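#!/bin/bash
#
# gen_certs.sh - generate a throwaway CA and a CA-signed server certificate
# for the artifact-attestations OPA provider (development / test use).
#
# Environment:
#   NAMESPACE  namespace the provider runs in (default: provider-system)
#   HOST       DNS name placed in the server cert's CN and SAN
#              (default: artifact-attestations-opa-provider.${NAMESPACE})
#
# Outputs, written into ./certs (created if missing):
#   ca.key, ca.crt      CA private key and self-signed CA cert (365 days)
#   tls.key, tls.crt    server private key and CA-signed server cert (180 days)
#   server.csr, ca.srl  intermediate artefacts, left in place
#
set -u
set -e
set -o pipefail

NAMESPACE=${NAMESPACE:-provider-system}
HOST=${HOST:-artifact-attestations-opa-provider.${NAMESPACE}}

# -p makes the directory creation idempotent (replaces the explicit -d test).
mkdir -p certs
# Work inside certs/; pushd/popd output is directory-stack noise, so silence it.
pushd certs >/dev/null

# NOTE(review): the original note here said "only RSA keys appears to be
# supported", yet both keys below are P-256 EC keys -- confirm which key type
# the provider actually accepts before relying on this script.

# Generate the CA key and a self-signed CA certificate.
openssl ecparam -name prime256v1 -genkey -noout -out ca.key
# Private keys must not be readable by other users, whatever the caller's umask.
chmod 600 ca.key
openssl req -new -x509 -sha256 \
  -subj "/O=GitHub Provider dev/CN=GitHub Provider dev Root CA" \
  -key ca.key \
  -out ca.crt \
  -days 365

# Generate the server (provider) key and a CSR for it.
# (-nodes only affects a key generated by req itself; the key is supplied
# with -key here, so it is not needed.)
openssl ecparam -name prime256v1 -genkey -noout -out tls.key
chmod 600 tls.key
openssl req -new \
  -key tls.key \
  -subj "/CN=${HOST}" \
  -out server.csr

# Sign the CSR with the CA. TLS clients match the SAN, not the CN, so the
# SAN must carry HOST; extendedKeyUsage=serverAuth limits the cert to its
# intended role.
# NOTE(review): if clients reach the provider under other names (e.g. an
# in-cluster FQDN), those must be added as further DNS: entries -- confirm
# against the webhook/service configuration.
openssl x509 -req \
  -extfile <(printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "${HOST}") \
  -days 180 \
  -sha256 \
  -in server.csr \
  -CA ca.crt \
  -CAkey ca.key \
  -CAcreateserial \
  -out tls.crt

popd >/dev/null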