Diffstat (limited to 'ssl')
-rw-r--r-- | ssl/.gitignore | 4 | ||||
-rw-r--r-- | ssl/Makefile | 33 | ||||
-rw-r--r-- | ssl/README.md | 28 | ||||
-rwxr-xr-x | ssl/connect.sh | 26 |
4 files changed, 91 insertions, 0 deletions
diff --git a/ssl/.gitignore b/ssl/.gitignore
new file mode 100644
index 00000000..598dc753
--- /dev/null
+++ b/ssl/.gitignore
@@ -0,0 +1,4 @@
+*.crt
+*.key
+*.srl
+*.csr
diff --git a/ssl/Makefile b/ssl/Makefile
new file mode 100644
index 00000000..d9d1027f
--- /dev/null
+++ b/ssl/Makefile
@@ -0,0 +1,33 @@
+FILE=sample
+CA_PASSWD=onap
+SUBJ=/C=PL/ST=DL/L=Wroclaw/O=Nokia/OU=MANO
+CA=onap
+
+sign: $(FILE).crt
+
+clean:
+ rm -f *.crt *.key *.srl *.csr
+
+generate-ca-certificate: $(CA).crt
+
+generate-private-key: $(FILE).key
+
+create-public-key: $(FILE).pub
+
+create-sign-request: $(FILE).csr
+
+$(CA).crt:
+ openssl req -new -x509 -keyout $(CA).key -out $(CA).crt -days 365 -passout pass:$(CA_PASSWD) -subj "$(SUBJ)"
+
+$(FILE).key:
+ openssl genpkey -algorithm RSA -out $(FILE).key -pkeyopt rsa_keygen_bits:2048
+
+$(FILE).pub: $(FILE).key
+ openssl x509 -req -days 360 -in client.csr -CA $(CA).crt -CAkey $(CA).key -CAcreateserial -out client.crt
+
+$(FILE).csr: $(FILE).key
+ openssl req -new -sha256 -key $(FILE).key -out $(FILE).csr -subj "$(SUBJ)"
+
+$(FILE).crt: $(CA).crt $(FILE).csr
+ openssl x509 -req -days 360 -in $(FILE).csr -CA $(CA).crt -CAkey $(CA).key -out $(FILE).crt -CAcreateserial -passin pass:$(CA_PASSWD)
+
diff --git a/ssl/README.md b/ssl/README.md
new file mode 100644
index 00000000..efba6107
--- /dev/null
+++ b/ssl/README.md
@@ -0,0 +1,28 @@
+# Generating SSL certificates
+
+Typical usage:
+
+```shell
+make FILE=client
+make FILE=server
+```
+
+Will generate CA certificate and signed client and server certificates.
+
+More "low-level" usage:
+
+```shell
+make generate-ca-certificate
+make generate-private-key FILE=client
+make sign FILE=client
+```
+
+# Connecting to a server
+
+First generate *client* and *server* certificates. Then start a server with it's cert and make ca.crt a trusted certification authority.
+
+After that you can:
+
+```shell
+./connect.sh client localhost:8600 < file_with_a_data_to_be_sent.dat
+```
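Review bot: The CA certificate and every leaf certificate are issued with the identical subject `SUBJ`, which has no CN, and the leaf gets no subjectAltName, so a signed `sample.crt` has issuer == subject and nothing a client could match against a hostname; in my experience OpenSSL 1.x then reports such a leaf as "self signed certificate" at depth 0, and no client can verify `localhost` against it, which defeats the README's connect.sh scenario. The `$(FILE).pub` rule also ignores `FILE` entirely — it reads `client.csr`, which is not a prerequisite, and writes `client.crt` instead of `$@` — so `make create-public-key FILE=server` fails or clobbers the client certificate, and it never produces a public key. `CA_PASSWD=onap` is a committed default credential handed to OpenSSL as `-passout pass:`, which any local user can read from the process list; prefer `-passout env:CA_PASSWD` with no default in the file, and note that `$(FILE).key` is written unencrypted. A sketch of the affected rules, giving CA and leaf distinct CNs and a SAN for the leaf:
```make
# set on the command line or in the environment; never commit a default
export CA_PASSWD
CA_SUBJ=$(SUBJ)/CN=$(CA)-ca
CERT_SUBJ=$(SUBJ)/CN=$(FILE)
# name the peer will be verified against; override per cert, e.g. SAN=DNS:localhost
SAN=DNS:$(FILE)

# … unchanged: sign/clean/alias targets and the $(FILE).key rule …

$(CA).crt:
	openssl req -new -x509 -keyout $(CA).key -out $@ -days 365 -passout env:CA_PASSWD -subj "$(CA_SUBJ)"

$(FILE).pub: $(FILE).key
	openssl pkey -in $< -pubout -out $@

$(FILE).csr: $(FILE).key
	openssl req -new -sha256 -key $< -out $@ -subj "$(CERT_SUBJ)"

$(FILE).crt: $(CA).crt $(FILE).csr
	printf 'subjectAltName=%s\n' '$(SAN)' | openssl x509 -req -days 360 -in $(FILE).csr -CA $(CA).crt -CAkey $(CA).key -CAcreateserial -passin env:CA_PASSWD -extfile /dev/stdin -out $@
```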
diff --git a/ssl/connect.sh b/ssl/connect.sh
new file mode 100755
index 00000000..16524c3e
--- /dev/null
+++ b/ssl/connect.sh
@@ -0,0 +1,26 @@
+#!/bin/bash
+set -eou pipefail
+
+if [[ $# < 2 ]]; then
+ echo "Please provide a key file prefix and a target host:port"
+ exit 1
+fi
+
+key_prefix=$1
+host_and_port=$2
+
+cert_file="$key_prefix.crt"
+key_file="$key_prefix.key"
+
+if [[ ! -r "$cert_file" ]]; then
+ echo "$cert_file is not readable"
+ exit 2
+fi
+
+if [[ ! -r "$key_file" ]]; then
+ echo "$key_file is not readable"
+ exit 2
+fi
+
+openssl s_client -connect $host_and_port -cert "$cert_file" -key "$key_file" -CAfile onap.crt
+
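Review bot: The final `openssl s_client` line forwards whatever is on stdin even when the server's certificate fails to validate, because s_client only prints the verify result and continues the handshake by default; add `-verify_return_error`, and `-verify_hostname "${host_and_port%%:*}"` so the peer is tied to the host rather than merely to the CA. `-CAfile onap.crt` is hard-coded relative to the working directory while the README in this commit calls the trust anchor `ca.crt`; `-CAfile "${CA_FILE:-onap.crt}"` (or a third argument) would let the two agree and be checked for readability like the cert and key. `[[ $# < 2 ]]` is a lexical string comparison inside `[[ ]]` that only happens to work for single-digit argument counts and should be `[[ $# -lt 2 ]]`, and `$host_and_port` should be quoted like the other arguments.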