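#!/bin/sh

# COMPLETELY UNSAFE - FOR DEVELOPMENT ONLY
# Run this script from its directory
# all *.p12 passwords are 'demo'
# all *.jks passwords are 'changeit'
#
# Builds a two-level demo PKI (root CA -> intermediate CA) and issues:
#   - a server certificate for this host, packaged as node.p12 and copied
#     to ../init/node/
#   - a client certificate for the 'root' user, packaged as root.p12
# Requires: openssl, keytool, the openssl CA helper at /etc/pki/tls/misc/CA,
# and the config files ./openssl_root.cnf and ./openssl.cnf (the
# v3_intermediate_ca / server_ext / user_ext extension sections are
# presumably defined there - not visible from this script).
# Every passphrase is passed on the command line (pass:...), so it shows up
# in the process list and shell history; only acceptable for throwaway demo
# material.

# Abort on the first failing step: the trailing 'rm *.pem' would otherwise
# delete the intermediate files of a half-built chain and hide the failure.
set -e

INTERMEDIATE_CA_DN="/C=DE/O=Example/OU=Certificate Authorities/CN=Intermediate CA/"
# HOSTNAME is set by bash, not guaranteed by POSIX sh; fall back to hostname(1).
HOSTNAME=${HOSTNAME:-$(hostname)}
SERVER_DN="/C=DE/O=Example/OU=Systems/CN=$HOSTNAME/"
USERS_BASE_DN=/DC=com/DC=example/OU=People

# Quoted: an unquoted '##' starts a shell comment and echo prints an empty line.
echo '## Init directory structure'
# Root
export OPENSSL_CONF=./openssl_root.cnf
export CATOP=./rootCA
/etc/pki/tls/misc/CA -newca
# Intermediate - spelled out because {a,b} brace expansion is not POSIX sh
# (dash would create one directory literally named '{certs,crl,...}').
mkdir -p ./CA/certs ./CA/crl ./CA/csr ./CA/newcerts ./CA/private

echo '## Create intermediate certificate'
openssl req -new -newkey rsa:4096 -extensions v3_intermediate_ca \
 -subj "$INTERMEDIATE_CA_DN" \
 -keyout ./CA/private/cakey.pem -passout pass:demo -out ica_csr.pem
# Signed by the root CA: OPENSSL_CONF/CATOP still point at ./rootCA here.
openssl ca -batch -passin pass:demo -in ica_csr.pem -out ./CA/cacert.pem

# create index and serial
touch ./CA/index.txt
# (below is from openssl CA script)
openssl x509 -in ./CA/cacert.pem -noout -next_serial -out ./CA/serial

# Switch to intermediate CA
export OPENSSL_CONF=./openssl.cnf
export CATOP=./CA

echo '## Create server key and certificate'
openssl req -new -newkey rsa:4096 -extensions server_ext \
 -subj "$SERVER_DN" \
 -keyout node_key.pem -passout pass:demo -out node_csr.pem
openssl ca -batch -passin pass:demo -in node_csr.pem -out node_crt.pem
# Full chain: leaf, intermediate, root
cat node_crt.pem ./CA/cacert.pem ./rootCA/cacert.pem > chain.pem
openssl pkcs12 -export -passin pass:demo -passout pass:changeit \
 -name "$HOSTNAME" -inkey node_key.pem -in chain.pem \
 -out node.p12

echo '## Import Certificate Authority into keystore'
keytool -importcert -noprompt -keystore node.p12 -storepass changeit \
 -alias "rootCA" -file ./rootCA/cacert.pem
keytool -importcert -noprompt -keystore node.p12 -storepass changeit \
 -alias "CA" -file ./CA/cacert.pem
cp node.p12 ../init/node/

echo "## Create 'root' user client certificate"
openssl req -new -newkey rsa:4096 -extensions user_ext \
 -subj "$USERS_BASE_DN/UID=root/" \
 -keyout newkey.pem -passout pass:demo -out newcsr.pem
# -preserveDN keeps the DN order of the request rather than the CA policy's.
openssl ca -preserveDN -batch -passin pass:demo -in newcsr.pem -out newcrt.pem
cat newcrt.pem ./CA/cacert.pem ./rootCA/cacert.pem > newchain.pem
openssl pkcs12 -export -passin pass:demo -passout pass:demo \
 -name "root" -inkey newkey.pem -in newchain.pem \
 -out root.p12

# demo user
#openssl req -new -newkey rsa:4096 -extensions user_ext -days 365 \
# -subj $USERS_BASE_DN/UID=demo/ \
# -keyout newkey.pem -passout pass:demo -out newcsr.pem
#openssl ca -preserveDN -batch -passin pass:demo -in newcsr.pem -out newcrt.pem
#openssl pkcs12 -export -passin pass:demo -passout pass:demo \
# -name "demo" -inkey newkey.pem -in newcrt.pem \
# -out demo.p12

# Self-signed
#openssl req -x509 -new -newkey rsa:4096 -extensions server_ext -days 365 \
# -subj $SERVER_DN \
# -keyout newkey.pem -passout pass:demo -out newcrt.pem
# Self-signed server certificate
#openssl pkcs12 -export -passin pass:demo -passout pass:changeit \
# -name "jetty" -inkey newkey.pem -in newcrt.pem \
# -certfile ./CA/cacert.pem \
# -out server.p12

echo '## Clean up'
# The private keys (node_key.pem, newkey.pem) now live inside the .p12 files;
# remove every loose PEM, including the CSRs and chain files.
rm -vf -- *.pem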