With the latest urllib3 the CN match is no longer used for hostname verification; instead the use of subjectAltName is required. With openssl 3.3.1 this needs to be handled with both an additional parameter when generating the cert/request and also some new configuration for the ssl.cnf. It is also necessary to have extensions copied so the SAN information is preserved down the cert chain. Signed-off-by: William Douglas <william.douglas@intel.com>
#!/bin/bash
# Copyright (C) 2019 Intel Corporation
# SPDX-License-Identifier: Apache-2.0
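# Generate a Koji client certificate for one user, signed by the local CA.
#
# Arguments:
#   $1 - Koji user name; used as the basename of every file written
#   $2 - optional X.509 subject passed to `openssl req -subj`; when empty the
#        subject is taken from ssl.cnf / the interactive prompt, as before
#   $3 - optional extension passed to `openssl req -addext` (e.g. a
#        subjectAltName, which modern TLS clients require instead of the CN);
#        only used together with $2
#
# Outputs (relative to the CA directory the script is run from):
#   private/<user>.key, certs/<user>.csr, certs/<user>.crt,
#   <user>.pem (cert + key bundle) and certs/<user>_browser_cert.p12
#
# Reads: ssl.cnf, private/koji_ca_cert.key, koji_ca_cert.crt
#
# The script now stops at the first failing openssl step, so a failed CSR or
# signing step no longer leaves a .pem holding a key with no valid cert.
set -euo pipefail

die() { printf '%s\n' "$*" >&2; exit 1; }

# ${N-} keeps the optional arguments optional under `set -u`.
KOJI_USER="${1-}"
CERT_SUBJECT="${2-}"
CERT_EXT="${3-}"

# The user name is spliced into paths under private/ and certs/; refuse an
# empty name or one that would escape those directories.
[[ -n "$KOJI_USER" ]] || die "usage: ${0##*/} KOJI_USER [CERT_SUBJECT [CERT_EXT]]"
case "$KOJI_USER" in
  */*) die "KOJI_USER must not contain '/': $KOJI_USER" ;;
esac

user_key="private/${KOJI_USER}.key"
user_csr="certs/${KOJI_USER}.csr"
user_crt="certs/${KOJI_USER}.crt"
user_pem="${KOJI_USER}.pem"
user_p12="certs/${KOJI_USER}_browser_cert.p12"

openssl genrsa -out "$user_key" 2048

# Optional -subj/-addext are collected in an array so no empty argument is
# ever handed to openssl.
req_args=()
if [[ -n "$CERT_SUBJECT" ]]; then
  req_args+=(-subj "$CERT_SUBJECT")
  if [[ -n "$CERT_EXT" ]]; then
    req_args+=(-addext "$CERT_EXT")
  else
    # Without an extension the CSR carries no subjectAltName; clients that
    # ignore the CN for hostname verification will reject the result.
    printf 'warning: no CERT_EXT given, CSR for %s will have no subjectAltName\n' "$KOJI_USER" >&2
  fi
fi
# ${arr[@]+"${arr[@]}"} expands to nothing for an empty array without
# tripping `set -u` on bash < 4.4.
openssl req ${req_args[@]+"${req_args[@]}"} -config ssl.cnf -new -nodes -out "$user_csr" -key "$user_key"

openssl ca -batch -config ssl.cnf -keyfile private/koji_ca_cert.key -cert koji_ca_cert.crt -out "$user_crt" -outdir certs -infiles "$user_csr"

# The .pem bundles the private key, so keep it owner-only: a plain redirect
# would inherit the caller's umask, and a pre-existing file keeps its mode.
( umask 077; cat "$user_crt" "$user_key" > "$user_pem" )
chmod 600 -- "$user_pem"

# Browser certificate is not password-protected, ask users to change their password
openssl pkcs12 -export -inkey "$user_key" -in "$user_crt" -CAfile koji_ca_cert.crt -out "$user_p12" -passout pass: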