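# Generate a private CA and a Redis server certificate for $(FQDN).
#
# Every artefact is written under $(OUTDIR): ca.key, ca.crt, redis.key,
# redis.csr, redis.crt and (created by -CAcreateserial) ca.srl.  The rules
# are keyed on those real paths, so an existing CA key/cert is reused on
# re-runs instead of being silently regenerated, which would invalidate
# every certificate it previously signed.
#
# Despite the variable name, the SAN is written as `IP:$(FQDN)`, so FQDN must
# hold an IP literal; a hostname would need a `DNS:` entry instead.
FQDN ?= 127.0.0.1
OUTDIR ?= ops/tls
# May be /etc/pki/tls on some machines.
# Use `openssl version -a | grep OPENSSLDIR` to find out.
OPENSSLDIR ?= /etc/ssl
# Validity (days) of the CA certificate and of the server certificate.
CA_DAYS ?= 3650
CERT_DAYS ?= 3650

# An empty OUTDIR would turn the paths below into bare file names in cwd.
$(if $(strip $(OUTDIR)),,$(error OUTDIR must not be empty))

# Remove a half-written target when its recipe fails, so a truncated key or
# certificate is never mistaken for an up-to-date one.
.DELETE_ON_ERROR:

.PHONY: generate
# Build everything, then drop the temporary OpenSSL config.  `clean` is run
# from the recipe rather than listed as a prerequisite so that it cannot be
# scheduled before redis.crt under `make -j`.
generate: prepare redis.crt
	$(MAKE) clean

.PHONY: prepare
# Ensure the output directory exists (idempotent, unlike a bare `mkdir`).
prepare: $(OUTDIR)

$(OUTDIR):
	mkdir -p $@

.PHONY: clean
# Only the generated OpenSSL config is removed; keys and certificates stay.
clean:
	$(RM) $(OUTDIR)/openssl.cnf

# Short names kept for callers that invoke e.g. `make ca.crt`; they map onto
# the real files in $(OUTDIR).
.PHONY: openssl.cnf ca.key ca.crt redis.csr redis.crt
openssl.cnf: $(OUTDIR)/openssl.cnf
ca.key: $(OUTDIR)/ca.key
ca.crt: $(OUTDIR)/ca.crt
redis.csr: $(OUTDIR)/redis.csr
redis.crt: $(OUTDIR)/redis.crt

# Copy of the system config with a [ san_env ] section appended that pins the
# subjectAltName to $(FQDN).  Written via a temp file and renamed so an
# interrupted run cannot leave a truncated config that looks up to date.
$(OUTDIR)/openssl.cnf: | $(OUTDIR)
	{ cat $(OPENSSLDIR)/openssl.cnf; \
	  echo ""; \
	  echo "[ san_env ]"; \
	  echo "subjectAltName = IP:$(FQDN)"; } > $@.tmp && mv -f $@.tmp $@

# 4096-bit RSA CA key.  umask 077 makes the redirected file owner-only; the
# shell's default umask would typically leave the private key world-readable.
# Because the target is the real file, an existing key is never overwritten.
$(OUTDIR)/ca.key: | $(OUTDIR)
	umask 077 && openssl genrsa 4096 > $@

# Self-signed CA certificate.
$(OUTDIR)/ca.crt: $(OUTDIR)/ca.key
	openssl req \
		-new \
		-x509 \
		-nodes \
		-sha256 \
		-key $< \
		-days $(CA_DAYS) \
		-subj "/C=AU/CN=example" \
		-out $@

# Server key + CSR.  Per openssl-req(1), -reqexts and -extensions both name
# the extension section (see https://security.stackexchange.com/a/86999), so
# keeping both is harmless.  The SAN env var is not referenced by the section
# appended above (make expands $(FQDN) when the config is generated); it is
# kept only in case the system openssl.cnf reads $ENV::SAN.  umask 077 keeps
# redis.key owner-only regardless of the OpenSSL version in use.
$(OUTDIR)/redis.csr: $(OUTDIR)/openssl.cnf
	umask 077 && SAN=IP:$(FQDN) openssl req \
		-reqexts san_env \
		-extensions san_env \
		-config $< \
		-newkey rsa:4096 \
		-nodes -sha256 \
		-keyout $(OUTDIR)/redis.key \
		-subj "/C=AU/CN=$(FQDN)" \
		-out $@

# Server certificate signed by the CA, with the san_env extensions applied.
$(OUTDIR)/redis.crt: $(OUTDIR)/redis.csr $(OUTDIR)/ca.crt $(OUTDIR)/ca.key $(OUTDIR)/openssl.cnf
	SAN=IP:$(FQDN) openssl x509 \
		-req -sha256 \
		-extfile $(OUTDIR)/openssl.cnf \
		-extensions san_env \
		-days $(CERT_DAYS) \
		-in $< \
		-CA $(OUTDIR)/ca.crt \
		-CAkey $(OUTDIR)/ca.key \
		-CAcreateserial \
		-out $@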