
Commit c3fe2e8

switch certificates to ECDSA, limit validity to 10 days (#373)
1 parent 3059fde commit c3fe2e8


1 file changed

+22
-19
lines changed

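--- a/certs.sh
+++ b/certs.sh
@@ -2,56 +2,59 @@
 
 set -e
 
-if [ -z "$1" ] || [ -z "$2" ] ; then
+if [ -z "$1" ] || [ -z "$2" ]; then
 echo "$0 <cert dir> <chain length>"
 exit 1
 fi
 
 CERTDIR=$1
 CHAINLEN=$2
 
-mkdir -p $CERTDIR || true
+mkdir -p "$CERTDIR" || true
 
 # Generate Root CA and certificate
-openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 \
--keyout $CERTDIR/ca_0.key -out $CERTDIR/cert_0.pem \
+openssl ecparam -name prime256v1 -genkey -out "$CERTDIR"/ca_0.key
+openssl req -x509 -sha256 -nodes -days 10 -key "$CERTDIR"/ca_0.key \
+-out "$CERTDIR"/cert_0.pem \
 -subj "/O=interop runner Root Certificate Authority/" \
 -config cert_config.txt \
 -extensions v3_ca \
 2> /dev/null
 
-for i in $(seq 1 $CHAINLEN); do
+for i in $(seq 1 "$CHAINLEN"); do
 # Generate a CSR
 SUBJ="interop runner intermediate $i"
-if [[ $i == $CHAINLEN ]]; then
+if [[ $i == "$CHAINLEN" ]]; then
 SUBJ="interop runner leaf"
 fi
-openssl req -out $CERTDIR/cert.csr -new -newkey rsa:2048 -nodes -keyout $CERTDIR/ca_$i.key \
+
+openssl ecparam -name prime256v1 -genkey -out "$CERTDIR"/ca_"$i".key
+openssl req -out "$CERTDIR"/cert.csr -new -key "$CERTDIR"/ca_"$i".key -nodes \
 -subj "/O=$SUBJ/" \
 2> /dev/null
 
 # Sign the certificate
-j=$(($i-1))
-if [[ $i < $CHAINLEN ]]; then
-openssl x509 -req -sha256 -days 365 -in $CERTDIR/cert.csr -out $CERTDIR/cert_$i.pem \
--CA $CERTDIR/cert_$j.pem -CAkey $CERTDIR/ca_$j.key -CAcreateserial \
+j=$((i-1))
+if [[ $i < "$CHAINLEN" ]]; then
+openssl x509 -req -sha256 -days 10 -in "$CERTDIR"/cert.csr -out "$CERTDIR"/cert_"$i".pem \
+-CA "$CERTDIR"/cert_"$j".pem -CAkey "$CERTDIR"/ca_"$j".key -CAcreateserial \
 -extfile cert_config.txt \
 -extensions v3_ca \
 2> /dev/null
 else
-openssl x509 -req -sha256 -days 365 -in $CERTDIR/cert.csr -out $CERTDIR/cert_$i.pem \
--CA $CERTDIR/cert_$j.pem -CAkey $CERTDIR/ca_$j.key -CAcreateserial \
+openssl x509 -req -sha256 -days 10 -in "$CERTDIR"/cert.csr -out "$CERTDIR"/cert_"$i".pem \
+-CA "$CERTDIR"/cert_"$j".pem -CAkey "$CERTDIR"/ca_"$j".key -CAcreateserial \
 -extfile <(printf "subjectAltName=DNS:server,DNS:server4,DNS:server6,DNS:server46") \
 2> /dev/null
 fi
 done
 
-mv $CERTDIR/cert_0.pem $CERTDIR/ca.pem
-cp $CERTDIR/ca_$CHAINLEN.key $CERTDIR/priv.key
+mv "$CERTDIR"/cert_0.pem "$CERTDIR"/ca.pem
+cp "$CERTDIR"/ca_"$CHAINLEN".key "$CERTDIR"/priv.key
 
 # combine certificates
-for i in $(seq $CHAINLEN -1 1); do
-cat $CERTDIR/cert_$i.pem >> $CERTDIR/cert.pem
-rm $CERTDIR/cert_$i.pem $CERTDIR/ca_$i.key
+for i in $(seq "$CHAINLEN" -1 1); do
+cat "$CERTDIR"/cert_"$i".pem >> "$CERTDIR"/cert.pem
+rm "$CERTDIR"/cert_"$i".pem "$CERTDIR"/ca_"$i".key
 done
-rm -f $CERTDIR/*.srl $CERTDIR/ca_0.key $CERTDIR/cert.csr
+rm -f "$CERTDIR"/*.srl "$CERTDIR"/ca_0.key "$CERTDIR"/cert.csr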
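Review bot: The rewritten branch condition on new line 38, `if [[ $i < "$CHAINLEN" ]]; then`, is still a string comparison inside `[[ ]]`, so for a chain length of 10 or more the loop picks the wrong signing path (e.g. "9" sorts after "10"), and the quoting change on that line does not alter this; the numeric form `if (( i < CHAINLEN )); then` makes it correct for any length. Separately, the two new `openssl ecparam -genkey` calls write an `EC PARAMETERS` PEM block in front of the private key, which some consumers of priv.key may not accept; `openssl ecparam -name prime256v1 -genkey -noout -out "$CERTDIR"/ca_"$i".key` (and likewise for ca_0.key) emits only the key. A note near the `-days 10` lines recording that the generated chain is now valid for only ten days from generation would help anyone who caches the output of this script. The hunk starts at line 2, so the shebang and anything before it are outside this view.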
