From 3ca0cbd96a5a4826e0dc86e4625c4b2f508bce93 Mon Sep 17 00:00:00 2001
From: Ashwini Oruganti
Date: Tue, 16 May 2017 16:09:34 -0700
Subject: [PATCH 1/2] Update test cert generation script for postgresql
Signed-off-by: Ashwini Oruganti
---
fixtures/regenerateTestingCerts.sh | 44 ++++++++++++++++++++++++++++++
1 file changed, 44 insertions(+)
diff --git a/fixtures/regenerateTestingCerts.sh b/fixtures/regenerateTestingCerts.sh
index 192ed06d0..029c09b3a 100755
--- a/fixtures/regenerateTestingCerts.sh
+++ b/fixtures/regenerateTestingCerts.sh
@@ -167,3 +167,47 @@ EOL
 rm "${selfsigned}.cnf" "${selfsigned}.csr" "${selfsigned}.key"
 done
+
+# Postgresql keys for testing server/client auth
+
+# TODO: test if cfssl is installed, if not, cleanly exit with a message
+
+# Create a dir to store keys generated temporarily
+mkdir cfssl
+cd cfssl
+
+# Generate CA and certificates
+
+echo '{"CN": "Test Notary CA","key":{"algo":"rsa","size":2048}}' | cfssl gencert -initca - | cfssljson -bare ca -
+
+echo '{"signing":{"default":{"expiry":"43800h"},"profiles":{"server":{"expiry":"43800h", "usages":["signing","key encipherment","server auth"]},"client":{"expiry":"43800h", "usages":["signing","key encipherment","client auth"]}}}}' > ca-config.json
+
+echo '{"CN":"database","hosts":["postgresql","mysql"],"key":{"algo":"rsa","size":2048}}' > server.json
+
+# Generate server cert and private key
+cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=server server.json | cfssljson -bare server
+
+# Generate client certificate (notary server)
+echo '{"CN":"server","hosts":[""],"key":{"algo":"rsa","size":2048}}' > notary-server.json
+
+cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=client notary-server.json | cfssljson -bare notary-server
+
+# Generate client certificate (notary notary-signer)
+echo '{"CN":"signer","hosts":[""],"key":{"algo":"rsa","size":2048}}' > notary-signer.json
+
+cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=client notary-signer.json | cfssljson -bare notary-signer
+
+# Copy keys over to ../fixtures/database/[...] and ../notarysql/postgresql-initdb.d/[...]
+cp ca.pem ../database/
+cp notary-signer.pem ../database/
+cp notary-signer-key.pem ../database/
+cp notary-server.pem ../database
+cp notary-server-key.pem ../database/
+
+cp ca.pem ../../notarysql/postgresql-initdb.d/root.crt
+cp server.pem ../../notarysql/postgresql-initdb.d/server.crt
+cp server-key.pem ../../notarysql/postgresql-initdb.d/server.key
+
+# remove the working dir
+cd ..
+rm -rf cfssl
From eddeade089b7e60dad21ddabe30a9382f2f5b986 Mon Sep 17 00:00:00 2001
From: Ashwini Oruganti
Date: Tue, 23 May 2017 10:29:57 -0700
Subject: [PATCH 2/2] Install cfssl tools if absent.
Signed-off-by: Ashwini Oruganti
---
fixtures/regenerateTestingCerts.sh | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/fixtures/regenerateTestingCerts.sh b/fixtures/regenerateTestingCerts.sh
index 029c09b3a..f66cd8ad9 100755
--- a/fixtures/regenerateTestingCerts.sh
+++ b/fixtures/regenerateTestingCerts.sh
@@ -170,7 +170,9 @@ done
 # Postgresql keys for testing server/client auth
-# TODO: test if cfssl is installed, if not, cleanly exit with a message
+command -v cfssljson >/dev/null 2>&1 || {
+ echo >&2 "Installing cfssl tools"; go get -u github.com/cloudflare/cfssl/cmd/...;
+}
 # Create a dir to store keys generated temporarily
 mkdir cfssl
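Review bot: `mkdir cfssl` and `cd cfssl` are unchecked, so if the directory cannot be created or entered every `cfssl gencert` and `cp` runs in the fixtures directory itself and the closing `cd ..` / `rm -rf cfssl` then operates one level above where the private keys were actually written. Guarding the entry, `mkdir cfssl && cd cfssl || { echo >&2 "cannot enter work dir cfssl"; exit 1; }`, keeps generated key material and the cleanup confined to the intended directory; a `mktemp -d` work dir with an EXIT trap would be better still, but would require the relative `../database/` copy paths to be made absolute. The `cfssl gencert ... | cfssljson -bare ...` pipelines report only cfssljson's status, so a failing `cfssl` is silent unless the script enables `set -o pipefail` near its top, which is outside this hunk and cannot be confirmed here; testing that `server-key.pem` and the other outputs exist before the `cp` lines would catch it. Since `ca-key.pem` is discarded with the work dir, any later change to a single certificate means regenerating the whole set, which deserves a comment above `# Generate CA and certificates`.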
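Review bot: The install fallback tests only `cfssljson` and never re-checks after `go get`, so if the download fails or the Go bin directory is not on `PATH` the script carries on and each later `cfssl gencert` call fails separately instead of stopping here. `go get -u github.com/cloudflare/cfssl/cmd/...` also fetches whatever is currently on the upstream default branch, so regenerating fixtures pulls unpinned code from the network; pinning the checkout to a known release or commit (a placeholder until the project chooses one) makes the generated certificates reproducible. A check after the install block, `command -v cfssl >/dev/null 2>&1 && command -v cfssljson >/dev/null 2>&1 || { echo >&2 "cfssl tools not found on PATH"; exit 1; }`, would make both problems fail fast.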