# gencert

This script generates x509 server certificate (with all IPs in SAN) signed by a
self-signed CA.

## Purpose
  - This script will always produce a self-signed x509 certificate in the
    current path with the IP addresses embedded to x509's SAN.
    It will also produce a CA certificate and can be used by other services
    which may need to authenticate against this self-signed certificate.
    The authentication works in a way that a public CA certificate will be
    used by the client in order to validate the server's certificate.

## Application
### Backend requiring x509 running behind reverse proxy
  - This script has been created in order to ease the Minio's SSE-C
    (Server Side Encryption - Customer provided keys) enablement when
    Minio server is running as a backend behind a reverse proxy like Traefik.
    Minio server enables SSE-C only when it detects the x509 certificates.
    Traefik running with docker service provider talks to the backend using
    the IP. The IP usually is not static, hence this script comes handy.

## Example usage
### Minio server with Traefik example

  1. Replace ``minio server`` command with the following one:
     - ``cd /root/.minio/certs && ./gencert.sh --cn minio.example.com && minio server /data``
  > This way Minio server will get the certificate it needs, hence SSE-C
  > will be enabled.
  2. Copy the CA certificate ``ca.crt`` file to ``/usr/local/share/ca-certificates/`` and
     run ``update-ca-certificates`` command which will update
     ``/etc/ssl/certs/ca-certificates.crt`` file.
  3. Restart Traefik.

> Steps 2. and 3. will need to be repeated each time you get a new CA
> certificate. Then they can be automated this way:
> Start Traefik with this command: ``sh -c "update-ca-certificates && traefik"``
> while ``/usr/local/share/ca-certificates`` path is a host mounted
> path with the CA certificate produced by this script.

> I am using Alpine Traefik image, the correct ca certificates path is
> ``/usr/local/share/ca-certificates/``, otherwise one of these
> https://golang.org/src/crypto/x509/root_linux.go

## Script logic
  - generate CA certificate if does not find any
  - always generate server certificate on startup to ensure all IP addresses
    are in x509 SAN
  - warn if the CA certificate is about to expire (<30 days till expiration)
  - regenerate the CA certificate if it finds it has expired

## Notes
  - The CA certificate will be valid for 3650 days (10 years)
  - The server certifcate will be valid for 365 days (1 year)
  - The x509 certs are ECDSA with prime256v1 curve and SHA256 signatures

## Testing

I have added a simplistic script [testme.sh](testme.sh) that helps to test this
script in the following  Linux distributions:

- Alpine 3.7
- Ubuntu Bionic
- Debian Stretch
- CentOS 7