services/register/register_prepare.sh +88 −26
@@ -6,24 +6,61 @@ cd $CERTS_FOLDER VAULT_ADDR="http://$VAULT_HOSTNAME:$VAULT_PORT" VAULT_TOKEN=$VAULT_ACCESS_TOKEN COUNTRY="ES" # 2 letter country-code STATE="Madrid" # state or province name LOCALITY="Madrid" # Locality Name (e.g. city) ORGNAME="Telefonica I+D" # Organization Name (eg, company) ORGUNIT="Innovation" # Organizational Unit Name (eg. section) # NEW: Get CAPIF instance ID from helper HELPER_URL="http://$HELPER_HOST:8080/api/getCcfId" echo "Retrieving CCF ID from Helper..." CCF_ID=$(curl -s --connect-timeout 5 "$HELPER_URL" | jq -r '.ccf_id') if [ -z "$CCF_ID" ] || [ "$CCF_ID" = "null" ]; then echo "ERROR: Could not retrieve CCF ID from Helper." exit 1 fi echo "CCF ID for this CAPIF instance: $CCF_ID" COUNTRY="ES" STATE="Madrid" LOCALITY="Madrid" ORGNAME="Telefonica I+D" ORGUNIT="Innovation" COMMONNAME=${REGISTER_HOSTNAME:-register} EMAIL="inno@tid.es" # certificate's email address TTL="4300h" # ============================================================== # 1) GENERATE PRIVATE KEY IF NOT EXISTS # ============================================================== if [ ! -f register_key.key ]; then echo "Generating private key for Register." openssl genrsa -out register_key.key 2048 else echo "Private key already exists → skipping generation." fi # ============================================================== # 2) GENERATE CSR ONLY IF CERT DOES NOT EXIST # ============================================================== if [ ! -f register_cert.crt ]; then echo "Creating CSR for CN=${COMMONNAME}." openssl req -new -key register_key.key \ -subj "/C=${COUNTRY}/ST=${STATE}/L=${LOCALITY}/O=${ORGNAME}/OU=${ORGUNIT}/CN=${COMMONNAME}/emailAddress=${EMAIL}" \ -subj "/C=${COUNTRY}/ST=${STATE}/L=${LOCALITY}/O=${ORGNAME}/OU=${ORGUNIT}/CN=${COMMONNAME}" \ -addext "subjectAltName=DNS:${COMMONNAME}" \ -out register.csr echo "CSR created." else echo "register_cert.crt already exists → skipping CSR generation." 
fi # ============================================================== # 3) DOWNLOAD CA FROM VAULT # ============================================================== echo "Downloading CA chain from Vault." curl -s -H "X-Vault-Token: ${VAULT_TOKEN}" \ "${VAULT_ADDR}/v1/secret/data/ca" | jq -r '.data.data.ca' > ca_root.crt Loading @@ -34,8 +71,12 @@ fi echo "CA chain retrieved successfully." # ============================================================== # 4) REQUEST SIGNATURE ONLY IF CERT DOES NOT EXIST # ============================================================== if [ ! -f register_cert.crt ]; then echo "Requesting certificate signature from Vault..." CSR_CONTENT=$(awk '{printf "%s\\n", $0}' register.csr) CSR_CONTENT=$(sed ':a;N;$!ba;s/\n/\\n/g' register.csr) curl -s -X POST \ -H "X-Vault-Token: ${VAULT_TOKEN}" \ Loading 
@@ -49,12 +90,33 @@ if [ ! -s register_cert.crt ]; then fi echo "Certificate signed successfully by Vault intermediate CA." else echo "register_cert.crt already exists → skipping signing step." fi # ============================================================== # 5) VERIFY CERTIFICATE CHAIN # ============================================================== echo "Verifying certificate chain." openssl verify -CAfile ca_root.crt register_cert.crt || { echo "WARNING: certificate verification failed" } # ============================================================== # 6) NEW → STORE REGISTER CERTIFICATES IN VAULT # ============================================================== echo "Storing Register certificates under secret/capif/${CCF_ID}/register" vault kv put secret/capif/$CCF_ID/register/server crt=@register_cert.crt vault kv put secret/capif/$CCF_ID/register/private key=@register_key.key vault kv put secret/capif/$CCF_ID/register/ca ca=@ca_root.crt echo "Certificates stored successfully." # ============================================================== # 7) START REGISTER SERVICE # ============================================================== echo "Starting Register service with signed certificate." gunicorn --certfile=/usr/src/app/register_service/certs/register_cert.crt \ --keyfile=/usr/src/app/register_service/certs/register_key.key \ Loading Loading
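Review bot: CCF_ID is fetched over plain HTTP from the helper and then spliced, unquoted, into the Vault KV paths in step 6 after only an empty/"null" check, so a value containing `/`, `..` or whitespace would write the Register private key and certificate under a different path than intended. Assuming the ID is meant to be a simple token, constrain it before use, e.g. `[[ "$CCF_ID" =~ ^[A-Za-z0-9_-]+$ ]] || { echo "ERROR: unexpected CCF ID format: $CCF_ID" >&2; exit 1; }`, and quote the expansions, e.g. `vault kv put "secret/capif/${CCF_ID}/register/private" key=@register_key.key`. The `EMAIL` variable is now unused since `emailAddress` was dropped from the CSR subject and can be removed. The hunks are collapsed, so the lines between them are outside this view.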
services/register/register_prepare.sh +88 −26
@@ -6,24 +6,61 @@ cd $CERTS_FOLDER VAULT_ADDR="http://$VAULT_HOSTNAME:$VAULT_PORT" VAULT_TOKEN=$VAULT_ACCESS_TOKEN COUNTRY="ES" # 2 letter country-code STATE="Madrid" # state or province name LOCALITY="Madrid" # Locality Name (e.g. city) ORGNAME="Telefonica I+D" # Organization Name (eg, company) ORGUNIT="Innovation" # Organizational Unit Name (eg. section) # NEW: Get CAPIF instance ID from helper HELPER_URL="http://$HELPER_HOST:8080/api/getCcfId" echo "Retrieving CCF ID from Helper..." CCF_ID=$(curl -s --connect-timeout 5 "$HELPER_URL" | jq -r '.ccf_id') if [ -z "$CCF_ID" ] || [ "$CCF_ID" = "null" ]; then echo "ERROR: Could not retrieve CCF ID from Helper." exit 1 fi echo "CCF ID for this CAPIF instance: $CCF_ID" COUNTRY="ES" STATE="Madrid" LOCALITY="Madrid" ORGNAME="Telefonica I+D" ORGUNIT="Innovation" COMMONNAME=${REGISTER_HOSTNAME:-register} EMAIL="inno@tid.es" # certificate's email address TTL="4300h" # ============================================================== # 1) GENERATE PRIVATE KEY IF NOT EXISTS # ============================================================== if [ ! -f register_key.key ]; then echo "Generating private key for Register." openssl genrsa -out register_key.key 2048 else echo "Private key already exists → skipping generation." fi # ============================================================== # 2) GENERATE CSR ONLY IF CERT DOES NOT EXIST # ============================================================== if [ ! -f register_cert.crt ]; then echo "Creating CSR for CN=${COMMONNAME}." openssl req -new -key register_key.key \ -subj "/C=${COUNTRY}/ST=${STATE}/L=${LOCALITY}/O=${ORGNAME}/OU=${ORGUNIT}/CN=${COMMONNAME}/emailAddress=${EMAIL}" \ -subj "/C=${COUNTRY}/ST=${STATE}/L=${LOCALITY}/O=${ORGNAME}/OU=${ORGUNIT}/CN=${COMMONNAME}" \ -addext "subjectAltName=DNS:${COMMONNAME}" \ -out register.csr echo "CSR created." else echo "register_cert.crt already exists → skipping CSR generation." 
fi # ============================================================== # 3) DOWNLOAD CA FROM VAULT # ============================================================== echo "Downloading CA chain from Vault." curl -s -H "X-Vault-Token: ${VAULT_TOKEN}" \ "${VAULT_ADDR}/v1/secret/data/ca" | jq -r '.data.data.ca' > ca_root.crt Loading @@ -34,8 +71,12 @@ fi echo "CA chain retrieved successfully." # ============================================================== # 4) REQUEST SIGNATURE ONLY IF CERT DOES NOT EXIST # ============================================================== if [ ! -f register_cert.crt ]; then echo "Requesting certificate signature from Vault..." CSR_CONTENT=$(awk '{printf "%s\\n", $0}' register.csr) CSR_CONTENT=$(sed ':a;N;$!ba;s/\n/\\n/g' register.csr) curl -s -X POST \ -H "X-Vault-Token: ${VAULT_TOKEN}" \ Loading 
@@ -49,12 +90,33 @@ if [ ! -s register_cert.crt ]; then fi echo "Certificate signed successfully by Vault intermediate CA." else echo "register_cert.crt already exists → skipping signing step." fi # ============================================================== # 5) VERIFY CERTIFICATE CHAIN # ============================================================== echo "Verifying certificate chain." openssl verify -CAfile ca_root.crt register_cert.crt || { echo "WARNING: certificate verification failed" } # ============================================================== # 6) NEW → STORE REGISTER CERTIFICATES IN VAULT # ============================================================== echo "Storing Register certificates under secret/capif/${CCF_ID}/register" vault kv put secret/capif/$CCF_ID/register/server crt=@register_cert.crt vault kv put secret/capif/$CCF_ID/register/private key=@register_key.key vault kv put secret/capif/$CCF_ID/register/ca ca=@ca_root.crt echo "Certificates stored successfully." # ============================================================== # 7) START REGISTER SERVICE # ============================================================== echo "Starting Register service with signed certificate." gunicorn --certfile=/usr/src/app/register_service/certs/register_cert.crt \ --keyfile=/usr/src/app/register_service/certs/register_key.key \ Loading
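Review bot: The three `vault kv put` calls in step 6 have their exit status ignored and "Certificates stored successfully." is printed unconditionally, so a failed write (wrong path, missing policy, unreachable Vault) goes unnoticed while gunicorn starts anyway. Add `|| { echo "ERROR: failed to store Register material in Vault" >&2; exit 1; }` to each of the three calls, or enable `set -e` at the top of the script if it is not already set there (the top is outside this view). Note also that the curl calls pass the token as a header, whereas the `vault` CLI reads `VAULT_ADDR`/`VAULT_TOKEN` from the environment, and the assignments at the top of the first hunk are not `export`ed, so unless the container exports them elsewhere the CLI will target its default address without a token. Storing `register_key.key` in KV under `secret/capif/<id>/register/private` means anyone with read access to that path can impersonate Register; if sharing the private key is required, confirm the policy scoping that path, otherwise store only the certificate and CA.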