gogrlx/nats-server
1
0
Fork 0
mirror of https://github.com/gogrlx/nats-server.git synced 2026-04-02 03:38:42 -07:00
Code Issues Packages Projects Releases Wiki Activity
Files
3f760760dea8ce6bb5332dda94f5abc5316a2412
nats-server/test/configs/certs/regenerate_top.sh
Phil Pennock 3f760760de test data: x509 cert reissuance script 
We had some certs which used SHA1 still; this top-level script is a bit rough,
but works to recreate all the top-level certs, using a common CA.

RSA 2048 bits with SHA256.

I've put the IPv6 localhost IP into the certs too, wherever the IPv4 localhost
IP was present, as this might improve test-runner resilience in some
situations.  Seems like a good idea, can't think of a reason not to.
2022-07-28 02:52:36 -04:00

228 lines
7.0 KiB
Bash
Executable File
Raw Blame History

#!/bin/sh
set -eu
#
# regenerate_top: just remake the certs in this top-dir
# we don't (currently) handle any sub-dirs
#
progname="$(basename "$0" .sh)"
note() { printf >&2 '%s: %s\n' "$progname" "$*"; }
warn() { note "$@"; }
die() { warn "$@"; exit 1; }
readonly COMMON_SUB_COUNTRY=US
readonly COMMON_SUB_STATE=California
readonly COMMON_SUB_ORG=Synadia
readonly COMMON_SUB_ORGUNIT=nats.io
readonly COMMON_SUBJECT="/C=$COMMON_SUB_COUNTRY/ST=$COMMON_SUB_STATE/O=$COMMON_SUB_ORG/OU=$COMMON_SUB_ORGUNIT"
readonly TEMP_CONFIG=openssl.cnf
readonly TEMP_CA_KEY_REL=ca-key.pem
readonly CA_FILE=ca.pem
CA_NAME="Certificate Authority $(date +%Y-%m-%d)"
readonly CA_NAME
readonly RSA_SIZE=2048
readonly DIGEST_ALG=sha256
okay=true
for cmd in openssl ; do
if command -v "$cmd" >/dev/null 2>&1; then
continue
fi
okay=false
warn "missing command: $cmd"
done
$okay || die "missing necessary commands"
delete_list=""
trap 'if test -n "$delete_list"; then rm -rfv $delete_list; fi' EXIT
add_delete() {
delete_list="${delete_list:-}${delete_list:+ }$*"
}
# Issuer: C = US, ST = CA, O = Synadia, OU = nats.io, CN = localhost, emailAddress = derek@nats.io
CA_DIR="$(mktemp -d)"
add_delete "$CA_DIR"
mkdir "$CA_DIR/copies"
touch "$CA_DIR/index.txt"
readonly CA_DIR
readonly CA_KEY="$CA_DIR/$TEMP_CA_KEY_REL"
COMMON_X509V3='
basicConstraints = CA:FALSE
nsComment = "nats.io nats-server test-suite certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
subjectAltName = ${ENV::SUBJECTALTNAME}
'
cat > "$TEMP_CONFIG" <<EOCONFIG
SUBJECTALTNAME = email:copy
NSCERTTYPE = server
NAME_CONSTRAINTS =
[ ca ]
default_ca = CA_nats
[ CA_nats ]
certificate = $CA_FILE
dir = $CA_DIR
certs = \$dir/certs
new_certs_dir = \$dir/copies
crl_dir = \$dir/crl
database = \$dir/index.txt
private_key = \$dir/$TEMP_CA_KEY_REL
rand_serial = yes
unique_subject = no
# modern TLS is moving towards rejecting longer-lived certs, be prepared to lower this to less than a year and regenerate more often
default_days = $(( 10 * 365 ))
default_md = $DIGEST_ALG
copy_extensions = copy
policy = policy_anything
x509_extensions = nats_x509_ext
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = optional
emailAddress = optional
[ req ]
default_bits = $RSA_SIZE
default_md = $DIGEST_ALG
utf8 = yes
distinguished_name = req_distinguished_name
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints = CA:true
nsComment = "nats.io nats-server test-suite transient CA"
[ nats_x509_ext ]
$COMMON_X509V3
[ nats_server_nopeer ]
$COMMON_X509V3
nsCertType = server
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, nsSGC, msSGC
# NATS server certs are used as clients in peering (cluster, gateways, etc)
[ nats_server ]
$COMMON_X509V3
nsCertType = server, client
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, nsSGC, msSGC, clientAuth
[ nats_client ]
$COMMON_X509V3
nsCertType = client
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = $COMMON_SUB_COUNTRY
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = $COMMON_SUB_STATE
0.organizationName = Organization Name (eg, company)
0.organizationName_default = $COMMON_SUB_ORG
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = $COMMON_SUB_ORGUNIT
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_max = 64
# no email address for our certs
EOCONFIG
add_delete "$TEMP_CONFIG"
make_keyfile() {
local keyfile="${1:?need a keyfile to create}"
(umask 077; openssl genrsa "$RSA_SIZE" > "$keyfile")
}
ensure_keyfile() {
local keyfile="${1:?need a keyfile to create}"
local description="${2:?need a description}"
if [ -f "$keyfile" ]; then
note "reusing EXISTING $description file: $keyfile"
return 0
fi
note "creating NEW $description file: $keyfile"
make_keyfile "$keyfile"
}
o_req() { openssl req -config "$TEMP_CONFIG" "$@"; }
sign_csr() {
local san="${1:?need subjectAltName}"
shift
env SUBJECTALTNAME="$san" openssl ca -config "$TEMP_CONFIG" -policy policy_anything -batch "$@"
}
make_keyfile "$CA_KEY"
o_req -x509 -new -key "$CA_KEY" -out "$CA_FILE" -outform PEM -subj "$COMMON_SUBJECT/CN=$CA_NAME" -extensions v3_ca
echo
readonly CLIENT_KEY=client-key.pem
BASE=client-cert
ensure_keyfile "$CLIENT_KEY" "client key"
o_req -new -key "$CLIENT_KEY" -out "$BASE.csr" -subj "$COMMON_SUBJECT/CN=localhost"
add_delete "$BASE.csr"
sign_csr "DNS:localhost, IP:127.0.0.1, IP:::1, email:derek@nats.io" -in "$BASE.csr" -out "$BASE.pem" -extensions nats_client
echo
readonly CLIENT_ID_AUTH_KEY=client-id-auth-key.pem
BASE=client-id-auth-cert
ensure_keyfile "$CLIENT_ID_AUTH_KEY" "client id auth key"
o_req -new -key "$CLIENT_ID_AUTH_KEY" -out "$BASE.csr" -subj "$COMMON_SUBJECT/CN=localhost"
add_delete "$BASE.csr"
sign_csr "DNS:localhost, IP:127.0.0.1, IP:::1, email:derek@nats.io" -in "$BASE.csr" -out "$BASE.pem" -extensions nats_client
echo
readonly SERVER_KEY=server-key.pem
BASE=server-cert
ensure_keyfile "$SERVER_KEY" "server key"
o_req -new -key "$SERVER_KEY" -out "$BASE.csr" -subj "$COMMON_SUBJECT/CN=localhost"
add_delete "$BASE.csr"
sign_csr "DNS:localhost, IP:127.0.0.1, IP:::1" -in "$BASE.csr" -out "$BASE.pem" -extensions nats_server
echo
readonly SK_IPONLY=server-key-iponly.pem
BASE=server-iponly
ensure_keyfile "$SK_IPONLY" "server key, IP-only"
# Be careful not to put something verifiable that's not an IP into the CN field, for verifiers which check CN
o_req -new -key "$SK_IPONLY" -out "$BASE.csr" -subj "$COMMON_SUBJECT/CN=ip-only-localhost"
add_delete "$BASE.csr"
sign_csr "IP:127.0.0.1, IP:::1" -in "$BASE.csr" -out "$BASE.pem" -extensions nats_server
echo
readonly SK_NOIP=server-key-noip.pem
BASE=server-noip
ensure_keyfile "$SK_NOIP" "server key, no IPs"
o_req -new -key "$SK_NOIP" -out "$BASE.csr" -subj "$COMMON_SUBJECT/CN=localhost"
add_delete "$BASE.csr"
sign_csr "DNS:localhost" -in "$BASE.csr" -out "$BASE.pem" -extensions nats_server
for SRV in srva srvb; do
echo
KEY="${SRV}-key.pem"
BASE="${SRV}-cert"
ensure_keyfile "$KEY" "server key, variant $SRV"
o_req -new -key "$KEY" -out "$BASE.csr" -subj "$COMMON_SUBJECT/CN=localhost"
add_delete "$BASE.csr"
sign_csr "DNS:localhost, IP:127.0.0.1, IP:::1" -in "$BASE.csr" -out "$BASE.pem" -extensions nats_server
done
Reference in New Issue View Git Blame Copy Permalink