aboutsummaryrefslogtreecommitdiffstats
path: root/kubernetes/platform/components/oom-cert-service/Makefile
diff options
context:
space:
mode:
authorSylvain Desbureaux <sylvain.desbureaux@orange.com>2020-09-24 12:18:58 +0000
committerGerrit Code Review <gerrit@onap.org>2020-09-24 12:18:58 +0000
commitf102a9a56146213c15bb986d25056a35ee939cb4 (patch)
tree7b0ac7701f98844cdf4e4cb457efa81ab059aba6 /kubernetes/platform/components/oom-cert-service/Makefile
parent98d5bbdccc8c448e26c08a69b2b85b2a3138cbe8 (diff)
parent8f0b6f6e7a3a231558343b7dba0b06c0c1228527 (diff)
Merge "[OOM] Automate certificate generation for CMPv2 Cert Service"
Diffstat (limited to 'kubernetes/platform/components/oom-cert-service/Makefile')
-rw-r--r--kubernetes/platform/components/oom-cert-service/Makefile148
1 files changed, 148 insertions, 0 deletions
diff --git a/kubernetes/platform/components/oom-cert-service/Makefile b/kubernetes/platform/components/oom-cert-service/Makefile
new file mode 100644
index 0000000000..c4723dfdd1
--- /dev/null
+++ b/kubernetes/platform/components/oom-cert-service/Makefile
@@ -0,0 +1,148 @@
+CERTS_DIR = resources
+CURRENT_DIR := ${CURDIR}
+DOCKER_CONTAINER = generate-certs
+DOCKER_EXEC = docker exec ${DOCKER_CONTAINER}
+
+all: start_docker \
+ clear_all \
+ root_generate_keys \
+ root_create_certificate \
+ root_self_sign_certificate \
+ client_generate_keys \
+ client_generate_csr \
+ client_sign_certificate_by_root \
+ client_import_root_certificate \
+ client_convert_certificate_to_jks \
+ server_generate_keys \
+ server_generate_csr \
+ server_sign_certificate_by_root \
+ server_import_root_certificate \
+ server_convert_certificate_to_jks \
+ server_convert_certificate_to_p12 \
+ clear_unused_files \
+ stop_docker
+
+.PHONY: all
+
+# Starts docker container for generating certificates - deletes first, if already running
+start_docker:
+ @make stop_docker
+ docker run -d --rm --name ${DOCKER_CONTAINER} --mount type=bind,source=${CURRENT_DIR}/${CERTS_DIR},target=/certs -w /certs docker.io/openjdk:11-jre-slim tail -f /dev/null
+
+# Stops docker container for generating certificates. 'true' is used to return 0 status code, if container is already deleted
+stop_docker:
+ docker rm ${DOCKER_CONTAINER} -f 1>/dev/null || true
+
+#Clear all files related to certificates
+clear_all:
+ @make clear_existing_certificates
+ @make clear_unused_files
+
+#Clear certificates
+clear_existing_certificates:
+ @echo "Clear certificates"
+ ${DOCKER_EXEC} rm -f certServiceClient-keystore.jks certServiceServer-keystore.jks root.crt truststore.jks certServiceServer-keystore.p12
+ @echo "#####done#####"
+
+#Generate root private and public keys
+root_generate_keys:
+ @echo "Generate root private and public keys"
+ ${DOCKER_EXEC} keytool -genkeypair -v -alias root -keyalg RSA -keysize 4096 -validity 3650 -keystore root-keystore.jks \
+ -dname "CN=root.com, OU=Root Org, O=Root Company, L=Wroclaw, ST=Dolny Slask, C=PL" -keypass secret \
+ -storepass secret -ext BasicConstraints:critical="ca:true"
+ @echo "#####done#####"
+
+#Export public key as certificate
+root_create_certificate:
+ @echo "(Export public key as certificate)"
+ ${DOCKER_EXEC} keytool -exportcert -alias root -keystore root-keystore.jks -storepass secret -file root.crt -rfc
+ @echo "#####done#####"
+
+#Self-signed root (import root certificate into truststore)
+root_self_sign_certificate:
+ @echo "(Self-signed root (import root certificate into truststore))"
+ ${DOCKER_EXEC} keytool -importcert -alias root -keystore truststore.jks -file root.crt -storepass secret -noprompt
+ @echo "#####done#####"
+
+#Generate certService's client private and public keys
+client_generate_keys:
+ @echo "Generate certService's client private and public keys"
+ ${DOCKER_EXEC} keytool -genkeypair -v -alias certServiceClient -keyalg RSA -keysize 2048 -validity 365 \
+ -keystore certServiceClient-keystore.jks -storetype JKS \
+ -dname "CN=certServiceClient.com,OU=certServiceClient company,O=certServiceClient org,L=Wroclaw,ST=Dolny Slask,C=PL" \
+ -keypass secret -storepass secret
+ @echo "####done####"
+
+#Generate certificate signing request for certService's client
+client_generate_csr:
+ @echo "Generate certificate signing request for certService's client"
+ ${DOCKER_EXEC} keytool -certreq -keystore certServiceClient-keystore.jks -alias certServiceClient -storepass secret -file certServiceClient.csr
+ @echo "####done####"
+
+#Sign certService's client certificate by root CA
+client_sign_certificate_by_root:
+ @echo "Sign certService's client certificate by root CA"
+ ${DOCKER_EXEC} keytool -gencert -v -keystore root-keystore.jks -storepass secret -alias root -infile certServiceClient.csr \
+ -outfile certServiceClientByRoot.crt -rfc -ext bc=0 -ext ExtendedkeyUsage="serverAuth,clientAuth"
+ @echo "####done####"
+
+#Import root certificate into client
+client_import_root_certificate:
+ @echo "Import root certificate into intermediate"
+ ${DOCKER_EXEC} bash -c "cat root.crt >> certServiceClientByRoot.crt"
+ @echo "####done####"
+
+#Import signed certificate into certService's client
+client_convert_certificate_to_jks:
+ @echo "Import signed certificate into certService's client"
+ ${DOCKER_EXEC} keytool -importcert -file certServiceClientByRoot.crt -destkeystore certServiceClient-keystore.jks -alias certServiceClient -storepass secret -noprompt
+ @echo "####done####"
+
+#Generate certService private and public keys
+server_generate_keys:
+ @echo "Generate certService private and public keys"
+ ${DOCKER_EXEC} keytool -genkeypair -v -alias oom-cert-service -keyalg RSA -keysize 2048 -validity 365 \
+ -keystore certServiceServer-keystore.jks -storetype JKS \
+ -dname "CN=oom-cert-service,OU=certServiceServer company,O=certServiceServer org,L=Wroclaw,ST=Dolny Slask,C=PL" \
+ -keypass secret -storepass secret -ext BasicConstraints:critical="ca:false"
+ @echo "####done####"
+
+#Generate certificate signing request for certService
+server_generate_csr:
+ @echo "Generate certificate signing request for certService"
+ ${DOCKER_EXEC} keytool -certreq -keystore certServiceServer-keystore.jks -alias oom-cert-service -storepass secret -file certServiceServer.csr
+ @echo "####done####"
+
+#Sign certService certificate by root CA
+server_sign_certificate_by_root:
+ @echo "Sign certService certificate by root CA"
+ ${DOCKER_EXEC} keytool -gencert -v -keystore root-keystore.jks -storepass secret -alias root -infile certServiceServer.csr \
+ -outfile certServiceServerByRoot.crt -rfc -ext bc=0 -ext ExtendedkeyUsage="serverAuth,clientAuth" \
+ -ext SubjectAlternativeName:="DNS:oom-cert-service,DNS:localhost"
+ @echo "####done####"
+
+#Import root certificate into server
+server_import_root_certificate:
+ @echo "Import root certificate into intermediate(server)"
+ ${DOCKER_EXEC} bash -c "cat root.crt >> certServiceServerByRoot.crt"
+ @echo "####done####"
+
+#Import signed certificate into certService
+server_convert_certificate_to_jks:
+ @echo "Import signed certificate into certService"
+ ${DOCKER_EXEC} keytool -importcert -file certServiceServerByRoot.crt -destkeystore certServiceServer-keystore.jks -alias oom-cert-service \
+ -storepass secret -noprompt
+ @echo "####done####"
+
+#Convert certServiceServer-keystore(.jks) to PCKS12 format(.p12)
+server_convert_certificate_to_p12:
+ @echo "Convert certServiceServer-keystore(.jks) to PCKS12 format(.p12)"
+ ${DOCKER_EXEC} keytool -importkeystore -srckeystore certServiceServer-keystore.jks -srcstorepass secret \
+ -destkeystore certServiceServer-keystore.p12 -deststoretype PKCS12 -deststorepass secret
+ @echo "#####done#####"
+
+#Clear unused certificates
+clear_unused_files:
+ @echo "Clear unused certificates"
+ ${DOCKER_EXEC} rm -f certServiceClientByRoot.crt certServiceClient.csr root-keystore.jks certServiceServerByRoot.crt certServiceServer.csr
+ @echo "#####done#####"