Diffstat (limited to 'ssl')
-rw-r--r--ssl/.gitignore4
-rw-r--r--ssl/Makefile33
-rw-r--r--ssl/README.md28
-rwxr-xr-xssl/connect.sh26
4 files changed, 91 insertions, 0 deletions
diff --git a/ssl/.gitignore b/ssl/.gitignore
new file mode 100644
index 00000000..598dc753
--- /dev/null
+++ b/ssl/.gitignore
@@ -0,0 +1,4 @@
+*.crt
+*.key
+*.srl
+*.csr
diff --git a/ssl/Makefile b/ssl/Makefile
new file mode 100644
index 00000000..d9d1027f
--- /dev/null
+++ b/ssl/Makefile
@@ -0,0 +1,33 @@
+FILE=sample
+CA_PASSWD=onap
+SUBJ=/C=PL/ST=DL/L=Wroclaw/O=Nokia/OU=MANO
+CA=onap
+
+sign: $(FILE).crt
+
+clean:
+ rm -f *.crt *.key *.srl *.csr
+
+generate-ca-certificate: $(CA).crt
+
+generate-private-key: $(FILE).key
+
+create-public-key: $(FILE).pub
+
+create-sign-request: $(FILE).csr
+
+$(CA).crt:
+ openssl req -new -x509 -keyout $(CA).key -out $(CA).crt -days 365 -passout pass:$(CA_PASSWD) -subj "$(SUBJ)"
+
+$(FILE).key:
+ openssl genpkey -algorithm RSA -out $(FILE).key -pkeyopt rsa_keygen_bits:2048
+
+$(FILE).pub: $(FILE).key
+ openssl x509 -req -days 360 -in client.csr -CA $(CA).crt -CAkey $(CA).key -CAcreateserial -out client.crt
+
+$(FILE).csr: $(FILE).key
+ openssl req -new -sha256 -key $(FILE).key -out $(FILE).csr -subj "$(SUBJ)"
+
+$(FILE).crt: $(CA).crt $(FILE).csr
+ openssl x509 -req -days 360 -in $(FILE).csr -CA $(CA).crt -CAkey $(CA).key -out $(FILE).crt -CAcreateserial -passin pass:$(CA_PASSWD)
+
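Review bot: The `$(FILE).pub` rule never creates its target: its recipe is a copy of the signing command with `client.csr` and `client.crt` hard-coded and no `-passin`, so `make create-public-key` ignores FILE and openssl will presumably stop to prompt for the CA key pass phrase. If the intent is to export the public half of the key, the recipe would be `openssl pkey -in $(FILE).key -pubout -out $@`. Separately, `-passout pass:$(CA_PASSWD)` and `-passin pass:$(CA_PASSWD)` put the CA pass phrase on the openssl command line, where it shows up in the process list and in make's echoed recipe. Adding `export CA_PASSWD` and switching to `-passout env:CA_PASSWD` / `-passin env:CA_PASSWD` keeps it off the command line. I would also add a comment above `CA_PASSWD=onap` such as `# default pass phrase for throwaway test CAs only; override for anything else`.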
diff --git a/ssl/README.md b/ssl/README.md
new file mode 100644
index 00000000..efba6107
--- /dev/null
+++ b/ssl/README.md
@@ -0,0 +1,28 @@
+# Generating SSL certificates
+
+Typical usage:
+
+```shell
+make FILE=client
+make FILE=server
+```
+
+Will generate CA certificate and signed client and server certificates.
+
+More "low-level" usage:
+
+```shell
+make generate-ca-certificate
+make generate-private-key FILE=client
+make sign FILE=client
+```
+
+# Connecting to a server
+
+First generate *client* and *server* certificates. Then start a server with it's cert and make ca.crt a trusted certification authority.
+
+After that you can:
+
+```shell
+./connect.sh client localhost:8600 < file_with_a_data_to_be_sent.dat
+```
diff --git a/ssl/connect.sh b/ssl/connect.sh
new file mode 100755
index 00000000..16524c3e
--- /dev/null
+++ b/ssl/connect.sh
@@ -0,0 +1,26 @@
+#!/bin/bash
+set -eou pipefail
+
+if [[ $# < 2 ]]; then
+ echo "Please provide a key file prefix and a target host:port"
+ exit 1
+fi
+
+key_prefix=$1
+host_and_port=$2
+
+cert_file="$key_prefix.crt"
+key_file="$key_prefix.key"
+
+if [[ ! -r "$cert_file" ]]; then
+ echo "$cert_file is not readable"
+ exit 2
+fi
+
+if [[ ! -r "$key_file" ]]; then
+ echo "$key_file is not readable"
+ exit 2
+fi
+
+openssl s_client -connect $host_and_port -cert "$cert_file" -key "$key_file" -CAfile onap.crt
+
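Review bot: The final `openssl s_client` call does not stop when the server certificate fails verification; s_client reports the verify error and continues the handshake unless `-verify_return_error` is given, so the data on stdin can go to a server that `onap.crt` did not sign. Suggested: `openssl s_client -connect "$host_and_port" -cert "$cert_file" -key "$key_file" -CAfile onap.crt -verify_return_error`, which also quotes `$host_and_port`. The argument check `[[ $# < 2 ]]` is a string comparison inside `[[ ]]`; `(( $# < 2 ))` is the numeric test. `-CAfile onap.crt` is resolved against the current directory and, unlike the cert and key files, is not checked for readability before the connection is attempted.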