pomerium/scripts/self-signed-sign-key.sh
Bobby DeSimone 426e003b03
proxy: add JWT request signing support (#19)
- Refactored middleware and request handler logging.
- Request refactored to use context.Context.
- Add helper (based on Alice) to allow middleware chaining.
- Add helper scripts to generate elliptic curve self-signed certificate that can be used to sign JWT.
- Changed LetsEncrypt scripts to use acme instead of certbot.
- Add script to have LetsEncrypt sign an RSA based certificate.
- Add documentation to explain how to verify headers.
- Refactored internal/cryptutil signer's code to expect a valid EC priv key.
- Changed JWT expiries to use default leeway period.
- Update docs and add screenshots.
- Replaced logging handler logic to use context.Context.
- Removed specific XML error handling.
- Refactored handler function signatures to prefer standard go idioms.
2019-01-22 21:44:22 -08:00

47 lines
1.5 KiB
Bash
Executable file

#!/bin/bash
# Thank you @ https://medium.com/@benjamin.black/how-to-obtain-an-ecdsa-wildcard-certificate-from-lets-encrypt-be217c737cfe
# See also:
# https://cloud.google.com/iot/docs/how-tos/credentials/keys#generating_an_es256_key_with_a_self-signed_x509_certificate
# https://community.letsencrypt.org/t/ecc-certificates/46729
#
# Lets Encrypt currently generates RSA certificates, but not yet ECDSA certificates.
# Support for generating ECDSA certificates is on the horizon, but is not here yet.
# However, Lets Encrypt does support *signing* ECDSA certificates when presented with a
# Certificate Signing Request. So we can generate the appropriate CSR on the client,
# and send it to Lets Encrypt using the --csr option of the certbot client for Lets Encrypt to sign.
set -euo pipefail

# The following generates a NIST P-256 (aka secp256r1 aka prime256v1) EC Key Pair
openssl ecparam \
  -genkey \
  -name prime256v1 \
  -noout \
  -out ec_private.pem

# Self-signed X.509 certificate for the key above; this is the pair used to sign JWTs (ES256)
openssl req -x509 -new \
  -key ec_private.pem \
  -days 365 \
  -out ec_public.pem \
  -subj "/CN=unused"

# CSR for the same EC key (ec_private.pem generated above), with a wildcard SAN,
# to be submitted to Lets Encrypt for signing
openssl req -new \
  -sha512 \
  -key ec_private.pem \
  -nodes \
  -subj "/CN=beyondperimeter.com" \
  -reqexts SAN \
  -extensions SAN \
  -config <(cat /etc/ssl/openssl.cnf <(printf '[SAN]\nsubjectAltName=DNS:*.corp.beyondperimeter.com')) \
  -out csr.pem \
  -outform pem

# Print the CSR so the subject, SAN and key type can be checked before submitting it
openssl req -in csr.pem -noout -text

certbot certonly \
  --preferred-challenges dns-01 \
  --work-dir le/work \
  --config-dir le/config \
  --logs-dir le/logs \
  --agree-tos \
  --email bobbydesimone@gmail.com \
  -d *.corp.beyondperimeter.com \
  --csr csr.pem
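As an added illustration, not part of the pomerium repository, the Go program below does the same two steps as the first two openssl commands in the script (a P-256 key and a self-signed certificate for it) using only the standard library, and then runs the check a practitioner would want before configuring the result as a JWT signing key: the key is EC on P-256 (what ES256 requires), the certificate's public key matches the private key, the certificate is within its validity window, and the expected SAN is present. The function names `generateSelfSigned` and `checkSigningPair` are this example's own; the CN `unused` and the SAN `*.corp.beyondperimeter.com` are taken from the script, and the key/certificate pair is constructed in memory, not read from the files the script writes.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// generateSelfSigned mirrors `openssl ecparam -genkey` plus `openssl req -x509`:
// an EC key on the given curve and a self-signed X.509 certificate for it.
// The key is returned as a SEC1 "EC PRIVATE KEY" PEM block, the format openssl writes.
func generateSelfSigned(curve elliptic.Curve, cn string, dnsNames []string) (keyPEM, certPEM []byte, err error) {
	priv, err := ecdsa.GenerateKey(curve, rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	keyDER, err := x509.MarshalECPrivateKey(priv)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              dnsNames,
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour), // same lifetime as -days 365
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
	}
	certDER, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return nil, nil, err
	}
	keyPEM = pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
	certPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: certDER})
	return keyPEM, certPEM, nil
}

// checkSigningPair (this example's own name) validates a PEM key/certificate pair
// before it is used as an ES256 JWT signing key. wantDNS may be empty to skip the SAN check.
func checkSigningPair(keyPEM, certPEM []byte, wantDNS string) error {
	kb, _ := pem.Decode(keyPEM)
	if kb == nil || kb.Type != "EC PRIVATE KEY" {
		return errors.New("key: expected a PEM block of type EC PRIVATE KEY")
	}
	priv, err := x509.ParseECPrivateKey(kb.Bytes)
	if err != nil {
		return fmt.Errorf("key: %w", err)
	}
	// ES256 is defined over P-256 only; a P-384 or P-521 key would be a valid EC key but the wrong one.
	if priv.Curve != elliptic.P256() {
		return fmt.Errorf("key: curve %s is not P-256, so it cannot be used for ES256", priv.Curve.Params().Name)
	}
	cb, _ := pem.Decode(certPEM)
	if cb == nil || cb.Type != "CERTIFICATE" {
		return errors.New("cert: expected a PEM block of type CERTIFICATE")
	}
	cert, err := x509.ParseCertificate(cb.Bytes)
	if err != nil {
		return fmt.Errorf("cert: %w", err)
	}
	// The certificate published for verifiers must carry exactly the public half of the signing key.
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok || !pub.Equal(&priv.PublicKey) {
		return errors.New("cert: public key does not match the private key")
	}
	if now := time.Now(); now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return fmt.Errorf("cert: not valid at %s", now.Format(time.RFC3339))
	}
	if wantDNS != "" {
		found := false
		for _, n := range cert.DNSNames {
			if n == wantDNS {
				found = true
				break
			}
		}
		if !found {
			return fmt.Errorf("cert: SAN list %v does not contain %q", cert.DNSNames, wantDNS)
		}
	}
	return nil
}

func main() {
	// Constructed in-memory pair with the script's CN and SAN.
	keyPEM, certPEM, err := generateSelfSigned(elliptic.P256(), "unused", []string{"*.corp.beyondperimeter.com"})
	if err != nil {
		panic(err)
	}
	fmt.Println("P-256 pair:", checkSigningPair(keyPEM, certPEM, "*.corp.beyondperimeter.com"))
	// A P-384 key passes openssl without complaint but is rejected here because ES256 needs P-256.
	k384, c384, _ := generateSelfSigned(elliptic.P384(), "unused", nil)
	fmt.Println("P-384 pair:", checkSigningPair(k384, c384, ""))
}
```

The curve check is the one most easily missed when following the script by hand: `openssl ecparam -name` accepts any named curve, and a key on the wrong curve only fails later, when a verifier rejects the ES256 signature.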