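#!/bin/sh

# COMPLETELY UNSAFE - FOR DEVELOPMENT ONLY
# Run this script from its directory
# all *.p12 passwords are 'demo'
# all *.jks passwords are 'changeit'
#
# Builds a throwaway PKI for the demo:
#   - a local CA under ./CA
#   - a self-signed 'localhost' server certificate, stored in server.jks
#     under the alias 'jetty'
#   - CA-signed client certificates root.p12 and demo.p12
#
# Why the result must stay on a development machine:
#   - every passphrase is a fixed, published value and is passed on the
#     command line, where other local users can read it from the process list
#   - key files and keystores are created with the caller's umask; nothing
#     here restricts their permissions
#   - the server certificate is self-signed, so clients must trust it
#     explicitly

# Stop at the first failing step instead of building keystores from missing
# or stale intermediate files.
set -eu

export OPENSSL_CONF=./openssl.cnf
export CATOP=./CA

# RSA modulus size for the keys generated by this script. 1024-bit keys are
# below current minimums and are refused by TLS stacks running at OpenSSL
# security level 2 or higher. The CA key is generated by the CA helper
# below; its size is not controlled from here.
KEY_BITS=2048

# Remove intermediate key, CSR and certificate files. Registered as an EXIT
# trap so the throwaway private key is also removed when a step fails.
cleanup() {
  rm -f -- server.p12
  rm -vf -- new*.pem
}
trap cleanup EXIT

# Create a key pair for one user, have the local CA sign it and bundle key
# and certificate into <name>.p12 (password 'demo').
# Arguments: $1 - common name; also used as PKCS12 friendly name and as the
#                 output file name
issue_user_cert() {
  user_cn=$1

  # -days has no effect on a certificate request; the validity of the
  # issued certificate is decided by 'openssl ca'.
  openssl req -new -newkey "rsa:${KEY_BITS}" -extensions server_ext -days 3650 \
    -subj "/C=DE/ST=Berlin/O=Example/OU=People/CN=${user_cn}/" \
    -keyout newkey.pem -passout pass:demo -out newcsr.pem

  # The CA private key is unlocked with the passphrase 'demo'.
  openssl ca -batch -passin pass:demo -in newcsr.pem -out newcrt.pem

  openssl pkcs12 -export -passin pass:demo -passout pass:demo \
    -name "${user_cn}" -inkey newkey.pem -in newcrt.pem \
    -out "${user_cn}.p12"
}

# Create the CA. 'openssl ca' is later called with -passin pass:demo, so the
# CA key passphrase set up in this step has to be 'demo'.
# NOTE(review): this path is where Red Hat style systems install the OpenSSL
# CA helper; confirm it exists on the target machine.
/etc/pki/tls/misc/CA -newca

# Self-signed server certificate for localhost
openssl req -x509 -new -newkey "rsa:${KEY_BITS}" -extensions server_ext -days 3650 \
  -subj /C=DE/ST=Berlin/O=Example/OU=Systems/CN=localhost/ \
  -keyout newkey.pem -passout pass:demo -out newcrt.pem

openssl pkcs12 -export -passin pass:demo -passout pass:changeit \
  -name "jetty" -inkey newkey.pem -in newcrt.pem \
  -out server.p12

# Convert PKCS12 keystore into a JKS keystore
keytool -importkeystore \
  -srckeystore server.p12 -srcstoretype pkcs12 -srcstorepass changeit \
  -alias jetty -destkeystore server.jks -deststorepass changeit
rm -f -- server.p12

# Import People CA
keytool -importcert -keystore server.jks -storepass changeit \
  -alias CA -file CA/cacert.pem

# root user
issue_user_cert root

# demo user
issue_user_cert demo

# Clean up: handled by the EXIT trap registered above.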