feat: gen cert script added
This commit is contained in:
parent
5cbdb23e3f
commit
5ae0b20c86
34
README.md
34
README.md
@ -33,47 +33,19 @@ Additionally, you will need a Certificate Authority certificate file, a server c
|
|||||||
|
|
||||||
### Generating Certificates to Secure CoPilot
|
### Generating Certificates to Secure CoPilot
|
||||||
|
|
||||||
Credit is due to this [CodeShip blog post](https://blog.codeship.com/how-to-set-up-mutual-tls-authentication/) for the original instructions.
|
To help simplify the creation of certificates there is a _gen-keys.sh_ script. Run it and answer the prompts to generate all of the required keys to secure CoPilot.
|
||||||
|
|
||||||
Create the appropriate folders to contain the _ca_, _server_, and _client_ certificate files.
|
|
||||||
|
|
||||||
```sh
|
```sh
|
||||||
$ mkdir -p ca server client
|
$ ./gen-keys.sh
|
||||||
```
|
```
|
||||||
|
|
||||||
Generate the CA key and certificate files
|
|
||||||
```sh
|
|
||||||
$ openssl genrsa -aes256 -out ca/ca.key 4096 chmod 400 ca/ca.key
|
|
||||||
$ openssl req -new -x509 -sha256 -days 730 -key ca/ca.key -out ca/ca.crt
|
|
||||||
$ chmod 444 ca/ca.crt
|
|
||||||
```
|
|
||||||
|
|
||||||
Generate the server key files. The FQDN for your host should be specified. In the example below the host that the server will reside on is 'workshop.host' (please change to whatever host CoPilot will be accessible from).
|
|
||||||
```sh
|
|
||||||
$ openssl genrsa -out server/workshop.host.key 2048
|
|
||||||
$ chmod 400 server/workshop.host.key
|
|
||||||
$ openssl req -new -key server/workshop.host.key -sha256 -out server/workshop.host.csr
|
|
||||||
$ openssl x509 -req -days 365 -sha256 -in server/workshop.host.csr -CA ca/ca.crt -CAkey ca/ca.key -set_serial 1 -out server/workshop.host.crt
|
|
||||||
$ chmod 444 server/workshop.host.crt
|
|
||||||
```
|
|
||||||
|
|
||||||
Generate the client certificates that will be installed into the browser.
|
|
||||||
```sh
|
|
||||||
$ openssl genrsa -out client/browser.key 2048
|
|
||||||
$ openssl req -new -key client/browser.key -out client/browser.csr
|
|
||||||
$ openssl x509 -req -days 365 -sha256 -in client/browser.csr -CA ca/ca.crt -CAkey ca/ca.key -set_serial 2 -out client/browser.crt
|
|
||||||
$ openssl pkcs12 -export -clcerts -in client/browser.crt -inkey client/browser.key -out client/browser.p12
|
|
||||||
```
|
|
||||||
|
|
||||||
Next you should install the _client/browser.p12_ certificate in your browser.
|
|
||||||
|
|
||||||
|
|
||||||
### Generate `_env` file from _setup.sh_
|
### Generate `_env` file from _setup.sh_
|
||||||
|
|
||||||
Execute the _setup.sh_ script with the path to your key files.
|
Execute the _setup.sh_ script with the path to your key files.
|
||||||
|
|
||||||
```sh
|
```sh
|
||||||
$ ./setup.sh ~/.ssh/id_rsa ca/ca.crt server/workshop.host.key server/workshop.host.crt
|
$ ./setup.sh ~/path/to/TRITON_PRIVATE_KEY keys-test.com/ca.crt keys-test.com/server.key keys-test.com/server.crt
|
||||||
```
|
```
|
||||||
|
|
||||||
## Usage
|
## Usage
|
||||||
|
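--- a/gen-keys.sh
+++ b/gen-keys.sh
@@ -0,0 +1,33 @@
+#!/bin/bash
+set -e -o pipefail
+
+echo -n "Enter the domain name you plan to use for this key: "
+read domain
+echo -n "Enter the password to use for the key: "
+read -s password
+echo
+echo "Generating key for $domain"
+
+keys_path=keys-$domain
+mkdir -p $keys_path
+
+openssl genrsa -aes256 -passout pass:$password -out $keys_path/ca.key 4096
+chmod 400 $keys_path/ca.key
+openssl req -new -x509 -sha256 -days 730 -key $keys_path/ca.key -out $keys_path/ca.crt -passin pass:$password -subj "/CN=$domain"
+chmod 444 $keys_path/ca.crt
+
+
+openssl genrsa -out $keys_path/server.key 2048
+chmod 400 $keys_path/server.key
+openssl req -new -key $keys_path/server.key -sha256 -out $keys_path/server.csr -passin pass:$password -subj "/CN=$domain"
+openssl x509 -req -days 365 -sha256 -in $keys_path/server.csr -passin pass:$password -CA $keys_path/ca.crt -CAkey $keys_path/ca.key -set_serial 1 -out $keys_path/server.crt
+chmod 444 $keys_path/server.crt
+
+openssl genrsa -out $keys_path/client.key 2048
+openssl req -new -key $keys_path/client.key -out $keys_path/client.csr -subj "/CN=$domain"
+openssl x509 -req -days 365 -sha256 -in $keys_path/client.csr -CA $keys_path/ca.crt -CAkey $keys_path/ca.key -set_serial 2 -out $keys_path/client.crt -passin pass:$password
+openssl pkcs12 -export -clcerts -in $keys_path/client.crt -inkey $keys_path/client.key -out $keys_path/client.p12 -passout pass:$password
+
+open $keys_path/client.p12 &
+echo
+echo "You can complete setup by running './setup.sh ~/path/to/TRITON_PRIVATE_KEY $keys_path/ca.crt $keys_path/server.key $keys_path/server.crt'"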
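Review bot: Every `-passout pass:$password` / `-passin pass:$password` in this script puts the CA passphrase on the openssl command line, where it is typically visible to other local users via `ps` (and to `set -x` traces) for the lifetime of each process; the `read -s` prompt only hides it from the terminal. Export it once and reference it through openssl's `env:` source instead (`export KEY_PASS=$password`, then `-passout env:KEY_PASS` / `-passin env:KEY_PASS`), and quote the expansions (`"$keys_path"`, `read -r domain`) so a domain or passphrase containing whitespace or glob characters does not split the arguments. Two secondary points: the server certificate is issued with only `-subj "/CN=$domain"` and no subjectAltName, which current browsers generally require for hostname verification, and the fixed `-set_serial 1` / `-set_serial 2` mean that rerunning the script against an existing `keys-$domain` directory reissues certificates with duplicate serials under the same CA, which browsers reject. `client.key` and `client.p12` are also left at default permissions while the other private keys get `chmod 400`.
```bash
read -r domain
# … unchanged: password prompt …
read -r -s password
export KEY_PASS=$password   # openssl reads the passphrase from the environment, not from argv

keys_path="keys-$domain"
mkdir -p -- "$keys_path"

openssl genrsa -aes256 -passout env:KEY_PASS -out "$keys_path/ca.key" 4096
chmod 400 "$keys_path/ca.key"
openssl req -new -x509 -sha256 -days 730 -key "$keys_path/ca.key" -out "$keys_path/ca.crt" -passin env:KEY_PASS -subj "/CN=$domain"
# … unchanged apart from the same env:KEY_PASS and quoting substitution: server and client key/cert generation, pkcs12 export …
chmod 400 "$keys_path/client.key" "$keys_path/client.p12"
# … unchanged: open, final echo …
```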
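--- a/setup.sh
+++ b/setup.sh
@@ -11,6 +11,12 @@ help() {
 echo 'TRITON_PRIVATE_KEY is the filesystem path to an SSH private key'
 echo 'used to connect to Triton.'
 echo
+echo 'CA_CRT is the filesystem path to a certificate authority crt file.'
+echo
+echo 'SERVER_KEY is the filesystem path to a TLS server key file.'
+echo
+echo 'SERVER_CRT is the filesystem path to a TLS server crt file.'
+echo
 }
 
 # Check for correct configuration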