SAN]\nsubjectAltName=DNS:${DOMAIN}\nbasicConstraints=critical, CA:FALSE\nkeyUsage=keyCertSign, digitalSignature, keyEncipherment\nextendedKeyUsage=serverAuth")) \
    -out domain.csr

openssl x509 \
-req \
-extfile <(printf "subjectAltName=DNS:${DOMAIN}\nbasicConstraints=critical, CA:FALSE\nkeyUsage=keyCertSign, digitalSignature, keyEncipherment\nextendedKeyUsage=serverAuth") \
-days 365 \
-in domain.csr \
-CA rootCA.crt \
-CAkey rootCA.key \
-CAcreateserial -out domain.crt

# Add the newer minishift certificate to minishift router-certs
sleep 60
eval $(minishift oc-env)

oc login -u system:admin --insecure-skip-tls-verify=true
oc project default
oc delete secret router-certs
cat domain.crt domain.key > minishift.crt
oc create secret tls router-certs --key=domain.key --cert=minishift.crt
oc rollout latest router

cp rootCA.crt ca.crt
oc create namespace che
oc create secret generic self-signed-certificate --from-file=ca.crt -n=che