2 # Copyright (C) The Arvados Authors. All rights reserved.
4 # SPDX-License-Identifier: AGPL-3.0
9 . /usr/local/lib/arvbox/common.sh
11 if test ! -s /var/lib/arvados/root-cert.pem ; then
# req         certificate request / self-signed certificate sub-command
# -new        generate a fresh key and request
# -nodes      "no DES": write the private key unencrypted (it must then be protected by file permissions)
# -sha256     use SHA-256 as the signature digest (this is not a "fingerprint" option)
# -x509       emit a self-signed certificate instead of a CSR
# -subj       certificate subject (distinguished name)
# -reqexts    section of -config holding extensions for a certificate request
# -extensions section of -config holding extensions for the certificate itself; for the root CA this is
#             x509_ext below (basicConstraints CA:true,pathlen:0 and keyUsage keyCertSign,cRLSign), not a subjectAltName
# -config     the system openssl.cnf with the x509_ext section appended
# -out        certificate output
# -keyout     private key output
# -days       certificate lifetime
29 -subj "/C=US/ST=MA/O=Arvados testing/OU=arvbox/CN=arvbox testing root CA for ${uuid_prefix}" \
30 -extensions x509_ext \
31 -config <(cat /etc/ssl/openssl.cnf \
32 <(printf "\n[x509_ext]\nbasicConstraints=critical,CA:true,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign")) \
33 -out /var/lib/arvados/root-cert.pem \
34 -keyout /var/lib/arvados/root-cert.key \
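# The CA private key was written with -nodes (unencrypted).  Once the matching
# certificate is installed into the system trust store at the end of this
# script, anyone who can read this key can mint certificates this host trusts,
# so hand the files to arvbox and make sure the key is readable by its owner
# only, whatever umask the key was created under.
chown arvbox:arvbox /var/lib/arvados/root-cert.*
chmod 0600 /var/lib/arvados/root-cert.key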
39 if test ! -s /var/lib/arvados/server-cert-${localip}.pem ; then
41 if [[ $localip =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then
# req         certificate request sub-command (no -x509 here: the output is a CSR for the root CA to sign)
# -new        generate a fresh key and request
# -nodes      "no DES": write the private key unencrypted (it must then be protected by file permissions)
# -sha256     use SHA-256 as the signature digest (this is not a "fingerprint" option)
# -subj       certificate subject; clients match the host name against subjectAltName, not the CN
# -reqexts    section of -config holding extensions for the certificate request
# -extensions section of -config holding extensions (keyUsage and the subjectAltName list)
# -config     the system openssl.cnf with the x509_ext section appended
# -out        certificate request (CSR) output
# -keyout     private key output
# -days       certificate lifetime (only meaningful with -x509; the signing step below sets the real lifetime)
# Note on the signing step that follows: "openssl x509 -req" takes extensions from -extfile, not
# from the CSR, which is why the keyUsage/subjectAltName section is repeated there.  Its serial
# comes from $RANDOM$RANDOM, which is not a CSPRNG and carries far fewer than the 64 random bits
# public CAs are required to use; fine for a throwaway testing CA, but a real CA would use
# something like "-set_serial 0x$(openssl rand -hex 16)".
62 -subj "/C=US/ST=MA/O=Arvados testing for ${uuid_prefix}/OU=arvbox/CN=localhost" \
64 -extensions x509_ext \
65 -config <(cat /etc/ssl/openssl.cnf \
66 <(printf "\n[x509_ext]\nkeyUsage=critical,digitalSignature,keyEncipherment\nsubjectAltName=DNS:localhost,$san")) \
67 -out /var/lib/arvados/server-cert-${localip}.csr \
68 -keyout /var/lib/arvados/server-cert-${localip}.key \
73 -in /var/lib/arvados/server-cert-${localip}.csr \
74 -CA /var/lib/arvados/root-cert.pem \
75 -CAkey /var/lib/arvados/root-cert.key \
76 -out /var/lib/arvados/server-cert-${localip}.pem \
77 -set_serial $RANDOM$RANDOM \
78 -extfile <(cat /etc/ssl/openssl.cnf \
79 <(printf "\n[x509_ext]\nkeyUsage=critical,digitalSignature,keyEncipherment\nsubjectAltName=DNS:localhost,$san")) \
# Give the server key, CSR and certificate to arvbox.  localip has already been
# shape-checked above, so the expansion is safe to quote; the glob stays outside
# the quotes so it still matches the .key/.csr/.pem trio.  File modes are left
# as created (the key is unencrypted) — presumably some service reads it under
# another uid; verify before tightening.
chown arvbox:arvbox -- "/var/lib/arvados/server-cert-${localip}".*
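# Install the testing root CA into the system trust store.  After this, every
# certificate signed with /var/lib/arvados/root-cert.key is trusted by TLS
# clients on this host, which is only acceptable on a disposable test box.
# Stop if the copy fails instead of rebuilding the trust store from a stale
# or missing file.
cp /var/lib/arvados/root-cert.pem /usr/local/share/ca-certificates/arvados-testing-cert.crt || exit 1
update-ca-certificates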