Permalink
executable file 75 lines (52 sloc) 2.47 KB
#!/bin/bash
set -e
if [ -z "$CERT_API_CN" ] || [ -z "$CERT_STORAGE_CN" ] ; then
echo "Environment variables CERT_API_CN and CERT_STORAGE_CN need to be set."
echo "Example: CERT_API_CN=\"docker.mender.io\" CERT_STORAGE_CN=\"s3.docker.mender.io\" $0"
exit 1
fi
CERT_VALID_DAYS="3650"
FILE_NAME_PRIVATE_KEY="private.key"
FILE_NAME_CERT="cert.crt"
# verify openssl is present and sufficiently recent (genpkey seems to require openssl 1.0+)
command -v openssl >/dev/null 2>&1 || { echo >&2 "ERROR: Please install the openssl utility version 1.0.0 or newer to generate keys."; exit 1; }
OPENSSL_VERSION_REGEX_MAJOR_BACKREF="OpenSSL ([0-9]+).*"
OPENSSL_VERSION_STRING=$(openssl version)
OPENSSL_VERSION_MAJOR=$(echo "$OPENSSL_VERSION_STRING" | sed -En "s/$OPENSSL_VERSION_REGEX_MAJOR_BACKREF/\1/p")
if [ "$OPENSSL_VERSION_MAJOR" != "1" ]; then
echo "ERROR: openssl is too old, need version 1.0.0 or newer"
echo "ERROR: OPENSSL_VERSION_STRING=$OPENSSL_VERSION_STRING"
exit 1
fi
ROOTDIR=$(pwd)/keys-generated
CERTDIR=$ROOTDIR/certs
KEYDIR=$ROOTDIR/keys
# generate web certs and corresponding private keys
mkdir -p "$CERTDIR"
cd "$CERTDIR"
mkdir api-gateway storage-proxy
cd api-gateway
openssl req -x509 -sha256 -nodes -days $CERT_VALID_DAYS -newkey ec:<(openssl ecparam -name prime256v1) -keyout $FILE_NAME_PRIVATE_KEY -out $FILE_NAME_CERT -subj /CN="$CERT_API_CN"
cd ..
cd storage-proxy
openssl req -x509 -sha256 -nodes -days $CERT_VALID_DAYS -newkey ec:<(openssl ecparam -name prime256v1) -keyout $FILE_NAME_PRIVATE_KEY -out $FILE_NAME_CERT -subj /CN="$CERT_STORAGE_CN"
cd ..
# concatenate the certificates for inclusion on the Mender client
cat api-gateway/$FILE_NAME_CERT storage-proxy/$FILE_NAME_CERT > server.crt
# generate keys for signing JSON Web Tokens
mkdir -p "$KEYDIR"
cd "$KEYDIR"
for DIR in deviceauth useradm
do
mkdir $DIR
(
cd $DIR
openssl genpkey -algorithm RSA -out $FILE_NAME_PRIVATE_KEY -pkeyopt rsa_keygen_bits:3072
# convert to RSA private key format, otherwise services complain:"
# level=fatal msg="failed to read rsa private key: jwt: can't open key - not an rsa private key" file=proc.go func=runtime.main line=183
openssl rsa -in $FILE_NAME_PRIVATE_KEY -out $FILE_NAME_PRIVATE_KEY
)
done
echo "All Mender Server keys and certificates have been generated in directory $ROOTDIR."
echo "Please include them in your docker compose and device builds."
echo "For more information please see https://docs.mender.io/Administration/Certificates-and-keys."