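#!/usr/bin/env bash
# Generate a throwaway development CA plus a collector (server + client auth)
# and a client certificate for the OpenTelemetry TLS setup, written to
# deploy/telemetry/certs relative to the repository layout this script sits in.
#
# Usage: run with no arguments.
# Env:   OTEL_CERT_DAYS  validity of every certificate in days (default 365)
#        OTEL_KEY_BITS   RSA modulus size for every key        (default 4096)
#
# The CA key is reused when it already exists; the CA certificate and both
# leaf certificates are re-issued on every run. Private keys end up 0600,
# certificates 0644. Intermediates (CSRs, extension files, serial file) live
# in a temp dir that is removed on any exit, and an openssl failure aborts
# the script with openssl's own diagnostics instead of being silenced.
set -euo pipefail

SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
readonly SCRIPT_DIR
readonly CERT_DIR="${SCRIPT_DIR}/../../deploy/telemetry/certs"
readonly CERT_DAYS="${OTEL_CERT_DAYS:-365}"
readonly KEY_BITS="${OTEL_KEY_BITS:-4096}"

readonly CA_KEY="${CERT_DIR}/ca.key"
readonly CA_CRT="${CERT_DIR}/ca.crt"
readonly COL_KEY="${CERT_DIR}/collector.key"
readonly COL_CRT="${CERT_DIR}/collector.crt"
readonly CLIENT_KEY="${CERT_DIR}/client.key"
readonly CLIENT_CRT="${CERT_DIR}/client.crt"

# Scratch space for CSRs, extension files and the CA serial file, so a failed
# run leaves no half-written intermediates next to the real key material.
WORK_DIR="$(mktemp -d)"
readonly WORK_DIR
cleanup() { rm -rf -- "${WORK_DIR:?}"; }
trap cleanup EXIT

#######################################
# Print an error to stderr and exit.
# Arguments: message words
#######################################
die() {
  printf '[!] %s\n' "$*" >&2
  exit 1
}

#######################################
# Run openssl with stdout discarded; on failure print its captured stderr
# and abort. Keeps the happy path quiet without hiding real errors.
# Arguments: openssl subcommand followed by its options
#######################################
run_openssl() {
  local err
  # `2>&1 >/dev/null`: stderr into the capture, stdout to /dev/null.
  if ! err=$(openssl "$@" 2>&1 >/dev/null); then
    printf '[!] openssl %s failed:\n%s\n' "$1" "${err}" >&2
    exit 1
  fi
}

#######################################
# Issue a leaf certificate signed by the dev CA.
# Arguments:
#   $1 - common name; also used as DNS.1 in the SAN
#   $2 - output private key path
#   $3 - output certificate path
#   $4 - extendedKeyUsage value, e.g. "serverAuth, clientAuth"
# Globals: CA_KEY, CA_CRT, WORK_DIR, KEY_BITS, CERT_DAYS (read)
#######################################
issue_leaf() {
  local cn=$1 key=$2 crt=$3 eku=$4
  local csr="${WORK_DIR}/${cn}.csr"
  local ext="${WORK_DIR}/${cn}.ext"

  # Leaf profile: explicitly not a CA, TLS key usages, SKI/AKI so chain
  # building does not rely on subject-name matching alone.
  cat >"${ext}" <<EOF
[v3_req]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = ${eku}
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName = @alt_names
[alt_names]
DNS.1 = ${cn}
DNS.2 = localhost
IP.1 = 127.0.0.1
EOF

  run_openssl req -new -nodes -newkey "rsa:${KEY_BITS}" \
    -keyout "${key}" -out "${csr}" -subj "/CN=${cn}"
  # Serial file kept in WORK_DIR so nothing but keys/certs lands in CERT_DIR.
  run_openssl x509 -req -in "${csr}" -CA "${CA_CRT}" -CAkey "${CA_KEY}" \
    -CAserial "${WORK_DIR}/ca.srl" -CAcreateserial \
    -out "${crt}" -days "${CERT_DAYS}" -sha256 \
    -extensions v3_req -extfile "${ext}"
}

main() {
  command -v openssl >/dev/null || die "openssl not found in PATH"
  mkdir -p "${CERT_DIR}"
  # Everything written from here on is owner-only at creation time; the
  # certificates are relaxed to 0644 once all of them exist.
  umask 077

  printf '%s\n' "[*] Generating OpenTelemetry dev CA and certificates in ${CERT_DIR}"

  # Root CA: an existing key is kept so material already distributed keeps
  # chaining; the self-signed certificate is re-issued each run.
  if [[ ! -f "${CA_KEY}" ]]; then
    run_openssl genrsa -out "${CA_KEY}" "${KEY_BITS}"
  fi
  # CA profile carries basicConstraints/keyUsage explicitly rather than
  # relying on the openssl version's defaults for `req -x509`.
  cat >"${WORK_DIR}/ca.cnf" <<'EOF'
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_ca
prompt = no
[req_distinguished_name]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  run_openssl req -x509 -new -key "${CA_KEY}" -days "${CERT_DAYS}" -sha256 \
    -out "${CA_CRT}" -subj "/CN=StellaOps Dev Telemetry CA" \
    -config "${WORK_DIR}/ca.cnf"

  # Collector certificate (server + client auth), then client certificate.
  issue_leaf stellaops-otel-collector "${COL_KEY}" "${COL_CRT}" "serverAuth, clientAuth"
  issue_leaf stellaops-otel-client "${CLIENT_KEY}" "${CLIENT_CRT}" "clientAuth"

  # Also repairs a CA key left world-readable by an earlier run.
  chmod 600 "${CA_KEY}" "${COL_KEY}" "${CLIENT_KEY}"
  chmod 644 "${CA_CRT}" "${COL_CRT}" "${CLIENT_CRT}"

  printf '%s\n' "[✓] Certificates ready:"
  ls -1 "${CERT_DIR}"
}

main "$@"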