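#!/usr/bin/bash
# Generate the TLS material for one Kafka component, named by the single
# positional argument: a PKCS12 keystore holding a CA-signed host certificate,
# a truststore holding the CA certificate, PEM copies of the certificate and
# private key, and the three *_creds files holding the store password.
#
# Usage: certs-create-per-user.sh <component-name>
#
# Reads snakeoil-ca-1.crt / snakeoil-ca-1.key from the directory this script
# lives in; writes every artifact into the current working directory.
set -euo pipefail

CA_PATH=$(dirname "${BASH_SOURCE[0]}")
readonly CA_PATH

# Refuse to run without a name: an empty $1 would otherwise produce files such
# as "kafka..keystore.jks" and a certificate with an empty CN/SAN.
i=${1:?usage: ${0##*/} <component-name>}
readonly i

# Password for the keystore, truststore and private key; it is also what gets
# written into the *_creds files. The default is the demo value the rest of
# this setup expects; override via the environment for anything else.
# Separate password for the snakeoil CA key (same demo default).
# Both are passed on keytool/openssl command lines and are therefore visible
# in process listings for the duration of those commands.
STORE_PASS=${STORE_PASS:-confluent}
CA_KEY_PASS=${CA_KEY_PASS:-confluent}
readonly STORE_PASS CA_KEY_PASS

# Create host keystore
keytool -genkey -noprompt \
  -alias "$i" \
  -dname "CN=$i,OU=FS,O=ADI,L=JAKBAR,S=DKI,C=ID" \
  -ext "SAN=dns:$i,dns:localhost" \
  -keystore "kafka.$i.keystore.jks" \
  -keyalg RSA \
  -storepass "$STORE_PASS" \
  -keypass "$STORE_PASS" \
  -storetype pkcs12

# Create the certificate signing request (CSR)
keytool -keystore "kafka.$i.keystore.jks" -alias "$i" -certreq -file "$i.csr" \
  -storepass "$STORE_PASS" -keypass "$STORE_PASS" -ext "SAN=dns:$i,dns:localhost"
#openssl req -in "$i.csr" -text -noout

# Subject alternative names for the signed certificate.
# Enables 'confluent login --ca-cert-path /etc/kafka/secrets/snakeoil-ca-1.crt --url https://kafka1:8091'
DNS_ALT_NAMES=$(printf '%s\n' "DNS.1 = $i" "DNS.2 = localhost")
case "$i" in
  mds)
    DNS_ALT_NAMES=$(printf '%s\n' "$DNS_ALT_NAMES" "DNS.3 = kafka1" "DNS.4 = kafka2")
    ;;
  controlCenterAndKsqlDBServer)
    # control-center and ksqldb-server share a certificate
    DNS_ALT_NAMES=$(printf '%s\n' "$DNS_ALT_NAMES" "DNS.3 = control-center" "DNS.4 = ksqldb-server")
    ;;
esac

# Sign the host certificate with the certificate authority (CA)
# Set a random serial number (avoid problems from using '-CAcreateserial' when
# parallelizing certificate generation). 64 bits from openssl rand rather than
# awk seeded with $RANDOM, whose 15-bit seed allows only 32768 distinct
# serials and so risks issuing two certificates with the same issuer+serial.
CERT_SERIAL="0x$(openssl rand -hex 8)"
readonly CERT_SERIAL
# Only the [v3_req] section is consumed via -extensions; the [req] sections are
# kept so the same file shape works with 'openssl req'.
openssl x509 -req -CA "${CA_PATH}/snakeoil-ca-1.crt" -CAkey "${CA_PATH}/snakeoil-ca-1.key" \
  -in "$i.csr" -out "$i-ca1-signed.crt" -sha256 -days 365 -set_serial "${CERT_SERIAL}" \
  -passin "pass:${CA_KEY_PASS}" -extensions v3_req -extfile <(cat <<EOF
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
[req_distinguished_name]
CN = $i
[v3_req]
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @alt_names
[alt_names]
$DNS_ALT_NAMES
EOF
)
#openssl x509 -noout -text -in "$i-ca1-signed.crt"

# Import the CA cert into the keystore
keytool -noprompt -keystore "kafka.$i.keystore.jks" -alias snakeoil-caroot -import \
  -file "${CA_PATH}/snakeoil-ca-1.crt" -storepass "$STORE_PASS" -keypass "$STORE_PASS"
#keytool -list -v -keystore "kafka.$i.keystore.jks" -storepass "$STORE_PASS"

# Import the signed host certificate into the keystore (replaces the self-signed entry under the same alias)
keytool -noprompt -keystore "kafka.$i.keystore.jks" -alias "$i" -import -file "$i-ca1-signed.crt" \
  -storepass "$STORE_PASS" -keypass "$STORE_PASS" -ext "SAN=dns:$i,dns:localhost"
#keytool -list -v -keystore "kafka.$i.keystore.jks" -storepass "$STORE_PASS"

# Create truststore and import the CA cert
keytool -noprompt -keystore "kafka.$i.truststore.jks" -alias snakeoil-caroot -import \
  -file "${CA_PATH}/snakeoil-ca-1.crt" -storepass "$STORE_PASS" -keypass "$STORE_PASS"

# Save creds (plain-text password files; they inherit the caller's umask)
printf '%s\n' "$STORE_PASS" > "${i}_sslkey_creds"
printf '%s\n' "$STORE_PASS" > "${i}_keystore_creds"
printf '%s\n' "$STORE_PASS" > "${i}_truststore_creds"

# Create pem files and keys used for Schema Registry HTTPS testing
# openssl x509 -noout -modulus -in client.certificate.pem | openssl md5
# openssl rsa -noout -modulus -in client.key | openssl md5
# echo "GET /" | openssl s_client -connect localhost:8085/subjects -cert client.certificate.pem -key client.key -tls1
keytool -export -alias "$i" -file "$i.der" -keystore "kafka.$i.keystore.jks" -storepass "$STORE_PASS"
openssl x509 -inform der -in "$i.der" -out "$i.certificate.pem"
keytool -importkeystore -srckeystore "kafka.$i.keystore.jks" -destkeystore "$i.keystore.p12" \
  -deststoretype PKCS12 -deststorepass "$STORE_PASS" -srcstorepass "$STORE_PASS" -noprompt
# -nodes writes the private key unencrypted to $i.key
openssl pkcs12 -in "$i.keystore.p12" -nodes -nocerts -out "$i.key" -passin "pass:${STORE_PASS}"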