learn_mqtt_go/scripts/gen-local-tls-certs.sh

#!/usr/bin/env bash

# https://mosquitto.org/man/mosquitto-tls-7.html
set -euo pipefail

# Set working directory to project root
cd "$(dirname "$0")/../"
CDIR=$(pwd -P)
export CDIR

MOSQUITTO_CERTS_DIR="${CDIR}/.mosquitto/certs"
TLS_CERT_DURATION="${TLS_CERT_DURATION:-365}"
CA_COMMON_NAME="${CA_COMMON_NAME:-runcible.io}"
HOSTNAME=$(hostname)

warn(){
    echo -e "\nFOR LOCAL DEVELOPMENT ONLY!!! These certs do not follow best practices.\n\
Keys are not encypted! Seriously, don't use this for anything other than local development.\n"
}

generate_ca_cert(){
    echo "Generating CA key in ${MOSQUITTO_CERTS_DIR}..."
    openssl genpkey -algorithm RSA -out "${MOSQUITTO_CERTS_DIR}/ca.key"

    echo "Generating CA cert..."
    openssl req -x509 -new -nodes -key "${MOSQUITTO_CERTS_DIR}/ca.key" -sha256 -days "${TLS_CERT_DURATION}" \
    -extensions v3_ca -out "${MOSQUITTO_CERTS_DIR}/ca.crt" -subj "/C=US/O=Runcible/CN=${CA_COMMON_NAME}"
    
    echo "CA cert generation complete."
}

generate_server_cert(){
    echo "Generating server key..."
    openssl genrsa -out "${MOSQUITTO_CERTS_DIR}/server.key" 2048
    
    echo "Generating cert signing request for CA..."
    openssl req -out "${MOSQUITTO_CERTS_DIR}/server.csr" -key "${MOSQUITTO_CERTS_DIR}/server.key" -new \
    -subj "/C=US/O=Runcible/CN=${HOSTNAME}"
    
    echo "Sending server CSR to CA..."
    openssl x509 -req -in "${MOSQUITTO_CERTS_DIR}/server.csr" -CA "${MOSQUITTO_CERTS_DIR}/ca.crt" \
    -CAkey "${MOSQUITTO_CERTS_DIR}/ca.key" -CAcreateserial -out "${MOSQUITTO_CERTS_DIR}/server.crt" \
    -days "${TLS_CERT_DURATION}"
    
    echo "Server cert generation complete."
}

generate_client_cert(){
    echo "Creating client cert in $CDIR"
    echo "Generating client key..."
    openssl genrsa -out "${CDIR}/client.key" 2048

    echo "Generating client CSR for CA..."
    openssl req -out "${CDIR}/client.csr" -key "${CDIR}/client.key" -new -subj "/C=US/O=Runcible/CN=localhost"

    echo "Sending client CSR to CA..."
    openssl x509 -req -in "${CDIR}/client.csr" -CA "${MOSQUITTO_CERTS_DIR}/ca.crt" -CAkey "${MOSQUITTO_CERTS_DIR}/ca.key" \
    -CAcreateserial -out "${CDIR}/client.crt" -days "${TLS_CERT_DURATION}"

    echo "Client cert generation complete."
}


warn
generate_ca_cert
generate_server_cert
generate_client_cert
warn
Prepare to use TLS in local dev 4 months ago			`#!/usr/bin/env bash`

			`# https://mosquitto.org/man/mosquitto-tls-7.html`
			`set -euo pipefail`

			`# Set working directory to project root`
			`cd "$(dirname "$0")/../"`
			`CDIR=$(pwd -P)`
			`export CDIR`

			`MOSQUITTO_CERTS_DIR="${CDIR}/.mosquitto/certs"`
			`TLS_CERT_DURATION="${TLS_CERT_DURATION:-365}"`
			`CA_COMMON_NAME="${CA_COMMON_NAME:-runcible.io}"`
			`HOSTNAME=$(hostname)`

			`warn(){`
			`echo -e "\nFOR LOCAL DEVELOPMENT ONLY!!! These certs do not follow best practices.\n\`
			`Keys are not encypted! Seriously, don't use this for anything other than local development.\n"`
			`}`

			`generate_ca_cert(){`
			`echo "Generating CA key in ${MOSQUITTO_CERTS_DIR}..."`
			`openssl genpkey -algorithm RSA -out "${MOSQUITTO_CERTS_DIR}/ca.key"`

			`echo "Generating CA cert..."`
			`openssl req -x509 -new -nodes -key "${MOSQUITTO_CERTS_DIR}/ca.key" -sha256 -days "${TLS_CERT_DURATION}" \`
			`-extensions v3_ca -out "${MOSQUITTO_CERTS_DIR}/ca.crt" -subj "/C=US/O=Runcible/CN=${CA_COMMON_NAME}"`

			`echo "CA cert generation complete."`
			`}`

			`generate_server_cert(){`
			`echo "Generating server key..."`
			`openssl genrsa -out "${MOSQUITTO_CERTS_DIR}/server.key" 2048`

			`echo "Generating cert signing request for CA..."`
			`openssl req -out "${MOSQUITTO_CERTS_DIR}/server.csr" -key "${MOSQUITTO_CERTS_DIR}/server.key" -new \`
			`-subj "/C=US/O=Runcible/CN=${HOSTNAME}"`

			`echo "Sending server CSR to CA..."`
			`openssl x509 -req -in "${MOSQUITTO_CERTS_DIR}/server.csr" -CA "${MOSQUITTO_CERTS_DIR}/ca.crt" \`
			`-CAkey "${MOSQUITTO_CERTS_DIR}/ca.key" -CAcreateserial -out "${MOSQUITTO_CERTS_DIR}/server.crt" \`
			`-days "${TLS_CERT_DURATION}"`

			`echo "Server cert generation complete."`
			`}`

			`generate_client_cert(){`
			`echo "Creating client cert in $CDIR"`
			`echo "Generating client key..."`
			`openssl genrsa -out "${CDIR}/client.key" 2048`

			`echo "Generating client CSR for CA..."`
			`openssl req -out "${CDIR}/client.csr" -key "${CDIR}/client.key" -new -subj "/C=US/O=Runcible/CN=localhost"`

			`echo "Sending client CSR to CA..."`
			`openssl x509 -req -in "${CDIR}/client.csr" -CA "${MOSQUITTO_CERTS_DIR}/ca.crt" -CAkey "${MOSQUITTO_CERTS_DIR}/ca.key" \`
			`-CAcreateserial -out "${CDIR}/client.crt" -days "${TLS_CERT_DURATION}"`

			`echo "Client cert generation complete."`
			`}`


			`warn`
			`generate_ca_cert`
			`generate_server_cert`
			`generate_client_cert`
			`warn`