photoncloud-monorepo/scripts/generate-dev-certs.sh
centra 5c6eb04a46 T036: Add VM cluster deployment configs for nixos-anywhere
- netboot-base.nix with SSH key auth
- Launch scripts for node01/02/03
- Node configuration.nix and disko.nix
- Nix modules for first-boot automation

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2025-12-11 09:59:19 +09:00


#!/usr/bin/env bash
# Generate self-signed CA and service certificates for development/testing
# Usage: ./scripts/generate-dev-certs.sh [output_dir]
#
# This script creates:
# - Self-signed CA certificate and key
# - Server certificates for IAM, Chainfire, and FlareDB
#
# For production, use a proper PKI or cert-manager.
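set -euo pipefail

# Root of the generated tree (ca/, iam/, chainfire/, flaredb/ are created
# below it). The first positional argument overrides the default.
readonly OUTPUT_DIR="${1:-./dev-certs}"
# Validity period in days, applied to the CA and to every service certificate.
readonly DAYS_VALID=365

# ANSI colour escapes used by the log_* helpers. They are stored as literal
# backslash sequences, not raw ESC bytes; the helpers expand them on output.
# Marked readonly so an accidental reassignment later in the script fails
# loudly instead of silently changing the log format.
readonly RED='\033[0;31m'
readonly GREEN='\033[0;32m'
readonly YELLOW='\033[1;33m'
readonly NC='\033[0m' # No Color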
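#######################################
# Print an informational progress line to stdout.
# Globals:   GREEN, NC (read)
# Arguments: $* - message text; all arguments are joined with single spaces
# Outputs:   "[INFO] <message>" on stdout, wrapped in the colour escapes
#######################################
log_info() {
  # printf instead of echo -e: %b expands the backslash escapes held in the
  # colour variables, while %s prints the message verbatim (echo -e would
  # also interpret escapes inside the message and mishandle a leading "-").
  printf '%b[INFO]%b %s\n' "$GREEN" "$NC" "$*"
}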
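#######################################
# Print a warning line to stderr.
# Globals:   YELLOW, NC (read)
# Arguments: $* - message text; all arguments are joined with single spaces
# Outputs:   "[WARN] <message>" on stderr, wrapped in the colour escapes
#######################################
log_warn() {
  # Diagnostics go to stderr so they are not swallowed when a caller
  # captures the script's stdout. %b expands the colour escapes; %s keeps
  # the message verbatim.
  printf '%b[WARN]%b %s\n' "$YELLOW" "$NC" "$*" >&2
}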
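#######################################
# Print an error line to stderr.
# Globals:   RED, NC (read)
# Arguments: $* - message text; all arguments are joined with single spaces
# Outputs:   "[ERROR] <message>" on stderr, wrapped in the colour escapes
#######################################
log_error() {
  # Diagnostics go to stderr so they are not swallowed when a caller
  # captures the script's stdout. %b expands the colour escapes; %s keeps
  # the message verbatim.
  printf '%b[ERROR]%b %s\n' "$RED" "$NC" "$*" >&2
}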
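# Every step below shells out to openssl, so fail fast if it is missing.
if ! command -v openssl >/dev/null 2>&1; then
  log_error "openssl not found. Please install openssl."
  exit 1
fi

log_info "Creating certificate directory: $OUTPUT_DIR"
mkdir -p "$OUTPUT_DIR"/{ca,iam,chainfire,flaredb}

# CA private key. The key is generated under umask 077 (inside a subshell so
# the umask does not leak into the rest of the script) so the file is created
# 0600 from the start instead of being world-readable until the chmod pass at
# the end of the script.
# Note: re-running this script overwrites the CA key and certificate; service
# certificates issued by the previous CA will no longer chain to the new one.
log_info "Generating CA private key..."
(umask 077 && openssl genrsa -out "$OUTPUT_DIR/ca/ca.key" 4096)

# Self-signed CA certificate. With the stock openssl configuration, `req -x509`
# emits the CA:TRUE basic constraint itself, so no extension file is needed.
log_info "Generating CA certificate..."
openssl req -new -x509 -days "$DAYS_VALID" -key "$OUTPUT_DIR/ca/ca.key" \
  -out "$OUTPUT_DIR/ca/ca.crt" \
  -subj "/C=JP/ST=Tokyo/L=Tokyo/O=Centra Cloud/OU=Development/CN=Centra Cloud Dev CA"

log_info "CA certificate created:"
openssl x509 -in "$OUTPUT_DIR/ca/ca.crt" -noout -subject -dates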
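#######################################
# Issue a CA-signed leaf certificate for one service.
# Globals:   OUTPUT_DIR, DAYS_VALID (read); log_info, log_error (called)
# Arguments: $1 - service name; also the output subdirectory under OUTPUT_DIR
#            $2 - certificate subject CN
#            $3 - subjectAltName value, e.g. "DNS:host,DNS:localhost,IP:127.0.0.1"
# Outputs:   writes $OUTPUT_DIR/$1/server.key (0600) and server.crt; the CSR
#            and extension file used during signing are removed afterwards.
#            Signing with -CAcreateserial also creates/updates ca.srl next to
#            ca.crt. Progress lines go to stdout.
# Returns:   2 on wrong argument count; under `set -e` any failing openssl
#            step aborts the script
#######################################
generate_service_cert() {
  # Validate arity explicitly rather than relying on `set -u` to trip on $2/$3.
  if (( $# != 3 )); then
    log_error "generate_service_cert: expected <service> <cn> <san>, got $# argument(s)"
    return 2
  fi
  local -r service=$1
  local -r cn=$2
  local -r san=$3
  local -r svc_dir="$OUTPUT_DIR/$service"

  log_info "Generating certificate for $service..."

  # Private key, created under umask 077 in a subshell so the file is never
  # world-readable, not even before the chmod pass at the end of the script.
  (umask 077 && openssl genrsa -out "$svc_dir/server.key" 2048)

  # CSR carrying only the subject; SANs are attached at signing time through
  # the extension file below.
  openssl req -new -key "$svc_dir/server.key" \
    -out "$svc_dir/server.csr" \
    -subj "/C=JP/ST=Tokyo/L=Tokyo/O=Centra Cloud/OU=Services/CN=$cn"

  # v3 extensions: explicit non-CA leaf; both serverAuth and clientAuth so the
  # same certificate can be presented by the service as a client in mTLS.
  # $san is interpolated verbatim — callers pass literal, trusted values.
  cat > "$svc_dir/server.ext" <<EXTEOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = $san
EXTEOF

  # Sign with the dev CA. -CAcreateserial creates ca.srl on first use.
  openssl x509 -req -in "$svc_dir/server.csr" \
    -CA "$OUTPUT_DIR/ca/ca.crt" -CAkey "$OUTPUT_DIR/ca/ca.key" \
    -CAcreateserial -out "$svc_dir/server.crt" \
    -days "$DAYS_VALID" -extfile "$svc_dir/server.ext"

  # The CSR and extension file are only needed during signing.
  rm -f -- "$svc_dir/server.csr" "$svc_dir/server.ext"

  log_info "$service certificate created:"
  openssl x509 -in "$svc_dir/server.crt" -noout -subject -dates
}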
# Issue one leaf certificate per service. Each service's directory name, CN
# and primary DNS SAN are derived from the same identifier; every cert is also
# valid for localhost / 127.0.0.1 so it works for local development.
for svc in iam chainfire flaredb; do
  generate_service_cert "$svc" "${svc}.service.internal" \
    "DNS:${svc}.service.internal,DNS:localhost,IP:127.0.0.1"
done

# Private keys: owner-only. Certificates: world-readable.
log_info "Setting file permissions..."
chmod 600 "$OUTPUT_DIR"/*/server.key "$OUTPUT_DIR/ca/ca.key"
chmod 644 "$OUTPUT_DIR"/*/server.crt "$OUTPUT_DIR/ca/ca.crt"

# Summary of the generated layout (unquoted here-doc so $OUTPUT_DIR expands).
log_info "Certificate generation complete!"
cat <<EOF

Certificate structure:
$OUTPUT_DIR/
├── ca/
│ ├── ca.crt # CA certificate (public)
│ └── ca.key # CA private key (protect!)
├── iam/
│ ├── server.crt
│ └── server.key
├── chainfire/
│ ├── server.crt
│ └── server.key
└── flaredb/
 ├── server.crt
 └── server.key

EOF

# Wiring instructions (quoted delimiter: printed literally, no expansion).
log_info "To use these certificates:"
cat <<'EOF'
 1. Copy to /etc/centra-cloud/certs/ (or configure path in service config)
 2. Update service TOML config with paths to cert_file, key_file, ca_file
 3. Set require_client_cert=true for mTLS, false for TLS-only

EOF
log_warn "These are DEVELOPMENT certificates. Do NOT use in production!"