diff options
| -rw-r--r-- | .gitignore | 1 | ||||
| -rw-r--r-- | Makefile | 52 | ||||
| -rw-r--r-- | README.md | 84 | ||||
| -rw-r--r-- | certService/src/main/resources/application.properties | 3 | ||||
| -rwxr-xr-x | parseCertServiceResponse.sh | 4 |
5 files changed, 144 insertions, 0 deletions
@@ -3,6 +3,7 @@ target/ !**/src/test/** **/var compose-resources/client-volume +compose-resources/certs-from-curl ### STS ### .apt_generated @@ -32,3 +32,55 @@ stop-backend: @echo "##### Stop Cert Service #####" docker-compose down @echo "##### DONE #####" + +send-initialization-request: + @echo "##### Create folder for certificates from curl: `pwd`/compose-resources/certs-from-curl/ #####" + mkdir -p `pwd`/compose-resources/certs-from-curl/ + @echo "##### Generate CSR and Key #####" + openssl req -new -newkey rsa:2048 -nodes -keyout `pwd`/compose-resources/certs-from-curl/ir.key \ + -out `pwd`/compose-resources/certs-from-curl/ir.csr \ + -subj "/C=US/ST=California/L=San-Francisco/O=ONAP/OU=Linux-Foundation/CN=onap.org" \ + -addext "subjectAltName = DNS:test.onap.org" + @echo "##### Send Initialization Request #####" + curl -sN https://localhost:8443/v1/certificate/RA -H "PK: $$(cat ./compose-resources/certs-from-curl/ir.key | base64 | tr -d \\n)" \ + -H "CSR: $$(cat ./compose-resources/certs-from-curl/ir.csr | base64 | tr -d \\n)" \ + --cert `pwd`/certs/cmpv2Issuer-cert.pem \ + --key `pwd`/certs/cmpv2Issuer-key.pem \ + --cacert `pwd`/certs/cacert.pem | `pwd`/parseCertServiceResponse.sh "ir" + +send-key-update-request: verify-initialization-request-files-exist + @echo "##### Generate CSR and Key #####" + openssl req -new -newkey rsa:2048 -nodes -keyout `pwd`/compose-resources/certs-from-curl/kur.key \ + -out `pwd`/compose-resources/certs-from-curl/kur.csr \ + -subj "/C=US/ST=California/L=San-Francisco/O=ONAP/OU=Linux-Foundation/CN=onap.org" \ + -addext "subjectAltName = DNS:test.onap.org" + @echo "##### Send Key Update Request #####" + curl -sN https://localhost:8443/v1/certificate-update/RA -H "PK: $$(cat ./compose-resources/certs-from-curl/kur.key | base64 | tr -d \\n)" \ + -H "CSR: $$(cat ./compose-resources/certs-from-curl/kur.csr | base64 | tr -d \\n)" \ + -H "OLD_PK: $$(cat ./compose-resources/certs-from-curl/ir.key | base64 | tr -d \\n)" \ + -H "OLD_CERT: $$(cat ./compose-resources/certs-from-curl/ir-cert.pem | base64 | tr -d \\n)" \ + --cert `pwd`/certs/cmpv2Issuer-cert.pem \ + --key `pwd`/certs/cmpv2Issuer-key.pem \ + --cacert `pwd`/certs/cacert.pem | `pwd`/parseCertServiceResponse.sh "kur" + +send-certification-request: verify-initialization-request-files-exist + @echo "##### Generate CSR and Key #####" + openssl req -new -newkey rsa:2048 -nodes -keyout `pwd`/compose-resources/certs-from-curl/cr.key \ + -out `pwd`/compose-resources/certs-from-curl/cr.csr \ + -subj "/C=US/ST=California/L=San-Francisco/O=ONAP/OU=Linux-Foundation/CN=new-onap.org" \ + -addext "subjectAltName = DNS:test.onap.org" + @echo "##### Send Key Update Request #####" + curl -sN https://localhost:8443/v1/certificate-update/RA -H "PK: $$(cat ./compose-resources/certs-from-curl/cr.key | base64 | tr -d \\n)" \ + -H "CSR: $$(cat ./compose-resources/certs-from-curl/cr.csr | base64 | tr -d \\n)" \ + -H "OLD_PK: $$(cat ./compose-resources/certs-from-curl/ir.key | base64 | tr -d \\n)" \ + -H "OLD_CERT: $$(cat ./compose-resources/certs-from-curl/ir-cert.pem | base64 | tr -d \\n)" \ + --cert `pwd`/certs/cmpv2Issuer-cert.pem \ + --key `pwd`/certs/cmpv2Issuer-key.pem \ + --cacert `pwd`/certs/cacert.pem | `pwd`/parseCertServiceResponse.sh "cr" + +verify-initialization-request-files-exist: + ifeq (,$(wildcard compose-resources/certs-from-curl/ir.key)) + ifeq (,$(wildcard compose-resources/certs-from-curl/ir-cert.pem)) + $(error Execute send-initialization-request first) + endif + endif @@ -54,6 +54,90 @@ make run-client make stop-backend ``` +### Generating certificates via REST Api +#### Requirements +* OpenSSL +* cURL +* jq (for parseCertServiceResponse.sh script) +#### Initialization Request +1. Create Certificate Signing Request and Private Key +``` +openssl req -new -newkey rsa:2048 -nodes -keyout ./compose-resources/certs-from-curl/ir.key \ + -out ./compose-resources/certs-from-curl/ir.csr \ + -subj "/C=US/ST=California/L=San-Francisco/O=ONAP/OU=Linux-Foundation/CN=onap.org" \ + -addext "subjectAltName = DNS:test.onap.org" +``` +2. Send Initialization Request +``` +curl -s https://localhost:8443/v1/certificate/RA -H "PK: $(cat ./compose-resources/certs-from-curl/ir.key | base64 | tr -d \\n)" \ + -H "CSR: $(cat ./compose-resources/certs-from-curl/ir.csr | base64 | tr -d \\n)" \ + --cert ./certs/cmpv2Issuer-cert.pem \ + --key ./certs/cmpv2Issuer-key.pem \ + --cacert ./certs/cacert.pem +``` +to parse the response pipe the output to `parseCertserviceResponse.sh` script, providing prefix as argument +``` +curl -sN https://localhost:8443/v1/certificate/RA -H "PK: $(cat ./compose-resources/certs-from-curl/ir.key | base64 | tr -d \\n)" \ + -H "CSR: $(cat ./compose-resources/certs-from-curl/ir.csr | base64 | tr -d \\n)" \ + --cert ./certs/cmpv2Issuer-cert.pem \ + --key ./certs/cmpv2Issuer-key.pem \ + --cacert ./certs/cacert.pem | `pwd`/parseCertServiceResponse.sh "ir" +``` + +#### Update Request +1. Create Certificate Signing Request and Private Key - same as for Initialization Request. +When CSR data (like Subject and SANS) is unchanged, Key Update Request will be performed. +Otherwise Certification Request will be performed. +Example for KUR: +``` +openssl req -new -newkey rsa:2048 -nodes -keyout ./compose-resources/certs-from-curl/kur.key \ +-out ./compose-resources/certs-from-curl/kur.csr \ +-subj "/C=US/ST=California/L=San-Francisco/O=ONAP/OU=Linux-Foundation/CN=onap.org" \ +-addext "subjectAltName = DNS:test.onap.org" +``` +Example for CR: +``` +openssl req -new -newkey rsa:2048 -nodes -keyout ./compose-resources/certs-from-curl/cr.key \ +-out ./compose-resources/certs-from-curl/cr.csr \ +-subj "/C=US/ST=California/L=San-Francisco/O=ONAP/OU=Linux-Foundation/CN=new-onap.org" \ +-addext "subjectAltName = DNS:test.onap.org" +``` +2. Send Update Request. +Example for KUR: +``` +curl -sN https://localhost:8443/v1/certificate-update/RA -H "PK: $(cat ./compose-resources/certs-from-curl/kur.key | base64 | tr -d \\n)" \ + -H "CSR: $(cat ./compose-resources/certs-from-curl/kur.csr | base64 | tr -d \\n)" \ + -H "OLDPK: $(cat ./compose-resources/certs-from-curl/ir.key | base64 | tr -d \\n)" \ + -H "OLDCERT: $(cat ./compose-resources/certs-from-curl/ir-cert.pem | base64 | tr -d \\n)" \ + --cert ./certs/cmpv2Issuer-cert.pem \ + --key ./certs/cmpv2Issuer-key.pem \ + --cacert ./certs/cacert.pem | `pwd`/parseCertServiceResponse.sh "kur" +``` +Example CR: +``` +curl -sN https://localhost:8443/v1/certificate-update/RA -H "PK: $$(cat ./compose-resources/certs-from-curl/cr.key | base64 | tr -d \\n)" \ + -H "CSR: $$(cat ./compose-resources/certs-from-curl/cr.csr | base64 | tr -d \\n)" \ + -H "OLD_PK: $$(cat ./compose-resources/certs-from-curl/ir.key | base64 | tr -d \\n)" \ + -H "OLD_CERT: $$(cat ./compose-resources/certs-from-curl/ir-cert.pem | base64 | tr -d \\n)" \ + --cert ./certs/cmpv2Issuer-cert.pem \ + --key ./certs/cmpv2Issuer-key.pem \ + --cacert ./certs/cacert.pem | `pwd`/parseCertServiceResponse.sh "cr" +``` + +#### Using makefile +1. Perform Initialization Request: +``` +make send-initialization-request +``` +2. Perform Update Request: +``` +make send-key-update-request +``` +or: +``` +make send-certification-request +``` + ### OOM CertService CSITs #### CSIT repository ``` diff --git a/certService/src/main/resources/application.properties b/certService/src/main/resources/application.properties index a7f5eea8..8698a314 100644 --- a/certService/src/main/resources/application.properties +++ b/certService/src/main/resources/application.properties @@ -10,6 +10,9 @@ springdoc.swagger-ui.path=/docs # OOM CertService app specific configuration app.config.path=/etc/onap/oom/certservice +# HTTP Configuration +server.max-http-header-size=16384 + # Mutual TLS configuration server.ssl.enabled=true server.ssl.client-auth=need diff --git a/parseCertServiceResponse.sh b/parseCertServiceResponse.sh new file mode 100755 index 00000000..dff867fa --- /dev/null +++ b/parseCertServiceResponse.sh @@ -0,0 +1,4 @@ +#!/bin/bash +read -r RESPONSE +echo "$RESPONSE" | jq -r '.certificateChain[]' > ./compose-resources/certs-from-curl/$1-cert.pem +echo "$RESPONSE" | jq -r '.trustedCertificates[]' > ./compose-resources/certs-from-curl/$1-cacert.pem |