Merge pull request #46 from flashbots/peg/generate-cert-script
Add helper script for generating mock certificate chain when testing
2 parents 28665f2 + 1115736 commit 1afa3f2

1 file changed

+77
-0
lines changed


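--- /dev/null
+++ b/scripts/generate-cert.sh
@@ -0,0 +1,77 @@
+#!/usr/bin/env bash
+
+# Script to generate a certificate chain with a mock CA for testing
+#
+# Requires `openssl` to be installed
+#
+# Usage: ./generate-cert.sh HOSTNAME IPADDR
+#
+# On GCP the hostname is the IP address in reverse order followed by `@googleusercontent.com`
+# For example:
+# ./generate-cert.sh [email protected] 34.63.107.227
+#
+# The ca.crt file then needs to be transfered to the client, and given with
+# `--tls-ca-certificate ca.crt` when starting proxy-client
+
+set -euo pipefail
+
+# -------- config --------
+HOSTNAME="${1:-localhost}"
+IPADDR="${2:-127.0.0.1}"
+
+echo "==> Generating certificates for:"
+echo " DNS: $HOSTNAME"
+echo " IP : $IPADDR"
+echo ""
+
+# Clean old files
+rm -f ca.key ca.crt ca.srl server.key server.csr server.crt
+
+# -------- CA key + cert --------
+echo "==> Creating CA private key"
+openssl genrsa -out ca.key 4096
+
+echo "==> Creating CA certificate"
+openssl req -x509 -new -key ca.key -sha256 -days 3650 \
+-subj "/CN=My Test CA" \
+-addext "basicConstraints=critical,CA:true,pathlen:0" \
+-addext "keyUsage=critical,keyCertSign,cRLSign" \
+-out ca.crt
+
+# -------- Server key + CSR --------
+echo "==> Creating server private key"
+openssl genrsa -out server.key 2048
+
+echo "==> Creating server CSR"
+openssl req -new -key server.key \
+-subj "/CN=${HOSTNAME}" \
+-out server.csr
+
+# -------- Server certificate signed by CA --------
+echo "==> Creating server certificate signed by CA"
+
+# Build SAN extension file dynamically
+EXTFILE=$(mktemp)
+cat > "$EXTFILE" <<EOF
+basicConstraints=CA:false
+keyUsage=digitalSignature,keyEncipherment
+extendedKeyUsage=serverAuth
+subjectAltName=DNS:${HOSTNAME},IP:${IPADDR}
+EOF
+
+openssl x509 -req -in server.csr \
+-CA ca.crt -CAkey ca.key -CAcreateserial \
+-out server.crt -days 365 -sha256 \
+-extfile "$EXTFILE"
+
+rm -f "$EXTFILE"
+
+echo ""
+echo "==> Done"
+echo "Generated files:"
+echo " ca.key # CA private key"
+echo " ca.crt # CA certificate (required by client)"
+echo " server.key # Server private key"
+echo " server.crt # Server certificate signed by CA"
+echo ""
+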
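Review bot: The two `openssl genrsa -out` calls leave the private keys' file mode to the openssl build in use — recent OpenSSL forces 0600 for a private-key `-out`, but LibreSSL and older builds follow the caller's umask, so `ca.key` and `server.key` can land world-readable in the working directory; adding `umask 077` directly after `set -euo pipefail` makes this portable. The header comment should also state that only `ca.crt` is meant to leave the host and `ca.key` must stay private, since anyone holding it can mint certificates the proxy-client will trust, and that the `-addext` flags on the `openssl req -x509` call need OpenSSL 1.1.1 or newer rather than just "openssl". The `mktemp` extension file is removed only on the success path; under `set -e` a failing `openssl x509` exits before `rm -f "$EXTFILE"`, so `trap 'rm -f "$EXTFILE"' EXIT` placed right after `EXTFILE=$(mktemp)` is the robust form. `rm -f ca.key ca.crt ca.srl …` also silently replaces any existing CA in the current directory, which deserves a one-line warning in the usage block.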
