dom/telegraf
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Regenerate TLS certs due to expiration

Browse Source
This commit is contained in:
Daniel Nelson
2017-10-02 15:44:55 -07:00
parent 63e898c058
commit 9b7fe6ce99
2 changed files with 132 additions and 121 deletions
Download Patch File Download Diff File Expand all files Collapse all files

66
scripts/tls-certs.sh Normal file
View File

@@ -0,0 +1,66 @@
#!/bin/sh
mkdir certs certs_by_serial private &&
chmod 700 private &&
echo 01 > ./serial &&
touch ./index.txt &&
cat >./openssl.conf <<EOF
[ ca ]
default_ca = telegraf_ca
[ telegraf_ca ]
certificate = ./certs/cacert.pem
database = ./index.txt
new_certs_dir = ./certs_by_serial
private_key = ./private/cakey.pem
serial = ./serial
default_crl_days = 7
default_days = 3650
default_md = sha256
policy = telegraf_ca_policy
x509_extensions = certificate_extensions
[ telegraf_ca_policy ]
commonName = supplied
[ certificate_extensions ]
basicConstraints = CA:false
[ req ]
default_bits = 1024
default_keyfile = ./private/cakey.pem
default_md = sha256
prompt = yes
distinguished_name = root_ca_distinguished_name
x509_extensions = root_ca_extensions
[ root_ca_distinguished_name ]
commonName = hostname
[ root_ca_extensions ]
basicConstraints = CA:true
keyUsage = keyCertSign, cRLSign
[ client_ca_extensions ]
basicConstraints = CA:false
keyUsage = digitalSignature
extendedKeyUsage = 1.3.6.1.5.5.7.3.2
[ server_ca_extensions ]
basicConstraints = CA:false
keyUsage = keyEncipherment
extendedKeyUsage = 1.3.6.1.5.5.7.3.1
EOF
openssl req -x509 -config ./openssl.conf -newkey rsa:1024 -out ./certs/cacert.pem -keyout ./private/cakey.pem -subj "/CN=Telegraf CA/" -nodes &&
# Create server keypair
openssl genrsa -out ./private/serverkey.pem 1024 &&
openssl req -new -key ./private/serverkey.pem -out ./certs/servercsr.pem -outform PEM -subj "/CN=localhost/O=server/" &&
openssl ca -config ./openssl.conf -in ./certs/servercsr.pem -out ./certs/servercert.pem -notext -batch -extensions server_ca_extensions &&
# Create client keypair
openssl genrsa -out ./private/clientkey.pem 1024 &&
openssl req -new -key ./private/clientkey.pem -out ./certs/clientcsr.pem -outform PEM -subj "/CN=telegraf/O=client/" &&
openssl ca -config ./openssl.conf -in ./certs/clientcsr.pem -out ./certs/clientcert.pem -notext -batch -extensions client_ca_extensions