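#!/usr/bin/env bash
# Issue a leaf TLS certificate for "localhost" from the step-ca running in the
# "stepca" docker container and copy the root CA, the certificate bundle and
# the private key to ./certs on the host.
#
# Usage: step_certs.sh [-h HOST]... [-rsa] [-p]
#   -h HOST  add HOST as an extra SAN (may be repeated)
#   -rsa     use an RSA key instead of the default EC key
#   -p       protect the server key with a random password (stored in ./certs/pass)
#
# Fail fast: any failed command, unset variable or failed pipeline stage aborts
# the run instead of silently producing an incomplete ./certs directory.
set -Eeuo pipefail
trap 'printf "step_certs.sh: command failed at line %s\n" "$LINENO" >&2' ERR

PASSWORD=""                                    # set by -p; empty => key stored unencrypted
PASSWORD_OPTION=""                             # step flags derived from PASSWORD
CA_KEY_TYPE="EC"                               # value for --kty; -rsa switches to RSA
HOST_LIST="--san 127.0.0.1 --san localhost"    # word-split into step flags; -h appends
EXT_OPTIONS=""                                 # not used anywhere in this script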
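#######################################
# Parse command-line options into the script's globals.
# Globals:   HOST_LIST (appended), CA_KEY_TYPE (written), PASSWORD (written)
# Arguments: the script's "$@"
# Outputs:   diagnostics to stderr
# Returns:   0; exits 2 on a usage error, 1 if password generation fails
#######################################
parser_args() {
  local opt
  while (($# > 0)); do
    opt=$1
    case "$opt" in
      -h)
        # -h needs a host name; without it step would get a bare "--san".
        if (($# < 2)); then
          printf 'option %s requires a host name argument\n' "$opt" >&2
          exit 2
        fi
        HOST_LIST="$HOST_LIST --san $2"
        shift
        ;;
      -rsa)
        CA_KEY_TYPE="RSA"
        ;;
      -p)
        # A failed openssl call must not leave PASSWORD empty, because an
        # empty PASSWORD later means "store the key unencrypted".
        if ! PASSWORD=$(openssl rand -base64 32); then
          printf 'openssl rand failed; cannot generate a key password\n' >&2
          exit 1
        fi
        ;;
      *)
        printf 'Invalid option found: %s\n%s is ignored\n' "$opt" "$opt" >&2
        ;;
    esac
    shift
  done
}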
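#######################################
# Run a command inside the "stepca" container.
# Arguments: the command and its arguments, passed through unchanged
# Returns:   the exit status of docker exec
#######################################
execute() {
  # "$@" keeps each argument as one word; the unquoted form would re-split
  # and glob-expand arguments that contain spaces or wildcards.
  docker exec stepca "$@"
}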
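#######################################
# Copy a file out of the "stepca" container to the host.
# Arguments: $1 - path inside the container
#            $2 - destination path on the host (created/truncated)
# Returns:   the exit status of docker exec (non-zero if the source is missing)
#######################################
copy_to_host() {
  local src=$1
  local dst=$2
  # The redirection already targets the host path; the subshell the original
  # wrapped this in added nothing. Quoting keeps paths with spaces intact.
  docker exec stepca cat "$src" > "$dst"
}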
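# ---------------------------------------------------------------------------
# Main flow: parse options, create the leaf certificate inside the container,
# then copy the CA root, the certificate bundle and the key to ./certs.
# ---------------------------------------------------------------------------
parser_args "$@"

# Scratch directory inside the container. It is removed on every exit path
# (trap), not only after a fully successful run.
readonly STEP_WORKDIR=/home/step/localhost
cleanup() { execute rm -rf "$STEP_WORKDIR"; }
trap cleanup EXIT

# Where the key password is staged inside the container. The file name is
# chosen by this script; it lives in the scratch directory and goes away with it.
readonly STEP_PASSWORD_FILE="${STEP_WORKDIR}/server.pass"

if [[ -z "$PASSWORD" ]]; then
  PASSWORD_OPTION="--no-password --insecure"
else
  PASSWORD_OPTION="--password-file ${STEP_PASSWORD_FILE}"
fi

# PASSWORD_OPTION and HOST_LIST are interpolated, unquoted, into a shell
# command line executed inside the container; -h arguments are not shell-quoted.
COMMAND="umask 077 && mkdir -p ${STEP_WORKDIR} && \
cat > ${STEP_PASSWORD_FILE} && \
step certificate create localhost \
${STEP_WORKDIR}/server.crt \
${STEP_WORKDIR}/server.key \
--force \
--profile leaf \
--kty ${CA_KEY_TYPE} \
--not-after=2160h \
--ca /home/step/certs/intermediate_ca.crt \
--ca-key /home/step/secrets/intermediate_ca_key \
--ca-password-file /home/step/secrets/password \
${PASSWORD_OPTION} ${HOST_LIST} --bundle"

# The password travels over stdin into a mode-0600 file (umask 077 above)
# instead of being embedded in the command string, so it never shows up in the
# container's process list or in the docker exec arguments. stdout is discarded
# as before, but stderr and the exit status are kept so a failed issuance is
# reported instead of silently copying stale or missing files.
if ! printf '%s\n' "$PASSWORD" | docker exec -i stepca bash -c "$COMMAND" >/dev/null; then
  printf 'step certificate create failed inside container stepca\n' >&2
  exit 1
fi

mkdir -p ./certs
copy_to_host /home/step/certs/root_ca.crt ./certs/root_ca.crt
copy_to_host "${STEP_WORKDIR}/server.crt" ./certs/server.crt
# The private key and its password are created under umask 077 so they are
# never world-readable, even briefly; chmod also tightens files left over
# from an earlier run.
( umask 077; copy_to_host "${STEP_WORKDIR}/server.key" ./certs/server.key )
chmod 600 ./certs/server.key
if [[ -n "$PASSWORD" ]]; then
  ( umask 077; printf '%s\n' "$PASSWORD" > ./certs/pass )
  chmod 600 ./certs/pass
fi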