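#!/usr/bin/env bash
# Generate a self-signed X.509 certificate plus a passphrase-protected RSA key.
# The key passphrase is fetched from AWS SSM Parameter Store and handed to
# OpenSSL through process substitution (a /dev/fd pipe), so it is never written
# to the filesystem and never appears as a command-line argument.
#
# Usage: <script> [NAME_PREFIX] [SUBJECT] [PARAM_NAME]
#   $1 NAME_PREFIX  basename for <prefix>.key and <prefix>.pem   (default: test)
#   $2 SUBJECT      X.509 subject in `openssl -subj` form
#   $3 PARAM_NAME   SSM parameter holding the key passphrase
#                   (default: /certs/<NAME_PREFIX>/pass)
# Requires: bash (process substitution), openssl >= 1.1.1 (for -addext), aws CLI.
set -euo pipefail

# defaults for you, change AWS_CMD if you do not use aws-okta anymore
NAME_PREFIX="${1:-test}"
# NOTE(review): the default subject below appears to have been mangled by the
# hosting page's e-mail obfuscation ("[email protected]"); an X.509 subject needs
# key=value components, e.g. /emailAddress=<address>/O=... — confirm before use.
SUBJECT="${2:-/[email protected]/O=ExampleOrg/OU=SRE/C=US/ST=CA/L=SanDiego}"
PARAM_NAME="${3:-/certs/${NAME_PREFIX}/pass}"
# Command prefix kept as an array so each word survives intact; the trailing
# "aws" is the binary that receives the ssm subcommand.
AWS_CMD=(aws-okta exec labs -- aws)
readonly DAYS_VALID="3650"
# - in my use case the cert does not have a name (SAN or CN) but an email address
#   in the subject, e.g. /emailAddress=<address>/O=ExampleOrg/OU=SRE/C=US/ST=CA/L=Lodi
# - if SAN or CN are needed, remove the email from the subject and add another
#   argument to the openssl command:
#   -addext "subjectAltName = DNS:sre.example.com"

# Fetch the key passphrase from SSM. PARAM_NAME is quoted so it can never be
# word-split or globbed. Under set -e a failed lookup aborts the script here.
PW="$("${AWS_CMD[@]}" ssm get-parameter --name "${PARAM_NAME}" --with-decryption --query 'Parameter.Value' --output text)"
# An empty passphrase would either make openssl fail with an unrelated error or
# yield a key that is effectively unprotected — refuse early and loudly.
if [[ -z "${PW}" ]]; then
  printf 'error: empty passphrase from SSM parameter %s\n' "${PARAM_NAME}" >&2
  exit 1
fi

# - I used to worry about seeding /dev/urandom, but that is no longer necessary
#   https://research.nccgroup.com/2019/12/19/on-linuxs-random-number-generation/
#   https://www.amossys.fr/fr/ressources/blog-technique/linux-csprng-architecture/
# - OpenSSL will take the private key pass from the command line, a file, or the
#   environment, but none of those is acceptable: argv is visible in `ps`, a file
#   lands on disk. Process substitution hands openssl a /dev/fd pipe fed by the
#   shell builtin printf, so the secret lives only in this shell and the pipe.
#   openssl reads the first line of a file: pass source, so a passphrase that
#   contains a newline would be truncated.
# - The minimal -config is needed because -subj still requires a
#   distinguished_name section to exist in the configuration.
openssl req -x509 -newkey rsa:4096 \
  -config <(printf '[req]\ndistinguished_name=rdn\n[rdn]\n') \
  -keyout "${NAME_PREFIX}.key" \
  -out "${NAME_PREFIX}.pem" \
  -sha256 \
  -days "${DAYS_VALID}" \
  -subj "${SUBJECT}" \
  -addext basicConstraints=critical,CA:FALSE \
  -passout file:<(printf '%s' "${PW}")
# Belt and braces: the encrypted private key must be readable by its owner only.
chmod 600 -- "${NAME_PREFIX}.key"

# Loose tests, but they cover the key issues. Failures print ugly openssl
# errors, but success is unambiguous.
printf '\n-- Sanity checks\n'
printf '* files matching the prefix\n'
ls -lah -- "${NAME_PREFIX}"*
printf '* verify cert subject and expiration date, should be %s days from today\n' "${DAYS_VALID}"
openssl x509 -in "${NAME_PREFIX}.pem" -noout -subject -enddate
printf "* private key consistency check, should say something like 'RSA key ok'\n"
openssl rsa -in "${NAME_PREFIX}.key" -passin file:<(printf '%s' "${PW}") -noout -check
# Drop the secret from the shell's environment as soon as it is no longer needed.
unset PW
# `--` keeps bash's printf from reading the leading "--" as an option.
printf -- '-- Done\n'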