<#
.SYNOPSIS
    Creates a throwaway test root CA plus a worker certificate on a remote Docker
    host over SSH, then copies only the CA certificate back to the local machine.

.DESCRIPTION
    All OpenSSL work (key generation, self-signed CA, worker CSR and signing) runs
    on the remote host: the bash script below is piped to `bash -s` over ssh stdin,
    so none of it appears on a remote command line. Private keys stay on the remote
    host under $RemoteOutputDir (directory mode 0700, keys chmod 600); the local
    side fetches ca.crt only, via scp.

    Every string parameter that reaches the remote script passes through
    Quote-Bash (single-quote escaping for bash). That function is the injection
    boundary of this script. $Days is typed [int] and is interpolated unquoted.

    NOTE(review): the heredoc that writes worker-openssl.cnf appears to have been
    lost from this listing (see the comment inside the remote script); the file as
    shown here is not runnable until that section is restored from the original.

.PARAMETER DockerSshAlias
    ssh destination (host name or ~/.ssh/config alias) used for both the ssh and
    the scp call.
.PARAMETER RemoteOutputDir
    Remote working directory. It is created with mode 0700 and any previous
    ca.*/worker.*/*.cnf files inside it are deleted before new material is generated.
.PARAMETER LocalCaOutputPath
    Local destination for the fetched CA certificate. A relative path is resolved
    against the current directory; the parent directory is created if missing.
.PARAMETER WorkerHost
    Exported to the remote script as WORKER_HOST. Not referenced by any remote
    command visible in this listing; presumably used by the missing worker CSR
    config (SAN/subject) -- confirm against the original source.
.PARAMETER WorkerDnsName
    Exported as WORKER_DNS_NAME. Same caveat as WorkerHost; empty by default.
.PARAMETER ClusterId
    Exported as CLUSTER_ID. Same caveat as WorkerHost.
.PARAMETER WorkerId
    Exported as WORKER_ID. Same caveat as WorkerHost.
.PARAMETER Days
    Validity period, in days, applied to both the CA certificate and the worker
    certificate (`-days "$DAYS"` on both openssl invocations).
#>
param(
    [string]$DockerSshAlias = "docker-test",
    [string]$RemoteOutputDir = "/tmp/rap-p3-5-platform-ca",
    [string]$LocalCaOutputPath = "artifacts/p3-5-platform-ca.crt",
    [string]$WorkerHost = "192.168.200.61",
    [string]$WorkerDnsName = "",
    [string]$ClusterId = "default",
    [string]$WorkerId = "rdp-worker-1",
    [int]$Days = 30
)
Set-StrictMode -Version Latest
$ErrorActionPreference = "Stop"

# Wraps a value in single quotes for bash, turning each embedded ' into '\''
# (close quote, literal escaped quote, reopen quote) so bash always reads the
# result as exactly one literal word. Every string parameter interpolated into
# $remoteScript below goes through this function.
function Quote-Bash {
    param([string]$Value)
    return "'" + $Value.Replace("'", "'\''") + "'"
}
$remoteDir = Quote-Bash $RemoteOutputDir
$workerHost = Quote-Bash $WorkerHost
$workerDnsName = Quote-Bash $WorkerDnsName
$clusterId = Quote-Bash $ClusterId
$workerId = Quote-Bash $WorkerId
$remoteScript = @"
# Executed on the remote host via 'bash -s'. The values below were single-quote
# escaped by Quote-Bash on the PowerShell side; DAYS is an [int] and arrives bare.
set -euo pipefail
REMOTE_DIR=$remoteDir
WORKER_HOST=$workerHost
WORKER_DNS_NAME=$workerDnsName
CLUSTER_ID=$clusterId
WORKER_ID=$workerId
DAYS=$Days
# Key material lives in an owner-only directory. NOTE(review): the path is fixed and
# predictable under /tmp; if it already exists and is not ours, chmod should fail and
# set -e aborts the run instead of writing keys into someone else's directory.
mkdir -p "`$REMOTE_DIR"
chmod 700 "`$REMOTE_DIR"
# Start clean so stale certs, keys, serial file or configs are never mixed with new ones.
rm -f "`$REMOTE_DIR"/ca.crt "`$REMOTE_DIR"/ca.key "`$REMOTE_DIR"/ca.srl \
  "`$REMOTE_DIR"/worker.crt "`$REMOTE_DIR"/worker.key "`$REMOTE_DIR"/worker.csr \
  "`$REMOTE_DIR"/ca-openssl.cnf "`$REMOTE_DIR"/worker-openssl.cnf
# Root CA request config: self-signed, CA:true with pathlen:1, key usage limited to
# signing certificates and CRLs. Quoted heredoc delimiter, so nothing expands here.
cat >"`$REMOTE_DIR/ca-openssl.cnf" <<'EOF_CA'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = RAP Test Platform Root CA
[v3_ca]
basicConstraints = critical,CA:true,pathlen:1
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
EOF_CA
# NOTE(review): the worker-openssl.cnf heredoc appears to have been lost from this
# listing -- what remains is the opening redirect, a stray '<>', a closing redirect and
# an orphan 'fi'. The signing step below uses '-extensions v3_req', so the original
# presumably wrote a [req]/[v3_req] config (likely from WORKER_ID / WORKER_HOST, which
# are otherwise unused) and appended a DNS SAN when WORKER_DNS_NAME is non-empty.
# Restore this section from the original source before running; as shown it will not
# parse.
cat >"`$REMOTE_DIR/worker-openssl.cnf" <>"`$REMOTE_DIR/worker-openssl.cnf"
fi
# 3072-bit RSA keys; -nodes leaves the CA key unencrypted on disk (test-only CA).
# NOTE(review): every openssl call below discards both stdout and stderr, so when one
# fails the script aborts under set -e with no diagnostic at all; keeping stderr
# (dropping '2>&1') would make failures debuggable without changing success output.
openssl genrsa -out "`$REMOTE_DIR/ca.key" 3072 >/dev/null 2>&1
openssl req -x509 -new -nodes -key "`$REMOTE_DIR/ca.key" -sha256 -days "`$DAYS" \
  -out "`$REMOTE_DIR/ca.crt" -config "`$REMOTE_DIR/ca-openssl.cnf" >/dev/null 2>&1
openssl genrsa -out "`$REMOTE_DIR/worker.key" 3072 >/dev/null 2>&1
openssl req -new -key "`$REMOTE_DIR/worker.key" -out "`$REMOTE_DIR/worker.csr" \
  -config "`$REMOTE_DIR/worker-openssl.cnf" >/dev/null 2>&1
# Sign the worker CSR with the CA. -CAcreateserial writes ca.srl (removed above); the
# leaf extensions come from the [v3_req] section of the worker config -- without that
# section the signed cert would carry no SAN.
openssl x509 -req -in "`$REMOTE_DIR/worker.csr" -CA "`$REMOTE_DIR/ca.crt" -CAkey "`$REMOTE_DIR/ca.key" \
  -CAcreateserial -out "`$REMOTE_DIR/worker.crt" -days "`$DAYS" -sha256 \
  -extensions v3_req -extfile "`$REMOTE_DIR/worker-openssl.cnf" >/dev/null 2>&1
# Best-effort: stage a dp-public.pem from one of two known locations next to the TLS
# material. Silently skipped when neither exists (deliberate, not an error).
if [ -f /tmp/rap-dp1d1/dp-public.pem ]; then
  cp /tmp/rap-dp1d1/dp-public.pem "`$REMOTE_DIR/dp-public.pem"
elif [ -f /tmp/rap-dp1c/dp-public.pem ]; then
  cp /tmp/rap-dp1c/dp-public.pem "`$REMOTE_DIR/dp-public.pem"
fi
# Private keys owner-only, certificates world-readable.
chmod 600 "`$REMOTE_DIR"/ca.key "`$REMOTE_DIR"/worker.key
chmod 644 "`$REMOTE_DIR"/ca.crt "`$REMOTE_DIR"/worker.crt
# key=value summary on stdout, followed by the worker cert's subject and SAN for
# eyeballing what was actually issued.
echo "remote_dir=`$REMOTE_DIR"
echo "ca_cert=`$REMOTE_DIR/ca.crt"
echo "worker_cert=`$REMOTE_DIR/worker.crt"
echo "worker_key=`$REMOTE_DIR/worker.key"
openssl x509 -in "`$REMOTE_DIR/worker.crt" -noout -subject -ext subjectAltName
"@
# Feed the script over stdin; nothing from it lands on the remote argv.
# NOTE(review): $DockerSshAlias is passed straight to ssh/scp; a value beginning with
# '-' would be parsed as an option rather than a destination.
$remoteScript | & ssh $DockerSshAlias "bash -s"
# Native command failures do not raise under $ErrorActionPreference = "Stop" (by default),
# so the exit code is checked explicitly.
if ($LASTEXITCODE -ne 0) {
    throw "Failed to prepare platform CA and worker certificate on SSH alias '$DockerSshAlias'."
}
# Resolve the local output path without requiring it to exist yet: rooted paths are
# used as-is, relative ones are anchored at the current directory.
$localCaPsPath = if ([System.IO.Path]::IsPathRooted($LocalCaOutputPath)) {
    $LocalCaOutputPath
} else {
    Join-Path (Resolve-Path -LiteralPath ".").Path $LocalCaOutputPath
}
$resolvedLocalCaPath = $ExecutionContext.SessionState.Path.GetUnresolvedProviderPathFromPSPath($localCaPsPath)
$localCaDirectory = Split-Path -Parent $resolvedLocalCaPath
if (-not [string]::IsNullOrWhiteSpace($localCaDirectory)) {
    New-Item -ItemType Directory -Force -Path $localCaDirectory | Out-Null
}
# Only the CA certificate is copied back; worker.key / worker.crt stay on the remote host.
# The backtick keeps ':' from being read as part of the variable name.
# NOTE(review): the remote path is embedded unquoted, so a $RemoteOutputDir containing
# spaces or shell metacharacters would be split by the remote shell in legacy scp mode.
$remoteCaSource = "$DockerSshAlias`:$RemoteOutputDir/ca.crt"
& scp $remoteCaSource $resolvedLocalCaPath
if ($LASTEXITCODE -ne 0) {
    throw "Failed to copy platform CA certificate from '$remoteCaSource'."
}
Write-Host "Local platform CA bundle: $resolvedLocalCaPath"
Write-Host "Remote worker TLS directory: $RemoteOutputDir"