# all *.p12 passwords are 'demo'
# all *.jks passwords are 'changeit'
+# Fail if any error
+set -e
+
+ROOT_CA_DN="/C=DE/O=Example/OU=Certificate Authorities/CN=Root CA/"
+INTERMEDIATE_CA_DN="/C=DE/O=Example/OU=Certificate Authorities/CN=Intermediate CA/"
SERVER_DN=/C=DE/O=Example/OU=Systems/CN=$HOSTNAME/
-USERS_BASE_DN=/DC=com/DC=example/OU=users
+USERS_BASE_DN=/DC=com/DC=example/OU=People
+
+echo -- Init directory structures
+mkdir -p ./rootCA/{certs,crl,csr,newcerts,private}
+mkdir -p ./CA/{certs,crl,csr,newcerts,private}
+
+#
+# Root CA
+#
+export OPENSSL_CONF=./openssl_root.cnf
+export CATOP=./rootCA
+echo -- Create root CA in $CATOP
+touch $CATOP/index.txt
+openssl req -new -newkey rsa:4096 -extensions v3_ca \
+ -subj "$ROOT_CA_DN" \
+ -keyout $CATOP/private/cakey.pem -passout pass:demo -out ca_csr.pem \
+ 2>/dev/null # quiet
+openssl ca -create_serial -selfsign -batch -passin pass:demo -in ca_csr.pem -out $CATOP/cacert.pem \
+ 2>/dev/null # quiet
+
+echo -- Create intermediate CA in ./CA
+openssl req -new -newkey rsa:4096 -extensions v3_intermediate_ca \
+ -subj "$INTERMEDIATE_CA_DN" \
+ -keyout ./CA/private/cakey.pem -passout pass:demo -out ica_csr.pem \
+ 2>/dev/null # quiet
+openssl ca -batch -passin pass:demo -in ica_csr.pem -out ./CA/cacert.pem \
+ 2>/dev/null # quiet
+#
+# Intermediate CA
+#
export OPENSSL_CONF=./openssl.cnf
export CATOP=./CA
-/etc/pki/tls/misc/CA -newca
+# create index and serial
+touch $CATOP/index.txt
+openssl x509 -in $CATOP/cacert.pem -noout -next_serial -out $CATOP/serial \
+ 2>/dev/null # quiet
-#openssl req -x509 -new -newkey rsa:4096 -extensions server_ext -days 365 \
-# -subj $SERVER_DN \
-# -keyout newkey.pem -passout pass:demo -out newcrt.pem
-
-# Self-signed server certificate
-#openssl pkcs12 -export -passin pass:demo -passout pass:changeit \
-# -name "jetty" -inkey newkey.pem -in newcrt.pem \
-# -certfile ./CA/cacert.pem \
-# -out server.p12
-
- # Convert PKCS12 keystore into a JKS keystore
-#keytool -importkeystore \
-# -srckeystore server.p12 -srcstoretype pkcs12 -srcstorepass changeit \
-# -alias jetty -destkeystore server.jks -deststorepass changeit
-#rm -f server.p12
-
-# Import People CA
-#keytool -importcert -keystore server.jks -storepass changeit \
-# -alias CA -file CA/cacert.pem
-
-openssl req -new -newkey rsa:4096 -extensions server_ext -days 365 \
+echo -- Create server key and certificate
+openssl req -new -newkey rsa:4096 -extensions server_ext \
-subj $SERVER_DN \
- -keyout node_key.pem -passout pass:demo -out node_csr.pem
-openssl ca -batch -passin pass:demo -in node_csr.pem -out node_crt.pem
-cat node_crt.pem CA/cacert.pem > node.pem
-openssl pkcs12 -export -passin pass:demo -passout pass:demo \
- -name "node" -inkey node_key.pem -in node.pem \
- -out node.p12
+ -keyout node_key.pem -passout pass:demo -out node_csr.pem \
+ 2>/dev/null # quiet
+openssl ca -batch -passin pass:demo -in node_csr.pem -out node_crt.pem \
+ 2>/dev/null # quiet
+
+# create CA chain
+cat node_crt.pem ./CA/cacert.pem ./rootCA/cacert.pem > chain.pem
+# convert to p12
+openssl pkcs12 -export -passin pass:demo -passout pass:changeit \
+ -name "$HOSTNAME" -inkey node_key.pem -in chain.pem \
+ -out node.p12 \
+ 2>/dev/null # quiet
-# root user
-openssl req -new -newkey rsa:4096 -extensions user_ext -days 365 \
+echo -- Import Certificate Authority into keystore
+keytool -importcert -noprompt -keystore node.p12 -storepass changeit \
+ -alias "rootCA" -file ./rootCA/cacert.pem
+keytool -importcert -noprompt -keystore node.p12 -storepass changeit \
+ -alias "CA" -file ./CA/cacert.pem
+
+echo -- Copy node.p12 to ../init/node
+cp node.p12 ../init/node/
+
+echo -- Create 'root' user client certificate root.p12
+openssl req -new -newkey rsa:4096 -extensions user_ext \
-subj $USERS_BASE_DN/UID=root/ \
- -keyout newkey.pem -passout pass:demo -out newcsr.pem
-openssl ca -preserveDN -batch -passin pass:demo -in newcsr.pem -out newcrt.pem
+ -keyout newkey.pem -passout pass:demo -out newcsr.pem \
+ 2>/dev/null # quiet
+
+openssl ca -preserveDN -batch -passin pass:demo -in newcsr.pem -out newcrt.pem \
+ 2>/dev/null # quiet
+
+# create new CA chain
+#cat newcrt.pem ./CA/cacert.pem ./rootCA/cacert.pem > newchain.pem
openssl pkcs12 -export -passin pass:demo -passout pass:demo \
- -name "root" -inkey newkey.pem -in newcrt.pem \
- -out root.p12
+ -name "root" -inkey newkey.pem -in chain.pem \
+ -out root.p12 \
+ 2>/dev/null # quiet
# demo user
#openssl req -new -newkey rsa:4096 -extensions user_ext -days 365 \
# -name "demo" -inkey newkey.pem -in newcrt.pem \
# -out demo.p12
-# Clean up
-#rm -vf new*.pem
+# Self-signed
+#openssl req -x509 -new -newkey rsa:4096 -extensions server_ext -days 365 \
+# -subj $SERVER_DN \
+# -keyout newkey.pem -passout pass:demo -out newcrt.pem
+# Self-signed server certificate
+#openssl pkcs12 -export -passin pass:demo -passout pass:changeit \
+# -name "jetty" -inkey newkey.pem -in newcrt.pem \
+# -certfile ./CA/cacert.pem \
+# -out server.p12
+
+echo ## Clean up
+rm -vf *.pem