forked from evolix/ansible-roles
122 lines
2.7 KiB
Plaintext
122 lines
2.7 KiB
Plaintext
|
#!/bin/sh
|
||
|
# {{ ansible_managed }}
|
||
|
# Simplified ShellPKI for Docker with TLS
|
||
|
|
||
|
PREFIX={{ docker_tls_path }}
|
||
|
CONFFILE=$PREFIX/openssl.cnf
|
||
|
OPENSSL=`which openssl`
|
||
|
|
||
|
init() {
|
||
|
|
||
|
if [ ! -d $PREFIX/ca ]; then mkdir -p $PREFIX/ca; fi
|
||
|
if [ ! -d $PREFIX/ca/tmp ]; then mkdir -p $PREFIX/ca/tmp; fi
|
||
|
if [ ! -d $PREFIX/certs ]; then mkdir -p $PREFIX/certs; fi
|
||
|
if [ ! -d $PREFIX/files ]; then mkdir -p $PREFIX/files; fi
|
||
|
if [ ! -d $PREFIX/server ]; then mkdir -p $PREFIX/server; fi
|
||
|
|
||
|
echo "Generating CA Key...\n"
|
||
|
$OPENSSL genrsa -out $PREFIX/ca/ca-key.pem 4096
|
||
|
|
||
|
echo "Generating CA cert...\n"
|
||
|
$OPENSSL req \
|
||
|
-new -x509 -days 3650 -sha256 \
|
||
|
-key $PREFIX/{{ docker_tls_ca_key }} \
|
||
|
-out $PREFIX/{{ docker_tls_ca }} \
|
||
|
-subj "/CN={{ ansible_hostname }}/C=FR"
|
||
|
|
||
|
echo "Generating server key...\n"
|
||
|
$OPENSSL genrsa -out $PREFIX/{{ docker_tls_key }} 4096
|
||
|
|
||
|
echo "Generating server cert...\n"
|
||
|
$OPENSSL req \
|
||
|
-new -days 3650 -sha256 \
|
||
|
-key $PREFIX/{{ docker_tls_key }} \
|
||
|
-out $PREFIX/{{ docker_tls_csr }} \
|
||
|
-subj "/CN={{ ansible_hostname }}/C=FR"
|
||
|
|
||
|
echo "subjectAltName = {% for ip in ansible_all_ipv4_addresses %}IP:{{ ip }},{% endfor %}IP:127.0.0.1" > $PREFIX/extfile.cnf
|
||
|
|
||
|
echo "Signing server...\n"
|
||
|
$OPENSSL x509 \
|
||
|
-req -sha256 -days 3650 \
|
||
|
-in $PREFIX/{{ docker_tls_csr }} \
|
||
|
-CA $PREFIX/{{ docker_tls_ca }} \
|
||
|
-CAkey $PREFIX/{{ docker_tls_ca_key }} \
|
||
|
-CAcreateserial \
|
||
|
-out $PREFIX/{{ docker_tls_cert }} \
|
||
|
-extfile $PREFIX/extfile.cnf
|
||
|
|
||
|
rm $PREFIX/{{ docker_tls_csr }}
|
||
|
}
|
||
|
|
||
|
|
||
|
create() {
|
||
|
echo "Please enter your CN (Common Name)"
|
||
|
read cn
|
||
|
echo
|
||
|
echo "Your CN is '$cn'"
|
||
|
echo "Press return to continue..."
|
||
|
read
|
||
|
echo
|
||
|
|
||
|
DIR=$PREFIX/files/$cn
|
||
|
mkdir $DIR
|
||
|
|
||
|
# generate private key
|
||
|
$OPENSSL genrsa -out $DIR/$cn.key 4096
|
||
|
|
||
|
# generate csr req
|
||
|
$OPENSSL req \
|
||
|
-new \
|
||
|
-key $DIR/$cn.key \
|
||
|
-config $CONFFILE \
|
||
|
-out $DIR/$cn.csr \
|
||
|
-subj "/CN=$cn/C=FR"
|
||
|
|
||
|
# ca sign and generate cert
|
||
|
echo extendedKeyUsage = clientAuth > $DIR/extfile.cnf
|
||
|
$OPENSSL x509 \
|
||
|
-req -sha256 \
|
||
|
-in $DIR/$cn.csr \
|
||
|
-CA $PREFIX/{{ docker_tls_ca }} \
|
||
|
-CAkey $PREFIX/{{ docker_tls_ca_key }} \
|
||
|
-CAcreateserial \
|
||
|
-out $DIR/cert.pem \
|
||
|
-extfile $DIR/extfile.cnf
|
||
|
rm $DIR/$cn.csr
|
||
|
cp $PREFIX/{{ docker_tls_ca }} $DIR/
|
||
|
}
|
||
|
|
||
|
revoke() {
|
||
|
echo "Please enter CN (Common Name) to revoke"
|
||
|
read cn
|
||
|
echo
|
||
|
echo "CN '$cn' will be revoked"
|
||
|
echo "Press return to continue..."
|
||
|
read
|
||
|
echo
|
||
|
|
||
|
$OPENSSL ca \
|
||
|
-revoke $PREFIX/certs/$cn.crt
|
||
|
|
||
|
}
|
||
|
|
||
|
case "$1" in
|
||
|
init)
|
||
|
init
|
||
|
;;
|
||
|
|
||
|
create)
|
||
|
create
|
||
|
;;
|
||
|
|
||
|
revoke)
|
||
|
revoke
|
||
|
;;
|
||
|
|
||
|
*)
|
||
|
echo "Usage: shellpki.sh {init|create|revoke}"
|
||
|
exit 1
|
||
|
;;
|
||
|
esac
|