devops-tools / ssl-certificate-utils
Commit 62ffe5c6 authored Sep 04, 2016 by Xueshan Feng
updated to allow renaming and upload new cert.
parent 398aa062
Changes 2
README.md @ 62ffe5c6
Generate a wildcard ssl certificate request for a subdomain, e.g,
*
.foobar.stanford.edu:
##
Generate a wildcard ssl certificate request for a subdomain, e.g, *.foobar.stanford.edu:
```
$ git clone git@code.stanford.edu:devops-tools/star-cert-request.git
...
...
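Review bot: the new `##` heading carries over the typo "e.g," from the old line; "e.g.," reads better, and "SSL" in capitals would match the new "Upload cert to AWS IAM service" section further down, which writes "SSL certificate".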
@@ -22,5 +22,12 @@ Normally you can use [cert request form](https://tools.stanford.edu/cgi-bin/cert
your request, however, if the subdomain is delegated to a cloud vendor, you will need to send the csr to
**its-ssl-service@lists.stanford.edu**
because the form cannot verify the ownership of a domain from NetDB.
## Upload cert to AWS IAM service
```
./upload_cert_to_aws.sh -s foo.stanford.edu -p foo.stanford.edu
```
If the SSL certificate already exists, the script will rename it and upload the new server server with the same server name.
If you use the cert in ELB, the ELB still uses the old certificate until you update the ELB cert to points to the new SSL cert.
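Review bot: the usage example in the new section passes a hostname where the script expects an AWS profile: `./upload_cert_to_aws.sh -s foo.stanford.edu -p foo.stanford.edu` should read `-p <awsprofile>` (or a real profile name), otherwise readers will copy it literally. Two typos in the explanatory lines: "upload the new server server with the same server name" presumably means "upload the new certificate under the same server name", and "to points to the new SSL cert" should be "to point to". It would also help to state here that the old certificate is renamed to `<server_name>.<expiration date>` and that the script prompts before renaming, since that is what a caller running this from an automated job needs to know.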
upload_cert_to_aws.sh @ 62ffe5c6
...
...
@@ -3,39 +3,108 @@
# Usage: ./upload_cert_to_aws.sh foo.stanford.edu awsprofile
#
# To get arn: aws --profile awsprofile iam get-server-certificate --server-certificate-name=<fqdn>
#
# Author: Xueshan Feng <sfeng@stanford.edu>
#
domain
=
'stanford.edu'
server
=
$1
awsprofile
=
$2
if
[
"X
$server
"
=
"X"
]
;
then
echo
"SSL cert CN name is required. e.g. ./upload-cert-to-aws.sh foo.stanford.edu"
exit
1
fi
if
[
"X
$awsprofile
"
=
"X"
]
;
function
init
(){
domain
=
${
domain
:-
'stanford.edu'
}
server
=
"
${
server
%%.*
}
"
echo
"===
$server
"
domaincert
=
${
body
:-
'stanford_edu_cert.cer'
}
intermcert
=
${
chain
:
=
'stanford_edu_interm.cer'
}
server_name
=
$server
.
$domain
dryrun
=
0
}
function
upload_cert
(){
if
aws
--profile
$profile
iam get-server-certificate
--server-certificate-name
$server_name
>
/dev/null 2>&1
;
then
expirationdate
=
$(
aws
--profile
$profile
iam get-server-certificate
--server-certificate-name
$server
.stanford.edu |
\
jq
-r
'.ServerCertificate.ServerCertificateMetadata.Expiration'
|
sed
's/T.*//'
)
echo
"Renaming old server
$server_name
to
$server_name
.
$expirationdate
"
answer
=
'N'
echo
-n
"Do you want to continue? [Y/N]"
read
answer
echo
""
[
"X
$answer
"
!=
"XY"
]
&&
echo
"Do nothing. Quit."
&&
exit
0
aws
--profile
$profile
iam update-server-certificate
--server-certificate-name
$server_name
\
--new-server-certificate-name
$server_name
.
$expirationdate
fi
aws
--profile
$profile
iam upload-server-certificate
--server-certificate-name
$server_name
\
--certificate-body
file://
${
server
}
_
${
domaincert
}
\
--private-key
file://
$server_name
.key
--certificate-chain
file://
${
server
}
_
$intermcert
}
help
(){
echo
"upload_cert_to_aws.sh -p <profile> -s <server> [-d <domain>] -c <chain file> -b <body> [-n] [-y]"
echo
""
echo
" -p <aws profile>: authenticate as this profile."
echo
" -s <server>: server name. e.g. foo.stanford.edu"
echo
" -d <domain>: default to stanford.edu."
echo
" -b <cert file>: default to <server>_stanford_edu_cert.cer"
echo
" -c <chain file>: default to <server>_stanford_edu_interm.cer"
echo
" -y : non-interative mode. Answer to yes to all default values."
echo
" -n : dryrun. print out the commands"
echo
" -h : Help"
}
# Main
while
getopts
"b:c:d:p:s:hny"
OPTION
do
case
$OPTION
in
b
)
body
=
$OPTARG
;;
c
)
chain
=
$OPTARG
;;
d
)
domain
=
$OPTARG
;;
p
)
profile
=
$OPTARG
;;
s
)
server
=
$OPTARG
;;
n
)
dryrun
=
1
;;
y
)
interactive
=
0
;;
[
h?]
)
help
exit
;;
esac
done
if
[[
-z
$profile
||
-z
$server
]]
;
then
echo
"AWS profile for authentication is required."
help
exit
1
else
init
fi
aws
--profile
$awsprofile
support
help
2>/dev/null 1>&2
if
[
$?
=
"255"
]
;
then
echo
"Account
$awsprofile
doesn't exit."
echo
"Getting AWS account number ..."
accountId
=
$(
aws
--profile
$profile
iam get-user | jq
'.User.Arn'
|
grep
-Eo
'[[:digit:]]{12}'
)
if
[
-z
"
$accountId
"
]
;
then
echo
"Cannot find AWS account number."
exit
1
fi
server
=
"
${
server
%%.*
}
"
domaincert
=
"stanford_edu_cert.cer"
intermcert
=
"stanford_edu_interm.cer"
server_name
=
"
$server
.
$domain
"
if
[[
-f
${
server
}
_
${
domaincert
}
]]
&&
[[
-f
${
server
}
_
$intermcert
]]
&&
[[
-f
$server_name
.key
]]
;
then
aws
--profile
$awsprofile
iam upload-server-certificate
--server-certificate-name
$server_name
\
--certificate-body
file://
${
server
}
_
${
domaincert
}
\
--private-key
file://
$server_name
.key
--certificate-chain
file://
${
server
}
_
$intermcert
upload_cert
else
echo
"one of the files are missing:
${
server
}
_
${
domaincert
}
,
${
server
}
_
$intermcert
, or
$server
_name
.key"
echo
"one of the files are missing:
${
server
}
_
${
domaincert
}
,
${
server
}
_
$intermcert
, or
$server
.key"
exit
1
fi
[
$dryrun
-eq
1
]
&&
echo
"Dryrun mode. Nothing is changed."
exit
0
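Review bot: the option parser now stores the profile in `profile` (`p ) profile=$OPTARG ;;`) and the old `awsprofile=$2` is removed, but the account check and its message still read `$awsprofile` (`aws --profile $awsprofile support help 2>/dev/null 1>&2` and `echo "Account $awsprofile doesn't exit."`), so after this change that check runs with an empty profile name; rename both to `$profile` (and "exit" to "exist" in the message). Related problems in the same hunk: `init` sets `dryrun=0` after `getopts` has already set it to 1 for `-n`, and nothing consults `$dryrun` or `$interactive` before the `aws` calls or the `read answer` prompt, so `-n` and `-y` have no effect beyond the final "Dryrun mode" message; the expiration lookup in `upload_cert` uses `$server.stanford.edu` instead of `$server_name`, so `-d <domain>` is ignored there; `intermcert=${chain:='stanford_edu_interm.cer'}` uses `:=` where `domaincert` uses `:-` (harmless, but inconsistent); and the `-b`/`-c` values are still prefixed with `${server}_` when the files are opened, which the help text ("default to <server>_stanford_edu_cert.cer") does not make clear. Quoting `$server_name` and the `file://` paths in the `aws` invocations would also keep word splitting from breaking the command.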