@@ -11,13 +11,6 @@ set -e
1111# ################################# Functions ###################################
1212# ###############################################################################
1313
14- # Generate the path of a server certificate
15- function getServerCertificatePath {
16- local AUTHORITY=" ${1} "
17- local COMPONENT=" ${2} "
18- echo " ${CERTIFICATE_DIR} /${AUTHORITY} /servers/${COMPONENT} "
19- }
20-
2114# Generate the Subject Alternate Name for a server certificate
2215function getComponentCertificateSan {
2316 local SERVICE_HOSTNAME=" ${1} "
@@ -39,9 +32,9 @@ function getComponentCertificateCn {
3932
4033# Generate a server certificate
4134function generateServerCertificate {
42- local COMPONENT =" ${1} "
35+ local AUTHORITY =" ${1} "
4336 local TYPE_CERTIFICAT=" ${2} "
44- local AUTHORITY =" ${3} "
37+ local COMPONENT =" ${3} "
4538 local SERVICE_HOSTNAME=" ${4} "
4639 local SERVICE_DC_HOSTNAME=" ${5} "
4740 local REVERSE_SAN=" ${6} "
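Review bot: The reorder of generateServerCertificate's positional parameters to AUTHORITY, TYPE_CERTIFICAT, COMPONENT is invisible to any caller still using the old COMPONENT-first order, since all three are plain strings; a stale call would sign the certificate with the wrong intermediate CA and write it under the wrong directory without any error. The only caller visible here (generateServerCertAndStorePassphrase, later in this diff) is updated, but any other call site outside this diff should be checked before merging. The same applies to generateClientCertificate, whose parameters are reordered in the hunk around L78 of the new file. A comment above the function fixing the order, `# Args: AUTHORITY TYPE_CERTIFICAT COMPONENT SERVICE_HOSTNAME SERVICE_DC_HOSTNAME REVERSE_SAN`, would make the contract visible to future callers. The function body continues outside this hunk.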
@@ -53,10 +46,8 @@ function generateServerCertificate {
5346 # Correctly set certificate DIRECTORY (env var is read inside the openssl configuration file)
5447 export OPENSSL_CRT_DIR=${AUTHORITY}
5548
56-
5749 pki_logger " Starting process to generate ${TYPE_CERTIFICAT} certificate signed with CA ${AUTHORITY} for ${COMPONENT} ..."
58- local SERVER_CERTIFICATE_PATH=$( getServerCertificatePath ${AUTHORITY} ${COMPONENT} )
59- mkdir -p " ${SERVER_CERTIFICATE_PATH} "
50+ mkdir -p " ${CERTIFICATE_DIR} /${AUTHORITY} /servers/${COMPONENT} "
6051
6152 # Retrieve the passphrase of the CA_INTERMEDIATE from the vault-ca
6253 local CA_INTERMEDIATE_PASS=$( getPassphrase ca " ca_intermediate_${AUTHORITY} " )
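Review bot: The directory created on the `mkdir -p` line hardcodes `servers`, while the caller in generateServerCertAndStorePassphrase (hunk around L154 of the new file) builds its existence check from `${TYPE_CERTIFICAT}`; the removed getServerCertificatePath helper kept that spelling in one place, and the two now only agree as long as the caller keeps passing `servers`. Since TYPE_CERTIFICAT is already this function's second argument, `mkdir -p "${CERTIFICATE_DIR}/${AUTHORITY}/${TYPE_CERTIFICAT}/${COMPONENT}"` removes the duplicate; the `clients` literal in generateClientCertificate later in this diff has the same issue. If the two spellings ever diverge, the `-f` check never sees the file and the certificate and key are regenerated on every run, which for a PKI script means silently re-issuing material that may already be deployed. The function continues outside this hunk.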
@@ -83,32 +74,24 @@ function generateServerCertificate {
8374 purge_directory " ${CONFIG_DIR} /${AUTHORITY} "
8475}
8576
86- # Generate the path of a client certificate
87- function getClientCertificatePath {
88- local AUTHORITY=" ${1} "
89- local COMPONENT=" ${2} "
90- echo " ${CERTIFICATE_DIR} /${AUTHORITY} /clients/${COMPONENT} "
91- }
92-
9377# Generate a client certificate
9478function generateClientCertificate {
95- local COMPONENT =" ${1} "
79+ local AUTHORITY =" ${1} "
9680 local TYPE_CERTIFICAT=" ${2} "
97- local AUTHORITY =" ${3} "
81+ local COMPONENT =" ${3} "
9882
9983 # Correctly set certificate CN (env var is read inside the openssl configuration file)
10084 export OPENSSL_CN=" ${COMPONENT} "
10185 # Correctly set certificate DIRECTORY (env var is read inside the openssl configuration file)
10286 export OPENSSL_CRT_DIR=${AUTHORITY}
10387
10488 pki_logger " Starting process to generate ${TYPE_CERTIFICAT} certificate for ${COMPONENT} ..."
105- local CLIENT_CERTIFICATE_PATH=$( getClientCertificatePath ${AUTHORITY} ${COMPONENT} )
106- mkdir -p " ${CLIENT_CERTIFICATE_PATH} "
89+ mkdir -p " ${CERTIFICATE_DIR} /${AUTHORITY} /clients/${COMPONENT} "
10790
10891 # Retrieve the passphrase of the CA_INTERMEDIATE from the vault-ca
10992 local CA_INTERMEDIATE_PASS=$( getPassphrase ca " ca_intermediate_${AUTHORITY} " )
11093
111- local KEY_PASS=$( getOrSetPassphrase certs " ${AUTHORITY} _${TYPE_CERTIFICAT} _${COMPONENT} " )
94+ local KEY_PASS=$( setPassphrase certs " ${AUTHORITY} _${TYPE_CERTIFICAT} _${COMPONENT} " )
11295
11396 pki_logger " Generating ${TYPE_CERTIFICAT} key for ${COMPONENT} ..."
11497 # TODO: Workaround with -nodes parameter to avoid passphrase.
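Review bot: Replacing getOrSetPassphrase with setPassphrase on the KEY_PASS line changes the client path from reuse-if-present to always-write; the server function's corresponding line is outside this diff, so I cannot tell whether the two paths now behave differently. If setPassphrase overwrites an existing entry, every call that reaches this line rotates the stored passphrase, and the caller only skips when the .crt already exists, so a run with erase enabled or a missing .crt next to a surviving key would leave consumers of the old passphrase stale. A comment on that line stating why the unconditional write is intended, e.g. `# Always issue a fresh passphrase: the key is regenerated below, so a stale vault entry must not be reused`, would make the change reviewable, assuming that is the rationale. The function continues outside this hunk.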
@@ -154,7 +137,7 @@ function generateServerCertAndStorePassphrase {
154137 local COMPONENT=" ${1} "
155138 local AUTHORITY=" ${2} "
156139
157- pki_logger " DEBUG " " ${FUNCNAME[0]} called with $# args: COMPONENT= $1 , AUTHORITY= $2 "
140+ pki_logger " Creating server certificate for COMPONENT: ${ AUTHORITY} / ${COMPONENT} "
158141
159142 local TYPE_CERTIFICAT=" servers"
160143 local REVERSE_SAN=" "
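Review bot: The new log line reads `Creating server certificate for COMPONENT: ${AUTHORITY}/${COMPONENT}`, where the label says COMPONENT but the value printed is authority/component, and it drops the `DEBUG` level argument that the replaced line (and the `DC_NAME=` line in the next hunk) pass as first parameter. `pki_logger "Creating server certificate ${AUTHORITY}/${COMPONENT}"` reads correctly; whether it should stay at DEBUG level depends on pki_logger's default, which is not visible here. The client counterpart in generateClientCertAndStorePassphrase has the same wording. The function continues outside this hunk.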
@@ -168,17 +151,17 @@ function generateServerCertAndStorePassphrase {
168151
169152 pki_logger " DEBUG" " DC_NAME=${DC_NAME} , CONSUL_DOMAIN=${CONSUL_DOMAIN} "
170153
171- local SERVER_CERTIFICATE_PATH= $( getServerCertificatePath ${AUTHORITY} ${ COMPONENT})
172- if [ ! -f " ${SERVER_CERTIFICATE_PATH} / ${COMPONENT} .crt " ]; then
173- # Create the certificate
174- generateServerCertificate ${COMPONENT } \
154+ local CERTIFICATE_FILE= " ${CERTIFICATE_DIR} / ${AUTHORITY} / ${TYPE_CERTIFICAT} / ${ COMPONENT}/ ${COMPONENT} .crt "
155+ if [ ! -f " ${CERTIFICATE_FILE} " ]; then
156+ # Create the server certificate
157+ generateServerCertificate ${AUTHORITY } \
175158 ${TYPE_CERTIFICAT} \
176- ${AUTHORITY } \
159+ ${COMPONENT } \
177160 " vitamui-${COMPONENT} .service.${CONSUL_DOMAIN} " \
178161 " vitamui-${COMPONENT} .service.${DC_NAME} .${CONSUL_DOMAIN} " \
179162 " ${REVERSE_SAN} "
180163 else
181- pki_logger " Le certificat ${AUTHORITY} - ${TYPE_CERTIFICAT} - ${COMPONENT} .crt existe déjà, il ne sera pas recréé ..."
164+ pki_logger " Certificate ${CERTIFICATE_FILE} already exists, it will not be recreated ..."
182165 fi
183166}
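Review bot: The added call `generateServerCertificate ${AUTHORITY} \` and its `${COMPONENT} \` continuation pass the first and third arguments unquoted, while the hostname and REVERSE_SAN arguments on the following lines are quoted; an empty or whitespace-containing AUTHORITY or COMPONENT would shift the positional parameters, and with the new argument order TYPE_CERTIFICAT would then land in AUTHORITY. Quote them like the other arguments: `generateServerCertificate "${AUTHORITY}" \` and `"${COMPONENT}" \`. The same applies to the generateClientCertificate call in the next hunk. Because the script runs with `set -e` and not `-u` (per the first hunk header), an unset variable here expands to nothing instead of failing.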
184167
@@ -187,18 +170,17 @@ function generateClientCertAndStorePassphrase {
187170 local COMPONENT=" ${1} "
188171 local AUTHORITY=" ${2} "
189172
190- pki_logger " DEBUG " " ${FUNCNAME[0]} called with $# args: COMPONENT= $1 , AUTHORITY= $2 "
173+ pki_logger " Creating client certificate for COMPONENT: ${ AUTHORITY} / ${COMPONENT} "
191174
192175 local TYPE_CERTIFICAT=" clients"
193-
194- local CLIENT_CERTIFICATE_PATH=$( getClientCertificatePath ${AUTHORITY} ${COMPONENT} )
195- if [ ! -f " ${CLIENT_CERTIFICATE_PATH} /${COMPONENT} .crt" ]; then
196- # Create the certificate
197- generateClientCertificate ${COMPONENT} \
176+ local CERTIFICATE_FILE=" ${CERTIFICATE_DIR} /${AUTHORITY} /${TYPE_CERTIFICAT} /${COMPONENT} /${COMPONENT} .crt"
177+ if [ ! -f " ${CERTIFICATE_FILE} " ]; then
178+ # Create the client certificate
179+ generateClientCertificate ${AUTHORITY} \
198180 ${TYPE_CERTIFICAT} \
199- ${AUTHORITY }
181+ ${COMPONENT }
200182 else
201- pki_logger " Le certificat ${AUTHORITY} - ${TYPE_CERTIFICAT} - ${COMPONENT} existe déjà, il ne sera pas recréé ..."
183+ pki_logger " Certificate ${CERTIFICATE_FILE} already exists, it will not be recreated ..."
202184 fi
203185}
204186
@@ -245,7 +227,7 @@ function main {
245227
246228 ERASE=" false"
247229
248- # Vérification des paramètres
230+ # Parameters check
249231 if [ " ${1} " == " " ]; then
250232 pki_logger " ERROR" " This script needs to know on which environment you want to apply to !"
251233 exit 1
@@ -255,16 +237,15 @@ function main {
255237 ERASE=" true"
256238 fi
257239 fi
258- ENVIRONNEMENT=" ${1} "
259- ENVIRONNEMENT_FILE=" ${1} "
240+ ENVIRONMENT_FILE=" ${1} "
260241
261- if [ ! -f " ${ENVIRONNEMENT_FILE } " ]; then
262- pki_logger " ERROR" " Cannot find environment file: ${ENVIRONNEMENT_FILE } "
242+ if [ ! -f " ${ENVIRONMENT_FILE } " ]; then
243+ pki_logger " ERROR" " Cannot find environment file: ${ENVIRONMENT_FILE } "
263244 exit 1
264245 fi
265246
266247 pki_logger " Input parameters:"
267- pki_logger " -> Environnement : ${ENVIRONNEMENT } "
248+ pki_logger " -> Environment : ${ENVIRONMENT_FILE } "
268249 pki_logger " -> Erase existing certificates: ${ERASE} "
269250
270251 # Get consul_domain
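Review bot: The `ENVIRONNEMENT` global is removed and only `ENVIRONMENT_FILE` remains, but main's variables are not declared `local` and the script runs under `set -e` without `-u`, so any remaining reference to `${ENVIRONNEMENT}` elsewhere in the file would now expand to an empty string silently rather than error; a search for the old name outside this diff is worth doing before merging. If nothing outside main reads it, `local ENVIRONMENT_FILE="${1}"` would match the scoping used by the other functions in this script. main continues outside this hunk.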