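#!/bin/bash
# create_ca_cert.sh — create (or reuse) a local CA plus an intermediate CA and
# issue a web certificate for ALLDOMAINS into /certs. Mount /ca as a volume so
# the CA persists across container restarts.
#
# Environment (all optional):
#   CERT_PASSWORD      passphrase protecting the CA/IA private keys. The default
#                      "foobar" is a placeholder; set a real value in production.
#   KEY_SIZE_CA        RSA bits for the CA (and, by default, IA) key (default 4096)
#   KEY_SIZE_WEB       RSA bits for the web server key (default 2048)
#   ENCRYPTION_CIPHER  openssl cipher flag used to encrypt private keys on disk
#                      (default des3 for compatibility; aes256 is the modern choice)
#   ALLDOMAINS         DNS name(s) placed in the web cert's subjectAltName
set -Eeuo pipefail
# Default values
CERT_PASSWORD=${CERT_PASSWORD:-foobar} # Allow override via environment
KEY_SIZE_CA=${KEY_SIZE_CA:-4096}
KEY_SIZE_WEB=${KEY_SIZE_WEB:-2048}
ENCRYPTION_CIPHER=${ENCRYPTION_CIPHER:-des3} # overridable; legacy default kept so existing deployments behave the same
ALLDOMAINS=${ALLDOMAINS:-"gitpod.local"}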
# cleanup: EXIT-trap handler. Preserves the status of the command that was
# running when the trap fired, removes scratch files from the current
# directory, and terminates the script with that same status.
cleanup() {
  local rc=$?
  # Best-effort removal of leftover scratch files; failures are ignored.
  rm -f -- *.tmp 2>/dev/null
  exit "$rc"
}
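# Run cleanup on every exit path. On a signal the EXIT trap is cleared first so
# cleanup runs exactly once; cleanup itself calls exit, so no further exit
# statement is reachable after it.
trap cleanup EXIT
trap 'trap - EXIT; cleanup' INT PIPE TERM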
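# logInfo MSG...: write a timestamped informational line to stdout.
# printf is used rather than echo so a message beginning with "-n" or "-e" is
# printed literally instead of being consumed as an echo option.
logInfo() {
  printf '[INFO] %s - %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$*"
}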
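# logError MSG...: write a timestamped error line to stderr, keeping stdout
# clean for data. printf avoids echo's option parsing of messages such as "-n".
logError() {
  printf '[ERROR] %s - %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$*" >&2
}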
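# create_secure_dir DIR: create DIR (and any missing parents) and make it
# owner-only (0700) so private key material stored inside is not readable by
# other users. The chmod also runs when DIR already exists, which tightens the
# mode of a pre-existing directory.
create_secure_dir() {
  local dir=${1:?create_secure_dir: directory argument required}
  mkdir -p -- "$dir"
  chmod 700 -- "$dir"
}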
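# generate_secure_key KEYFILE BITS: create a BITS-bit RSA private key at
# KEYFILE, encrypted with ENCRYPTION_CIPHER under CERT_PASSWORD, and restrict
# the file to its owner (0600).
# The passphrase is passed to openssl through the environment
# (-passout env:CERT_PASSWORD) instead of on the command line, so it does not
# show up in the process list or in `set -x` traces. openssl's own chatter is
# discarded; a failure is reported on stderr and returned as non-zero.
generate_secure_key() {
  local keyfile=${1:?generate_secure_key: key file argument required}
  local keysize=${2:?generate_secure_key: key size argument required}
  if ! CERT_PASSWORD="${CERT_PASSWORD}" openssl genrsa -"${ENCRYPTION_CIPHER}" \
      -passout env:CERT_PASSWORD -out "$keyfile" "$keysize" &>/dev/null; then
    printf '[ERROR] generate_secure_key: failed to create %s-bit key %s\n' "$keysize" "$keyfile" >&2
    return 1
  fi
  chmod 600 "$keyfile"
}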
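# Main script starts here
PROJ_NAME=DockerMirrorBox

# Every openssl invocation reads the passphrase from the environment
# (-passin/-passout env:CERT_PASSWORD) rather than from a "pass:" argument, so
# it is neither visible in `ps` nor in `set -x` output, and so that an
# overridden CERT_PASSWORD is actually honoured when keys are used.
export CERT_PASSWORD

# The intermediate key defaults to the CA key size unless set explicitly.
KEY_SIZE_IA=${KEY_SIZE_IA:-${KEY_SIZE_CA}}

# Subject fields shared by all three certificates; only CN differs.
SUBJ_PREFIX="/C=DE/ST=Schleswig-Holstein/L=Kiel/O=Gitpod GmbH/OU=IT"

# die MSG...: log MSG to stderr and exit non-zero (the EXIT trap still runs).
die() {
  logError "$@"
  exit 1
}

# ia_ext_config [CONSTRAINT]: print an openssl config whose [IA] section marks
# the certificate as a CA with signing key usage. An optional CONSTRAINT such
# as "pathlen:0" is appended to basicConstraints (used for the intermediate so
# it cannot issue further CAs).
ia_ext_config() {
  local constraints="critical,CA:TRUE${1:+,$1}"
  printf '[req]\ndistinguished_name = dn\n[dn]\n[IA]\nbasicConstraints = %s\nkeyUsage = critical, digitalSignature, cRLSign, keyCertSign\nsubjectKeyIdentifier = hash\n' "$constraints"
}

# san_config: print an openssl config whose [SAN] section carries the web
# certificate's subjectAltName. ALLDOMAINS is inserted verbatim after the first
# "DNS:" prefix; openssl expects each additional entry to carry its own prefix
# (e.g. "a.local,DNS:b.local").
san_config() {
  printf '[req]\ndistinguished_name = dn\n[dn]\n[SAN]\nsubjectAltName=DNS:%s\n' "$ALLDOMAINS"
}

logInfo "Will create certificate with names $ALLDOMAINS"

CADATE=$(date "+%Y.%m.%d %H:%M")
# hostname -f fails on hosts without a resolvable FQDN; fall back to the short name.
CAHOST=$(hostname -f 2>/dev/null || hostname)
CAID="${CAHOST} ${CADATE}"
CN_CA="${PROJ_NAME} CA Root ${CAID}"
CN_IA="${PROJ_NAME} Intermediate IA ${CAID}"
CN_WEB="${PROJ_NAME} Web Cert ${CAID}"
# X.509 limits commonName to 64 characters; truncate instead of letting openssl fail.
CN_CA=${CN_CA:0:64}
CN_IA=${CN_IA:0:64}
CN_WEB=${CN_WEB:0:64}

# Both directories are absolute: a relative "ca" would be created under the
# current working directory rather than at /ca, which the cd below needs.
mkdir -p /certs /ca
cd /ca || die "cannot cd to /ca"

CA_KEY_FILE=${CA_KEY_FILE:-/ca/ca.key}
CA_CRT_FILE=${CA_CRT_FILE:-/ca/ca.crt}
CA_SRL_FILE=${CA_SRL_FILE:-/ca/ca.srl}

if [ -f "$CA_CRT_FILE" ]; then
  logInfo "CA already exists. Good. We'll reuse it."
  # A cert without its key cannot sign anything; fail here with a clear message
  # rather than deep inside the IA signing step.
  [ -f "$CA_KEY_FILE" ] || die "CA certificate ${CA_CRT_FILE} exists but key ${CA_KEY_FILE} is missing"
  if [ ! -f "$CA_SRL_FILE" ]; then
    echo 01 >"${CA_SRL_FILE}"
  fi
else
  logInfo "No CA was found. Generating one."
  logInfo "*** Please *** make sure to mount /ca as a volume -- if not, everytime this container starts, it will regenerate the CA and nothing will work."
  create_secure_dir "/ca"
  generate_secure_key "${CA_KEY_FILE}" "${KEY_SIZE_CA}"
  logInfo "generate CA cert with key and self sign it: ${CAID}"
  openssl req -new -x509 -days 36500 -sha256 -key "${CA_KEY_FILE}" -out "${CA_CRT_FILE}" \
    -passin env:CERT_PASSWORD -subj "${SUBJ_PREFIX}/CN=${CN_CA}" \
    -extensions IA -config <(ia_ext_config) \
    || die "CA certificate generation failed"
  echo 01 >"${CA_SRL_FILE}"
fi

cd /certs || die "cannot cd to /certs"

logInfo "Generate IA key"
generate_secure_key ia.key "${KEY_SIZE_IA}"

logInfo "Create a signing request for the IA: ${CAID}"
openssl req -new -key ia.key -out ia.csr -passin env:CERT_PASSWORD \
  -subj "${SUBJ_PREFIX}/CN=${CN_IA}" -reqexts IA -config <(ia_ext_config pathlen:0) \
  || die "IA signing request generation failed"

logInfo "Sign the IA request with the CA cert and key, producing the IA cert"
# openssl's progress output is discarded; on failure re-run without the
# redirect to see its diagnostics.
openssl x509 -req -days 36500 -in ia.csr -CA "${CA_CRT_FILE}" -CAkey "${CA_KEY_FILE}" \
  -CAserial "${CA_SRL_FILE}" -out ia.crt -passin env:CERT_PASSWORD \
  -extensions IA -extfile <(ia_ext_config pathlen:0) &>/dev/null \
  || die "signing the IA certificate failed"

logInfo "Initialize the serial number for signed certificates"
# ia.srl is the serial file openssl x509 uses by default for -CA ia.crt.
echo 01 >ia.srl

logInfo "Create the key (w/o passphrase..)"
# The web server needs a key it can load unattended: generate it encrypted like
# the others, then write a passphrase-less copy to web.key.
generate_secure_key web.orig.key "${KEY_SIZE_WEB}"
openssl rsa -passin env:CERT_PASSWORD -in web.orig.key -out web.key &>/dev/null \
  || die "decrypting the web key failed"

logInfo "Create the signing request, using extensions"
openssl req -new -key web.key -sha256 -out web.csr \
  -subj "${SUBJ_PREFIX}/CN=${CN_WEB}" -reqexts SAN -config <(san_config) \
  || die "web signing request generation failed"

logInfo "Sign the request, using the intermediate cert and key"
openssl x509 -req -days 36500 -in web.csr -CA ia.crt -CAkey ia.key -out web.crt \
  -passin env:CERT_PASSWORD -extensions SAN -extfile <(san_config) &>/dev/null \
  || die "signing the web certificate failed"

logInfo "Concatenating fullchain.pem..."
cat web.crt ia.crt "${CA_CRT_FILE}" >fullchain.pem
logInfo "Concatenating fullchain_with_key.pem"
cat fullchain.pem web.key >fullchain_with_key.pem

# Secure the generated files. fullchain_with_key.pem embeds the private key, so
# it gets the same owner-only mode as the *.key files rather than the
# world-readable mode of the certificate-only outputs. A consumer running as a
# different user must own (or be granted access to) these files explicitly.
chmod 600 /certs/*.key /certs/fullchain_with_key.pem
chmod 644 /certs/*.crt /certs/fullchain.pem
logInfo "Certificate generation completed successfully"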