From 5041858954133d19ee30cd3e12b85741467dee6b Mon Sep 17 00:00:00 2001
From: Federico Stagni
Date: Wed, 26 Feb 2025 17:00:11 +0100
Subject: [PATCH] feat: added pilot certificate

---
 certificates-generation/Dockerfile | 1 +
 certificates-generation/entrypoint.sh | 28 ++++++++++++++++++-
 .../openssl_config_host.cnf | 3 --
 .../openssl_config_pilot.cnf | 20 +++++++++++++
 4 files changed, 48 insertions(+), 4 deletions(-)
 create mode 100644 certificates-generation/openssl_config_pilot.cnf

diff --git a/certificates-generation/Dockerfile b/certificates-generation/Dockerfile
index 7f3aad4..9e659ef 100644
--- a/certificates-generation/Dockerfile
+++ b/certificates-generation/Dockerfile
@@ -20,6 +20,7 @@ RUN chmod 700 /ca/private && \
 COPY openssl_config_ca.cnf /ca/openssl_config_ca.cnf
 COPY openssl_config_host.cnf /ca/openssl_config_host.cnf
 COPY openssl_config_user.cnf /ca/openssl_config_user.cnf
+COPY openssl_config_pilot.cnf /ca/openssl_config_pilot.cnf
 
 # Generate CA private key and certificate
 RUN openssl genrsa -out /ca/private/ca.key 2048
diff --git a/certificates-generation/entrypoint.sh b/certificates-generation/entrypoint.sh
index 5b3f3b7..6ad77c4 100644
--- a/certificates-generation/entrypoint.sh
+++ b/certificates-generation/entrypoint.sh
@@ -29,7 +29,7 @@ if ! openssl ca -config /ca/openssl_config_ca.cnf \
 exit 1
 fi
 
-### User
+### User (for DIRAC client)
 
 if ! openssl genrsa -out /ca/certs/client.key 2048; then
 echo "Failed to generate user private key"
@@ -55,6 +55,32 @@ if ! openssl ca -config /ca/openssl_config_ca.cnf \
 exit 1
 fi
 
+### DIRAC Pilot
+
+if ! openssl genrsa -out /ca/certs/pilot.key 2048; then
+ echo "Failed to generate pilot private key"
+ exit 1
+fi
+chmod 400 pilot.key
+
+if ! openssl req -config /ca/openssl_config_pilot.cnf \
+ -key /ca/certs/pilot.key \
+ -new \
+ -out /ca/requests/pilot.req; then
+ echo "Failed to generate pilot certificate signing request"
+ exit 1
+fi
+
+if ! openssl ca -config /ca/openssl_config_ca.cnf \
+ -extensions usr_cert \
+ -batch \
+ -days 5 \
+ -in /ca/requests/pilot.req \
+ -out /ca/certs/pilot.pem; then
+ echo "Failed to generate pilot certificate"
+ exit 1
+fi
+
 ###
 
 echo "DIRAC Certificates generated and available in /ca/certs"
diff --git a/certificates-generation/openssl_config_host.cnf b/certificates-generation/openssl_config_host.cnf
index 853d946..94ce8e3 100644
--- a/certificates-generation/openssl_config_host.cnf
+++ b/certificates-generation/openssl_config_host.cnf
@@ -1,6 +1,3 @@
-# OpenSSL root CA configuration file
-
-
 [ req ]
 # Options for the `req` tool (`man req`).
 default_bits = 2048
diff --git a/certificates-generation/openssl_config_pilot.cnf b/certificates-generation/openssl_config_pilot.cnf
new file mode 100644
index 0000000..b9944de
--- /dev/null
+++ b/certificates-generation/openssl_config_pilot.cnf
@@ -0,0 +1,20 @@
+[ req ]
+default_bits = 2048
+encrypt_key = yes
+distinguished_name = req_dn
+prompt = no
+req_extensions = v3_req
+
+# Generates the following subject
+# Subject: O=DIRAC CI, O=CERN, CN=pilot
+[ req_dn ]
+C = ch
+O = DIRAC
+OU = DIRAC CI
+CN = pilot
+
+[ v3_req ]
+# Extensions for client certificates (`man x509v3_config`).
+nsComment = "OpenSSL Generated Client Certificate"
+keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage = clientAuth
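Review bot: `chmod 400 pilot.key` uses a relative path, but the key was just written to `/ca/certs/pilot.key`, so unless the working directory happens to be /ca/certs the chmod misses the key (or touches an unrelated file of the same name), and because its status is not checked the script continues and still reports success with the private key left at the default umask permissions. Change it to `chmod 400 /ca/certs/pilot.key || { echo "Failed to restrict pilot private key permissions"; exit 1; }` so it is checked like the openssl steps around it. Note also that `-extensions usr_cert` takes the extension set from the CA config rather than the `v3_req` section defined in openssl_config_pilot.cnf; that looks intentional given the user section above, but a one-line comment saying so would avoid a future reader "fixing" it. The enclosing script starts and ends outside this hunk.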
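Review bot: The `# Subject:` comment above `[ req_dn ]` does not describe the DN the section actually produces: the fields below yield `C=ch, O=DIRAC, OU=DIRAC CI, CN=pilot`, whereas the comment claims `O=DIRAC CI, O=CERN, CN=pilot`. Replace it with `# Subject: C=ch, O=DIRAC, OU=DIRAC CI, CN=pilot`, and consider `C = CH`, since the country attribute is conventionally the upper-case ISO code. `encrypt_key = yes` also appears to have no effect here, because entrypoint.sh hands `openssl req` an already generated key via `-key` rather than letting `req` create one; either drop it or add a comment that it only applies if `req` is ever asked to generate the key itself.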