Merge pull request #252 from neuralinternet/ssl-cert-script-update

feat: refactor certificate generation script to use temporary extensions file
neuralinternet · Jan 16, 2025 · 07b5bf4 · 07b5bf4
2 parents 383741f + e9ca277
commit 07b5bf4
Showing 1 changed file with 15 additions and 8 deletions.
diff --git a/cert/gen_ca.sh b/cert/gen_ca.sh
@@ -25,8 +25,8 @@ echo "2.2 Use the server private key to generate a certificate generation reques
 openssl req -new -key server.key -out server.req -sha256 -subj "/C=US/ST=NY/CN=server.neuralinternet.ai/O=NI"
 
 echo "2.3 Use the certificate generation request and the CA cert to generate the server cert."
-openssl x509 -req -in server.req -CA ca.cer -CAkey ca.key -CAcreateserial -set_serial 100 -days "$ca_cert_expire_days" -outform PEM -passin pass:"$pem_password" -out server.cer -sha256 -extensions v3_req -extfile <(
-cat << EOF
+# Create a temporary extensions file
+cat << EOF > extfile.cnf
 [ v3_req ]
 subjectAltName = @alt_names
 
@@ -35,13 +35,16 @@ IP.1 = 127.0.0.1
 IP.2 = 0.0.0.0
 IP.3 = "$local_ip"
 EOF
-)
 
+openssl x509 -req -in server.req -CA ca.cer -CAkey ca.key -CAcreateserial -set_serial 100 -days "$ca_cert_expire_days" -outform PEM -passin pass:"$pem_password" -out server.cer -sha256 -extensions v3_req -extfile extfile.cnf
+
+# Remove the temporary extensions file
+rm extfile.cnf
 
 echo "2.4 Convert the cer to PEM CRT format"
 openssl x509 -inform PEM -in server.cer -out server.crt
 
-echo "2.5 Clean up – now that the cert has been created, we no longer need the request"
+echo "2.5 Clean up - now that the cert has been created, we no longer need the request"
 rm server.req
 
 #for frontend server
@@ -52,8 +55,8 @@ echo "3.2 Use the client private key to generate a certificate generation reques
 openssl req -new -key client.key -out client.req -subj "/C=US/ST=NY/CN=client.neuralinternet.ai/O=NI"
 
 echo "3.3 Use the certificate generation request and the CA cert to generate the client cert."
-openssl x509 -req -in client.req -CA ca.cer -CAkey ca.key -CAcreateserial -set_serial 101 -days "$ca_cert_expire_days" -outform PEM -out client.cer -passin pass:"$pem_password" -extensions v3_req -extfile <(
-cat << EOF
+# Create a temporary extensions file
+cat << EOF > extfile.cnf
 [ v3_req ]
 subjectAltName = @alt_names
 
@@ -62,13 +65,17 @@ IP.1 = 127.0.0.1
 IP.2 = 0.0.0.0
 IP.3 = "$local_ip"
 EOF
-)
+
+openssl x509 -req -in client.req -CA ca.cer -CAkey ca.key -CAcreateserial -set_serial 101 -days "$ca_cert_expire_days" -outform PEM -out client.cer -passin pass:"$pem_password" -extensions v3_req -extfile extfile.cnf
+
+# Remove the temporary extensions file
+rm extfile.cnf
 
 echo "3.4 Convert the client certificate and private key to pkcs#12 format for use by browsers."
 openssl pkcs12 -export -inkey client.key -in client.cer -out client.p12 -passout pass:"$pem_password"
 
 echo "3.5. Convert the cer to PEM CRT format"
 openssl x509 -inform PEM -in client.cer -out client.crt
 
-echo "3.6. Clean up – now that the cert has been created, we no longer need the request."
+echo "3.6. Clean up - now that the cert has been created, we no longer need the request."
 rm client.req