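#!/bin/sh
# docker entrypoint script
#
# Builds a three-tier certificate chain in $CERT_DIR on first start
# (root CA -> issuer CA -> leaf certificate, plus a PKCS12 keystore and a
# ca.pem bundle). Every step is skipped when its output file already
# exists, so a persistent volume keeps the same chain across restarts.
# Finally execs the command passed to `docker run`.
#
# Required environment:
#   CERT_DIR                      directory receiving all keys/certs
#   ROOT_NAME / ROOT_CN           file basename and subject CN of the root CA
#   ISSUER_NAME / ISSUER_CN       same for the intermediate (issuer) CA
#   PUBLIC_NAME / PUBLIC_CN       same for the served (leaf) certificate
#   KEYSTORE_NAME / KEYSTORE_PASS PKCS12 file basename and password
#   RSA_KEY_NUMBITS               key size handed to openssl genrsa
#   DAYS                          validity, applied to all three certs
#   COUNTRY STATE LOCATION ORGANISATION   remaining subject attributes
# Files ./issuer.ext and ./public.ext (openssl -extfile inputs) are read
# from the current working directory, not from the script's location.
#
# Security note: the root and issuer private keys are written, unencrypted,
# into the same $CERT_DIR as the served key. Anyone who can read that
# volume can mint certificates trusted by every client of ca.pem.

# Stop at the first failed command. Without this a failed openssl step
# leaves a partial chain behind and the container still execs "$@".
set -e

# Refuse to run when a variable that shapes file paths or openssl
# arguments is unset or empty: an unset CERT_DIR would otherwise write the
# keys to "/.key", an empty *_NAME yields ".key"/".crt", and an empty CN
# gives a certificate without a CN (and an empty SAN entry for the leaf).
: "${CERT_DIR:?CERT_DIR must be set}"
: "${ROOT_NAME:?ROOT_NAME must be set}"
: "${ROOT_CN:?ROOT_CN must be set}"
: "${ISSUER_NAME:?ISSUER_NAME must be set}"
: "${ISSUER_CN:?ISSUER_CN must be set}"
: "${PUBLIC_NAME:?PUBLIC_NAME must be set}"
: "${PUBLIC_CN:?PUBLIC_CN must be set}"
: "${KEYSTORE_NAME:?KEYSTORE_NAME must be set}"
: "${RSA_KEY_NUMBITS:?RSA_KEY_NUMBITS must be set}"
: "${DAYS:?DAYS must be set}"
# COUNTRY/STATE/LOCATION/ORGANISATION are deliberately not required:
# openssl is expected to skip (not reject) an empty -subj attribute.
# Values containing "/" would be read as extra attributes by -subj.

# The output directory is usually a volume mount; create it when it is not.
mkdir -p "$CERT_DIR"

# Subject prefix shared by all three tiers; each tier appends its own CN.
SUBJ="/C=$COUNTRY/ST=$STATE/L=$LOCATION/O=$ORGANISATION"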
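if [ ! -f "$CERT_DIR/$ROOT_NAME.crt" ]
then
  # generate root certificate (the self-signed trust anchor)
  # NOTE(review): the check is on the .crt only; an existing .key with a
  # missing .crt is silently replaced, which invalidates any issuer cert
  # previously signed with it.
  ROOT_SUBJ="$SUBJ/CN=$ROOT_CN"
  echo " ---> Generate Root CA private key"
  # Every openssl step is followed by "|| exit 1": a failed step must not
  # fall through to signing with a missing key or certificate.
  openssl genrsa \
    -out "$CERT_DIR/$ROOT_NAME.key" \
    "$RSA_KEY_NUMBITS" || exit 1
  # This key can sign further CAs and certificates that every client
  # trusting ca.pem accepts; make it owner-readable only instead of relying
  # on openssl's/umask's default mode for a new file.
  chmod 600 "$CERT_DIR/$ROOT_NAME.key"
  echo " ---> Generate Root CA certificate request"
  openssl req \
    -new \
    -key "$CERT_DIR/$ROOT_NAME.key" \
    -out "$CERT_DIR/$ROOT_NAME.csr" \
    -subj "$ROOT_SUBJ" || exit 1
  echo " ---> Generate self-signed Root CA certificate"
  # No -extensions/-extfile here: the CA extensions (basicConstraints) come
  # from the x509_extensions section of the image's default openssl.cnf.
  # NOTE(review): confirm the produced certificate carries CA:TRUE; if the
  # image's config differs, pass an explicit -extfile as the issuer step does.
  openssl req \
    -x509 \
    -key "$CERT_DIR/$ROOT_NAME.key" \
    -in "$CERT_DIR/$ROOT_NAME.csr" \
    -out "$CERT_DIR/$ROOT_NAME.crt" \
    -days "$DAYS" || exit 1
else
  echo "ENTRYPOINT: $ROOT_NAME.crt already exists"
fi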
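if [ ! -f "$CERT_DIR/$ISSUER_NAME.crt" ]
then
  # generate issuer (intermediate CA) certificate, signed by the root
  # issuer.ext is resolved relative to the current working directory, not
  # the script; check it up front so a wrong WORKDIR fails with a clear
  # message before any key has been written.
  # NOTE(review): the file is not visible here -- it must set
  # basicConstraints CA:TRUE (and keyUsage keyCertSign) or the leaf signed
  # by this certificate will not verify against ca.pem; confirm its contents.
  [ -f issuer.ext ] || { echo "ENTRYPOINT: issuer.ext not found in $(pwd)" >&2; exit 1; }
  ISSUER_SUBJ="$SUBJ/CN=$ISSUER_CN"
  echo " ---> Generate Issuer private key"
  # "|| exit 1" on every step: a failed step must not fall through to
  # signing the leaf with a missing issuer key or certificate.
  openssl genrsa \
    -out "$CERT_DIR/$ISSUER_NAME.key" \
    "$RSA_KEY_NUMBITS" || exit 1
  # Owner-only: this key signs the served certificate and anything else a
  # holder chooses to mint under the root.
  chmod 600 "$CERT_DIR/$ISSUER_NAME.key"
  echo " ---> Generate Issuer certificate request"
  openssl req \
    -new \
    -key "$CERT_DIR/$ISSUER_NAME.key" \
    -out "$CERT_DIR/$ISSUER_NAME.csr" \
    -subj "$ISSUER_SUBJ" || exit 1
  echo " ---> Generate Issuer certificate"
  # -CAcreateserial writes $ROOT_NAME.srl next to the root cert and bumps
  # it on each signature.
  openssl x509 \
    -req \
    -in "$CERT_DIR/$ISSUER_NAME.csr" \
    -CA "$CERT_DIR/$ROOT_NAME.crt" \
    -CAkey "$CERT_DIR/$ROOT_NAME.key" \
    -out "$CERT_DIR/$ISSUER_NAME.crt" \
    -CAcreateserial \
    -extfile issuer.ext \
    -days "$DAYS" || exit 1
else
  echo "ENTRYPOINT: $ISSUER_NAME.crt already exists"
fi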
# Leaf (served) private key. It is created once and reused on later
# starts, so the certificate generated below stays bound to the same key.
if [ -f "$CERT_DIR/$PUBLIC_NAME.key" ]; then
  echo "ENTRYPOINT: $PUBLIC_NAME.key already exists"
else
  echo " ---> Generate private key"
  openssl genrsa -out "$CERT_DIR/$PUBLIC_NAME.key" "$RSA_KEY_NUMBITS"
fi
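if [ ! -f "$CERT_DIR/$PUBLIC_NAME.crt" ]
then
  # generate public (leaf) certificate, signed by the issuer CA
  # public.ext is read from the current working directory and is expected
  # to end with the [alt_names] section the DNS.1 line below belongs to;
  # check it before writing anything.
  [ -f public.ext ] || { echo "ENTRYPOINT: public.ext not found in $(pwd)" >&2; exit 1; }
  echo " ---> Generate public certificate request"
  PUBLIC_SUBJ="$SUBJ/CN=$PUBLIC_CN"
  openssl req \
    -new \
    -key "$CERT_DIR/$PUBLIC_NAME.key" \
    -out "$CERT_DIR/$PUBLIC_NAME.csr" \
    -subj "$PUBLIC_SUBJ" || exit 1
  # Build the extension file as a temporary copy instead of appending to
  # public.ext in place: appending mutates the file shipped in the image,
  # and every regeneration (e.g. after deleting the .crt) would add one
  # more "DNS.1 = ..." line to it.
  # NOTE(review): PUBLIC_CN is emitted as a DNS SAN; an IP-address CN would
  # need "IP.1 = ..." instead. A CN containing "=", "[" or a newline would
  # be parsed as config syntax -- it is operator-supplied and only checked
  # for emptiness.
  LEAF_EXT=$(mktemp) || exit 1
  cat public.ext > "$LEAF_EXT" || { rm -f "$LEAF_EXT"; exit 1; }
  printf 'DNS.1 = %s\n' "$PUBLIC_CN" >> "$LEAF_EXT"
  echo " ---> Generate public certificate signed by $ISSUER_CN"
  openssl x509 \
    -req \
    -in "$CERT_DIR/$PUBLIC_NAME.csr" \
    -CA "$CERT_DIR/$ISSUER_NAME.crt" \
    -CAkey "$CERT_DIR/$ISSUER_NAME.key" \
    -out "$CERT_DIR/$PUBLIC_NAME.crt" \
    -CAcreateserial \
    -extfile "$LEAF_EXT" \
    -days "$DAYS"
  leaf_status=$?
  # Always drop the temp file, then propagate the signing result.
  rm -f "$LEAF_EXT"
  [ "$leaf_status" -eq 0 ] || exit 1
else
  echo "ENTRYPOINT: $PUBLIC_NAME.crt already exists"
fi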
# CA bundle for clients (and for the keystore's -certfile): issuer
# certificate first, then the root certificate.
# NOTE(review): the bundle is only built when absent, so regenerating the
# root or issuer certificate later leaves an existing ca.pem stale.
if [ -f "$CERT_DIR/ca.pem" ]; then
  echo "ENTRYPOINT: ca.pem already exists"
else
  echo " ---> Generate a combined root and issuer ca.pem"
  cat "$CERT_DIR/$ISSUER_NAME.crt" "$CERT_DIR/$ROOT_NAME.crt" \
    > "$CERT_DIR/ca.pem"
fi
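if [ ! -f "$CERT_DIR/$KEYSTORE_NAME.pfx" ]
then
  # make PKCS12 keystore: leaf certificate + its private key + CA chain
  echo " ---> Generate $KEYSTORE_NAME.pfx"
  # An empty password still yields a keystore, but one anybody with read
  # access can open; say so loudly rather than fail (the file is also
  # chmod 600 below).
  [ -n "$KEYSTORE_PASS" ] || echo "ENTRYPOINT: WARNING KEYSTORE_PASS is empty; $KEYSTORE_NAME.pfx gets an empty password" >&2
  # Hand the password over through the environment (-passout env:NAME)
  # instead of "-password pass:$KEYSTORE_PASS": a command-line argument is
  # readable by every process in the pid namespace via /proc/<pid>/cmdline
  # and ends up in any "set -x" trace. With -export, -password only ever
  # applied to the output, so -passout is equivalent. The per-command
  # assignment makes the variable visible to openssl even if it was never
  # exported.
  KEYSTORE_PASS="$KEYSTORE_PASS" openssl pkcs12 \
    -export \
    -in "$CERT_DIR/$PUBLIC_NAME.crt" \
    -inkey "$CERT_DIR/$PUBLIC_NAME.key" \
    -certfile "$CERT_DIR/ca.pem" \
    -passout env:KEYSTORE_PASS \
    -out "$CERT_DIR/$KEYSTORE_NAME.pfx" || exit 1
  # The keystore contains the private key, protected by the password
  # alone; keep it owner-readable only like the .key files.
  chmod 600 "$CERT_DIR/$KEYSTORE_NAME.pfx"
else
  echo "ENTRYPOINT: $KEYSTORE_NAME.pfx already exists"
fi
# run command passed to docker run (replaces this shell, so the process
# keeps PID 1 and receives container signals directly)
exec "$@"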