Re-work SSL certificate

Author: williamdes

Makefile

@@ -7,7 +7,7 @@ PLATFORM ?= linux/amd64
 ACTION ?= load
 PROGRESS_MODE ?= plain
 
-.PHONY: update-tags docker-build docker-push
+.PHONY: update-tags docker-build docker-push test-certificates
 
 docker-build:
 	# https://github.com/docker/buildx#building
@@ -38,3 +38,6 @@ update-tags:
 test:
 	BUILDKIT_PROGRESS=plain docker compose -f ./docker/docker-compose.test.yml down
 	BUILDKIT_PROGRESS=plain docker compose -f ./docker/docker-compose.test.yml up --build --abort-on-container-exit --exit-code-from=sut
+
+test-certificates:
+	./docker/tests/make-certs.sh

docker/tests/README.md

@@ -8,27 +8,6 @@ make test
 
 ### Re-Build the test certificate
 
-Source: [MariaDB docs](https://mariadb.com/docs/security/data-in-transit-encryption/create-self-signed-certificates-keys-openssl/)
-
 ```sh
-openssl req -new -newkey rsa:4096 -days 365 -nodes -x509 \
-    -subj "/C=FR/OU=Testing/O=Datacenters Network" \
-    -keyout ca.key  -out ca.pem
-
-openssl req -new -newkey rsa:4096 -nodes \
-    -subj "/emailAddress=williamdes+sudo-bot-test-cert@wdes.fr/C=FR/OU=Testing/O=Datacenters Network/CN=openldap" \
-    -keyout server-key.pem  -out server-req.pem
-
-openssl x509 -req -days 365 -set_serial 01 \
-   -in server-req.pem \
-   -out server-cert.pem \
-   -CA ca.pem \
-   -CAkey ca.key
-
-# Cleanup
-rm server-req.pem
-# Could be needed
-# chmod 777 server-cert.pem server-key.pem ca.pem
-# Verify
-openssl verify -verbose -x509_strict -CAfile ca.pem server-cert.pem
+./docker/tests/make-certs.sh
 ```

docker/tests/data/.gitignore

@@ -0,0 +1,6 @@
+/*.pem
+/*.key
+/*.srl
+/*.cer
+/*.crl
+/*.csr

docker/tests/data/ca.key

@@ -0,0 +1,24 @@
+[alt_names]
+DNS.1 = ldap.server.intranet
+
+[ req_distinguished_name ]
+CN=ldap.server.intranet
+
+[ req ]
+distinguished_name = req_distinguished_name
+req_extensions = v3_req
+x509_extensions = ext_cert
+prompt = no
+
+[ v3_req ]
+extendedKeyUsage = serverAuth,clientAuth
+subjectAltName = @alt_names
+basicConstraints = CA:FALSE
+
+[ ext_cert ]
+subjectKeyIdentifier   = hash
+authorityKeyIdentifier = keyid,issuer
+keyUsage = critical, digitalSignature,keyEncipherment
+basicConstraints = critical,CA:FALSE
+extendedKeyUsage = serverAuth,clientAuth
+subjectAltName = @alt_names

docker/tests/data/ca.pem

@@ -0,0 +1,41 @@
+#!/bin/sh
+
+set -eux
+
+ME=$(realpath $(dirname $0))
+
+cd $ME
+
+printf 'Running in: %s\n' "$ME"
+
+DOMAIN="ldap.server.intranet"
+SSL_PATH="$ME/"
+CA_PATH="$SSL_PATH/data/${DOMAIN}_ca"
+KEYCERT_PATH="$SSL_PATH/data/${DOMAIN}"
+
+# bake the keys
+if [ ! -f $CA_PATH.key ]; then
+    openssl ecparam -out $CA_PATH.key -name prime256v1 -genkey
+fi
+
+if [ ! -f $KEYCERT_PATH.key ]; then
+    openssl ecparam -out $KEYCERT_PATH.key -name prime256v1 -genkey
+fi
+
+# bake the CA
+openssl req -x509 -config $SSL_PATH/openssl.cnf -new -nodes -key $CA_PATH.key -sha384 -days 15 -out $CA_PATH.cer
+
+# bake the CSR
+if [ ! -f $KEYCERT_PATH.csr ]; then
+    openssl req -new -config ${SSL_PATH}/${DOMAIN}.csr.conf -key $KEYCERT_PATH.key -out $KEYCERT_PATH.csr
+fi
+
+# bake the cert
+openssl x509 -req -extensions ext_cert -extfile ${SSL_PATH}/${DOMAIN}.csr.conf -in $KEYCERT_PATH.csr -CA $CA_PATH.cer -CAkey $CA_PATH.key \
+    -CAcreateserial -out $KEYCERT_PATH.cer -days 7 -sha384
+
+openssl req -in $KEYCERT_PATH.csr -noout -text
+openssl x509 -in $KEYCERT_PATH.cer -noout -text
+
+cat $KEYCERT_PATH.cer > ${KEYCERT_PATH}_fullchain.cer
+cat $CA_PATH.cer >> ${KEYCERT_PATH}_fullchain.cer

docker/tests/data/server-cert.pem

@@ -0,0 +1,12 @@
+[req]
+distinguished_name=req_distinguished_name
+prompt = no
+
+[ req_distinguished_name ]
+C=FR
+ST=Test State
+L=Test Locality
+O=Wdes SAS
+OU=Testing
+CN=Emails
+emailAddress=tech@test-ca.intranet