Version: 1.3.14

Certificate Generation

The code snippet provided below must be saved as a file. For example, save this script as gencert.sh.

An example invocation of this script looks like ./gencert.sh namespace.

Here, namespace is the namespace into which you install the Certifai Enterprise instance; if it is omitted, the script defaults to certifai.

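#!/bin/bash
# gencert.sh — create a throw-away CA plus TLS certificates for the dex,
# console and policy ingresses and load them into Kubernetes secrets.
#
# Usage: ./gencert.sh [namespace]      (namespace defaults to "certifai")
#
# Requires: kubectl (configured for the target cluster), jq, openssl.
# Writes all material into ./ssl (wiped first) and replaces the secrets
# dex-tls, certifai-console-tls, certifai-policy-tls and certifai-dex-ca
# in the given namespace.
#
# Shell options live here rather than in the shebang: `bash gencert.sh`
# would silently drop `-eu` from a `#!/bin/bash -eu` line.
set -euo pipefail

readonly SSL_DIR=ssl
readonly CERT_DAYS=398
readonly NAMESPACE=${1:-certifai}

# The CA key and the shared server key are written below; keep everything
# under ${SSL_DIR} unreadable to other users on this machine.
umask 077

#######################################
# Write the OpenSSL request config for one service.
# Globals:   SSL_DIR, NAMESPACE (read)
# Arguments: $1 - service host label (dex, console or policy)
#            $2 - load-balancer IP, added as an IP SAN
# Outputs:   ${SSL_DIR}/$1.cnf
#######################################
write_req_cnf() {
  local service=$1 ip=$2
  cat > "${SSL_DIR}/${service}.cnf" <<EOF
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = ${service}.${NAMESPACE}.svc.cluster.local
DNS.2 = kubernetes.docker.internal
IP = ${ip}
EOF
}

#######################################
# Block until the named ingress reports a load-balancer IP, polling every
# 10 seconds. A failing kubectl/jq call (API not reachable yet, ingress not
# created yet) counts as "not ready" instead of aborting the script, so the
# wait is unbounded — interrupt it if the ingress never gets an address.
# Globals:   NAMESPACE (read)
# Arguments: $1 - ingress name
# Outputs:   the IP on stdout; progress messages on stderr
#######################################
wait_for_ingress_ip() {
  local ingress=$1 ip=""
  while [[ -z "$ip" || "$ip" == "null" ]]; do
    echo "Waiting for end point..." >&2
    # Only .ip is read: a load balancer that publishes a hostname instead of
    # an address never satisfies this loop.
    ip=$(kubectl get ingress "$ingress" -o json -n "$NAMESPACE" \
      | jq -r '.status.loadBalancer.ingress[0].ip') || ip=""
    [[ -n "$ip" && "$ip" != "null" ]] || sleep 10
  done
  printf '%s\n' "$ip"
}

#######################################
# Issue one leaf certificate signed by the local CA.
# Globals:   SSL_DIR, CERT_DAYS (read)
# Arguments: $1 - service label; uses ${SSL_DIR}/$1.cnf and the shared key.pem
# Outputs:   ${SSL_DIR}/$1_csr.pem and ${SSL_DIR}/$1_cert.pem
#######################################
issue_cert() {
  local service=$1
  # NOTE(review): the leaf subject reuses the CA's CN ("kube-ca"), as in the
  # original script; the service names are carried by the SANs, so the CN is
  # presumably not relied on by clients — confirm before changing it.
  openssl req -new -key "${SSL_DIR}/key.pem" -out "${SSL_DIR}/${service}_csr.pem" \
    -subj "/CN=kube-ca" -config "${SSL_DIR}/${service}.cnf"
  openssl x509 -req -in "${SSL_DIR}/${service}_csr.pem" \
    -CA "${SSL_DIR}/ca.pem" -CAkey "${SSL_DIR}/ca-key.pem" -CAcreateserial \
    -out "${SSL_DIR}/${service}_cert.pem" -days "$CERT_DAYS" \
    -extensions v3_req -extfile "${SSL_DIR}/${service}.cnf"
}

#######################################
# Replace a secret in $NAMESPACE: delete (ignoring absence) then create,
# because `kubectl create secret` refuses to overwrite an existing secret.
# Globals:   NAMESPACE (read)
# Arguments: $1 - secret name
#            $2 - secret type (tls, generic)
#            remaining arguments are passed to `kubectl create secret`
#######################################
replace_secret() {
  local name=$1 type=$2
  shift 2
  kubectl delete secret --ignore-not-found "$name" -n "$NAMESPACE"
  kubectl create secret "$type" "$name" "$@" -n "$NAMESPACE"
}

main() {
  # Start from an empty directory so keys or the CA serial file from a
  # previous run cannot leak into this one. The path is relative to the
  # current directory; ${SSL_DIR:?} aborts rather than expanding to "/".
  rm -rf -- "${SSL_DIR:?}"
  mkdir -p -- "$SSL_DIR"

  local dex_ip console_ip policy_ip
  dex_ip=$(wait_for_ingress_ip dex)
  printf 'Dex end point ready- %s\n' "$dex_ip"
  write_req_cnf dex "$dex_ip"

  console_ip=$(wait_for_ingress_ip console)
  printf 'Console end point ready- %s\n' "$console_ip"
  write_req_cnf console "$console_ip"

  policy_ip=$(wait_for_ingress_ip policy)
  printf 'Policy end point ready- %s\n' "$policy_ip"
  write_req_cnf policy "$policy_ip"

  # Throw-away CA, then one RSA key shared by the three leaf certificates
  # (as in the original script: every TLS secret carries the same private key).
  openssl genrsa -out "${SSL_DIR}/ca-key.pem" 2048
  openssl req -x509 -new -nodes -key "${SSL_DIR}/ca-key.pem" -days "$CERT_DAYS" \
    -out "${SSL_DIR}/ca.pem" -subj "/CN=kube-ca"
  openssl genrsa -out "${SSL_DIR}/key.pem" 2048

  local service
  for service in dex console policy; do
    issue_cert "$service"
  done

  replace_secret dex-tls tls \
    --cert="${SSL_DIR}/dex_cert.pem" --key="${SSL_DIR}/key.pem"
  replace_secret certifai-console-tls tls \
    --cert="${SSL_DIR}/console_cert.pem" --key="${SSL_DIR}/key.pem"
  replace_secret certifai-policy-tls tls \
    --cert="${SSL_DIR}/policy_cert.pem" --key="${SSL_DIR}/key.pem"
  # The secret key name is the file's basename, i.e. "ca.pem".
  replace_secret certifai-dex-ca generic --from-file="${SSL_DIR}/ca.pem"
}

main "$@"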

Wait 10–15 minutes until all the pods in your namespace have come up.