#!/bin/bash -eu # Licensed to the Apache Software Foundation (ASF) under one or more # contributor license agreements. See the NOTICE file distributed with # this work for additional information regarding copyright ownership. # The ASF licenses this file to You under the Apache License, Version 2.0 # (the "License"); you may not use this file except in compliance with # the License. You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. cd /tls FILE_CHECK_IF_RAN=/tls/server.key if [ -f "$FILE_CHECK_IF_RAN" ]; then echo "Using existing certs/keys since /tls/server.key exists. Skipping generation (most likely this script was ran previously). To generate new certs, delete /tls/server.key" exit fi rm -f cert_db.txt touch cert_db.txt export DOCKER_IP=$(cat /docker_ip) export MY_HOSTNAME=$(hostname) export MY_IP=$(hostname -i) cat < csr.conf [req] default_bits = 1024 prompt = no default_md = sha256 req_extensions = req_ext distinguished_name = dn [ dn ] C=DR ST=DR L=Druid City O=Druid OU=IntegrationTests emailAddress=integration-test@druid.apache.org CN = ${MY_IP} [ req_ext ] subjectAltName = @alt_names basicConstraints=CA:FALSE,pathlen:0 [ alt_names ] IP.1 = ${DOCKER_IP} IP.2 = ${MY_IP} IP.3 = 127.0.0.1 DNS.1 = ${MY_HOSTNAME} DNS.2 = localhost EOT # Generate a server certificate for this machine openssl genrsa -out server.key 1024 -sha256 openssl req -new -out server.csr -key server.key -reqexts req_ext -config csr.conf openssl x509 -req -days 3650 -in server.csr -CA root.pem -CAkey root.key -set_serial 0x22222222 -out server.pem -sha256 -extfile csr.conf -extensions req_ext # Create a Java keystore containing the generated certificate openssl pkcs12 -export -in server.pem -inkey server.key -out server.p12 -name druid -CAfile root.pem -caname druid-it-root -password pass:druid123 keytool -importkeystore -srckeystore server.p12 -srcstoretype PKCS12 -destkeystore server.jks -deststoretype JKS -srcstorepass druid123 -deststorepass druid123 # Create a Java truststore with the druid test cluster root CA keytool -import -alias druid-it-root -keystore truststore.jks -file root.pem -storepass druid123 -noprompt # Revoke one of the client certs openssl ca -revoke /client_tls/revoked_client.pem -config root.cnf -cert root.pem -keyfile root.key # Create the CRL openssl ca -gencrl -config root.cnf -cert root.pem -keyfile root.key -out /tls/revocations.crl # Generate empty CRLs for the intermediate cert test case rm -f cert_db2.txt touch cert_db2.txt openssl ca -gencrl -config root2.cnf -cert /client_tls/ca_intermediate.pem -keyfile /client_tls/ca_intermediate.key -out /tls/empty-revocations-intermediate.crl # Append CRLs cat empty-revocations-intermediate.crl >> revocations.crl