
Revert "Try to generate certificates with SAN"
This reverts commit fb253bd.
Neeraj Poddar committed Aug 30, 2020
1 parent fb253bd commit 7435cda
Showing 1 changed file with 2 additions and 60 deletions.
62 changes: 2 additions & 60 deletions section_3/generate_tls_credentials.sh
Expand Up @@ -3,16 +3,6 @@
set -Eeuo pipefail

scriptName=$(basename $0)
tmpDir=$(mktemp -d $PWD/ca-XXXXXX)

trap cleanup EXIT

function cleanup {
if [ -n "$tmpDir" ]; then
rm -rf $tmpDir
fi
}

if [ "$#" -ne 4 ]; then
cat << EOF
$scriptName <organization> <domain> <sub-domain> <secret-name>
Expand All @@ -39,60 +29,12 @@ openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 \

# Generate a private key and CSR for the server
openssl req -out $serverCsrFile -newkey rsa:2048 -nodes \
-reqexts SAN -extensions SAN \
-config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:$subDomain\n")) \
-keyout $serverKeyFile -subj "/CN=$subDomain/O=$org"

echo "Creating certificate for domain $subDomain"
# Sign the server CSR with the root CA and generate the server certificate

touch "$tmpDir/index.txt"
mkdir -p $tmpDir/newcerts
cp $rootKeyFile $tmpDir/root.key
cp $rootCertFile $tmpDir/root.crt

cat << EOF > $tmpDir/ssl.conf
[ca]
default_ca = CA_default
[CA_default]
dir = $tmpDir
database = $tmpDir/index.txt
new_certs_dir = $tmpDir/newcerts
serial = $tmpDir/serial
private_key = $tmpDir/root.key
certificate = $tmpDir/root.crt
default_days = 365
default_md = sha256
policy = policy_anything
copy_extensions = copyall
[policy_anything]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[req]
prompt = no
distinguished_name = req_distinguished_name
req_extensions = v3_ca
[req_distinguished_name]
CN = $subDomain/O=$org
[v3_ca]
subjectAltName = @alt_names
[alt_names]
DNS.1 = $subDomain
EOF

openssl ca -create_serial -batch -in $serverCsrFile \
-config $tmpDir/ssl.conf -out $serverCertFile
openssl x509 -req -days 365 -CA $rootCertFile -CAkey $rootKeyFile \
-set_serial 0 -in $serverCsrFile -out $serverCertFile

# Create Kubernetes secret with the generated credentials above
kubectl -n istio-system create secret tls $secretName \
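Review bot: The restored signing command on the last two lines of the hunk hard-codes `-set_serial 0`, so every server certificate this script issues under the same root CA carries serial 0, which violates RFC 5280's requirement that serials be positive and unique per issuer and lets clients and caches confuse a reissued certificate with the one it replaced. The same `openssl x509 -req` call also copies no extensions, so with the now CN-only CSR above the issued certificate has no subjectAltName, and clients that no longer fall back to CN (Chrome since 58, Go's TLS stack since 1.15) will refuse it; a SAN can be added here without the `openssl ca` machinery the commit removes. I would change the signing step to `openssl x509 -req -days 365 -sha256 -CA "$rootCertFile" -CAkey "$rootKeyFile" \` / `-set_serial "0x$(openssl rand -hex 16)" -extfile <(printf 'subjectAltName=DNS:%s\n' "$subDomain") \` / `-in "$serverCsrFile" -out "$serverCertFile"`, where `-sha256` matches the digest the root CA line passes explicitly (older OpenSSL releases defaulted `x509 -req` to SHA-1) and the random serial gives each issued certificate a distinct, unpredictable value. Quoting the path variables is a cheap extra, since the unquoted `$rootCertFile`, `$rootKeyFile` and `$serverCsrFile` expansions word-split on any path containing a space.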
