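# Create Octavia PKI keys and certificates
# run: make certs PASSPHRASE=${octavia_ca_password}
#
# PASSPHRASE protects every private key generated below (the CA keys stay
# AES-encrypted on disk; only client.cert-and-key.pem is written decrypted).
# It deliberately has no default value: a built-in fallback would silently
# produce keys protected by a publicly known passphrase whenever the caller
# forgets to pass one.  It is exported so openssl reads it through
# `-passin/-passout env:PASSPHRASE` rather than from the command line.
PASSPHRASE ?=
export PASSPHRASE

# Fail at parse time for every goal that touches the PKI.  help, clean and
# mrproper need no passphrase; an empty MAKECMDGOALS means the default goal
# (help) is being run.
ifneq ($(filter-out help clean mrproper,$(MAKECMDGOALS)),)
ifeq ($(strip $(PASSPHRASE)),)
$(error PASSPHRASE is empty; run: make certs PASSPHRASE=<passphrase>)
endif
endif

# RSA modulus size (bits) for the two CA keys.
KEY_LENGTH_CA = 4096
# RSA modulus size (bits) for the client key.
KEY_LENGTH_CLIENT = 2048
# Certificate lifetime in days (7300 ~ 20 years); applied to the CA
# certificates and to the client certificate alike.
DAYS_VALID = 7300

.PHONY: help clean mrproper certs archive
.DEFAULT_GOAL := help
# A failed openssl invocation must not leave a half-written key or
# certificate behind that later looks up to date.
.DELETE_ON_ERROR: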
# List every target that carries a `## description` trailer, in colour.
help: ## This help.
	@awk -F ':.*?## ' '/^[a-zA-Z_-]+:.*?## / { printf "\033[36m%-30s\033[0m %s\n", $$1, $$2 }' $(MAKEFILE_LIST)
# AES-256-encrypted RSA private key of the server CA.  No prerequisites: it
# is generated once and never rebuilt while the file exists.
server_ca.key.pem:
	openssl genrsa -aes256 -passout env:PASSPHRASE -out $@ $(KEY_LENGTH_CA)
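# Self-signed server CA certificate (v3_ca extensions from openssl.conf).
# openssl.conf is a real input of the recipe, so it is a prerequisite:
# editing the extensions re-issues the certificate.
server_ca.cert.pem: server_ca.key.pem openssl.conf
	openssl req -config openssl.conf -new -x509 -days $(DAYS_VALID) \
	  -sha256 -extensions v3_ca -passin env:PASSPHRASE -key $< -out $@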
# AES-256-encrypted RSA private key of the client CA.  No prerequisites: it
# is generated once and never rebuilt while the file exists.
client_ca.key.pem:
	openssl genrsa -aes256 -passout env:PASSPHRASE -out $@ $(KEY_LENGTH_CA)
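# Self-signed client CA certificate (v3_ca extensions from openssl.conf).
# openssl.conf is a real input of the recipe, so it is a prerequisite:
# editing the extensions re-issues the certificate.
client_ca.cert.pem: client_ca.key.pem openssl.conf
	openssl req -config openssl.conf -new -x509 -days $(DAYS_VALID) \
	  -sha256 -extensions v3_ca -passin env:PASSPHRASE -key $< -out $@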
# AES-256-encrypted RSA private key of the client.  The recipe does not use
# client_ca.cert.pem; it is listed so the client CA exists before the client
# chain starts (side effect: a newer CA certificate also regenerates this key).
client.key.pem: client_ca.cert.pem
	openssl genrsa -aes256 -passout env:PASSPHRASE \
	  -out $@ $(KEY_LENGTH_CLIENT)
# Certificate signing request for the client key (subject/extensions come
# from openssl.conf; -passin decrypts the key).
client.csr.pem: client.key.pem
	openssl req -config openssl.conf -new -sha256 \
	  -passin env:PASSPHRASE -key $< -out $@
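# Client certificate signed by the client CA (usr_cert extensions).  The CA
# certificate, the CA key and openssl.conf are all read by the recipe, so
# they are declared as prerequisites; a regenerated CA re-signs the client.
# NOTE: -set_serial pins the serial number to 1000, so every certificate this
# CA signs gets the same serial.  That is fine for a single client
# certificate but must not be reused to issue further ones.
client.cert.pem: client.csr.pem client_ca.cert.pem client_ca.key.pem openssl.conf
	openssl x509 -req -CA client_ca.cert.pem -CAkey client_ca.key.pem \
	  -sha256 -extfile openssl.conf -extensions usr_cert -set_serial 1000 \
	  -days $(DAYS_VALID) -passin env:PASSPHRASE -in $< -out $@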
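# Bundle handed to Octavia: the client private key in PLAINTEXT (openssl rsa
# strips the passphrase) followed by the client certificate.  The whole
# recipe runs in one shell under `umask 077` and ends with chmod 600 so the
# decrypted key is never readable by other users, whatever this openssl
# version's default file mode is.
client.cert-and-key.pem: client.key.pem client.cert.pem
	umask 077 && openssl rsa -passin env:PASSPHRASE -in $< -out $@ \
	  && cat $(word 2,$^) >> $@ \
	  && chmod 600 $@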
# Everything Octavia needs: the server CA certificate and the client bundle.
# client_ca.cert.pem is produced on the way through the client chain.
certs: server_ca.cert.pem client.cert-and-key.pem ## Create Octavia certificates
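# certs.tar is a real file target so make can tell when it is stale and
# rebuilds it only when one of its members changed; `archive` is the phony
# alias.  It is written under `umask 077` and renamed into place atomically
# because it contains the plaintext client key.  server_ca.key.pem (still
# passphrase-encrypted) is included presumably because Octavia needs it to
# sign amphora certificates — confirm against the deployment.
certs.tar: server_ca.key.pem server_ca.cert.pem client_ca.cert.pem client.cert-and-key.pem
	umask 077 && tar --create --file $@.tmp $^ && mv -f $@.tmp $@

archive: certs.tar ## Create an archive with all necessary certificates for Octavia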
# Keep only what Octavia consumes (server CA key+cert, client CA cert,
# client.cert-and-key.pem); drop the client CA key and the intermediate
# client files.  serial*/index.txt* are presumably left over from an
# `openssl ca` workflow; nothing in this file creates them.
clean: ## Remove openssl files but leave files needed for Octavia PKI
	$(RM) client_ca.key.pem client.cert.pem client.csr.pem client.key.pem \
	  serial* index.txt*
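# Remove everything this Makefile produces, including certs.tar, which holds
# copies of the PKI files (the original left the archive behind).
mrproper: ## Remove openssl files and Octavia PKI files
	$(RM) *.pem serial* index.txt* certs.tar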