
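#!/usr/bin/env bash

# Generate a certificate and private key pair.
#
# Usage: gen_tls_cert.sh <common_name> <pem_file> <cert_file> [validity_days]
#
# Writes an RSA-2048 private key to <pem_file> (mode 0400) and a self-signed
# certificate for <common_name> to <cert_file> (mode 0444). Intermediate files
# (openssl config, CSR, CA index and serial) live in a private mktemp directory
# that is removed on every exit path, including failures.

set -euo pipefail

usage() {
  echo "Usage: $0 <common_name> <pem_file> <cert_file>"
  echo "  or"
  echo "Usage: $0 <common_name> <pem_file> <cert_file> <validity_days>"
  exit 1
}

if [ "$#" -ne 3 ] && [ "$#" -ne 4 ]; then
  usage
fi

common_name="$1"
pem_file="$2"
cert_file="$3"

# Certificate validity defaults to 10000 days; an optional, non-empty 4th
# argument overrides it.
days=10000
if [ -n "${4:-}" ]; then
  days="$4"
fi
# Reject a non-numeric validity up front; otherwise it only surfaces as an
# openssl config error after the private key has already been written.
case "$days" in
  ''|*[!0-9]*)
    printf 'validity_days must be a positive integer, got: %s\n' "$days" >&2
    exit 1
    ;;
esac

# openssl creates its output files with the process umask, so without this the
# private key would be world-readable between 'genrsa' and the chmod below.
# The certificate is made world-readable again explicitly at the end.
umask 077

scratch_dir="$(mktemp -d)"
conf_file="${scratch_dir}"/conf
csr_file="${scratch_dir}"/temp.csr
ext_file="${scratch_dir}"/v3.ext
script_dir="$(dirname "$0")"

# Remove CSR, CA database and serial on any exit so a failed run does not leave
# scratch material behind.
cleanup() { rm -rf -- "${scratch_dir}"; }
trap cleanup EXIT

# Informational: directory the script was invoked from.
echo "$script_dir"

# Minimal 'openssl ca' configuration; the CA state lives in the scratch dir and
# the certificate being generated signs itself (-selfsign below).
cat << EOT > "${conf_file}"
[ ca ]
default_ca = myca

[ myca ]
new_certs_dir = "${scratch_dir}"
unique_subject = no
certificate = "${cert_file}"
database = "${scratch_dir}"/certindex
private_key = "${pem_file}"
serial = "${scratch_dir}"/certserial
default_days = "${days}"
default_md = sha512
policy = myca_policy
default_crl_days = 10000

[ myca_policy ]
commonName = supplied
stateOrProvinceName = supplied
countryName = supplied
emailAddress = optional
organizationName = supplied
organizationalUnitName = optional
localityName = supplied

EOT

# X.509 v3 extensions for the issued certificate.
# NOTE(review): keyUsage asserts keyCertSign while basicConstraints is CA:FALSE;
# the two are inconsistent for an end-entity certificate. Left as-is here because
# consumers may depend on the exact extension set -- confirm before changing.
cat << EOT > "${ext_file}"

authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyCertSign, keyAgreement
subjectAltName = @alt_names

[alt_names]
DNS.1 = "${common_name}"

EOT

# Generate private key.
# Cluster certs are used by CDP which has a Rubrik limit of certs
# to be less than 2048 bytes. This script is used to generate
# cluster and api server certs. Any future changes should use
# more modern alg like Elliptic Curves because RSA-4096 goes over
# the 2048 character limit.
openssl genrsa -out "${pem_file}" 2048

# Generate a Certificate Signing Request
openssl req -new -key "${pem_file}" -out "${csr_file}" \
  -subj "/CN=${common_name}/C=US/ST=California/L=Palo\ Alto/O=Rubrik\, Inc\."

# Self-sign it
touch "${scratch_dir}"/certindex
serial=1000
echo "${serial}" > "${scratch_dir}"/certserial

# We will use yesterday's date for SSL agent's
# certificate start date.
# This is to provide a window of tolerance in
# case the agent's local time differs from the
# cluster's local time.
# The trailing 'Z' in the format declares the timestamp as UTC, so the date
# must be computed in UTC (-u) rather than local time. '--date' is GNU date.
startdate="$(date -u +%y%m%d%H%M%SZ --date=yesterday)"
openssl ca -notext -config "${conf_file}" -in "${csr_file}" \
  -out "${cert_file}" -selfsign -startdate "$startdate" -batch \
  -extfile "${ext_file}"

# Final permissions: key owner-read-only, certificate world-readable.
chmod 0400 "${pem_file}"
chmod 0444 "${cert_file}"

# Scratch directory is removed by the EXIT trap.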