-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathgen-ca-selfsign-import.sh
executable file
·135 lines (109 loc) · 4.07 KB
/
gen-ca-selfsign-import.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
#!/usr/bin/env bash
#
# This script generates a CA cert/key and selfsigned cert/key for a Hostname
# Execute this command locally
#
# ./gen-ca-selfsign-import.sh
#
# Example:
# HOSTNAME=127.0.0.1 STORE_PASSWORD=password ./scripts/gen-ca-selfsign-import.sh
#
# Define the following env vars:
# - HOSTNAME: Host name or IP address of the HTTPS server (E.G. 127.0.0.1, ...)
# - STORE_PASSWORD: password to be used for the keys store. (E.g: password)
#
HOSTNAME=${HOSTNAME:=127.0.0.1}
FQ_HOSTNAME=${HOSTNAME}.nip.io
STORE_PASSWORD=${STORE_PASSWORD:=password}
TEMP_DIR="_temp"
# Defining some colors for output
RED='\033[0;31m'
NC='\033[0m' # No Color
YELLOW='\033[0;33m'
GREEN='\033[0;32m'
BLUE='\033[0;34m'
MAGENTA='\033[0;35m'
CYAN='\033[0;36m'
WHITE='\033[0;37m'
repeat_char(){
COLOR=${1}
for i in {1..50}; do echo -ne "${!COLOR}$2${NC}"; done
}
log_msg() {
COLOR=${1}
MSG="${@:2}"
echo -e "\n${!COLOR}## ${MSG}${NC}"
}
log_line() {
COLOR=${1}
MSG="${@:2}"
echo -e "${!COLOR}## ${MSG}${NC}"
}
log() {
MSG="${@:2}"
echo; repeat_char ${1} '#'; log_msg ${1} ${MSG}; repeat_char ${1} '#'; echo
}
log_line "CYAN" "The fully qualified name of the server is: ${FQ_HOSTNAME}"
rm -rf ${TEMP_DIR} && mkdir -p ${TEMP_DIR}/{root,server,java}
log_line "CYAN" "Generate the CA certificate (ca.pem) and its private key file (ca.key)"
openssl genrsa -out ${TEMP_DIR}/root/ca.key 2048
openssl req -x509 -new \
-nodes \
-sha256 \
-days 3650 \
-subj '/CN=CA Authory/O=Red Hat/L=Florennes/C=BE' \
-key ${TEMP_DIR}/root/ca.key \
-out ${TEMP_DIR}/root/ca.pem
log_line "CYAN" "Generate the server or tls key (tls.key) & certificate signing request (tls.csr)"
#Create OpenSSL config
cat <<EOF > ${TEMP_DIR}/root/ca.cnf
[req]
default_bits = 4096
prompt = no
default_md = sha256
distinguished_name = dn
[dn]
C = BE
ST = Namur
L = Florennes
O = Red Hat
OU = Snowdrop
CN = "$FQ_HOSTNAME"
EOF
cat <<EOF > ${TEMP_DIR}/root/v3.ext
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, cRLSign, digitalSignature, keyCertSign
subjectAltName = @alt_names
[alt_names]
DNS.1 = "$FQ_HOSTNAME"
[alt_names]
DNS.1 = ${FQ_HOSTNAME}
EOF
openssl req -new -sha256 -nodes \
-out ${TEMP_DIR}/server/tls.csr \
-newkey rsa:4096 \
-keyout ${TEMP_DIR}/server/tls.key -config <( cat ${TEMP_DIR}/root/ca.cnf )
log_line "CYAN" "Sign the Server or TLS CSR with CA and generates the certificate file (tls.crt)"
openssl x509 -req \
-in ${TEMP_DIR}/server/tls.csr \
-CA ${TEMP_DIR}/root/ca.pem \
-CAkey ${TEMP_DIR}/root/ca.key -CAcreateserial \
-out ${TEMP_DIR}/server/tls.crt -days 3650 -sha256 \
-extfile ${TEMP_DIR}/root/v3.ext
log_line "CYAN" "Combine the server or TLS key and certificate in a PKCS#12 (P12) bundle"
openssl pkcs12 -inkey ${TEMP_DIR}/server/tls.key -in ${TEMP_DIR}/server/tls.crt -CAfile ${TEMP_DIR}/root/ca.pem -chain -passin pass:${STORE_PASSWORD} -passout pass:${STORE_PASSWORD} -export -out ${TEMP_DIR}/server/tls.p12
log_line "CYAN" "Generate the jks file from the p12 file"
keytool -importkeystore -srckeystore ${TEMP_DIR}/server/tls.p12 -srcstoretype pkcs12 -srcstorepass ${STORE_PASSWORD} -deststorepass ${STORE_PASSWORD} -destkeystore ${TEMP_DIR}/java/tls.jks
log_line "CYAN" "Check the content of the jks store"
keytool -list -keystore ${TEMP_DIR}/java/tls.jks -storepass ${STORE_PASSWORD}
log_line "CYAN" "Exporting the public key"
openssl x509 -pubkey -in ${TEMP_DIR}/server/tls.crt -noout > ${TEMP_DIR}/server/tls_pub.key
log_line "CYAN" "Show p12 content"
openssl pkcs12 -info -in _temp/server/tls.p12 -passin pass:${STORE_PASSWORD} -passout pass:${STORE_PASSWORD}
# TODO: To be checked if we need them
#openssl x509 -outform der -in cert/tls.pem -out cert/tls.cer
#openssl x509 -outform der -in ca/ca.pem -out ca/ca.cer
#keytool -noprompt -import -alias tls -storetype PKCS12 -file cert/tls.cer -keystore cert/cacerts -trustcacerts -storepass changeit
#keytool -noprompt -import -alias ca -storetype PKCS12 -file ca/ca.cer -keystore cert/cacerts -trustcacerts -storepass changeit