@@ -28,6 +28,7 @@ rlJournalStart
2828 # registrar = webserver cert used for the registrar server
2929 # tenant = webclient cert used (twice) by the tenant, running on AGENT server
3030 # webhook = webserver cert used for the revocation notification webhook
31+ # agent = webserver cert used for mTLS connection
3132 # btw, we could live with just one key instead of generating multiple keys.. but that's just how openssl/certgen works
3233 rlRun " x509KeyGen -t ${CRYPTO_ALG} ca" 0 " Generating Root CA ${CRYPTO_ALG} key pair"
3334 rlRun " x509KeyGen -t ${CRYPTO_ALG} intermediate-ca" 0 " Generating Intermediate CA ${CRYPTO_ALG} key pair"
@@ -36,15 +37,15 @@ rlJournalStart
3637 rlRun " x509KeyGen -t ${CRYPTO_ALG} registrar" 0 " Generating registrar ${CRYPTO_ALG} key pair"
3738 rlRun " x509KeyGen -t ${CRYPTO_ALG} tenant" 0 " Generating tenant ${CRYPTO_ALG} key pair"
3839 rlRun " x509KeyGen -t ${CRYPTO_ALG} webhook" 0 " Generating webhook ${CRYPTO_ALG} key pair"
39- # rlRun "x509KeyGen agent" 0 "Preparing RSA tenant certificate "
40+ rlRun " x509KeyGen -t ${CRYPTO_ALG} agent" 0 " Generating agent ${CRYPTO_ALG} key pair "
4041 rlRun " x509SelfSign ca" 0 " Selfsigning Root CA certificate"
4142 rlRun " x509CertSign --CA ca --DN 'CN = ${HOSTNAME} ' -t CA --subjectAltName 'IP = ${MY_IP} ' intermediate-ca" 0 " Signing intermediate CA certificate with our Root CA key"
4243 rlRun " x509CertSign --CA intermediate-ca --DN 'CN = ${HOSTNAME} ' -t webserver --subjectAltName 'IP = ${MY_IP} ' verifier" 0 " Signing verifier certificate with intermediate CA key"
4344 rlRun " x509CertSign --CA intermediate-ca --DN 'CN = ${HOSTNAME} ' -t webclient --subjectAltName 'IP = ${MY_IP} ' verifier-client" 0 " Signing verifier-client certificate with intermediate CA key"
4445 rlRun " x509CertSign --CA intermediate-ca --DN 'CN = ${HOSTNAME} ' -t webserver --subjectAltName 'IP = ${MY_IP} ' registrar" 0 " Signing registrar certificate with intermediate CA key"
4546 rlRun " x509CertSign --CA intermediate-ca --DN 'CN = ${HOSTNAME} ' -t webclient --subjectAltName 'IP = ${MY_IP} ' tenant" 0 " Signing tenant certificate with intermediate CA key"
4647 rlRun " x509CertSign --CA intermediate-ca --DN 'CN = ${HOSTNAME} ' -t webserver --subjectAltName 'IP = ${MY_IP} ' webhook" 0 " Signing webhook certificate with intermediate CA key"
47- # rlRun "x509SelfSign --DN 'CN = ${HOSTNAME}' -t webserver agent" 0 "Self-signing agent certificate"
48+ rlRun " x509CertSign --CA intermediate-ca -- DN 'CN = ${HOSTNAME} ' -t webserver --subjectAltName 'IP = ${MY_IP} ' agent" 0 " Signing agent certificate with intermediate CA key "
4849
4950 # copy verifier certificates to proper location
5051 CERTDIR=/var/lib/keylime/certs
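Review bot: The new agent signing line (new-side line 48) reads `-- DN 'CN = ${HOSTNAME}'` while every other x509CertSign call in this hunk passes `--DN`; if that space is present in the source rather than being a rendering artifact, the option is unlikely to be parsed as `--DN` and the agent certificate's subject would not be what the test expects, so the line should match its neighbours: `rlRun "x509CertSign --CA intermediate-ca --DN 'CN = ${HOSTNAME}' -t webserver --subjectAltName 'IP = ${MY_IP}' agent" 0 "Signing agent certificate with intermediate CA key"`. The same line and the new `x509KeyGen ... agent` line (new-side line 40) also appear to carry a trailing space inside the rlRun description string (`... key pair "`, `... CA key "`) that the surrounding lines do not have; dropping it keeps the journal messages consistent. The enclosing rlJournalStart block begins and ends outside this hunk.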
@@ -61,8 +62,8 @@ rlJournalStart
6162 rlRun " cp $( x509Key tenant) $CERTDIR /tenant-key.pem"
6263 rlRun " cp $( x509Cert webhook) $CERTDIR /webhook-cert.pem"
6364 rlRun " cp $( x509Key webhook) $CERTDIR /webhook-key.pem"
64- # rlRun "cp $(x509Cert agent) $CERTDIR/agent-cert.pem"
65- # rlRun "cp $(x509Key agent) $CERTDIR/agent-key.pem"
65+ rlRun " cp $( x509Cert agent) $CERTDIR /agent-cert.pem"
66+ rlRun " cp $( x509Key agent) $CERTDIR /agent-key.pem"
6667 # assign cert ownership to keylime user if it exists
6768 id keylime && rlRun " chown -R keylime:keylime $CERTDIR "
6869
@@ -94,8 +95,8 @@ rlJournalStart
9495 rlRun " limeUpdateConf registrar server_key registrar-key.pem"
9596 # agent
9697 rlRun " limeUpdateConf agent trusted_client_ca '\" ['${CERTDIR} /intermediate-cacert.pem', '${CERTDIR} /cacert.pem']\" '"
97- rlRun " limeUpdateConf agent server_key '\" agent-key.pem\" '"
98- rlRun " limeUpdateConf agent server_cert '\" agent-cert.pem\" '"
98+ rlRun " limeUpdateConf agent server_key '\" ${CERTDIR} / agent-key.pem\" '"
99+ rlRun " limeUpdateConf agent server_cert '\" ${CERTDIR} / agent-cert.pem\" '"
99100 if [ -n " $KEYLIME_TEST_DISABLE_REVOCATION " ]; then
100101 rlRun " limeUpdateConf revocations enabled_revocation_notifications '[]'"
101102 rlRun " limeUpdateConf agent enable_revocation_notifications false"