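#!/usr/bin/env bash
#
# Generate an intentionally short-lived etcd root CA and one server certificate
# signed by it. Both carry a 1h expiry: this is the "fixtures-expired" set, so
# an hour after generation every certificate produced here is expired, which is
# exactly what the consuming tests exercise. Do not "fix" the expiry.
#
# Requirements: cfssl and cfssljson on PATH. openssl is optional and only used
# to print a human-readable dump of the results (check Not Before / Not After).
#
# Outputs, written to the current directory:
#   etcd-root-ca.pem / etcd-root-ca-key.pem   self-signed root CA and its key
#   server.pem       / server-key.pem         leaf cert for 127.0.0.1/localhost and its key
#
# NOTE: the CA private key is left on disk next to the certificates. These are
# test fixtures only and must never be reused outside the test suite.
#
# -u catches unset variables; -o pipefail makes the `cfssl | cfssljson`
# pipelines below fail when cfssl fails, instead of silently producing
# empty/partial output while the script carries on.
set -euo pipefail

# The quoted right-hand side makes =~ a literal substring match, so this
# requires the script to be invoked as ./gencerts.sh, i.e. from its own
# directory. All output paths below are relative and depend on that cwd.
if ! [[ "$0" =~ "./gencerts.sh" ]]; then
    echo "must be run from 'fixtures-expired'"
    exit 255
fi

# Both halves of the generation pipeline are required; check them up front so
# a missing tool fails before any key material is written.
if command -v cfssl >/dev/null; then
    echo "cfssl is installed; generating certs"
else
    echo "cfssl is not installed; exiting"
    exit 255
fi

if ! command -v cfssljson >/dev/null; then
    echo "cfssljson is not installed; exiting"
    exit 255
fi

# Root CA request. "ca.expiry" of 1h is deliberate (see header).
cat > ./etcd-root-ca-csr.json <<EOF
{
  "key": {
    "algo": "rsa",
    "size": 4096
  },
  "names": [
    {
      "O": "etcd",
      "OU": "etcd Security",
      "L": "San Francisco",
      "ST": "California",
      "C": "USA"
    }
  ],
  "CN": "etcd-root-ca",
  "ca": {
    "expiry": "1h"
  }
}
EOF

cfssl gencert --initca=true ./etcd-root-ca-csr.json | cfssljson --bare ./etcd-root-ca

# Signing profile used for the leaf. It grants both "server auth" and
# "client auth", so the resulting cert is usable in either role by the tests,
# and again expires after 1h.
cat > ./etcd-gencert.json <<EOF
{
  "signing": {
    "default": {
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ],
        "expiry": "1h"
    }
  }
}
EOF

# Leaf (server) request. Despite the file name this is not a CA request: there
# is no "ca" block, so cfssl issues an end-entity certificate. Validity is tied
# to the SANs in "hosts" (127.0.0.1, localhost); the CN is informational.
cat > ./server-ca-csr.json <<EOF
{
  "key": {
    "algo": "rsa",
    "size": 4096
  },
  "names": [
    {
      "O": "etcd",
      "OU": "etcd Security",
      "L": "San Francisco",
      "ST": "California",
      "C": "USA"
    }
  ],
  "CN": "example.com",
  "hosts": [
    "127.0.0.1",
    "localhost"
  ]
}
EOF

cfssl gencert \
    --ca ./etcd-root-ca.pem \
    --ca-key ./etcd-root-ca-key.pem \
    --config ./etcd-gencert.json \
    ./server-ca-csr.json | cfssljson --bare ./server

# Remove the request/config scratch files; only the PEM outputs are fixtures.
rm -f -- ./*.json
rm -f -- ./*.csr

# Informational dump so the expiry window can be eyeballed; skipped if openssl
# is absent.
if command -v openssl >/dev/null; then
    openssl x509 -in ./etcd-root-ca.pem -text -noout
    openssl x509 -in ./server.pem -text -noout
fi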
92