ansible/files/genssl.sh - openwhisk - Git at Google

 #!/bin/bash
 # Licensed to the Apache Software Foundation (ASF) under one or more contributor
 # license agreements; and to You under the Apache License, Version 2.0.

 set -e

 PASSWORD="openwhisk"

 if [ "$#" -lt 3 ]; then
     echo "usage: $0 <common name: host or ip> [server|client] <scriptdir> <OPTIONAL:TrustorePassword> <OPTIONAL:generateKey>"
     exit
 fi
 CN=$1
 TYPE=$2
 SCRIPTDIR=$3
 export TRUSTSTORE_PASSWORD=${4:-PASSWORD}
 NAME_PREFIX=$5
 GENKEY=$6


 ## generates a (self-signed) certificate
 if [[ -n $GENKEY ]]
 then
   openssl genrsa -out "$SCRIPTDIR/${NAME_PREFIX}openwhisk-server-key.pem" 2048
 fi
 function gen_csr(){
   echo generating server certificate request
   openssl req -new \
       -key "$SCRIPTDIR/${NAME_PREFIX}openwhisk-server-key.pem" \
       -nodes \
       -subj "/C=US/ST=NY/L=Yorktown/O=OpenWhisk/CN=$CN" \
       -out "$SCRIPTDIR/${NAME_PREFIX}openwhisk-server-request.csr"
 }
 function gen_cert(){
   echo generating self-signed password-less server certificate
   openssl x509 -req \
       -in "$SCRIPTDIR/${NAME_PREFIX}openwhisk-server-request.csr" \
       -signkey "$SCRIPTDIR/${NAME_PREFIX}openwhisk-server-key.pem" \
       -out "${SCRIPTDIR}/${NAME_PREFIX}openwhisk-server-cert.pem" \
       -days 365
 }

 function gen_p12_keystore(){
   openssl pkcs12 -export -name $CN \
        -passout pass:$TRUSTSTORE_PASSWORD \
        -in "$SCRIPTDIR/${NAME_PREFIX}openwhisk-server-cert.pem" \
        -inkey "$SCRIPTDIR/${NAME_PREFIX}openwhisk-server-key.pem" \
        -out "$SCRIPTDIR/${NAME_PREFIX}openwhisk-keystore.p12"
 }

 if [ "$TYPE" == "server_with_JKS_keystore" ]; then
   gen_csr
   gen_cert
   echo generate new key and place it in the keystore
   keytool -genkey -v \
     -alias $CN \
     -dname "C=US,ST=NY,L=Yorktown,O=OpenWhisk,CN=$CN" \
     -keystore "${SCRIPTDIR}/${NAME_PREFIX}keystore.jks" \
     -keypass:env TRUSTSTORE_PASSWORD \
     -storepass:env TRUSTSTORE_PASSWORD \
     -keyalg RSA \
     -ext KeyUsage:critical="keyCertSign" \
     -ext BasicConstraints:critical="ca:true" \
     -validity 365
   echo export private key from the keystore
   keytool -keystore "${SCRIPTDIR}/${NAME_PREFIX}keystore.jks" -alias $CN -certreq -file "${SCRIPTDIR}/${NAME_PREFIX}cert-file" -storepass:env TRUSTSTORE_PASSWORD
   echo sign the certificate with private key
   openssl x509 -req -CA "${SCRIPTDIR}/${NAME_PREFIX}openwhisk-server-cert.pem" -CAkey "$SCRIPTDIR/${NAME_PREFIX}openwhisk-server-key.pem" -in "${SCRIPTDIR}/${NAME_PREFIX}cert-file" -out "${SCRIPTDIR}/${NAME_PREFIX}cert-signed" -days 365 -CAcreateserial -passin pass:$TRUSTSTORE_PASSWORD
   echo import CA cert in the keystore
   keytool -keystore "${SCRIPTDIR}/${NAME_PREFIX}keystore.jks" -alias CARoot -import -file "${SCRIPTDIR}/${NAME_PREFIX}openwhisk-server-cert.pem" -storepass:env TRUSTSTORE_PASSWORD -noprompt
   echo import the private key in the keystore
   keytool -keystore "${SCRIPTDIR}/${NAME_PREFIX}keystore.jks" -alias $CN -import -file "${SCRIPTDIR}/${NAME_PREFIX}cert-signed" -storepass:env TRUSTSTORE_PASSWORD -noprompt

 elif [ "$TYPE" == "server" ]; then
     gen_csr
     gen_cert
     echo generate keystore
     gen_p12_keystore
 elif [ "$TYPE" == "p12_keystore_only" ]; then
     gen_csr
     gen_p12_keystore
 else
     echo generating client ca key
     openssl genrsa -aes256 -passout pass:$PASSWORD -out "$SCRIPTDIR/openwhisk-client-ca-key.pem" 2048

     echo generating client ca request
     openssl req -new \
     -key "$SCRIPTDIR/openwhisk-client-ca-key.pem" \
     -passin pass:$PASSWORD \
     -subj "/C=US/ST=NY/L=Yorktown/O=OpenWhisk/CN=$CN" \
     -out "$SCRIPTDIR/openwhisk-client-ca.csr"

     echo generating client ca pem
     openssl x509 -req \
     -in "$SCRIPTDIR/openwhisk-client-ca.csr" \
     -signkey "$SCRIPTDIR/openwhisk-client-ca-key.pem" \
     -passin pass:$PASSWORD \
     -out "$SCRIPTDIR/openwhisk-client-ca-cert.pem" \
     -days 365 -sha1 -extensions v3_ca

     echo generating client key
     openssl genrsa -aes256 -passout pass:$PASSWORD -out "$SCRIPTDIR/openwhisk-client-key.pem" 2048

     echo generating client certificate csr file
     openssl req -new \
     -key "$SCRIPTDIR/openwhisk-client-key.pem" \
     -passin pass:$PASSWORD \
     -subj "/C=US/ST=NY/L=Yorktown/O=OpenWhisk/CN=guest" \
     -out "$SCRIPTDIR/openwhisk-client-certificate-request.csr"

     echo generating self-signed client certificate
     echo 01 > $SCRIPTDIR/openwhisk-client-ca-cert.srl
     openssl x509 -req \
     -in "$SCRIPTDIR/openwhisk-client-certificate-request.csr" \
     -CA "$SCRIPTDIR/openwhisk-client-ca-cert.pem" \
     -CAkey "$SCRIPTDIR/openwhisk-client-ca-key.pem" \
     -CAserial "$SCRIPTDIR/openwhisk-client-ca-cert.srl" \
     -passin pass:$PASSWORD \
     -out "$SCRIPTDIR/openwhisk-client-cert.pem" \
     -days 365 -sha1 -extensions v3_req

     echo remove client key\'s password
     openssl rsa \
     -in "$SCRIPTDIR/openwhisk-client-key.pem" \
     -passin pass:$PASSWORD \
     -out "$SCRIPTDIR/openwhisk-client-key.pem"
 fi
	#!/bin/bash
	# Licensed to the Apache Software Foundation (ASF) under one or more contributor
	# license agreements; and to You under the Apache License, Version 2.0.

	set -e

	PASSWORD="openwhisk"

	if [ "$#" -lt 3 ]; then
	echo "usage: $0 <common name: host or ip> [server\|client] <scriptdir> <OPTIONAL:TrustorePassword> <OPTIONAL:generateKey>"
	exit
	fi
	CN=$1
	TYPE=$2
	SCRIPTDIR=$3
	export TRUSTSTORE_PASSWORD=${4:-PASSWORD}
	NAME_PREFIX=$5
	GENKEY=$6


	## generates a (self-signed) certificate
	if [[ -n $GENKEY ]]
	then
	openssl genrsa -out "$SCRIPTDIR/${NAME_PREFIX}openwhisk-server-key.pem" 2048
	fi
	function gen_csr(){
	echo generating server certificate request
	openssl req -new \
	-key "$SCRIPTDIR/${NAME_PREFIX}openwhisk-server-key.pem" \
	-nodes \
	-subj "/C=US/ST=NY/L=Yorktown/O=OpenWhisk/CN=$CN" \
	-out "$SCRIPTDIR/${NAME_PREFIX}openwhisk-server-request.csr"
	}
	function gen_cert(){
	echo generating self-signed password-less server certificate
	openssl x509 -req \
	-in "$SCRIPTDIR/${NAME_PREFIX}openwhisk-server-request.csr" \
	-signkey "$SCRIPTDIR/${NAME_PREFIX}openwhisk-server-key.pem" \
	-out "${SCRIPTDIR}/${NAME_PREFIX}openwhisk-server-cert.pem" \
	-days 365
	}

	function gen_p12_keystore(){
	openssl pkcs12 -export -name $CN \
	-passout pass:$TRUSTSTORE_PASSWORD \
	-in "$SCRIPTDIR/${NAME_PREFIX}openwhisk-server-cert.pem" \
	-inkey "$SCRIPTDIR/${NAME_PREFIX}openwhisk-server-key.pem" \
	-out "$SCRIPTDIR/${NAME_PREFIX}openwhisk-keystore.p12"
	}

	if [ "$TYPE" == "server_with_JKS_keystore" ]; then
	gen_csr
	gen_cert
	echo generate new key and place it in the keystore
	keytool -genkey -v \
	-alias $CN \
	-dname "C=US,ST=NY,L=Yorktown,O=OpenWhisk,CN=$CN" \
	-keystore "${SCRIPTDIR}/${NAME_PREFIX}keystore.jks" \
	-keypass:env TRUSTSTORE_PASSWORD \
	-storepass:env TRUSTSTORE_PASSWORD \
	-keyalg RSA \
	-ext KeyUsage:critical="keyCertSign" \
	-ext BasicConstraints:critical="ca:true" \
	-validity 365
	echo export private key from the keystore
	keytool -keystore "${SCRIPTDIR}/${NAME_PREFIX}keystore.jks" -alias $CN -certreq -file "${SCRIPTDIR}/${NAME_PREFIX}cert-file" -storepass:env TRUSTSTORE_PASSWORD
	echo sign the certificate with private key
	openssl x509 -req -CA "${SCRIPTDIR}/${NAME_PREFIX}openwhisk-server-cert.pem" -CAkey "$SCRIPTDIR/${NAME_PREFIX}openwhisk-server-key.pem" -in "${SCRIPTDIR}/${NAME_PREFIX}cert-file" -out "${SCRIPTDIR}/${NAME_PREFIX}cert-signed" -days 365 -CAcreateserial -passin pass:$TRUSTSTORE_PASSWORD
	echo import CA cert in the keystore
	keytool -keystore "${SCRIPTDIR}/${NAME_PREFIX}keystore.jks" -alias CARoot -import -file "${SCRIPTDIR}/${NAME_PREFIX}openwhisk-server-cert.pem" -storepass:env TRUSTSTORE_PASSWORD -noprompt
	echo import the private key in the keystore
	keytool -keystore "${SCRIPTDIR}/${NAME_PREFIX}keystore.jks" -alias $CN -import -file "${SCRIPTDIR}/${NAME_PREFIX}cert-signed" -storepass:env TRUSTSTORE_PASSWORD -noprompt

	elif [ "$TYPE" == "server" ]; then
	gen_csr
	gen_cert
	echo generate keystore
	gen_p12_keystore
	elif [ "$TYPE" == "p12_keystore_only" ]; then
	gen_csr
	gen_p12_keystore
	else
	echo generating client ca key
	openssl genrsa -aes256 -passout pass:$PASSWORD -out "$SCRIPTDIR/openwhisk-client-ca-key.pem" 2048

	echo generating client ca request
	openssl req -new \
	-key "$SCRIPTDIR/openwhisk-client-ca-key.pem" \
	-passin pass:$PASSWORD \
	-subj "/C=US/ST=NY/L=Yorktown/O=OpenWhisk/CN=$CN" \
	-out "$SCRIPTDIR/openwhisk-client-ca.csr"

	echo generating client ca pem
	openssl x509 -req \
	-in "$SCRIPTDIR/openwhisk-client-ca.csr" \
	-signkey "$SCRIPTDIR/openwhisk-client-ca-key.pem" \
	-passin pass:$PASSWORD \
	-out "$SCRIPTDIR/openwhisk-client-ca-cert.pem" \
	-days 365 -sha1 -extensions v3_ca

	echo generating client key
	openssl genrsa -aes256 -passout pass:$PASSWORD -out "$SCRIPTDIR/openwhisk-client-key.pem" 2048

	echo generating client certificate csr file
	openssl req -new \
	-key "$SCRIPTDIR/openwhisk-client-key.pem" \
	-passin pass:$PASSWORD \
	-subj "/C=US/ST=NY/L=Yorktown/O=OpenWhisk/CN=guest" \
	-out "$SCRIPTDIR/openwhisk-client-certificate-request.csr"

	echo generating self-signed client certificate
	echo 01 > $SCRIPTDIR/openwhisk-client-ca-cert.srl
	openssl x509 -req \
	-in "$SCRIPTDIR/openwhisk-client-certificate-request.csr" \
	-CA "$SCRIPTDIR/openwhisk-client-ca-cert.pem" \
	-CAkey "$SCRIPTDIR/openwhisk-client-ca-key.pem" \
	-CAserial "$SCRIPTDIR/openwhisk-client-ca-cert.srl" \
	-passin pass:$PASSWORD \
	-out "$SCRIPTDIR/openwhisk-client-cert.pem" \
	-days 365 -sha1 -extensions v3_req

	echo remove client key\'s password
	openssl rsa \
	-in "$SCRIPTDIR/openwhisk-client-key.pem" \
	-passin pass:$PASSWORD \
	-out "$SCRIPTDIR/openwhisk-client-key.pem"
	fi