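#!/usr/bin/env bash
# Creates simple self-signed certificates to use with the TCP/TLS module.
# By default, the script:
# 1) Creates a "certs" folder in the current folder if use_unified_certificates
#    is false; with use_unified_certificates set to 1 a "tls_certs" folder is
#    created instead.
# 2) Starts from node ID 0.
#
# Arguments:
#   $1 - number of replicas (required, non-negative integer)
#   $2 - output folder (optional; defaults to "certs", or "tls_certs" when $4 is 1)
#   $3 - start node ID (optional, non-negative integer; defaults to 0)
#   $4 - pass 1 to create one unified key/cert per node instead of a
#        client/server pair (optional; defaults to the split layout)
#
# Example usage:
# 1) To create 10 certificate folders with node IDs 0 to 9 in "./certs":
# > ./create_tls_certs.sh 10
#
# 2) To create 15 certificate folders with node IDs 0 to 14 in "/tmp/abc":
# > ./create_tls_certs.sh 15 /tmp/abc
#
# 3) To create 30 certificate folders with node IDs 5 to 34 in "/tmp/fldkdsZ":
# > ./create_tls_certs.sh 30 /tmp/fldkdsZ 5
#
# SECURITY NOTE: every private key is written in clear to pk.pem, and the
# pk.pem.enc copy is AES-256-CBC encrypted with a fixed KEY/IV that is also
# stored in this file, so pk.pem.enc is no more secret than pk.pem. KEY and IV
# can be overridden from the environment, but they are still passed to openssl
# on the command line (visible to other local users via ps). Suitable for
# test/dev setups only; use a real PKI for anything else.
set -euo pipefail

# Defaults are the historical hard-coded values, kept so existing pk.pem.enc
# files stay decryptable with the same parameters.
KEY="${KEY:-15ec11a047f630ca00f65c25f0b3bfd89a7054a5b9e2e3cdb6a772a58251b4c2}"
IV="${IV:-38106509f6528ff859c366747aa04f21}"
readonly KEY IV

#######################################
# Print usage to stderr and exit with status 1.
#######################################
usage() {
  echo "usage: create_tls_certs.sh {num of replicas} {optional - output folder} {optional - start node ID}" >&2
  exit 1
}

#######################################
# Fail with a message on stderr unless the value is a non-negative integer.
# Arguments: $1 - value to check, $2 - human-readable name for the message
#######################################
require_uint() {
  if [[ ! "$1" =~ ^[0-9]+$ ]]; then
    echo "error: $2 must be a non-negative integer, got '$1'" >&2
    exit 1
  fi
}

#######################################
# Generate a secp384r1 EC private key in PEM form.
# Arguments: $1 - output path
#######################################
gen_key() {
  openssl ecparam -name secp384r1 -genkey -noout -out "$1"
}

#######################################
# Self-sign a one-year X.509 certificate for an existing private key.
# Arguments: $1 - key path, $2 - subject string, $3 - output certificate path
#######################################
gen_cert() {
  openssl req -new -key "$1" -nodes -days 365 -x509 -subj "$2" -out "$3"
}

#######################################
# Write a base64 AES-256-CBC copy of a key file next to it as <path>.enc,
# using the script-level KEY/IV. The former -p flag (which echoed key/iv to
# stdout) and the blanket 2>/dev/null are gone, so openssl failures surface.
# Arguments: $1 - key path
#######################################
encrypt_key() {
  openssl enc -base64 -aes-256-cbc -e -in "$1" -K "${KEY}" -iv "${IV}" -out "$1.enc"
}

#######################################
# Unified layout: one key and one certificate per node in <dir>.
# Arguments: $1 - node directory, $2 - node ID
#######################################
make_unified_node() {
  local cert_dir="$1"
  local id="$2"
  mkdir -p -- "$cert_dir"
  gen_key "$cert_dir/pk.pem"
  gen_cert "$cert_dir/pk.pem" \
    "/C=NA/ST=NA/L=NA/O=host_uuid${id}/OU=${id}/CN=node${id}" \
    "$cert_dir/node.cert"
  encrypt_key "$cert_dir/pk.pem"
}

#######################################
# Split layout: separate client and server key/certificate under <dir>.
# Arguments: $1 - node directory, $2 - node ID
#######################################
make_split_node() {
  local client_dir="$1/client"
  local server_dir="$1/server"
  local id="$2"
  mkdir -p -- "$client_dir" "$server_dir"
  gen_key "$server_dir/pk.pem"
  gen_key "$client_dir/pk.pem"
  gen_cert "$server_dir/pk.pem" \
    "/C=NA/ST=NA/L=NA/O=NA/OU=${id}/CN=node${id}ser" \
    "$server_dir/server.cert"
  gen_cert "$client_dir/pk.pem" \
    "/C=NA/ST=NA/L=NA/O=NA/OU=${id}/CN=node${id}cli" \
    "$client_dir/client.cert"
  encrypt_key "$server_dir/pk.pem"
  encrypt_key "$client_dir/pk.pem"
  # The cleartext keys are intentionally left in place (see SECURITY NOTE at
  # the top); uncomment to keep only the encrypted copies.
  # rm -- "$server_dir/pk.pem" "$client_dir/pk.pem"
}

#######################################
# Entry point: validate arguments and create one directory per node ID.
# Arguments: see the header comment
# Outputs:   progress lines on stdout, errors on stderr
# Returns:   0 on success; exits 1 on bad arguments or any openssl failure
#######################################
main() {
  if [[ $# -eq 0 || -z "$1" ]]; then
    usage
  fi
  local num_replicas="$1"
  local start_node_id="${3:-0}"
  local use_unified_certificates="${4:-0}"
  # Both feed into arithmetic below; reject anything that is not a plain
  # integer so a stray value cannot be evaluated as an expression.
  require_uint "$num_replicas" "number of replicas"
  require_uint "$start_node_id" "start node ID"

  local i="$start_node_id"
  local last_node_id=$(( start_node_id + num_replicas - 1 ))
  local dir

  if [[ "$use_unified_certificates" == 1 ]]; then
    echo "Use Unified Certificates"
    dir="${2:-tls_certs}"
    while (( i <= last_node_id )); do
      echo "processing replica $i/$last_node_id"
      make_unified_node "$dir/$i" "$i"
      i=$(( i + 1 ))
    done
  else
    dir="${2:-certs}"
    while (( i <= last_node_id )); do
      echo "processing replica $i/$last_node_id"
      make_split_node "$dir/$i" "$i"
      i=$(( i + 1 ))
    done
  fi
  exit 0
}

main "$@"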