Update certificates to include localhost and 127.0.0.1

This updates the certificates to have subjectAltName defined as subjectAltName=DNS:$1,DNS:localhost,IP:127.0.0.1 It allows clients from the localhost to connect. We're debating if we need the IP:127.0.0.1 going forward, so this might change in the future. Bug-AGL: SPEC-4868 Change-Id: Ic6bbf5fd55b9f6a14a84512ae8748b3f48dbc3c1 Signed-off-by: Jan-Simon Moeller <jsmoeller@linuxfoundation.org>
author: Jan-Simon Moeller <jsmoeller@linuxfoundation.org> 2023-07-20 22:42:38 +0200
committer: Jan-Simon Moeller <jsmoeller@linuxfoundation.org> 2023-08-01 08:56:57 +0000
commit: 70ac3393d677da85aeab2a208ece874f13eb0e60 (patch)
tree: 12535e751de9df572aa2b63b076f98914eb80e46 /recipes-connectivity/kuksa-val/kuksa-certificates-agl/genCertsAGL.sh
parent: 9ee5b5b2186752d898fca40e9178226c60b495ad (diff)
1 files changed, 58 insertions, 0 deletions
diff --git a/recipes-connectivity/kuksa-val/kuksa-certificates-agl/genCertsAGL.sh b/recipes-connectivity/kuksa-val/kuksa-certificates-agl/genCertsAGL.sh
new file mode 100755
index 000000000..b078fd1b2
--- /dev/null
+++ b/recipes-connectivity/kuksa-val/kuksa-certificates-agl/genCertsAGL.sh
@@ -0,0 +1,58 @@
+#!/bin/bash
+
+
+genCAKey() {
+    openssl genrsa -out CA.key 2048
+}
+
+
+genCACert() {
+    openssl req -key CA.key -new -out CA.csr -subj "/C=US/ST=San Francisco/L=California/O=automotivelinux.org/CN=localhost-ca/emailAddress=agl-dev-community@lists.automotivelinux.org"
+    openssl x509 -signkey CA.key -in CA.csr -req -days 3650 -out CA.pem
+}
+
+genKey() {
+    openssl genrsa -out $1.key 2048
+}
+
+genCert() {
+    openssl req -new -key $1.key -out $1.csr -passin pass:"temp" -subj "/C=US/ST=San Francisco/L=California/O=automotivelinux.org/CN=$1/emailAddress=agl-dev-community@lists.automotivelinux.org"
+    openssl x509 -req -in $1.csr -extfile <(printf "subjectAltName=DNS:$1,DNS:localhost,IP:127.0.0.1") -CA CA.pem -CAkey CA.key -CAcreateserial -days 1460 -out $1.pem
+    openssl verify -CAfile CA.pem $1.pem
+}
+
+set -e
+# Check if the CA is available, else make CA certificates
+if [ -f "CA.key" ]; then
+    echo "Existing CA.key will be used"
+else
+    echo "No CA.key found, will generate new key"
+    genCAKey
+    rm -f CA.pem
+    echo ""
+fi
+
+# Check if the CA.pem is available, else generate a new CA.pem
+if [ -f "CA.pem" ]; then
+    echo "CA.pem will not be regenerated"
+else
+    echo "No CA.pem found, will generate new CA.pem"
+    genCACert
+    echo ""
+fi
+
+
+for i in Server Client;
+do
+    if [ -f $i.key ]; then
+        echo "Existing $i.key will be used"
+    else
+        echo "No $i.key found, will generate new key"
+        genKey $i
+    fi
+    echo ""
+    echo "Generating $i.pem"
+    genCert $i
+    echo ""
+done
+
author	Jan-Simon Moeller <jsmoeller@linuxfoundation.org>	2023-07-20 22:42:38 +0200
committer	Jan-Simon Moeller <jsmoeller@linuxfoundation.org>	2023-08-01 08:56:57 +0000
commit	70ac3393d677da85aeab2a208ece874f13eb0e60 (patch)
tree	12535e751de9df572aa2b63b076f98914eb80e46 /recipes-connectivity/kuksa-val/kuksa-certificates-agl/genCertsAGL.sh
parent	9ee5b5b2186752d898fca40e9178226c60b495ad (diff)