simple-opensearch-installer/static/opensearch_certs.sh

#!/bin/sh
# Create TLS self-signed CA certificates for 5 years required to comply
# with transport security layer requirement.
# Source:
# https://opensearch.org/docs/latest/security-plugin/configuration/generate-certificates/#sample-script

rm -rf tls_store
mkdir -p tls_store
TLS_DN="/C=CA/ST=OPENSEARCH/L=NODE/O=OPENSEARCH/OU=FTS"

# Root CA
openssl genrsa -out root-ca-key.pem 4096
openssl req -new -x509 -sha256 -key root-ca-key.pem -subj "${TLS_DN}/CN=ROOT" -out root-ca.pem -days 1825
# Admin cert
openssl genrsa -out admin-key-temp.pem 4096
openssl pkcs8 -inform PEM -outform PEM -in admin-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out admin-key.pem
openssl req -new -key admin-key.pem -subj "${TLS_DN}/CN=ADMIN" -out admin.csr
openssl x509 -req -in admin.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -sha256 -out admin.pem -days 1825
# Node cert
openssl genrsa -out node-key-temp.pem 4096
openssl pkcs8 -inform PEM -outform PEM -in node-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out node-key.pem
openssl req -new -key node-key.pem -subj "${TLS_DN}/CN=__FTSDOMAIN__" -out node.csr
openssl x509 -req -in node.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -sha256 -out node.pem -days 1825
# Client cert
openssl genrsa -out client-key-temp.pem 4096
openssl pkcs8 -inform PEM -outform PEM -in client-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out client-key.pem
openssl req -new -key client-key.pem -subj "${TLS_DN}/CN=CLIENT" -out client.csr
openssl x509 -req -in client.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -sha256 -out client.pem -days 1825

# Cleanup
rm admin-key-temp.pem \
   admin.csr \
   node-key-temp.pem \
   node.csr \
   client-key-temp.pem \
   client.csr

# Store
mv client.pem \
   client-key.pem \
   root-ca-key.pem -t tls_store

# openssl 3.0 workaround
if [ "$(lsb_release -sc)" = "focal" ]; then
   mv root-ca.srl tls_store
fi
simple-opensearch-installer: initial commit. 2023-11-29 08:19:30 +00:00			`#!/bin/sh`
			`# Create TLS self-signed CA certificates for 5 years required to comply`
			`# with transport security layer requirement.`
			`# Source:`
			`# https://opensearch.org/docs/latest/security-plugin/configuration/generate-certificates/#sample-script`

add safe removal tls_store 2023-12-05 06:46:57 +00:00			`rm -rf tls_store`
			`mkdir -p tls_store`
simple-opensearch-installer: initial commit. 2023-11-29 08:19:30 +00:00			`TLS_DN="/C=CA/ST=OPENSEARCH/L=NODE/O=OPENSEARCH/OU=FTS"`

			`# Root CA`
			`openssl genrsa -out root-ca-key.pem 4096`
			`openssl req -new -x509 -sha256 -key root-ca-key.pem -subj "${TLS_DN}/CN=ROOT" -out root-ca.pem -days 1825`
			`# Admin cert`
			`openssl genrsa -out admin-key-temp.pem 4096`
			`openssl pkcs8 -inform PEM -outform PEM -in admin-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out admin-key.pem`
			`openssl req -new -key admin-key.pem -subj "${TLS_DN}/CN=ADMIN" -out admin.csr`
			`openssl x509 -req -in admin.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -sha256 -out admin.pem -days 1825`
			`# Node cert`
			`openssl genrsa -out node-key-temp.pem 4096`
			`openssl pkcs8 -inform PEM -outform PEM -in node-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out node-key.pem`
			`openssl req -new -key node-key.pem -subj "${TLS_DN}/CN=__FTSDOMAIN__" -out node.csr`
			`openssl x509 -req -in node.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -sha256 -out node.pem -days 1825`
			`# Client cert`
			`openssl genrsa -out client-key-temp.pem 4096`
			`openssl pkcs8 -inform PEM -outform PEM -in client-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out client-key.pem`
			`openssl req -new -key client-key.pem -subj "${TLS_DN}/CN=CLIENT" -out client.csr`
			`openssl x509 -req -in client.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -sha256 -out client.pem -days 1825`

			`# Cleanup`
			`rm admin-key-temp.pem \`
			`admin.csr \`
			`node-key-temp.pem \`
			`node.csr \`
			`client-key-temp.pem \`
			`client.csr`

			`# Store`
			`mv client.pem \`
			`client-key.pem \`
			`root-ca-key.pem -t tls_store`
add workaround for root-ca.srl on focal 2023-12-05 08:41:50 +00:00
			`# openssl 3.0 workaround`
			`if [ "$(lsb_release -sc)" = "focal" ]; then`
			`mv root-ca.srl tls_store`
			`fi`