Add IP subject alt name to cert gen

remingtonc · remingtonc · commit dd2e3da3000a · 2020-04-10T11:45:31.000-07:00
diff --git a/scripts/gen_certs.sh b/scripts/gen_certs.sh
@@ -4,23 +4,23 @@
 CERT_BASE="certs"
 
 if [ -z $1 ]; then
-    echo "Usage: gen_certs.sh <hostname> [<password>]"
+    echo "Usage: gen_certs.sh <hostname> <ip> [<password>]"
     exit 1
 fi
 
 mkdir -p $CERT_BASE
 
 # Setting up a CA
 openssl genrsa -out $CERT_BASE/rootCA.key 2048
-openssl req -subj /C=/ST=/L=/O=/CN=rootCA -x509 -new -nodes -key $CERT_BASE/rootCA.key -sha256 -out $CERT_BASE/rootCA.pem
+openssl req -subj /C=/ST=/L=/O=/CN=rootCA -x509 -new -nodes -key $CERT_BASE/rootCA.key -sha256 -days 1095 -out $CERT_BASE/rootCA.pem
 
 # Setting up device cert and key
 openssl genrsa -out $CERT_BASE/device.key 2048
 openssl req -subj /C=/ST=/L=/O=/CN=$1 -new -key $CERT_BASE/device.key -out $CERT_BASE/device.csr
-openssl x509 -req -in $CERT_BASE/device.csr -CA $CERT_BASE/rootCA.pem -CAkey $CERT_BASE/rootCA.key -CAcreateserial -out $CERT_BASE/device.crt -sha256
+openssl x509 -req -in $CERT_BASE/device.csr -CA $CERT_BASE/rootCA.pem -CAkey $CERT_BASE/rootCA.key -CAcreateserial -out $CERT_BASE/device.crt -days 1095 -sha256 -extfile <(printf "%s" "subjectAltName=DNS:$1,IP:$2")
 
 # Encrypt device key - needed for input to IOS
-if [ ! -z $2 ]; then
+if [ ! -z $3 ]; then
     openssl rsa -des3 -in $CERT_BASE/device.key -out $CERT_BASE/device.des3.key -passout pass:$2
 else
     echo "Skipping device key encryption."
@@ -29,4 +29,4 @@ fi
 # Setting up client cert and key
 openssl genrsa -out $CERT_BASE/client.key 2048
 openssl req -subj /C=/ST=/L=/O=/CN=gnmi_client -new -key $CERT_BASE/client.key -out $CERT_BASE/client.csr
-openssl x509 -req -in $CERT_BASE/client.csr -CA $CERT_BASE/rootCA.pem -CAkey $CERT_BASE/rootCA.key -CAcreateserial -out $CERT_BASE/client.crt -sha256
+openssl x509 -req -in $CERT_BASE/client.csr -CA $CERT_BASE/rootCA.pem -CAkey $CERT_BASE/rootCA.key -CAcreateserial -out $CERT_BASE/client.crt -days 1095 -sha256
