blob: 36e92bd30a8da2c4a812d727e41b2f8938960878 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
|
#!/bin/sh
set -e
CA_PASSWORD="${CA_PASSWORD:-use_strong_password_ca}"
KEYSTORE_PASSWORD="${KEYSTORE_PASSWORD:-use_strong_password_keystore}"
TRUSTSTORE_PASSWORD="${TRUSTSTORE_PASSWORD:-use_strong_password_truststore}"
OUTPUT_FOLDER=${OUTPUT_FOLDER:-$( dirname "$0" )}
CNS=${@:-client}
cd ${OUTPUT_FOLDER}
CA_ROOT_KEY=caroot.key
CA_ROOT_CRT=caroot.crt
echo "# Generate CA"
openssl req -new -x509 -keyout $CA_ROOT_KEY \
-out $CA_ROOT_CRT -days 3650 -subj \
'/CN=caroot/OU=/O=/L=/ST=/C=' -passin "pass:${CA_PASSWORD}" \
-passout "pass:${CA_PASSWORD}"
for CN in $CNS; do
KEYSTORE=$CN.keystore.p12
TRUSTSTORE=$CN.truststore.p12
SIGNED_CRT=$CN-ca-signed.crt
CERTIFICATE=$CN.certificate.pem
KEY=$CN.key
# Get specific password for this CN
CN_KEYSTORE_PASSWORD="$(eval echo \$${CN}_KEYSTORE_PASSWORD)"
if [ -z "$CN_KEYSTORE_PASSWORD" ]; then
CN_KEYSTORE_PASSWORD=${KEYSTORE_PASSWORD}_$CN
fi
echo ${CN_KEYSTORE_PASSWORD}
echo "# $CN: Generate Keystore"
keytool -genkey -noprompt \
-alias $CN \
-dname "CN=$CN,OU=,O=,L=,S=,C=" \
-ext "SAN=dns:$CN,dns:localhost" \
-keystore $KEYSTORE \
-keyalg RSA \
-storepass "${CN_KEYSTORE_PASSWORD}" \
-storetype pkcs12
echo "# $CN: Generate Truststore"
keytool -noprompt -keystore \
$TRUSTSTORE -alias caroot -import \
-file $CA_ROOT_CRT -storepass "${TRUSTSTORE_PASSWORD}"
echo "# $CN: Generate CSR"
keytool -keystore $KEYSTORE -alias $CN \
-certreq -file $CN.csr -storepass "${CN_KEYSTORE_PASSWORD}" \
-keypass "${CN_KEYSTORE_PASSWORD}" \
-ext "SAN=dns:$CN,dns:localhost"
echo "# $CN: Generate extfile"
cat << EOF > extfile
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
[req_distinguished_name]
CN = $CN
[v3_req]
subjectAltName = @alt_names
[alt_names]
DNS.1 = $CN
DNS.2 = localhost
EOF
echo "# $CN: Sign the certificate with the CA"
openssl x509 -req -CA $CA_ROOT_CRT -CAkey $CA_ROOT_KEY \
-in $CN.csr \
-out $CN-ca-signed.crt -days 9999 \
-CAcreateserial -passin "pass:${CA_PASSWORD}" \
-extensions v3_req -extfile extfile
echo "# $CN: Import root certificate"
keytool -noprompt -keystore $KEYSTORE \
-alias caroot -import -file $CA_ROOT_CRT -storepass "${CN_KEYSTORE_PASSWORD}"
echo "# $CN: Import signed certificate"
keytool -noprompt -keystore $KEYSTORE -alias $CN \
-import -file $SIGNED_CRT -storepass "${CN_KEYSTORE_PASSWORD}" \
-ext "SAN=dns:$CN,dns:localhost"
echo "# $CN: Export PEM certificate"
openssl pkcs12 -in "$KEYSTORE" -out "$CERTIFICATE" \
-nodes -passin "pass:${CN_KEYSTORE_PASSWORD}"
echo "# $CN: Export PEM key"
openssl pkcs12 -in "$KEYSTORE" -out "$KEY" \
-nocerts -passin "pass:${CN_KEYSTORE_PASSWORD}" \
-passout "pass:${CN_KEYSTORE_PASSWORD}"
done
|
