
hack: add script to regenerate certificates

Certificates were originally added in c000cb64712349141596318dea2a8de2462c8f81,
but did not include a script to generate them. Current versions of Go expect
certificates to use SAN instead of Common Name fields, so updating the script
to include those;

x509: certificate relies on legacy Common Name field, use SANs or temporarily
enable Common Name matching with GODEBUG=x509ignoreCN=0

Some fields were updated to be a bit more descriptive (instead of "replaceme"),
and the `-text` option was used to include a human-readable variant of the
content.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

Sebastiaan van Stijn authored on 2020/07/27 00:28:19
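new file mode 100755
--- /dev/null
+++ b/<PATH-NOT-SHOWN-ON-PAGE>
@@ -0,0 +1,87 @@
+#!/bin/bash
+set -eu
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd -P)"
+
+# integration/testdata/https (and integration-cli/fixtures/https, which has symlinks to these files)
+OUT_DIR="${SCRIPT_DIR}/../integration/testdata/https"
+
+# generate CA
+echo 01 > "${OUT_DIR}/ca.srl"
+openssl genrsa -out "${OUT_DIR}/ca-key.pem"
+
+openssl req \
+	-new \
+	-x509 \
+	-days 3652 \
+	-subj "/C=US/ST=CA/L=SanFrancisco/O=Moby-project/OU=ci/CN=moby-ci/name=moby/emailAddress=moby@example.org" \
+	-nameopt compat \
+	-text \
+	-key "${OUT_DIR}/ca-key.pem" \
+	-out "${OUT_DIR}/ca.pem"
+
+# Now that we have a CA, create a server key and certificate signing request.
+# Make sure that `"Common Name (e.g. server FQDN or YOUR name)"` matches the hostname you will use
+# to connect or just use '*' for a certificate valid for any hostname:
+
+openssl genrsa -out server-key.pem
+openssl req -new \
+	-subj "/C=US/ST=CA/L=SanFrancisco/O=Moby-project/OU=ci/CN=server/name=moby/emailAddress=moby@example.org" \
+	-text \
+	-key "${OUT_DIR}/server-key.pem" \
+	-out "${OUT_DIR}/server.csr"
+
+# Options for server certificate
+cat > "${OUT_DIR}/server-options.cfg" << 'EOF'
+basicConstraints=CA:FALSE
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+extendedKeyUsage=serverAuth
+subjectAltName=DNS:*,DNS:localhost,IP:127.0.0.1,IP:::1
+EOF
+
+# Generate the certificate and sign with our CA
+openssl x509 \
+	-req \
+	-days 3652 \
+	-extfile "${OUT_DIR}/server-options.cfg" \
+	-CA "${OUT_DIR}/ca.pem" \
+	-CAkey "${OUT_DIR}/ca-key.pem" \
+	-nameopt compat \
+	-text \
+	-in "${OUT_DIR}/server.csr" \
+	-out "${OUT_DIR}/server-cert.pem"
+
+# For client authentication, create a client key and certificate signing request
+openssl genrsa -out "${OUT_DIR}/client-key.pem"
+openssl req -new \
+	-subj "/C=US/ST=CA/L=SanFrancisco/O=Moby-project/OU=ci/CN=client/name=moby/emailAddress=moby@example.org" \
+	-text \
+	-key "${OUT_DIR}/client-key.pem" \
+	-out "${OUT_DIR}/client.csr"
+
+# Options for client certificate
+cat > "${OUT_DIR}/client-options.cfg" << 'EOF'
+basicConstraints=CA:FALSE
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+extendedKeyUsage=clientAuth
+subjectAltName=DNS:*,DNS:localhost,IP:127.0.0.1,IP:::1
+EOF
+
+# Generate the certificate and sign with our CA:
+openssl x509 \
+	-req \
+	-days 3652 \
+	-extfile "${OUT_DIR}/client-options.cfg" \
+	-CA "${OUT_DIR}/ca.pem" \
+	-CAkey "${OUT_DIR}/ca-key.pem" \
+	-nameopt compat \
+	-text \
+	-in "${OUT_DIR}/client.csr" \
+	-out "${OUT_DIR}/client-cert.pem"
+
+rm "${OUT_DIR}/ca.srl"
+rm "${OUT_DIR}/ca-key.pem"
+rm "${OUT_DIR}"/*.cfg
+rm "${OUT_DIR}"/*.csr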
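Review bot: The server key is written to the current working directory by `openssl genrsa -out server-key.pem`, not to `${OUT_DIR}`, so the next step's `-key "${OUT_DIR}/server-key.pem"` either signs the CSR with a stale key from a previous run or fails under `set -e`, and a fresh private key is left wherever the script was invoked; the line should read `openssl genrsa -out "${OUT_DIR}/server-key.pem"`, matching the CA and client `genrsa` calls. None of the three `genrsa` calls pass a key size, so the generated keys depend on the installed OpenSSL's default and regeneration is not reproducible across machines; appending an explicit size (e.g. `openssl genrsa -out "${OUT_DIR}/ca-key.pem" 4096`, size chosen for illustration) pins it. The comment block above the server CSR still instructs the reader to make the Common Name match the hostname, which the commit message itself says current Go no longer honours; it could instead point at the `subjectAltName` entry in `server-options.cfg`, which is the field actually validated.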