Skip to content

Instantly share code, notes, and snippets.

@v1k0d3n

v1k0d3n/README.md

Last active February 15, 2024 18:34
Show Gist options
  • Save v1k0d3n/08b9a1d37a06e90ff39646e1b09417d8 to your computer and use it in GitHub Desktop.
Save v1k0d3n/08b9a1d37a06e90ff39646e1b09417d8 to your computer and use it in GitHub Desktop.
Download ZIP
Creating Certificates for Demo PoC
Raw
README.md

Overview

This is just a simple script that I use to generate self-signed certificates. It's suited for general use of course, however it also includes v3 extensions which are required for container registries like Quay. This is my "easy button" for PoCs that can use temporary self-signed certificates.

Useage

  1. Download the script 
    curl -L https://gist.githubusercontent.com/v1k0d3n/08b9a1d37a06e90ff39646e1b09417d8/raw/certgen.sh -o certgen.sh
  2. Make it executable 
    chmod +x certgen.sh
  3. Edit the variables at the top of the file (look for the STOP notation)
  4. Run the script 
    ./certgen.sh

NOTE: Be sure that the openssl and tree packages are installed on your system first.

Example:

When you run the script, your output should look like the following:

[bjozsa@testing .local]$ ./certgen.sh
Certificate request self-signature ok
subject=C = US, ST = NC, L = Charlotte, O = RedHat, OU = IT, CN = vm-ocp-node59.ztp.dfw.ocp.run
Certificate Path: /home/bjozsa/.local/opt/demos/certs/vm-ocp-node59/etc/certs
/home/bjozsa/.local/opt/demos/certs/vm-ocp-node59
├── bin
│   ├── build-certs.sh
│   └── hosts-prep.sh
└── etc
    └── certs
        ├── ca.crt
        ├── ca.key
        ├── ca.srl
        ├── v3.ext
        ├── vm-ocp-node59.ztp.dfw.ocp.run.crt
        ├── vm-ocp-node59.ztp.dfw.ocp.run.csr
        └── vm-ocp-node59.ztp.dfw.ocp.run.key

3 directories, 9 files
[bjozsa@testing .local]$

You can modify the extensions that you want to add by modifying the v3.ext artifact which is generated with the createCertificates function. By default I include the following (for hosting OCP images on a Quay registry):

authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1=host01.example.com
DNS.2=host01
IP.1=192.168.1.80
IP.2=127.0.0.1

Obvious Disclaimer:

This is for demonstration purposes only! You should be using a real certificate management solution. Don't run this in productioon, and don't always trust what you find on the internet.

Raw
certgen.sh
#!/bin/bash
set -a
# NOTICE: EDIT FOLLOWING VARIABLES BELOW
ENDPOINT_HOSTNAME="vm-ocp-node59"
ENDPOINT_BASE_DNS_NAME=ztp.dfw.ocp.run
ENDPOINT_HOST_IP="192.168.3.59"
PATH_DEMO="$HOME/.local/opt/demos/certs/$ENDPOINT_HOSTNAME"
REGCERT_COUNTY="US"
REGCERT_STATE="NC"
REGCERT_CITY="Charlotte"
REGCERT_ORG="RedHat"
REGCERT_OU="IT"
#######################################################
# STOP: DO NOT EDIT BELOW (UNLESS REQUIRED)
function createDirectories() {
mkdir -p {$PATH_DEMO/bin,$PATH_DEMO/etc/certs}
}
function installReqs() {
sudo dnf install openssl tree -yy
}
function createHostsPrep() {
sed 's/^ *//' > $PATH_DEMO/bin/hosts-prep.sh <<EOF_HOSTS
#!/bin/bash
cat <<- EOF >> /etc/hosts
## Automated Certificates: $ENDPOINT_HOSTNAME.$ENDPOINT_BASE_DNS_NAME
$ENDPOINT_HOST_IP $ENDPOINT_HOSTNAME $ENDPOINT_HOSTNAME.$ENDPOINT_BASE_DNS_NAME
EOF
EOF_HOSTS
chmod +x $PATH_DEMO/bin/hosts-prep.sh
}
function createCertificates() {
cat > $PATH_DEMO/etc/certs/v3.ext <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1=$ENDPOINT_HOSTNAME.$ENDPOINT_BASE_DNS_NAME
DNS.2=$ENDPOINT_HOSTNAME
IP.1=$ENDPOINT_HOST_IP
IP.2=127.0.0.1
EOF
cat <<EOF > $PATH_DEMO/bin/build-certs.sh
#!/bin/bash
openssl genrsa -out $PATH_DEMO/etc/certs/ca.key 4096
openssl req -x509 -new -nodes -sha512 -days 365 \
-subj "/C=$REGCERT_COUNTY/ST=$REGCERT_STATE/L=$REGCERT_CITY/O=$REGCERT_ORG/OU=$REGCERT_OU/CN=$ENDPOINT_HOSTNAME.$ENDPOINT_BASE_DNS_NAME" \
-key $PATH_DEMO/etc/certs/ca.key \
-out $PATH_DEMO/etc/certs/ca.crt
openssl genrsa -out $PATH_DEMO/etc/certs/$ENDPOINT_HOSTNAME.$ENDPOINT_BASE_DNS_NAME.key 4096
openssl req -sha512 -new \
-subj "/C=$REGCERT_COUNTY/ST=$REGCERT_STATE/L=$REGCERT_CITY/O=$REGCERT_ORG/OU=$REGCERT_OU/CN=$ENDPOINT_HOSTNAME.$ENDPOINT_BASE_DNS_NAME" \
-key $PATH_DEMO/etc/certs/$ENDPOINT_HOSTNAME.$ENDPOINT_BASE_DNS_NAME.key \
-out $PATH_DEMO/etc/certs/$ENDPOINT_HOSTNAME.$ENDPOINT_BASE_DNS_NAME.csr
openssl x509 -req -sha512 -days 365 \
-extfile $PATH_DEMO/etc/certs/v3.ext \
-CA $PATH_DEMO/etc/certs/ca.crt -CAkey $PATH_DEMO/etc/certs/ca.key -CAcreateserial \
-in $PATH_DEMO/etc/certs/$ENDPOINT_HOSTNAME.$ENDPOINT_BASE_DNS_NAME.csr \
-out $PATH_DEMO/etc/certs/$ENDPOINT_HOSTNAME.$ENDPOINT_BASE_DNS_NAME.crt
EOF
chmod +x $PATH_DEMO/bin/build-certs.sh
$PATH_DEMO/bin/build-certs.sh
}
function resultsPrint() {
printf "Certificate Path: $PATH_DEMO/etc/certs\n"
tree $PATH_DEMO
}
# Run it:
createDirectories
createHostsPrep
createCertificates
resultsPrint
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment