$ make SHELL='sh -x' -f Makefile.selfsigned.mk intermediate-certs VERBOSE=1
+ echo 'generating root-key.pem'
generating root-key.pem
+ openssl genrsa -out root-key.pem 4096
+ echo '[ req ]'
+ echo 'encrypt_key = no'
+ echo 'prompt = no'
+ echo 'utf8 = yes'
+ echo 'default_md = sha256'
+ echo 'default_bits = 4096'
+ echo 'req_extensions = req_ext'
+ echo 'x509_extensions = req_ext'
+ echo 'distinguished_name = req_dn'
+ echo '[ req_ext ]'
+ echo 'subjectKeyIdentifier = hash'
+ echo 'basicConstraints = critical, CA:true'
+ echo 'keyUsage = critical, digitalSignature, nonRepudiation, keyEncipherment, keyCertSign'
+ echo '[ req_dn ]'
+ echo 'O = Istio'
+ echo 'CN = Root CA'
+ echo 'generating root-cert.csr'
generating root-cert.csr
+ openssl req -sha256 -new -key root-key.pem -config root-ca.conf -out root-cert.csr
+ echo 'generating root-cert.pem'
generating root-cert.pem
+ openssl x509 -req -sha256 -days 3650 -signkey root-key.pem -extensions req_ext -extfile root-ca.conf -in root-cert.csr -out root-cert.pem
Certificate request self-signature ok
subject=O=Istio, CN=Root CA
+ echo 'generating intermediate/ca-key.pem'
generating intermediate/ca-key.pem
+ mkdir -p intermediate/
+ openssl genrsa -out intermediate/ca-key.pem 4096
+ echo '[ req ]'
+ echo 'encrypt_key = no'
+ echo 'prompt = no'
+ echo 'utf8 = yes'
+ echo 'default_md = sha256'
+ echo 'default_bits = 4096'
+ echo 'req_extensions = req_ext'
+ echo 'x509_extensions = req_ext'
+ echo 'distinguished_name = req_dn'
+ echo '[ req_ext ]'
+ echo 'subjectKeyIdentifier = hash'
+ echo 'basicConstraints = critical, CA:true, pathlen:0'
+ echo 'keyUsage = critical, digitalSignature, nonRepudiation, keyEncipherment, keyCertSign'
+ echo subjectAltName=@san
+ echo '[ san ]'
+ echo 'DNS.1 = istiod.istio-system.svc'
+ echo '[ req_dn ]'
+ echo 'O = Istio'
+ echo 'CN = Intermediate CA'
+ echo 'L = intermediate'
+ echo 'generating intermediate/cluster-ca.csr'
generating intermediate/cluster-ca.csr
+ openssl req -sha256 -new -config intermediate//intermediate.conf -key intermediate/ca-key.pem -out intermediate/cluster-ca.csr
+ echo 'generating intermediate/ca-cert.pem'
generating intermediate/ca-cert.pem
+ openssl x509 -req -sha256 -days 3650 -CA root-cert.pem -CAkey root-key.pem -CAcreateserial -extensions req_ext -extfile intermediate//intermediate.conf -in intermediate/cluster-ca.csr -out intermediate/ca-cert.pem
Certificate request self-signature ok
subject=O=Istio, CN=Intermediate CA, L=intermediate
+ echo 'generating intermediate/key.pem'
generating intermediate/key.pem
+ mkdir -p intermediate/
+ openssl genrsa -out intermediate/key.pem 4096
+ echo '[ req ]'
+ echo 'encrypt_key = no'
+ echo 'prompt = no'
+ echo 'utf8 = yes'
+ echo 'default_md = sha256'
+ echo 'default_bits = 4096'
+ echo 'req_extensions = req_ext'
+ echo 'x509_extensions = req_ext'
+ echo 'distinguished_name = req_dn'
+ echo '[ req_ext ]'
+ echo 'subjectKeyIdentifier = hash'
+ echo 'basicConstraints = critical, CA:false'
+ echo 'keyUsage = digitalSignature, keyEncipherment'
+ echo 'extendedKeyUsage = serverAuth, clientAuth'
+ echo subjectAltName=@san
+ echo '[ san ]'
+ echo 'URI.1 = spiffe://cluster.local/ns/intermediate/sa/default'
+ echo '[ req_dn ]'
+ echo 'O = Istio'
+ echo 'CN = Workload'
+ echo 'L = intermediate'
+ echo 'generating intermediate/workload.csr'
generating intermediate/workload.csr
+ openssl req -sha256 -new -config intermediate//workload.conf -key intermediate/key.pem -out intermediate/workload.csr
+ echo 'generating intermediate/workload-cert.pem'
generating intermediate/workload-cert.pem
+ openssl x509 -sha256 -req -days 1 -CA intermediate//ca-cert.pem -CAkey intermediate//ca-key.pem -CAcreateserial -extensions req_ext -extfile intermediate//workload.conf -in intermediate/workload.csr -out intermediate/workload-cert.pem
Certificate request self-signature ok
subject=O=Istio, CN=Workload, L=intermediate
+ echo 'generating intermediate/workload-cert-chain.pem'
generating intermediate/workload-cert-chain.pem
+ cat intermediate/workload-cert.pem intermediate/ca-cert.pem root-cert.pem
+ echo 'Intermediate and workload certs stored in intermediate/'
Intermediate and workload certs stored in intermediate/
+ cp root-cert.pem intermediate//root-cert.pem
+ echo done
done