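#!/bin/bash
# Automates much of the process of generating
# the Certificate Authority, Client and Server Keypairs
#
# Inputs (resolved against the current working directory, as before):
#   ca-csr.json, ca-config.json, server-csr.json, client-csr.json
# Environment (all optional; defaults are the values the script used to hardcode):
#   NAME       - prefix for the server/client artefacts      (default: prototype)
#   ORG        - prefix for the CA artefacts                 (default: myorg)
#   PW         - password for every PKCS12/JKS store         (default: changeit)
#   CACERTS_PW - password of the JDK cacerts store           (default: changeit, the JDK default)
#   JAVA_HOME  - JDK whose cacerts are merged into the client truststore (required)
# Outputs:
#   ${ORG}-ca*.pem, ${NAME}-{server,client}*.pem and, per side,
#   *-keystore.{p12,jks} and *-truststore.{jks,p12}
#
# Every step is fatal on failure (set -e / pipefail) so a failed cfssl or
# keytool call cannot leave a half-built store that a later step silently
# builds on.
set -euo pipefail

DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
export NAME="${NAME:-prototype}"
export ORG="${ORG:-myorg}"
export PW="${PW:-changeit}"
export CACERTS_PW="${CACERTS_PW:-changeit}"
# If you have pwgen installed, do this
#export PW=$(pwgen -Bs 10 1)
#echo "${PW}" > "${DIR}/password"
# and then in other scripts you can do
# export PW=$(cat password)

# Fail early with a clear message instead of half-way through the pipeline.
for tool in cfssl cfssljson openssl keytool; do
  command -v "$tool" >/dev/null 2>&1 || { printf 'missing required tool: %s\n' "$tool" >&2; exit 1; }
done
for input in ca-csr.json ca-config.json server-csr.json client-csr.json; do
  [[ -f "$input" ]] || { printf 'missing input file: %s (run from the directory that holds it)\n' "$input" >&2; exit 1; }
done

# JAVA_HOME is dereferenced for the cacerts merge below; an unset value would
# otherwise become the path "/jre/lib/security/cacerts".
: "${JAVA_HOME:?JAVA_HOME must point at a JDK; its cacerts are merged into the client truststore}"
# JDK 8 keeps cacerts under jre/lib/security (the path this script always
# used); JDK 9+ moved it to lib/security. Try the original location first.
cacerts="${JAVA_HOME}/jre/lib/security/cacerts"
[[ -f "$cacerts" ]] || cacerts="${JAVA_HOME}/lib/security/cacerts"
[[ -f "$cacerts" ]] || { printf 'cannot find cacerts under %s\n' "$JAVA_HOME" >&2; exit 1; }

# Enable tracing only now: the password assignment above must not be echoed
# into the xtrace output. Every command below passes the password by
# environment-variable name (env:PW / :env PW), never as an argv value.
set -x

cfssl gencert -initca ca-csr.json | cfssljson -bare "${ORG}-ca"
cfssl gencert \
  -ca="${ORG}-ca.pem" \
  -ca-key="${ORG}-ca-key.pem" \
  -config=ca-config.json \
  -profile=server \
  server-csr.json | cfssljson -bare "${NAME}-server"
cfssl gencert \
  -ca="${ORG}-ca.pem" \
  -ca-key="${ORG}-ca-key.pem" \
  -config=ca-config.json \
  -profile=client \
  client-csr.json | cfssljson -bare "${NAME}-client"

# Create PKCS12 store and JKS stores for Java based systems.
#
# Both formats are broken, so in order to get the correct result
# we have to treat trust stores and keystore differently.
#
# For truststore: create in JKS format, convert to PKCS12
# For keystores, create in PKCS12 format, convert to JKS.
openssl pkcs12 -export \
  -passout env:PW \
  -inkey "${NAME}-server-key.pem" \
  -name "${NAME}-server" \
  -in "${NAME}-server.pem" \
  -chain \
  -CAfile "${ORG}-ca.pem" \
  -out "${NAME}-server-keystore.p12"
keytool -importkeystore \
  -srckeystore "${NAME}-server-keystore.p12" \
  -srcstorepass:env PW \
  -alias "${NAME}-server" \
  -srckeypass:env PW \
  -srcstoretype pkcs12 \
  -destkeystore "${NAME}-server-keystore.jks" \
  -deststoretype jks \
  -deststorepass:env PW
# -noprompt replaces the former "yes" here-document answering keytool's
# "Trust this certificate?" question.
keytool -import \
  -noprompt \
  -alias "${ORG}-ca" \
  -file "${ORG}-ca.pem" \
  -keystore "${NAME}-server-truststore.jks" \
  -storepass:env PW
keytool -importkeystore \
  -srckeystore "${NAME}-server-truststore.jks" \
  -srcstorepass:env PW \
  -srcstoretype JKS \
  -destkeystore "${NAME}-server-truststore.p12" \
  -deststoretype PKCS12 \
  -deststorepass:env PW

## Client keystore and trust store
openssl pkcs12 -export \
  -passout env:PW \
  -inkey "${NAME}-client-key.pem" \
  -name "${NAME}-client" \
  -in "${NAME}-client.pem" \
  -chain \
  -CAfile "${ORG}-ca.pem" \
  -out "${NAME}-client-keystore.p12"
keytool -importkeystore \
  -srckeystore "${NAME}-client-keystore.p12" \
  -srcstorepass:env PW \
  -alias "${NAME}-client" \
  -srckeypass:env PW \
  -srcstoretype pkcs12 \
  -destkeystore "${NAME}-client-keystore.jks" \
  -deststoretype jks \
  -deststorepass:env PW
keytool -import \
  -noprompt \
  -alias "${ORG}-ca" \
  -file "${ORG}-ca.pem" \
  -keystore "${NAME}-client-truststore.jks" \
  -storepass:env PW
# Import CA certs from the JDK's cacerts into the client truststore.
# The destination password is given as -deststorepass, matching every
# other -importkeystore call in this script (the old -storepass here was
# the odd one out), and the source password is passed by env name so it
# never appears on the command line.
keytool -importkeystore \
  -srckeystore "$cacerts" \
  -srcstorepass:env CACERTS_PW \
  -srcstoretype jks \
  -destkeystore "${NAME}-client-truststore.jks" \
  -deststoretype jks \
  -deststorepass:env PW
keytool -importkeystore \
  -srckeystore "${NAME}-client-truststore.jks" \
  -srcstorepass:env PW \
  -srcstoretype jks \
  -destkeystore "${NAME}-client-truststore.p12" \
  -deststoretype pkcs12 \
  -deststorepass:env PW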