Added subject alternative names with list of

physical ip's and vip's in the certificates, so that the same certificate can be used to secure all the ip's of keystone nodes and their vips, similarly for all api-servers ip's and their vip's. Change-Id: I964763ae73ce46e2f8f7459ec69640851a480887 Closes-Bug: 1663076
Juniper · Feb 23, 2017 · 889ab50 · 889ab50
1 parent 1176587
commit 889ab50
Show file tree

Hide file tree

Showing 4 changed files with 31 additions and 11 deletions.
diff --git a/contrail_provisioning/common/scripts/create-ssl-certs.sh b/contrail_provisioning/common/scripts/create-ssl-certs.sh
@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/bin/bash
 #
 # Copyright (c) 2016 Juniper Networks, Inc. All rights reserved.
 #
@@ -19,7 +19,7 @@ fi
   TOUCH="/bin/touch"
   RM="/bin/rm"
   CP="/bin/cp"
-  ECHO="/bin/echo"
+  ECHO="/bin/echo -e"
   CAT="/bin/cat"
   CHOWN="/bin/chown"
 }
@@ -28,6 +28,14 @@ argc=$#
 NODE_IP=$1
 SSL_PATH=$2
 CERT_FILE_PREFIX=$3
+SAN=$4
+
+SANS=$SAN,$NODE_IP
+IFS=',' read -ra SAN_LIST <<< "$SANS"
+for i in "${!SAN_LIST[@]}"; do
+    SAN_IPS=$(echo "$SAN_IPS\nIP.$(($i+1)) = ${SAN_LIST[$i]}")
+done
+
 
 main() {
     if [ "$argc" -lt 3 ]; then
@@ -63,18 +71,18 @@ main() {
     $MKDIR certs
 	$TOUCH database.txt database.txt.attr serial.txt
 	$ECHO 01 > serial.txt
-	$OPENSSL ca -policy policy_anything -config cfg/openssl.cfg -cert cacert/ca.cer -in req/client.csr -keyfile key/privatep8.key -days 3650 -out certs/client.crt -batch
+	$OPENSSL ca -policy policy_anything -config cfg/openssl.cfg -cert cacert/ca.cer -in req/client.csr -keyfile key/privatep8.key -days 3650 -extensions v3_req -out certs/client.crt -batch
 
 	$RM -f database.*
 	$TOUCH database.txt database.txt.attr 
-    $OPENSSL ca -policy policy_anything -config cfg/openssl.cfg -cert cacert/ca.cer -in req/server.csr -keyfile key/privatep8.key -days 3650 -out certs/server.crt -batch
+    $OPENSSL ca -policy policy_anything -config cfg/openssl.cfg -cert cacert/ca.cer -in req/server.csr -keyfile key/privatep8.key -days 3650 -extensions v3_req -out certs/server.crt -batch
     $RM -f database.*
     $RM -f serial.txt 
 #Convert from PEM to DER both Ca cert and Ca signed Cert
 
-	$OPENSSL x509 -in certs/client.crt -inform PEM -outform DER -out client.der
+	$OPENSSL x509 -in certs/client.crt -inform PEM -outform DER -out client.der -extensions v3_req
 
-	$OPENSSL x509 -in cacert/ca.cer -inform PEM -outform DER -out ca.der
+	$OPENSSL x509 -in cacert/ca.cer -inform PEM -outform DER -out ca.der -extensions v3_req
 
 #Create Root and server pem files 
 
@@ -149,6 +157,7 @@ default_keyfile                 = privkey.pem
 distinguished_name              = req_distinguished_name
 attributes                      = req_attributes
 x509_extensions = v3_ca # The extentions to add to the self signed cert
+req_extensions = v3_req
 [ req_distinguished_name ]
 countryName                             = Country Name (2 letter code)
 countryName_min                         = 2
@@ -170,6 +179,15 @@ emailAddress                            = Email Address
 emailAddress_default                    = admin@juniper.com
 emailAddress_max                        = 40
 
+[ v3_req ]
+# Extensions to add to a certificate request
+basicConstraints = CA:true
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+subjectAltName = @alt_names
+
+[alt_names]
+$SAN_IPS
+
 # SET-ex3                               = SET extension number 3
 [ req_attributes ]
 challengePassword                       = A challenge password

diff --git a/contrail_provisioning/config/openstack.py b/contrail_provisioning/config/openstack.py
@@ -161,7 +161,7 @@ def build_ctrl_details(self):
                     '/etc/neutron/ssl/certs/')
             ctrl_infos.append('KEYSTONE_CERTFILE=%s' % certfile)
             ctrl_infos.append('KEYSTONE_KEYFILE=%s' % certfile)
-            ctrl_infos.append('KEYSTONE_CAFILE=%s' % certfile)
+            ctrl_infos.append('KEYSTONE_CAFILE=%s' % cafile)
 
         self.update_vips_in_ctrl_details(ctrl_infos)
 

diff --git a/contrail_provisioning/config/scripts/create-api-ssl-certs.sh b/contrail_provisioning/config/scripts/create-api-ssl-certs.sh
@@ -6,14 +6,15 @@
 
 argc=$#
 API_VIP=$1
+SANS=$2
 SSL_PATH=/etc/contrail/ssl/
 CERT_FILE_PREFIX=contrail
 
 if [ "$argc" -eq 0 ]; then
     echo "Usage: $0 API_VIP";
-    echo "Example: $0 10.1.1.100";
+    echo "Example: $0 10.1.1.100 20.1.1.100,10.1.1.1,20.1.1.1";
     exit 1;
 fi
 
 #Generate Certs
-create-ssl-certs.sh $API_VIP $SSL_PATH $CERT_FILE_PREFIX
+create-ssl-certs.sh $API_VIP $SSL_PATH $CERT_FILE_PREFIX $SANS
diff --git a/contrail_provisioning/openstack/scripts/create-keystone-ssl-certs.sh b/contrail_provisioning/openstack/scripts/create-keystone-ssl-certs.sh
@@ -5,14 +5,15 @@
 # Script to generate Self Signed Certificates for keystone
 argc=$#
 KEYSTONE_VIP=$1
+SANS=$2
 SSL_PATH=/etc/keystone/ssl/
 CERT_FILE_PREFIX=keystone
 
 if [ "$argc" -eq 0 ]; then
     echo "Usage: $0 KEYSTONE_VIP";
-    echo "Example: $0 10.1.1.100";
+    echo "Example: $0 10.1.1.100 20.1.1.100,10.1.1.1,20.1.1.1";
     exit 1;
 fi
 
 #Generate Certs
-create-ssl-certs.sh $KEYSTONE_VIP $SSL_PATH $CERT_FILE_PREFIX
+create-ssl-certs.sh $KEYSTONE_VIP $SSL_PATH $CERT_FILE_PREFIX $SANS