From 8a03bc48deb692117a6fbe95fe90f47ac5da1239 Mon Sep 17 00:00:00 2001
From: Jarrod Johnson
Date: Tue, 11 Dec 2018 13:51:46 -0500
Subject: [PATCH] Tentatively store certutil

Commit to repository, even though not yet used. It is likely to be renamed. The purpose is to help generate an appropriate self signed cert for https including all the ip addresses as subject alternative names so that names or addresses may be used with installers that have had the cert injected.
---
 confluent_server/bin/confluentcertutil.py | 50 +++++++++++++++++++++++
 1 file changed, 50 insertions(+)
 create mode 100644 confluent_server/bin/confluentcertutil.py

diff --git a/confluent_server/bin/confluentcertutil.py b/confluent_server/bin/confluentcertutil.py
new file mode 100644
index 00000000..3dab5306
--- /dev/null
+++ b/confluent_server/bin/confluentcertutil.py
@@ -0,0 +1,50 @@
+import shutil
+import socket
+import subprocess
+import tempfile
+
+def get_openssl_conf_location():
+    # CentOS/RHAT
+    return '/etc/pki/tls/openssl.cnf'
+
+def get_ip_addresses():
+    lines = subprocess.check_output('ip addr'.split(' '))
+    for line in lines.split('\n'):
+        if line.startswith(' inet6 '):
+            line = line.replace(' inet6 ', '').split('/')[0]
+            if line.startswith('fe80::'):
+                continue
+            if line == '::1':
+                continue
+        elif line.startswith(' inet '):
+            line = line.replace(' inet ', '').split('/')[0]
+            if line == '127.0.0.1':
+                continue
+            if line.startswith('169.254.'):
+                continue
+        else:
+            continue
+        yield line
+
+def create_certificate():
+    shortname = socket.gethostname().split('.')[0]
+    longname = socket.getfqdn()
+    subprocess.check_call(
+        'openssl ecparam -name secp384r1 -genkey -out privkey.pem'.split(' '))
+    san = ['IP:{0}'.format(x) for x in get_ip_addresses()]
+    san.append('DNS:{0}'.format(shortname))
+    san.append('DNS:{0}'.format(longname))
+    san = ','.join(san)
+    sslcfg = get_openssl_conf_location()
+    tmpconfig = tempfile.mktemp()
+    shutil.copy2(sslcfg, tmpconfig)
+    with open(tmpconfig, 'a') as cfgfile:
+        cfgfile.write('\n[SAN]\nsubjectAltName={0}'.format(san))
+    subprocess.check_call(
+        'openssl req -new -x509 -key privkey.pem -days 7300 -out cert.pem '
+        '-subj /CN={0} -extensions SAN '
+        '-config {1}'.format(longname, tmpconfig).split(' ')
+    )
+
+if __name__ == '__main__':
+    create_certificate()
\ No newline at end of file
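Review bot: `tmpconfig = tempfile.mktemp()` followed by `shutil.copy2(sslcfg, tmpconfig)` in create_certificate is a predictable-name race (another local user can pre-create that path before the copy lands on it), and the temporary config is never removed; `tempfile.mkstemp()` creates the file atomically with mode 0600, and a `try/finally` can unlink it once the `openssl req` call has consumed it. In the same function the `openssl ecparam ... -out privkey.pem` call writes the private key with whatever the process umask allows, which on a default umask is world-readable, so the umask should be tightened around that call (or the file chmod'ed to 0600 afterwards) since this key is the one the HTTPS endpoint will present. Separately, `lines.split('\n')` in get_ip_addresses will fail on the bytes that check_output returns if this module is ever run under Python 3; passing `universal_newlines=True` or decoding the output would cover both interpreters. The rewrite below needs `import os` added to the module's import block.

```python
def create_certificate():
    # … unchanged: shortname / longname lookup …
    # Tighten the umask so the key file openssl writes is owner-readable only.
    oldmask = os.umask(0o077)
    try:
        subprocess.check_call(
            'openssl ecparam -name secp384r1 -genkey -out privkey.pem'.split(' '))
    finally:
        os.umask(oldmask)
    # … unchanged: SAN list assembly and sslcfg lookup …
    # mkstemp() creates the file atomically (mode 0600); mktemp() only picks a name.
    fd, tmpconfig = tempfile.mkstemp()
    try:
        with os.fdopen(fd, 'w') as cfgfile:
            with open(sslcfg) as basecfg:
                cfgfile.write(basecfg.read())
            cfgfile.write('\n[SAN]\nsubjectAltName={0}'.format(san))
        # … unchanged: openssl req check_call …
    finally:
        os.unlink(tmpconfig)
```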