2 # Copyright (C) The Arvados Authors. All rights reserved.
4 # SPDX-License-Identifier: AGPL-3.0
# Bootstrap TLS material for the arvbox container: a self-signed test root CA
# and a server certificate signed by it. Each half runs only when the existing
# certificate fails `openssl verify`, so re-running the script leaves valid
# files untouched.
# NOTE(review): this excerpt omits lines of the original script (the shebang,
# the `openssl req` / `openssl x509` command heads, the subjectAltName branch
# bodies and the closing `fi`s are not visible here).
# $root_cert, $root_cert_key, $server_cert, $server_cert_key, $localip and $san
# are presumably defined by common.sh — confirm there.
9 . /usr/local/lib/arvbox/common.sh
# Cluster id prefix; embedded in both certificate CNs below.
11 uuid_prefix=$(cat /var/lib/arvados/api_uuid_prefix)
# (Re)create the root CA when the current file does not verify against itself
# (a missing or unreadable file fails verification as well). Variables are
# expanded unquoted throughout, so the paths from common.sh must not contain
# whitespace or glob characters.
13 if ! openssl verify -CAfile $root_cert $root_cert ; then
14 # req signing request sub-command
15 # -new new certificate request
16 # -nodes "no des" don't encrypt key (the private key is written in plaintext
#   and is protected only by filesystem permissions; see chown below)
17 # -sha256 sign with the SHA-256 digest (it does not add a "fingerprint")
18 # -x509 generate self-signed certificate
19 # -subj certificate subject
20 # -reqexts certificate request extension for subjectAltName
21 # -extensions certificate request extension for subjectAltName
22 # -config certificate generation configuration plus subjectAltName
23 # -out certificate output
24 # -keyout private key output
25 # -days certificate lifetime
# -config is the system openssl.cnf with an extra [x509_ext] section appended
# via process substitution. For the root it sets CA:true with pathlen:0 (may
# issue end-entity certs only) and limits key usage to keyCertSign/cRLSign.
31 -subj "/C=US/ST=MA/O=Arvados testing/OU=arvbox/CN=test root CA for ${uuid_prefix} generated $(date --rfc-3339=seconds)" \
32 -extensions x509_ext \
33 -config <(cat /etc/ssl/openssl.cnf \
34 <(printf "\n[x509_ext]\nbasicConstraints=critical,CA:true,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign")) \
36 -keyout $root_cert_key \
38 chown arvbox:arvbox $root_cert $root_cert_key
# A new root invalidates any server cert issued by the old one; drop it so the
# second block below regenerates it.
39 rm -f $server_cert $server_cert_key
# Install the test root into the system trust store (update-ca-certificates
# rebuilds the store from /usr/local/share/ca-certificates).
42 cp $root_cert /usr/local/share/ca-certificates/arvados-testing-cert.crt
43 update-ca-certificates
# Issue a server certificate when the existing one does not chain to the root
# (always the case right after the root was regenerated above).
45 if ! openssl verify -CAfile $root_cert $server_cert ; then
47 rm -f $server_cert $server_cert_key
# Dotted-quad check only: four 1-3 digit groups, no 0-255 range validation.
# Presumably selects an IP: vs DNS: subjectAltName form for $san — the branch
# bodies are not shown here; confirm in the full script.
49 if [[ $localip =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then
55 # req signing request sub-command
56 # -new new certificate request
57 # -nodes "no des" don't encrypt key (private key written in plaintext)
58 # -sha256 sign with the SHA-256 digest (it does not add a "fingerprint")
59 # -subj certificate subject
60 # -reqexts certificate request extension for subjectAltName
61 # -extensions certificate request extension for subjectAltName
62 # -config certificate generation configuration plus subjectAltName
63 # -out certificate output
64 # -keyout private key output
65 # -days certificate lifetime
# The req below writes a CSR and key; the `openssl x509 -req` step that follows
# (its head is not shown) signs the CSR with the root key. Both steps rebuild
# the same [x509_ext] section (digitalSignature/keyEncipherment, SAN
# DNS:localhost plus $san) — keep the two printf strings identical.
# NOTE(review): $san is interpolated into the printf *format* string in both
# places; a literal `%` in it would be parsed as a directive. Passing it as an
# argument (`printf '...subjectAltName=DNS:localhost,%s' "$san"`) keeps it
# opaque.
# NOTE(review): -set_serial $RANDOM$RANDOM concatenates two 15-bit values, so
# serials are low-entropy and can repeat across regenerations under the same
# root, violating the one-serial-per-issuer rule clients rely on. A unique
# random serial (e.g. `-set_serial 0x$(openssl rand -hex 16)`) avoids this.
# $RANDOM is also bash-specific; the shebang is not visible in this excerpt.
70 -subj "/C=US/ST=MA/O=Arvados testing/OU=arvbox/CN=test server cert for ${uuid_prefix} generated $(date --rfc-3339=seconds)" \
72 -extensions x509_ext \
73 -config <(cat /etc/ssl/openssl.cnf \
74 <(printf "\n[x509_ext]\nkeyUsage=critical,digitalSignature,keyEncipherment\nsubjectAltName=DNS:localhost,$san")) \
75 -out /var/lib/arvados/server-cert-${localip}.csr \
76 -keyout $server_cert_key \
81 -in /var/lib/arvados/server-cert-${localip}.csr \
83 -CAkey $root_cert_key \
85 -set_serial $RANDOM$RANDOM \
86 -extfile <(cat /etc/ssl/openssl.cnf \
87 <(printf "\n[x509_ext]\nkeyUsage=critical,digitalSignature,keyEncipherment\nsubjectAltName=DNS:localhost,$san")) \
88 -extensions x509_ext \
91 chown arvbox:arvbox $server_cert $server_cert_key