admin / Syanpse-Vanguard
public
Syanpse-Vanguard / synapse-vanguard-v3 / certs / gen-dev-certs.sh
1528 B · main
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 | #!/usr/bin/env bash # Generate a dev CA + server cert + one client (agent) cert for mTLS testing. # NOT for production — use a real CA / cert lifecycle there. set -euo pipefail cd "$(dirname "$0")" # Git Bash / MSYS on Windows rewrites args that look like Unix paths (e.g. # "/CN=...") into "C:/Program Files/Git/CN=...". Disable that for openssl -subj. export MSYS_NO_PATHCONV=1 export MSYS2_ARG_CONV_EXCL="*" SERVER_CN="${SERVER_CN:-localhost}" AGENT_CN="${AGENT_CN:-agent-testhost}" echo "==> CA" openssl genrsa -out ca.key 4096 openssl req -x509 -new -nodes -key ca.key -sha256 -days 3650 \ -subj "/CN=Synapse-Vanguard-Dev-CA" -out ca.crt echo "==> Server cert (CN=${SERVER_CN})" printf "subjectAltName=DNS:%s,DNS:agent-ingest,DNS:localhost,IP:127.0.0.1\n" \ "${SERVER_CN}" > server.ext openssl genrsa -out server.key 2048 openssl req -new -key server.key -subj "/CN=${SERVER_CN}" -out server.csr openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \ -days 825 -sha256 -out server.crt -extfile server.ext echo "==> Agent client cert (CN=${AGENT_CN})" openssl genrsa -out agent.key 2048 openssl req -new -key agent.key -subj "/CN=${AGENT_CN}" -out agent.csr openssl x509 -req -in agent.csr -CA ca.crt -CAkey ca.key -CAcreateserial \ -days 825 -sha256 -out agent.crt rm -f server.csr agent.csr server.ext echo "==> Done. Server: server.crt/server.key CA: ca.crt Agent: agent.crt/agent.key" echo " The agent's cert CN (${AGENT_CN}) must match the agents.cert_cn bound at enrollment." |