Tentatively store certutil

Commit to repository, even though not yet used. It is likely to be renamed. The purpose is to help generate an appropriate self signed cert for https including all the ip addresses as subject alternative names so that names or addresses may be used with installers that have had the cert injected.
2024-11-22 09:32:21 +00:00 · 2018-12-11 13:51:46 -05:00 · 2018-12-11 13:51:46 -05:00 · 8a03bc48de
commit 8a03bc48de
parent 5831be091a
1 changed files with 50 additions and 0 deletions
--- a/confluent_server/bin/confluentcertutil.py
+++ b/confluent_server/bin/confluentcertutil.py
@ -0,0 +1,50 @@
+import shutil
+import socket
+import subprocess
+import tempfile
+
+def get_openssl_conf_location():
+    # CentOS/RHAT
+    return '/etc/pki/tls/openssl.cnf'
+
+def get_ip_addresses():
+    lines = subprocess.check_output('ip addr'.split(' '))
+    for line in lines.split('\n'):
+        if line.startswith('    inet6 '):
+            line = line.replace('    inet6 ', '').split('/')[0]
+            if line.startswith('fe80::'):
+                continue
+            if line == '::1':
+                continue
+        elif line.startswith('    inet '):
+            line = line.replace('    inet ', '').split('/')[0]
+            if line == '127.0.0.1':
+                continue
+            if line.startswith('169.254.'):
+                continue
+        else:
+            continue
+        yield line
+
+def create_certificate():
+    shortname = socket.gethostname().split('.')[0]
+    longname = socket.getfqdn()
+    subprocess.check_call(
+        'openssl ecparam -name secp384r1 -genkey -out privkey.pem'.split(' '))
+    san = ['IP:{0}'.format(x) for x in get_ip_addresses()]
+    san.append('DNS:{0}'.format(shortname))
+    san.append('DNS:{0}'.format(longname))
+    san = ','.join(san)
+    sslcfg = get_openssl_conf_location()
+    tmpconfig = tempfile.mktemp()
+    shutil.copy2(sslcfg, tmpconfig)
+    with open(tmpconfig, 'a') as cfgfile:
+        cfgfile.write('\n[SAN]\nsubjectAltName={0}'.format(san))
+    subprocess.check_call(
+        'openssl req -new -x509 -key privkey.pem -days 7300 -out cert.pem '
+        '-subj /CN={0} -extensions SAN '
+        '-config {1}'.format(longname, tmpconfig).split(' ')
+    )
+
+if __name__ == '__main__':
+    create_certificate()