Add support for intermediate CA creation, Move to file based Cert inc…
…ludes * Bump chart version to 0.2.0 * Make intermediate key readonly after creation * Separate ca/intermediate ssl configs, align notes with new update, fix scripts * intermediate CA and CA should have slightly different policies so separate them * Ignore yaml files in root of directory that are not values.yaml * Update notes for new file based setup * Fix ca/intermediate cert creation scripts * Move to files for Cert Secrets * Add secret-cert-password secret. Add env to values.yaml and deployment * Update readme to match values, add intermediate domain for pulling correct files. Add docs for adding key for sec * Ignore values that are not values.yaml in the root folder of the mtls chart Signed-off-by: Danny Grove <danny@drgrovellc.com>
Showing
12 changed files
with
437 additions
and
23 deletions.
@@ -1,2 +1,4 @@ | ||
output/ | ||
charts/ | ||
/*.yaml | ||
/values.yaml |
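Review bot: The last line renders as `/values.yaml`, which is already matched by `/*.yaml` on the line above and therefore ignores the chart's values file, while the commit message says only root-level yaml other than values.yaml should be ignored. If values.yaml is meant to stay tracked the line needs the negation `!/values.yaml`; the `!` may also have been lost in rendering, so this is worth confirming against the raw file. If values.yaml is intentionally excluded now that it carries the cert-password environment entry, the commit message should say so and the redundant line can be dropped.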
@@ -0,0 +1,133 @@ | ||
# OpenSSL root CA configuration file. | ||
|
||
[ ca ] | ||
# `man ca` | ||
default_ca = CA_default | ||
|
||
[ CA_default ] | ||
# Directory and file locations. | ||
# DIR should be changed to the current directory for this to work | ||
dir = /root/ca | ||
certs = $dir/certs | ||
crl_dir = $dir/crl | ||
new_certs_dir = $dir/newcerts | ||
database = $dir/index.txt | ||
serial = $dir/serial | ||
RANDFILE = $dir/private/.rand | ||
|
||
# The root key and root certificate. | ||
private_key = $dir/private/ca.key.pem | ||
certificate = $dir/certs/ca.cert.pem | ||
|
||
# For certificate revocation lists. | ||
crlnumber = $dir/crlnumber | ||
crl = $dir/crl/ca.crl.pem | ||
crl_extensions = crl_ext | ||
default_crl_days = 30 | ||
|
||
# SHA-1 is deprecated, so use SHA-2 instead. | ||
default_md = sha256 | ||
|
||
name_opt = ca_default | ||
cert_opt = ca_default | ||
default_days = 375 | ||
preserve = no | ||
policy = policy_strict | ||
|
||
[ policy_strict ] | ||
# The root CA should only sign intermediate certificates that match. | ||
# See the POLICY FORMAT section of `man ca`. | ||
countryName = match | ||
stateOrProvinceName = match | ||
organizationName = match | ||
organizationalUnitName = optional | ||
commonName = supplied | ||
emailAddress = optional | ||
|
||
[ policy_loose ] | ||
# Allow the intermediate CA to sign a more diverse range of certificates. | ||
# See the POLICY FORMAT section of the `ca` man page. | ||
countryName = optional | ||
stateOrProvinceName = optional | ||
localityName = optional | ||
organizationName = optional | ||
organizationalUnitName = optional | ||
commonName = supplied | ||
emailAddress = optional | ||
|
||
[ req ] | ||
# Options for the `req` tool (`man req`). | ||
default_bits = 2048 | ||
distinguished_name = req_distinguished_name | ||
string_mask = utf8only | ||
|
||
# SHA-1 is deprecated, so use SHA-2 instead. | ||
default_md = sha256 | ||
|
||
# Extension to add when the -x509 option is used. | ||
x509_extensions = v3_ca | ||
|
||
[ req_distinguished_name ] | ||
# See <https://en.wikipedia.org/wiki/Certificate_signing_request>. | ||
countryName = Country Name (2 letter code) | ||
stateOrProvinceName = State or Province Name | ||
localityName = Locality Name | ||
0.organizationName = Organization Name | ||
organizationalUnitName = Organizational Unit Name | ||
commonName = Common Name | ||
emailAddress = Email Address | ||
|
||
# Optionally, specify some defaults. | ||
countryName_default = US | ||
stateOrProvinceName_default = California | ||
localityName_default = | ||
0.organizationName_default = MTLS CA | ||
organizationalUnitName_default = IT | ||
emailAddress_default = example@mtls.network | ||
|
||
[ v3_ca ] | ||
# Extensions for a typical CA (`man x509v3_config`). | ||
subjectKeyIdentifier = hash | ||
authorityKeyIdentifier = keyid:always,issuer | ||
basicConstraints = critical, CA:true | ||
keyUsage = critical, digitalSignature, cRLSign, keyCertSign | ||
|
||
[ v3_intermediate_ca ] | ||
# Extensions for a typical intermediate CA (`man x509v3_config`). | ||
subjectKeyIdentifier = hash | ||
authorityKeyIdentifier = keyid:always,issuer | ||
basicConstraints = critical, CA:true, pathlen:0 | ||
keyUsage = critical, digitalSignature, cRLSign, keyCertSign | ||
|
||
[ usr_cert ] | ||
# Extensions for client certificates (`man x509v3_config`). | ||
basicConstraints = CA:FALSE | ||
nsCertType = client, email | ||
nsComment = "OpenSSL Generated Client Certificate" | ||
subjectKeyIdentifier = hash | ||
authorityKeyIdentifier = keyid,issuer | ||
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment | ||
extendedKeyUsage = clientAuth, emailProtection | ||
|
||
[ server_cert ] | ||
# Extensions for server certificates (`man x509v3_config`). | ||
basicConstraints = CA:FALSE | ||
nsCertType = server | ||
nsComment = "OpenSSL Generated Server Certificate" | ||
subjectKeyIdentifier = hash | ||
authorityKeyIdentifier = keyid,issuer:always | ||
keyUsage = critical, digitalSignature, keyEncipherment | ||
extendedKeyUsage = serverAuth | ||
|
||
[ crl_ext ] | ||
# Extension for CRLs (`man x509v3_config`). | ||
authorityKeyIdentifier=keyid:always | ||
|
||
[ ocsp ] | ||
# Extension for OCSP signing certificates (`man ocsp`). | ||
basicConstraints = CA:FALSE | ||
subjectKeyIdentifier = hash | ||
authorityKeyIdentifier = keyid,issuer | ||
keyUsage = critical, digitalSignature | ||
extendedKeyUsage = critical, OCSPSigning | ||
|
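Review bot: The root configuration still carries `[ policy_loose ]`, `[ usr_cert ]`, `[ server_cert ]` and `[ ocsp ]`, although the commit separates root and intermediate configs precisely because the root should only sign intermediates under `policy_strict`; with these sections present, an `openssl ca` run against this file with `-extensions server_cert` or `-policy policy_loose` issues an end-entity certificate directly from the root, bypassing the intermediate and its `pathlen:0` constraint. Suggest removing those four sections from the root file and keeping only `policy_strict`, `v3_ca`, `v3_intermediate_ca` and `crl_ext`, or at minimum placing a comment above each such as `# Not used by the root CA; leaf-certificate extensions belong in intermediate.cnf`. The comment above `dir = /root/ca` says the value must be edited by hand, but the sibling script in this commit rewrites `dir` with sed when it copies the intermediate config; if this file is templated the same way, say so in the comment so operators do not edit the path twice.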
@@ -0,0 +1,93 @@ | ||
#!/bin/bash | ||
set -e | ||
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" > /dev/null 2>&1 && pwd )" | ||
if [[ "$PWD" == "$DIR" ]]; then | ||
echo "This script should not be run from scripts. It should be run in the base of the mtls chart" | ||
exit 1 | ||
fi | ||
|
||
prompt_continue() { | ||
read -p 'Create an intermediate certificate? (y/N) ' CREATE | ||
|
||
if [[ "${CREATE}" == "y" ]]; then | ||
query | ||
fi | ||
} | ||
|
||
query() { | ||
if [[ -z "${CN}" ]]; then | ||
read -p 'What is the common name for this? (ie. My Intermediate CA): ' CN | ||
fi | ||
echo "Creating Intermediate Certificate Output Folders For ${CN}..." | ||
NORMALIZED_CN=$(echo "${CN}" | tr -d '[:space:][:punct:]') | ||
mkdir -p output/ca/intermediate/${NORMALIZED_CN}/certs \ | ||
output/ca/intermediate/${NORMALIZED_CN}/crl \ | ||
output/ca/intermediate/${NORMALIZED_CN}/newcerts \ | ||
output/ca/intermediate/${NORMALIZED_CN}/private \ | ||
output/ca/intermediate/${NORMALIZED_CN}/csr | ||
chmod 700 output/ca/intermediate/${NORMALIZED_CN}/private | ||
touch output/ca/intermediate/${NORMALIZED_CN}/index.txt | ||
echo 1000 > output/ca/intermediate/${NORMALIZED_CN}/serial | ||
cp ${DIR}/intermediate.cnf output/ca/intermediate/${NORMALIZED_CN}/openssl.cnf | ||
sed -i "s|^dir = /root/ca|dir = ${PWD}/output/intermediate/${NORMALIZED_CN}|g" \ | ||
output/ca/intermediate/${NORMALIZED_CN}/openssl.cnf | ||
gen_key $NORMALIZED_CN | ||
if [[ -z "$SUBJ" ]]; then | ||
if [[ -z "$C" ]]; then | ||
read -p 'COUNTRY: ' C | ||
fi | ||
if [[ -z "$ST" ]]; then | ||
read -p 'State/Province: ' ST | ||
fi | ||
if [[ -z "$L" ]]; then | ||
read -p 'Locality: ' L | ||
fi | ||
if [[ -z "$O" ]]; then | ||
read -p 'Organization Name: ' O | ||
fi | ||
if [[ -z "$OU" ]]; then | ||
read -p 'Organizational Unit: ' OU | ||
fi | ||
if [[ -z "$CN" ]]; then | ||
read -p 'Common Name: ' CN | ||
fi | ||
SUBJ="/CN=$CN/O=$O/OU=$OU/C=$C/ST=$ST/L=$L" | ||
fi | ||
echo "Generating Intermediate CA Certificate CSR for ${CN}..." | ||
openssl req -config output/ca/intermediate/${NORMALIZED_CN}/openssl.cnf \ | ||
-new -sha256 \ | ||
-subj "$SUBJ" \ | ||
-key output/ca/intermediate/${NORMALIZED_CN}/private/${NORMALIZED_CN}.key.pem \ | ||
-out output/ca/intermediate/${NORMALIZED_CN}/csr/${NORMALIZED_CN}.csr.pem | ||
|
||
echo "Generating Intermediate CA Certificate for ${NORMALIZED_CN}..." | ||
openssl ca -config output/ca/openssl.cnf -extensions v3_intermediate_ca \ | ||
-days 3650 -notext -md sha256 \ | ||
-in output/ca/intermediate/${NORMALIZED_CN}/csr/${NORMALIZED_CN}.csr.pem \ | ||
-out output/ca/intermediate/${NORMALIZED_CN}/certs/${NORMALIZED_CN}.cert.pem | ||
chmod 444 output/ca/intermediate/${NORMALIZED_CN}/certs/${NORMALIZED_CN}.cert.pem | ||
|
||
echo "Creating ca-chain..." | ||
cat output/ca/intermediate/${NORMALIZED_CN}/certs/${NORMALIZED_CN}.cert.pem \ | ||
output/ca/certs/ca.cert.pem > \ | ||
output/ca/intermediate/${NORMALIZED_CN}/certs/ca-chain.cert.pem | ||
|
||
unset $NORMALIZED_CN | ||
prompt_continue | ||
} | ||
|
||
gen_key() { | ||
local NORMALIZED_CN=$1 | ||
echo "Generating 4096 RSA Key..." | ||
EXTRA="" | ||
if [[ -z $NOPASSWORD ]]; then | ||
EXTRA="-aes256" | ||
fi | ||
openssl \ | ||
genrsa \ | ||
$EXTRA \ | ||
-out output/ca/intermediate/${NORMALIZED_CN}/private/${NORMALIZED_CN}.key.pem 4096 | ||
chmod 400 output/ca/intermediate/${CN}/private/${CN}.key.pem | ||
} | ||
|
||
query |
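Review bot: The `chmod 400` at the end of gen_key builds its path from the raw `${CN}` instead of the `NORMALIZED_CN` local used two lines earlier to write the key, so for any common name containing spaces or punctuation (the prompt's own example, "My Intermediate CA") the target does not exist, chmod fails and `set -e` aborts the run with the freshly generated key left at default permissions; it should read `chmod 400 output/ca/intermediate/${NORMALIZED_CN}/private/${NORMALIZED_CN}.key.pem`. The sed in query rewrites `dir` to `${PWD}/output/intermediate/${NORMALIZED_CN}` while every other path in the script is `output/ca/intermediate/${NORMALIZED_CN}`, so the copied openssl.cnf appears to point at a directory that is never created (intermediate.cnf is not in view, so this assumes its `dir` line is `dir = /root/ca`). Finally, `unset $NORMALIZED_CN` unsets a variable named by the value rather than NORMALIZED_CN itself, and `CN` and `SUBJ` stay set, so a second intermediate created through prompt_continue silently reuses the first subject; `unset NORMALIZED_CN CN SUBJ` before `prompt_continue` addresses both.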