mirror of
https://github.com/xcat2/confluent.git
synced 2025-01-28 20:07:48 +00:00
114324f513
Some applications require this be set for it to work as an enrolled certificate. Notably UEFI requires this.
56 lines
1.8 KiB
Python
56 lines
1.8 KiB
Python
from os.path import exists
|
|
import shutil
|
|
import socket
|
|
import subprocess
|
|
import tempfile
|
|
|
|
def get_openssl_conf_location():
|
|
if exists('/etc/pki/tls/openssl.cnf'):
|
|
return '/etc/pki/tls/openssl.cnf'
|
|
elif exists('/etc/ssl/openssl.cnf'):
|
|
return '/etc/ssl/openssl.cnf'
|
|
else:
|
|
raise Exception("Cannot find openssl config file")
|
|
|
|
def get_ip_addresses():
|
|
lines = subprocess.check_output('ip addr'.split(' '))
|
|
for line in lines.split('\n'):
|
|
if line.startswith(' inet6 '):
|
|
line = line.replace(' inet6 ', '').split('/')[0]
|
|
if line.startswith('fe80::'):
|
|
continue
|
|
if line == '::1':
|
|
continue
|
|
elif line.startswith(' inet '):
|
|
line = line.replace(' inet ', '').split('/')[0]
|
|
if line == '127.0.0.1':
|
|
continue
|
|
if line.startswith('169.254.'):
|
|
continue
|
|
else:
|
|
continue
|
|
yield line
|
|
|
|
def create_certificate():
|
|
shortname = socket.gethostname().split('.')[0]
|
|
longname = socket.getfqdn()
|
|
subprocess.check_call(
|
|
'openssl ecparam -name secp384r1 -genkey -out privkey.pem'.split(' '))
|
|
san = ['IP:{0}'.format(x) for x in get_ip_addresses()]
|
|
san.append('DNS:{0}'.format(shortname))
|
|
san.append('DNS:{0}'.format(longname))
|
|
san = ','.join(san)
|
|
sslcfg = get_openssl_conf_location()
|
|
tmpconfig = tempfile.mktemp()
|
|
shutil.copy2(sslcfg, tmpconfig)
|
|
with open(tmpconfig, 'a') as cfgfile:
|
|
cfgfile.write('\n[SAN]\nbasicConstraints = CA:true\nsubjectAltName={0}'.format(san))
|
|
subprocess.check_call(
|
|
'openssl req -new -x509 -key privkey.pem -days 7300 -out cert.pem '
|
|
'-subj /CN={0} -extensions SAN '
|
|
'-config {1}'.format(longname, tmpconfig).split(' ')
|
|
)
|
|
|
|
if __name__ == '__main__':
|
|
create_certificate()
|