@@ -39,14 +39,12 @@ function getComponentCertificateCn {
3939
4040# Generate a server certificate
4141function generateServerCertificate {
42- local COMPOSANT=" ${1} "
43- local KEY_PASS=" ${2} "
44- local INTERMEDIATE_CA_KEY=" ${3} "
45- local TYPE_CERTIFICAT=" ${4} "
46- local AUTHORITY=" ${5} "
47- local SERVICE_HOSTNAME=" ${6} "
48- local SERVICE_DC_HOSTNAME=" ${7} "
49- local REVERSE_SAN=" ${8} "
42+ local COMPONENT=" ${1} "
43+ local TYPE_CERTIFICAT=" ${2} "
44+ local AUTHORITY=" ${3} "
45+ local SERVICE_HOSTNAME=" ${4} "
46+ local SERVICE_DC_HOSTNAME=" ${5} "
47+ local REVERSE_SAN=" ${6} "
5048
5149 # Correctly set Subject Alternate Name (env var is read inside the openssl configuration file)
5250 export OPENSSL_SAN=" $( getComponentCertificateSan $SERVICE_HOSTNAME $SERVICE_DC_HOSTNAME $REVERSE_SAN ) "
@@ -55,23 +53,30 @@ function generateServerCertificate {
5553 # Correctly set certificate DIRECTORY (env var is read inside the openssl configuration file)
5654 export OPENSSL_CRT_DIR=${AUTHORITY}
5755
58- pki_logger " Starting process to generate ${TYPE_CERTIFICAT} certificate signed with CA ${AUTHORITY} for ${COMPOSANT} ..."
59- local SERVER_CERTIFICATE_PATH=$( getServerCertificatePath ${AUTHORITY} ${COMPOSANT} )
56+
57+ pki_logger " Starting process to generate ${TYPE_CERTIFICAT} certificate signed with CA ${AUTHORITY} for ${COMPONENT} ..."
58+ local SERVER_CERTIFICATE_PATH=$( getServerCertificatePath ${AUTHORITY} ${COMPONENT} )
6059 mkdir -p " ${SERVER_CERTIFICATE_PATH} "
61- pki_logger " Generating ${TYPE_CERTIFICAT} key for ${COMPOSANT} ..."
60+
61+ # Retrieve the passphrase of the CA_INTERMEDIATE from the vault-ca
62+ local CA_INTERMEDIATE_PASS=$( getPassphrase ca " ca_intermediate_${AUTHORITY} " )
63+
64+ local KEY_PASS=$( setPassphrase certs " ${AUTHORITY} _${TYPE_CERTIFICAT} _${COMPONENT} " )
65+
66+ pki_logger " Generating ${TYPE_CERTIFICAT} key for ${COMPONENT} ..."
6267 openssl req -newkey " ${CRYPTO_SPEC} " \
6368 -passout pass:" ${KEY_PASS} " \
64- -keyout " ${SERVER_CERTIFICATE_PATH} /${COMPOSANT } .key" \
65- -out " ${SERVER_CERTIFICATE_PATH} /${COMPOSANT } .req" \
69+ -keyout " ${SERVER_CERTIFICATE_PATH} /${COMPONENT } .key" \
70+ -out " ${SERVER_CERTIFICATE_PATH} /${COMPONENT } .req" \
6671 -nodes \
6772 -config " ${CONFIG_DIR} /crt-config" \
6873 -batch
6974
70- pki_logger " Generating ${TYPE_CERTIFICAT} crt for ${COMPOSANT } ..."
75+ pki_logger " Generating ${TYPE_CERTIFICAT} crt for ${COMPONENT } ..."
7176 openssl ca -config " ${CONFIG_DIR} /crt-config" \
72- -passin pass:" ${INTERMEDIATE_CA_KEY } " \
73- -out " ${SERVER_CERTIFICATE_PATH} /${COMPOSANT } .crt" \
74- -in " ${SERVER_CERTIFICATE_PATH} /${COMPOSANT } .req" \
77+ -passin pass:" ${CA_INTERMEDIATE_PASS } " \
78+ -out " ${SERVER_CERTIFICATE_PATH} /${COMPONENT } .crt" \
79+ -in " ${SERVER_CERTIFICATE_PATH} /${COMPONENT } .req" \
7580 -extensions extension_${TYPE_CERTIFICAT} -batch
7681
7782 purge_directory " ${SERVER_CERTIFICATE_PATH} "
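Review bot: Both vault secrets fetched in this hunk reach openssl through `pass:` arguments (`-passout pass:"${KEY_PASS}"` on the `req` call and `-passin pass:"${CA_INTERMEDIATE_PASS}"` on the `ca` call), so for the lifetime of each process the intermediate-CA passphrase is readable by any local user via `ps` or `/proc/<pid>/cmdline`; an `env:` source with a per-command variable prefix keeps it off argv. The `local VAR=$(…)` form also swallows a failed `getPassphrase`/`setPassphrase`, so an empty passphrase silently reaches `openssl ca` instead of the function aborting — splitting declaration from assignment and checking for a non-empty value makes that explicit. Note that `-nodes` on the `req` call means the `-passout` value is never applied and the `.key` is written unencrypted, so the passphrase stored via `setPassphrase` protects nothing on disk; the client variant carries a TODO saying exactly this and this function should too. `setPassphrase` is now called with two arguments where the removed caller passed the generated value as a third, and the client path uses `getOrSetPassphrase` instead — I cannot see those helpers, so please confirm this form generates and returns a passphrase rather than storing an empty one.
```shell
  # Retrieve the passphrase of the CA_INTERMEDIATE from the vault-ca
  local CA_INTERMEDIATE_PASS
  CA_INTERMEDIATE_PASS=$( getPassphrase ca "ca_intermediate_${AUTHORITY}" ) || return 1
  [[ -n "${CA_INTERMEDIATE_PASS}" ]] || { pki_logger "Empty CA passphrase for ${AUTHORITY}, aborting..."; return 1; }

  local KEY_PASS
  KEY_PASS=$( setPassphrase certs "${AUTHORITY}_${TYPE_CERTIFICAT}_${COMPONENT}" ) || return 1

  pki_logger "Generating ${TYPE_CERTIFICAT} key for ${COMPONENT}..."
  # TODO: -nodes makes -passout a no-op; the .key is written unencrypted until deployment can supply the passphrase.
  KEY_PASS="${KEY_PASS}" openssl req -newkey "${CRYPTO_SPEC}" \
    -passout env:KEY_PASS \
    # … unchanged: -keyout/-out/-nodes/-config/-batch …

  pki_logger "Generating ${TYPE_CERTIFICAT} crt for ${COMPONENT}..."
  CA_INTERMEDIATE_PASS="${CA_INTERMEDIATE_PASS}" openssl ca -config "${CONFIG_DIR}/crt-config" \
    -passin env:CA_INTERMEDIATE_PASS \
    # … unchanged: -out/-in/-extensions/-batch …
```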
@@ -81,51 +86,55 @@ function generateServerCertificate {
8186# Generate the path of a client certificate
8287function getClientCertificatePath {
8388 local AUTHORITY=" ${1} "
84- local COMPOSANT =" ${2} "
85- echo " ${CERTIFICATE_DIR} /${AUTHORITY} /clients/${COMPOSANT } "
89+ local COMPONENT =" ${2} "
90+ echo " ${CERTIFICATE_DIR} /${AUTHORITY} /clients/${COMPONENT } "
8691}
8792
8893# Generate a client certificate
8994function generateClientCertificate {
90- local COMPOSANT=" ${1} "
91- local KEY_PASS=" ${2} "
92- local CA_INTERMEDIATE_PASS=" ${3} "
93- local TYPE_CERTIFICAT=" ${4} "
94- local AUTHORITY=" ${5} "
95+ local COMPONENT=" ${1} "
96+ local TYPE_CERTIFICAT=" ${2} "
97+ local AUTHORITY=" ${3} "
9598
9699 # Correctly set certificate CN (env var is read inside the openssl configuration file)
97- export OPENSSL_CN=" ${COMPOSANT } "
100+ export OPENSSL_CN=" ${COMPONENT } "
98101 # Correctly set certificate DIRECTORY (env var is read inside the openssl configuration file)
99102 export OPENSSL_CRT_DIR=${AUTHORITY}
100103
101- pki_logger " Starting process to generate ${TYPE_CERTIFICAT} certificate for ${COMPOSANT } ..."
102- local CLIENT_CERTIFICATE_PATH=$( getClientCertificatePath ${AUTHORITY} ${COMPOSANT } )
104+ pki_logger " Starting process to generate ${TYPE_CERTIFICAT} certificate for ${COMPONENT } ..."
105+ local CLIENT_CERTIFICATE_PATH=$( getClientCertificatePath ${AUTHORITY} ${COMPONENT } )
103106 mkdir -p " ${CLIENT_CERTIFICATE_PATH} "
104- pki_logger " Generating ${TYPE_CERTIFICAT} key for ${COMPOSANT} ..."
107+
108+ # Retrieve the passphrase of the CA_INTERMEDIATE from the vault-ca
109+ local CA_INTERMEDIATE_PASS=$( getPassphrase ca " ca_intermediate_${AUTHORITY} " )
110+
111+ local KEY_PASS=$( getOrSetPassphrase certs " ${AUTHORITY} _${TYPE_CERTIFICAT} _${COMPONENT} " )
112+
113+ pki_logger " Generating ${TYPE_CERTIFICAT} key for ${COMPONENT} ..."
105114 # TODO: Workaround with -nodes parameter to avoid passphrase.
106115 # Remove this parameter when we have a solution for providing the passphrase to ansible during deployment.
107116 openssl req -newkey " ${CRYPTO_SPEC} " \
108117 -passout pass:" ${KEY_PASS} " \
109118 -nodes \
110- -keyout " ${CLIENT_CERTIFICATE_PATH} /${COMPOSANT } .key" \
111- -out " ${CLIENT_CERTIFICATE_PATH} /${COMPOSANT } .req" \
119+ -keyout " ${CLIENT_CERTIFICATE_PATH} /${COMPONENT } .key" \
120+ -out " ${CLIENT_CERTIFICATE_PATH} /${COMPONENT } .req" \
112121 -config " ${CONFIG_DIR} /crt-config" \
113122 -batch
114123
115- pki_logger " Generating ${TYPE_CERTIFICAT} crt signed with ${AUTHORITY} for ${COMPOSANT } ..."
124+ pki_logger " Generating ${TYPE_CERTIFICAT} crt signed with ${AUTHORITY} for ${COMPONENT } ..."
116125 openssl ca -config " ${CONFIG_DIR} /crt-config" \
117126 -passin pass:" ${CA_INTERMEDIATE_PASS} " \
118- -out " ${CLIENT_CERTIFICATE_PATH} /${COMPOSANT } .crt" \
119- -in " ${CLIENT_CERTIFICATE_PATH} /${COMPOSANT } .req" \
127+ -out " ${CLIENT_CERTIFICATE_PATH} /${COMPONENT } .crt" \
128+ -in " ${CLIENT_CERTIFICATE_PATH} /${COMPONENT } .req" \
120129 -extensions extension_${TYPE_CERTIFICAT} -batch
121130
122- pki_logger " Generating ${TYPE_CERTIFICAT} pem only for cas-server and ui-* components..."
131+ # Generating pem only for cas-server and ui-* components...
123132 # Mandatory for loading the certificates in database 'security -> certificates' for authentification purposes
124- if [ " ${COMPOSANT } " == " cas-server" ] || [[ " ${COMPOSANT } " == ui-* ]]; then
125- pki_logger " Generating ${TYPE_CERTIFICAT} pem for ${COMPOSANT } ..."
133+ if [ " ${COMPONENT } " == " cas-server" ] || [[ " ${COMPONENT } " == ui-* ]]; then
134+ pki_logger " Generating ${TYPE_CERTIFICAT} pem for ${COMPONENT } ..."
126135 openssl x509 \
127- -in " ${CLIENT_CERTIFICATE_PATH} /${COMPOSANT } .crt" \
128- -out " ${CLIENT_CERTIFICATE_PATH} /${COMPOSANT } .pem"
136+ -in " ${CLIENT_CERTIFICATE_PATH} /${COMPONENT } .crt" \
137+ -out " ${CLIENT_CERTIFICATE_PATH} /${COMPONENT } .pem"
129138 fi
130139
131140 purge_directory " ${CLIENT_CERTIFICATE_PATH} "
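Review bot: The client path takes its key passphrase from `getOrSetPassphrase` while the server path in the same file uses `setPassphrase`, so a client whose `.crt` was removed and regenerated gets a brand-new private key bound to whatever passphrase was already in the vault, whereas a server gets a fresh value; if that asymmetry is deliberate, a comment on the `local KEY_PASS=` line should say so, e.g. `# NOTE: unlike generateServerCertificate this reuses an existing vault entry — confirm this is intended`. Today the difference is masked because `-nodes` discards `-passout` and writes the `.key` unencrypted (as the TODO above the `req` call notes), but it will matter as soon as that TODO is resolved. As in the server function, `local CA_INTERMEDIATE_PASS=$(…)` hides a failed vault lookup, and the CA passphrase then reaches `openssl ca` on argv via `-passin pass:`, visible in `ps`; `CA_INTERMEDIATE_PASS="${CA_INTERMEDIATE_PASS}" openssl ca … -passin env:CA_INTERMEDIATE_PASS` keeps it out of the process list.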
@@ -145,14 +154,12 @@ function generateServerCertAndStorePassphrase {
145154 local COMPONENT=" ${1} "
146155 local AUTHORITY=" ${2} "
147156
148- pki_logger " DEBUG" " generateServerCertAndStorePassphrase called with $# args: COMPONENT=$1 , AUTHORITY=$2 "
157+ pki_logger " DEBUG" " ${FUNCNAME[0]} called with $# args: COMPONENT=$1 , AUTHORITY=$2 "
149158
150159 local TYPE_CERTIFICAT=" servers"
151160 local REVERSE_SAN=" "
152161
153- # Retrieve the passphrase of the CA_INTERMEDIATE from the vault-ca
154- CA_INTERMEDIATE_PASS=$( getPassphrase ca " ca_intermediate_${AUTHORITY} " )
155- DC_NAME=$( getDcName)
162+ local DC_NAME=$( getDcName)
156163
157164 if [ " ${COMPONENT} " == " reverse" ]; then
158165 REVERSE_SAN=$( read_ansible_var " vitamui_reverse_external_dns" hosts_vitamui_reverseproxy[0])
@@ -163,19 +170,13 @@ function generateServerCertAndStorePassphrase {
163170
164171 local SERVER_CERTIFICATE_PATH=$( getServerCertificatePath ${AUTHORITY} ${COMPONENT} )
165172 if [ ! -f " ${SERVER_CERTIFICATE_PATH} /${COMPONENT} .crt" ]; then
166- # Generate the passphrase
167- local KEY_PASS=$( generatePassphrase)
168173 # Create the certificate
169174 generateServerCertificate ${COMPONENT} \
170- ${KEY_PASS} \
171- ${CA_INTERMEDIATE_PASS} \
172175 ${TYPE_CERTIFICAT} \
173176 ${AUTHORITY} \
174177 " vitamui-${COMPONENT} .service.${CONSUL_DOMAIN} " \
175178 " vitamui-${COMPONENT} .service.${DC_NAME} .${CONSUL_DOMAIN} " \
176179 " ${REVERSE_SAN} "
177- # Store the key to the vault
178- setPassphrase certs " ${AUTHORITY} _${TYPE_CERTIFICAT} _${COMPONENT} " " ${KEY_PASS} "
179180 else
180181 pki_logger " Le certificat ${AUTHORITY} - ${TYPE_CERTIFICAT} - ${COMPONENT} .crt existe déjà, il ne sera pas recréé..."
181182 fi
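Review bot: `generateServerCertAndStorePassphrase` no longer stores anything itself — passphrase generation and the vault write now happen inside `generateServerCertificate` — so the function name and the `# Create the certificate` comment understate what the call does; a short comment at the call site would help the next reader, e.g. `# generateServerCertificate also generates the key passphrase and stores it in the certs vault`. The guard only checks for the `.crt`, so a directory holding a `.crt` whose `.key` is missing (or whose vault entry was lost) is silently treated as complete; that predates this change, but it is worth a `# TODO` now that the vault write is out of sight of this guard. The function's body continues before the start of this hunk.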
@@ -186,25 +187,16 @@ function generateClientCertAndStorePassphrase {
186187 local COMPONENT=" ${1} "
187188 local AUTHORITY=" ${2} "
188189
189- pki_logger " DEBUG" " generateClientCertAndStorePassphrase called with $# args: COMPONENT=$1 , AUTHORITY=$2 "
190+ pki_logger " DEBUG" " ${FUNCNAME[0]} called with $# args: COMPONENT=$1 , AUTHORITY=$2 "
190191
191192 local TYPE_CERTIFICAT=" clients"
192193
193194 local CLIENT_CERTIFICATE_PATH=$( getClientCertificatePath ${AUTHORITY} ${COMPONENT} )
194195 if [ ! -f " ${CLIENT_CERTIFICATE_PATH} /${COMPONENT} .crt" ]; then
195- # Get the CA_INTERMEDIATE passphrase from the vault-ca
196- local CA_INTERMEDIATE_PASS=$( getPassphrase ca " ca_intermediate_${AUTHORITY} " )
197-
198- # Generate the key
199- local KEY_PASS=$( generatePassphrase)
200196 # Create the certificate
201197 generateClientCertificate ${COMPONENT} \
202- ${KEY_PASS} \
203- ${CA_INTERMEDIATE_PASS} \
204198 ${TYPE_CERTIFICAT} \
205199 ${AUTHORITY}
206- # Store the key to the vault
207- setPassphrase certs " ${AUTHORITY} _${TYPE_CERTIFICAT} _${COMPONENT} " " ${KEY_PASS} "
208200 else
209201 pki_logger " Le certificat ${AUTHORITY} - ${TYPE_CERTIFICAT} - ${COMPONENT} existe déjà, il ne sera pas recréé..."
210202 fi
@@ -227,9 +219,9 @@ function getConsulDomain {
227219
228220function getDcName {
229221 # Get DC_NAME
230- VITAMUI_SITE_NAME=$( read_ansible_var " vitamui_site_name" " hosts_vitamui_consul_server[0]" )
222+ local VITAMUI_SITE_NAME=$( read_ansible_var " vitamui_site_name" " hosts_vitamui_consul_server[0]" )
231223 if [[ -z " $VITAMUI_SITE_NAME " || " $VITAMUI_SITE_NAME " =~ " VARIABLEISNOTDEFINED" ]]; then
232- VITAM_SITE_NAME=$( read_ansible_var " vitam_site_name" " hosts_cas_server[0]" )
224+ local VITAM_SITE_NAME=$( read_ansible_var " vitam_site_name" " hosts_cas_server[0]" )
233225 echo $VITAM_SITE_NAME
234226 else
235227 echo $VITAMUI_SITE_NAME
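Review bot: The fallback branch does not apply the same sanity check as the first read: `vitamui_site_name` is rejected when empty or matching `VARIABLEISNOTDEFINED`, but `vitam_site_name` is echoed unconditionally, so if `read_ansible_var` reports it undefined in the same way (inferred from the first check, not visible here) that sentinel string becomes `DC_NAME` and ends up in the `vitamui-<component>.service.<dc>.<domain>` SAN of every server certificate. A guard such as `[[ -n "${VITAM_SITE_NAME}" && ! "${VITAM_SITE_NAME}" =~ "VARIABLEISNOTDEFINED" ]] || return 1` before the echo would turn that into a hard failure. Minor: `echo $VITAM_SITE_NAME` and `echo $VITAMUI_SITE_NAME` should be quoted so the value is not word-split or glob-expanded. The function's closing lines fall outside this hunk.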