diff --git a/AES_Cert b/AES_Cert new file mode 100644 index 0000000..6cbd098 --- /dev/null +++ b/AES_Cert @@ -0,0 +1,107 @@ +#!/bin/bash +# Generate self-signed certificates for mTLS implementation in OCPP +# +# Usage: ./scripts/generate-dev-certs.sh [output-dir] +# Default output directory: ./dev-certs + +set -e + +CERT_DIR="${1:-./dev-certs}" +mkdir -p "$CERT_DIR" + +echo "Generating development certificates in $CERT_DIR/" +echo "" + +# Generate CA private key and certificate +echo "1. Generating CA certificate..." +openssl req -x509 -newkey rsa:4096 -days 365 -nodes \ + -keyout "$CERT_DIR/ca-key.pem" \ + -out "$CERT_DIR/ca-cert.pem" \ + -subj "/CN=rstmdb-dev-ca/O=rstmdb-dev" + +# Generate server private key and CSR +echo "2. Generating server certificate..." +openssl req -newkey rsa:4096 -nodes \ + -keyout "$CERT_DIR/server-key.pem" \ + -out "$CERT_DIR/server-req.pem" \ + -subj "/CN=localhost/O=rstmdb-dev" + +# Create server certificate signed by CA +openssl x509 -req -days 365 \ + -in "$CERT_DIR/server-req.pem" \ + -CA "$CERT_DIR/ca-cert.pem" \ + -CAkey "$CERT_DIR/ca-key.pem" \ + -CAcreateserial \ + -out "$CERT_DIR/server-cert.pem" \ + -extfile <(echo "subjectAltName=DNS:localhost,IP:127.0.0.1") + +# Generate client certificate for mTLS (optional) +echo "3. Generating client certificate (for mTLS)..." +openssl req -newkey rsa:4096 -nodes \ + -keyout "$CERT_DIR/client-key.pem" \ + -out "$CERT_DIR/client-req.pem" \ + -subj "/CN=rstmdb-client/O=rstmdb-dev" + +openssl x509 -req -days 365 \ + -in "$CERT_DIR/client-req.pem" \ + -CA "$CERT_DIR/ca-cert.pem" \ + -CAkey "$CERT_DIR/ca-key.pem" \ + -CAcreateserial \ + -out "$CERT_DIR/client-cert.pem" + +# Cleanup CSR files +rm -f "$CERT_DIR"/*.srl "$CERT_DIR"/*-req.pem + +echo "" +echo "Certificates generated successfully!" +echo "" +echo "Files created:" +echo " $CERT_DIR/ca-cert.pem - CA certificate (for client verification)" +echo " $CERT_DIR/ca-key.pem - CA private key" +echo " $CERT_DIR/server-cert.pem - Server certificate" +echo " $CERT_DIR/server-key.pem - Server private key" +echo " $CERT_DIR/client-cert.pem - Client certificate (for mTLS)" +echo " $CERT_DIR/client-key.pem - Client private key (for mTLS)" +echo "" +echo "Server configuration (config.yaml):" +echo " tls:" +echo " enabled: true" +echo " cert_path: \"$CERT_DIR/server-cert.pem\"" +echo " key_path: \"$CERT_DIR/server-key.pem\"" +echo " # For mTLS:" +echo " # require_client_cert: true" +echo " # client_ca_path: \"$CERT_DIR/ca-cert.pem\"" +echo "" +echo "Client usage:" +echo " # Standard TLS:" +echo " rstmdb-cli --tls --ca-cert $CERT_DIR/ca-cert.pem ..." +echo "" +echo " # Insecure (skip verification):" +echo " rstmdb-cli --tls --insecure ..." +echo "" +echo " # mTLS:" +echo " rstmdb-cli --tls --ca-cert $CERT_DIR/ca-cert.pem \\" +echo " --client-cert $CERT_DIR/client-cert.pem \\" +echo " --client-key $CERT_DIR/client-key.pem ..." + + +# Create a certificate (aka public key of server.key + signature) for this private key +# We are making this certificate valid for 365 days. Also sign it with the certificate authority +openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out client.crt +printf "${BOLD_CYAN}Certificate for CLIENT created." +printf "Press enter to continue." +printf "${DEFAULT_COLOR} ->" +echo +read continue_input +echo "" +echo "" + +printf "${BOLD_YELLOW}Now we shall use these certificates to run nginx with mTLS in docker." +printf "Press enter to continue." +printf "${DEFAULT_COLOR} ->" +echo +read continue_input + +cd ../ + +docker run --rm --name mtls-nginx -p 443:443 -v $(pwd)/certs/ca.crt:/etc/nginx/mtls/ca.crt -v $(pwd)/certs/server.key:/etc/nginx/certs/tls.key -v $(pwd)/certs/server.crt:/etc/nginx/certs/tls.crt -v $(pwd)/nginx.mtls.conf:/etc/nginx/conf.d/nginx.conf -v $(pwd)/certs/passphrase.txt:/etc/nginx/certs/password nginx