diff options
author | Jan-Simon Moeller <jsmoeller@linuxfoundation.org> | 2023-07-20 22:42:38 +0200 |
---|---|---|
committer | Jan-Simon Moeller <jsmoeller@linuxfoundation.org> | 2023-07-31 16:21:05 +0000 |
commit | e5ab749de2db4e3902159ee641ea5df08223d813 (patch) | |
tree | 142b9cd9bb914cbcf79f2d0e156fc827858ecbb9 /recipes-connectivity/kuksa-val/kuksa-certificates-agl/genCertsAGL.sh | |
parent | 4b1a8c3c557b283372f8853672da641bfef06ef4 (diff) |
Update certificates to include localhost and 127.0.0.1
This updates the certificates to have subjectAltName defined as
subjectAltName=DNS:$1,DNS:localhost,IP:127.0.0.1
It allows clients from the localhost to connect.
We're debating if we need the IP:127.0.0.1 going forward,
so this might change in the future.
Bug-AGL: SPEC-4868
Change-Id: Ic6bbf5fd55b9f6a14a84512ae8748b3f48dbc3c1
Signed-off-by: Jan-Simon Moeller <jsmoeller@linuxfoundation.org>
Diffstat (limited to 'recipes-connectivity/kuksa-val/kuksa-certificates-agl/genCertsAGL.sh')
-rwxr-xr-x | recipes-connectivity/kuksa-val/kuksa-certificates-agl/genCertsAGL.sh | 58 |
1 files changed, 58 insertions, 0 deletions
diff --git a/recipes-connectivity/kuksa-val/kuksa-certificates-agl/genCertsAGL.sh b/recipes-connectivity/kuksa-val/kuksa-certificates-agl/genCertsAGL.sh new file mode 100755 index 000000000..b078fd1b2 --- /dev/null +++ b/recipes-connectivity/kuksa-val/kuksa-certificates-agl/genCertsAGL.sh @@ -0,0 +1,58 @@ +#!/bin/bash + + +genCAKey() { + openssl genrsa -out CA.key 2048 +} + + +genCACert() { + openssl req -key CA.key -new -out CA.csr -subj "/C=US/ST=San Francisco/L=California/O=automotivelinux.org/CN=localhost-ca/emailAddress=agl-dev-community@lists.automotivelinux.org" + openssl x509 -signkey CA.key -in CA.csr -req -days 3650 -out CA.pem +} + +genKey() { + openssl genrsa -out $1.key 2048 +} + +genCert() { + openssl req -new -key $1.key -out $1.csr -passin pass:"temp" -subj "/C=US/ST=San Francisco/L=California/O=automotivelinux.org/CN=$1/emailAddress=agl-dev-community@lists.automotivelinux.org" + openssl x509 -req -in $1.csr -extfile <(printf "subjectAltName=DNS:$1,DNS:localhost,IP:127.0.0.1") -CA CA.pem -CAkey CA.key -CAcreateserial -days 1460 -out $1.pem + openssl verify -CAfile CA.pem $1.pem +} + +set -e +# Check if the CA is available, else make CA certificates +if [ -f "CA.key" ]; then + echo "Existing CA.key will be used" +else + echo "No CA.key found, will generate new key" + genCAKey + rm -f CA.pem + echo "" +fi + +# Check if the CA.pem is available, else generate a new CA.pem +if [ -f "CA.pem" ]; then + echo "CA.pem will not be regenerated" +else + echo "No CA.pem found, will generate new CA.pem" + genCACert + echo "" +fi + + +for i in Server Client; +do + if [ -f $i.key ]; then + echo "Existing $i.key will be used" + else + echo "No $i.key found, will generate new key" + genKey $i + fi + echo "" + echo "Generating $i.pem" + genCert $i + echo "" +done + |