Generating thin-edge certificates
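#!/bin/sh
# Generate a local CA and the server/client certificates used by the
# thin-edge components on this device (c8y mapper, main agent, child-device
# client), install them under $CERT_DIR and point `tedge config` at them.
#
# Optional environment:
#   CERT_DIR  install directory for the generated material
#             (default: /etc/tedge/device-local-certs)
#   DAYS      validity of every certificate, in days (default: 100)
#
# Intermediate files (CSRs, extension files, the CA serial file) are written
# to the current directory, as before; only the key/cert/serial files are
# moved into $CERT_DIR.
set -e

DEVICE=$(tedge config get device.id)
# An empty device id would silently produce "/OU=/" in every subject.
: "${DEVICE:?tedge device.id is not set}"

CERT_DIR=${CERT_DIR:-/etc/tedge/device-local-certs}
DAYS=${DAYS:-100}

#######################################
# Generate a 2048-bit RSA private key that is never world-readable.
# The umask is changed in a subshell so the rest of the script (and the
# certificates, which must stay readable) is unaffected. A file keeps its
# mode when moved below, so the key stays 0600 in $CERT_DIR; the service
# account that reads it needs to own it or be granted access separately.
# Arguments: $1 - output key path
#######################################
gen_key() {
  ( umask 077; openssl genrsa -out "$1" 2048 )
}

#######################################
# Sign a CSR with the local CA. -CAcreateserial creates
# tedge-local-ca.srl on first use and reuses it afterwards.
# Arguments: $1 - CSR, $2 - extension file, $3 - output certificate
#######################################
sign_csr() {
  openssl x509 -req \
    -in "$1" \
    -CA tedge-local-ca.crt \
    -CAkey tedge-local-ca.key \
    -extfile "$2" \
    -CAcreateserial \
    -out "$3" \
    -days "$DAYS"
}

## Signing certificate
# Self-signed CA. -nodes leaves the CA key unencrypted on disk, so it is
# generated under umask 077 like the other keys; the certificate is then
# made readable again because it is copied into the system trust store.
( umask 077; openssl req \
  -new \
  -x509 \
  -days "$DAYS" \
  -extensions v3_ca \
  -nodes \
  -subj "/O=thin-edge/OU=$DEVICE/CN=tedge-ca" \
  -keyout tedge-local-ca.key \
  -out tedge-local-ca.crt )
chmod 644 tedge-local-ca.crt

## c8y mapper certificate
gen_key c8y-mapper.key
openssl req -out c8y-mapper.csr -key c8y-mapper.key \
  -subj "/O=thin-edge/OU=$DEVICE/SN=c8y-mapper/CN=localhost" \
  -new
# Server-side extensions shared by the mapper and the main agent: both
# serve on this host, so the SAN covers its hostname and localhost.
cat > v3.ext << EOF
authorityKeyIdentifier=keyid
basicConstraints=CA:FALSE
keyUsage = digitalSignature, keyAgreement
extendedKeyUsage = serverAuth, clientAuth
subjectAltName=DNS:$(hostname),DNS:localhost
EOF
sign_csr c8y-mapper.csr v3.ext c8y-mapper.crt

## main agent certificate
gen_key main-agent.key
openssl req -out main-agent.csr \
  -key main-agent.key \
  -subj "/O=thin-edge/OU=$DEVICE/SN=main-agent/CN=localhost" \
  -new
sign_csr main-agent.csr v3.ext main-agent.crt

## client certificate
gen_key tedge-client.key
openssl req -out tedge-client.csr \
  -key tedge-client.key \
  -subj "/O=thin-edge/OU=$DEVICE/SN=child/CN=tedge-client" \
  -new
# Client-only certificate: no serverAuth, no SAN.
cat > client-v3.ext << EOF
basicConstraints=CA:FALSE
extendedKeyUsage = clientAuth
EOF
sign_csr tedge-client.csr client-v3.ext tedge-client.crt

## Settings
# NOTE: the mkdir/mv into $CERT_DIR run without sudo while the trust-store
# update below uses sudo; the script therefore expects write access to
# $CERT_DIR for the invoking user.
mkdir -p "$CERT_DIR/roots"
mv tedge-local-ca.* "$CERT_DIR/roots"
mv c8y-mapper.* "$CERT_DIR"
mv main-agent.* "$CERT_DIR"
mv tedge-client.* "$CERT_DIR"
# Trust the local CA system-wide so the curl checks at the end verify.
sudo cp "$CERT_DIR/roots/tedge-local-ca.crt" /usr/local/share/ca-certificates
sudo update-ca-certificates

### c8y mapper (serving c8y-proxy, file-transfer client)
tedge config set c8y.proxy.client.host localhost
tedge config set c8y.proxy.ca_path "$CERT_DIR/roots"
tedge config set c8y.proxy.cert_path "$CERT_DIR/c8y-mapper.crt"
tedge config set c8y.proxy.key_path "$CERT_DIR/c8y-mapper.key"
tedge config set http.client.host localhost

### main agent (serving file-transfer, c8y-proxy client)
tedge config set c8y.proxy.client.host localhost
tedge config set http.client.auth.cert_file "$CERT_DIR/main-agent.crt"
tedge config set http.client.auth.key_file "$CERT_DIR/main-agent.key"
tedge config set http.cert_path "$CERT_DIR/main-agent.crt"
tedge config set http.key_path "$CERT_DIR/main-agent.key"
tedge config set http.ca_path "$CERT_DIR/roots"

### child agent (file-transfer client, c8y-proxy client)
#### This must not be done on the same host as the main agent
# Deliberately unreachable: the lines below document the child-device
# configuration and `main device hostname` is a placeholder, not a command.
exit 0
tedge config set http.client.host "$(main device hostname)"
tedge config set c8y.proxy.client.host "$(main device hostname)"
tedge config set http.client.auth.cert_file "$CERT_DIR/tedge-client.crt"
tedge config set http.client.auth.key_file "$CERT_DIR/tedge-client.key"

## Client authentication (file-transfer client, c8y-proxy client)
curl --cert "$CERT_DIR/tedge-client.crt" --key "$CERT_DIR/tedge-client.key" https://localhost:8001/c8y/inventory/managedObjects
curl --cert "$CERT_DIR/tedge-client.crt" --key "$CERT_DIR/tedge-client.key" https://localhost:8000/tedge/file-transfer/foo.txt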