48 lines
1.3 KiB
Bash
48 lines
1.3 KiB
Bash
|
#!/usr/bin/env bash
|
||
|
|
||
|
set -xo pipefail
|
||
|
|
||
|
# update_csr will add the sans_ip to the csr
|
||
|
update_csr() {
|
||
|
local sans_ip="$1"
|
||
|
local csr_file="$2"
|
||
|
sed -i "/\"hosts\".*/a \ \"${sans_ip}\"," "${csr_file}"
|
||
|
}
|
||
|
|
||
|
# cleanup will remove unneeded files
|
||
|
cleanup() {
|
||
|
rm -rf ca-key.pem ca.csr ca.pem server.csr server.pem
|
||
|
}
|
||
|
|
||
|
# gen will generate the key and bundle
|
||
|
gen() {
|
||
|
local bundle_destination="$1"
|
||
|
local key_destination="$2"
|
||
|
cfssl gencert -initca /code/tls/csr.json | cfssljson -bare ca -
|
||
|
cfssl gencert -config /code/tls/ca-config.json -ca ca.pem -ca-key ca-key.pem -profile server /code/tls/csr.json | cfssljson -bare server
|
||
|
cat server.pem ca.pem >"${bundle_destination}"
|
||
|
mv server-key.pem "${key_destination}"
|
||
|
}
|
||
|
|
||
|
# main orchestrates the process
|
||
|
main() {
|
||
|
local sans_ip="$1"
|
||
|
local csr_file="/code/tls/csr.json"
|
||
|
local bundle_file="/certs/${FACILITY:-onprem}/bundle.pem"
|
||
|
local server_key_file="/certs/${FACILITY:-onprem}/server-key.pem"
|
||
|
|
||
|
if ! grep -q "${sans_ip}" "${csr_file}"; then
|
||
|
update_csr "${sans_ip}" "${csr_file}"
|
||
|
else
|
||
|
echo "IP ${sans_ip} already in ${csr_file}"
|
||
|
fi
|
||
|
if [ ! -f "${bundle_file}" ] && [ ! -f "${server_key_file}" ]; then
|
||
|
gen "${bundle_file}" "${server_key_file}"
|
||
|
else
|
||
|
echo "Files [${bundle_file}, ${server_key_file}] already exist"
|
||
|
fi
|
||
|
cleanup
|
||
|
}
|
||
|
|
||
|
main "$1"
|