forked from hashicorp/consul
-
Notifications
You must be signed in to change notification settings - Fork 0
/
certgen.go
86 lines (78 loc) · 2.49 KB
/
certgen.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
// certgen: a tool for generating test certificates on disk for use as
// test-fixtures and for end-to-end testing and local development.
//
// Example usage:
//
// $ go run connect/certgen/certgen.go -out-dir /tmp/connect-certs
//
// You can verify a given leaf with a given root using:
//
// $ openssl verify -verbose -CAfile ca2-ca.cert.pem ca1-svc-db.cert.pem
//
// Note that to verify via the cross-signed intermediate, openssl requires it to
// be bundled with the _root_ CA bundle and will ignore the cert if it's passed
// with the subject. You can do that with:
//
// $ openssl verify -verbose -CAfile \
// <(cat ca1-ca.cert.pem ca2-xc-by-ca1.cert.pem) \
// ca2-svc-db.cert.pem
// ca2-svc-db.cert.pem: OK
//
// Note that the same leaf and root without the intermediate should fail:
//
// $ openssl verify -verbose -CAfile ca1-ca.cert.pem ca2-svc-db.cert.pem
// ca2-svc-db.cert.pem: CN = db
// error 20 at 0 depth lookup:unable to get local issuer certificate
//
// NOTE: THIS IS A QUIRK OF OPENSSL; in Connect we distribute the roots alone
// and stable intermediates like the XC cert to the _leaf_.
package main // import "github.com/hashicorp/consul/connect/certgen"
import (
"flag"
"fmt"
"io/ioutil"
"log"
"os"
"github.com/hashicorp/consul/agent/connect"
"github.com/hashicorp/consul/agent/structs"
"github.com/mitchellh/go-testing-interface"
)
func main() {
var numCAs = 2
var services = []string{"web", "db", "cache"}
var outDir string
flag.StringVar(&outDir, "out-dir", "",
"REQUIRED: the dir to write certificates to")
flag.Parse()
if outDir == "" {
flag.PrintDefaults()
os.Exit(1)
}
// Create CA certs
var prevCA *structs.CARoot
for i := 1; i <= numCAs; i++ {
ca := connect.TestCA(&testing.RuntimeT{}, prevCA)
prefix := fmt.Sprintf("%s/ca%d-ca", outDir, i)
writeFile(prefix+".cert.pem", ca.RootCert)
writeFile(prefix+".key.pem", ca.SigningKey)
if prevCA != nil {
fname := fmt.Sprintf("%s/ca%d-xc-by-ca%d.cert.pem", outDir, i, i-1)
writeFile(fname, ca.SigningCert)
}
prevCA = ca
// Create service certs for each CA
for _, svc := range services {
certPEM, keyPEM := connect.TestLeaf(&testing.RuntimeT{}, svc, ca)
prefix := fmt.Sprintf("%s/ca%d-svc-%s", outDir, i, svc)
writeFile(prefix+".cert.pem", certPEM)
writeFile(prefix+".key.pem", keyPEM)
}
}
}
func writeFile(name, content string) {
fmt.Println("Writing ", name)
err := ioutil.WriteFile(name, []byte(content), 0600)
if err != nil {
log.Fatalf("failed writing file: %s", err)
}
}