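#!/bin/bash
#
# generate ca certificate for etcd
#
# referred from: https://github.com/kelseyhightower/etcd-production-setup
#
# Creates a small CA in the script's own directory and issues one server
# certificate (etcd0.example.com) and one client certificate signed by it.
# Expects an openssl.cnf next to this script that defines the v3_ca,
# etcd_server and etcd_client extension sections; it presumably reads the
# SAN environment variable for the server SubjectAltName — confirm there.
#
# Environment:
#   CA_PASS  passphrase protecting private/ca.key (default: etcd-ca, which
#            is only suitable for local testing). Override it for any CA
#            whose key must stay secret.
#
# The CA passphrase is handed to openssl through the environment
# (-passin env:CA_PASS) instead of on the command line, so it does not
# appear in the `set -x` trace below or in `ps` output. It is assigned
# before tracing is switched on for the same reason.
CA_PASS="${CA_PASS:-etcd-ca}"
export CA_PASS
set -x
set -e
set -o pipefail
ROOT=$(dirname "${BASH_SOURCE[0]}")
# quoted: the checkout path may contain spaces
pushd "$ROOT" || exit 1
if [[ ! -f openssl.cnf ]]; then
  echo "setup-ca.sh: openssl.cnf not found in $PWD" >&2
  exit 1
fi
# CA database used by `openssl ca`: index.txt lists issued certificates,
# serial holds the next serial number. Only seed serial on the first run;
# resetting it to 01 on a re-run would reissue an already used serial
# while index.txt still records the earlier certificates.
touch index.txt
[[ -f serial ]] || echo '01' > serial
mkdir -p private
chmod 700 private   # private keys live here; keep the directory owner-only
mkdir -p certs
mkdir -p newcerts
# Create the CA Certificate and Key
openssl req -config ./openssl.cnf -new -x509 -extensions v3_ca \
-keyout private/ca.key -out certs/ca.crt \
-passin env:CA_PASS -passout env:CA_PASS \
-subj "/C=US/ST=CA/L=CA/O=etcd-ca/CN=ca.etcd.example.com/emailAddress=ca.etcd.example.com"
# Verify the CA Certificate
openssl x509 -in certs/ca.crt -noout -text
# Create an etcd server certificate
# If you want cert verification to work with IPs in addition to hostnames, be sure to set the SAN env var:
# export SAN="IP:127.0.0.1, IP:10.0.1.10"
export SAN="IP:127.0.0.1"
# -nodes: the server key is written unencrypted, so it can be loaded
# without a passphrase prompt at etcd start-up.
openssl req -config openssl.cnf -new -nodes \
-keyout private/etcd0.example.com.key -out etcd0.example.com.csr \
-subj "/C=US/ST=CA/L=CA/O=etcd-ca/CN=etcd0.example.com/emailAddress=ca.etcd.example.com"
# Sign the cert
openssl ca -batch -config openssl.cnf -extensions etcd_server \
-passin env:CA_PASS \
-keyfile private/ca.key \
-cert certs/ca.crt \
-out certs/etcd0.example.com.crt -infiles etcd0.example.com.csr
# Verify the etcd Server Certificate
openssl x509 -in certs/etcd0.example.com.crt -noout -text
# Create an etcd client certificate
# SAN is cleared first so the client certificate does not inherit the
# server's IP SubjectAltName.
unset SAN
openssl req -config openssl.cnf -new -nodes \
-keyout private/etcd-client.key -out etcd-client.csr \
-subj "/C=US/ST=CA/L=CA/O=etcd-ca/CN=etcd_client/emailAddress=ca.etcd.example.com"
openssl ca -batch -config openssl.cnf -extensions etcd_client \
-passin env:CA_PASS \
-keyfile private/ca.key \
-cert certs/ca.crt \
-out certs/etcd-client.crt -infiles etcd-client.csr
# Configuring etcd for SSL
# Configure etcd
# $ etcd --advertise-client-urls https://etcd0.example.com:2379 \
# --listen-client-urls https://10.0.1.10:2379 \
# --cert-file etcd0.example.com.crt \
# --key-file etcd0.example.com.key
# Configuring etcd clients for SSL
# cURL
# $ curl --cacert ca.crt -XPUT -v https://etcd0.example.com:2379/v2/keys/foo -d value=bar
# $ curl --cacert ca.crt -v https://etcd0.example.com:2379/v2/keys
# etcdctl
# $ etcdctl -C https://etcd0.example.com:2379 --ca-file ca.crt set foo bar
# $ etcdctl -C https://etcd0.example.com:2379 --ca-file ca.crt get foo
# Configuring etcd for client auth
# $ etcd --advertise-client-urls https://etcd0.example.com:2379 \
# --listen-client-urls https://10.0.1.10:2379 \
# --cert-file etcd0.example.com.crt \
# --key-file etcd0.example.com.key \
# --client-cert-auth --trusted-ca-file ca.crt \
#
# Notice the usage of the `--client-cert-auth` and `--trusted-ca-file` flag. This is what enables client auth.
# Configuring etcd clients for client auth
# etcdctl
# $ etcdctl -C https://etcd0.example.com:2379 \
# --cert etcd-client.crt \
# --key etcd-client.key \
# --cacert ca.crt \
# get foo
popd # $ROOT
# Restore shell options in case this file is sourced rather than executed.
set +x
set +e
set +o pipefail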