# COMPLETELY UNSAFE - FOR DEVELOPMENT ONLY: every passphrase is hard-coded below and
# handed to openssl/keytool on the command line (pass:..., -storepass ...), so it is
# visible in `ps`, shell history and build logs.
# Run this script from its directory (OPENSSL_CONF and all certificate paths are relative)
# all *.p12 passwords are 'demo', except node.p12, which is exported with 'changeit'
# all *.jks passwords are 'changeit' (the keytool steps below use node.p12 as the Java keystore, also with 'changeit')
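# Distinguished names for the two-level CA hierarchy, the server certificate
# and the base of the client (user) certificates issued further down.
# All four are quoted consistently (the original left the last two bare and
# relied on assignment semantics to keep them intact).  $HOSTNAME is bash's
# own variable, so the server DN follows the machine the script runs on.
ROOT_CA_DN="/C=DE/O=Example/OU=Certificate Authorities/CN=Root CA/"
INTERMEDIATE_CA_DN="/C=DE/O=Example/OU=Certificate Authorities/CN=Intermediate CA/"
SERVER_DN="/C=DE/O=Example/OU=Systems/CN=${HOSTNAME}/"
# No trailing slash: callers append "/UID=<name>/" to this value.
USERS_BASE_DN="/DC=com/DC=example/OU=People"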
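# Create the openssl-ca(1) directory layout for the root CA (./rootCA) and the
# intermediate CA (./CA).  The private/ directories will hold the CA keys
# (written there by the openssl req steps below), so they are restricted to
# the owner instead of inheriting the default umask; the rest is left as is.
printf '%s\n' '-- Init directory structures'
for ca_dir in ./rootCA ./CA; do
  mkdir -p "$ca_dir"/{certs,crl,csr,newcerts,private}
  chmod 700 "$ca_dir/private"
done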
# Point every following openssl(1) call at the root-CA configuration.  The path
# is relative, which is why the script must be run from its own directory.
OPENSSL_CONF=./openssl_root.cnf
export OPENSSL_CONF
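printf '%s\n' "-- Create root CA in $CATOP"
# openssl ca needs an (initially empty) index database before it can issue.
# CATOP is expected to be set earlier in the script (not visible here); abort
# with a message instead of silently touching "/index.txt" when it is unset or
# empty, and quote it so a path with spaces cannot be split.
touch -- "${CATOP:?CATOP must point to the root CA directory}/index.txt"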
27 openssl req
-new -newkey rsa
:4096 -extensions v3_ca \
29 -keyout $CATOP/private
/cakey.pem
-passout pass
:demo
-out ca_csr.pem \
31 openssl ca
-create_serial -selfsign -batch -passin pass
:demo
-in ca_csr.pem
-out $CATOP/cacert.pem \
# Progress marker for the intermediate-CA step that follows.
printf '%s\n' '-- Create intermediate CA in ./CA'
35 openssl req
-new -newkey rsa
:4096 -extensions v3_intermediate_ca \
36 -subj "$INTERMEDIATE_CA_DN" \
37 -keyout .
/CA
/private
/cakey.pem
-passout pass
:demo
-out ica_csr.pem \
39 openssl ca
-batch -passin pass
:demo
-in ica_csr.pem
-out .
/CA
/cacert.pem \
# Switch the remaining openssl(1) calls from the root-CA configuration to the
# intermediate-CA one, which issues the server and user certificates below.
OPENSSL_CONF=./openssl.cnf
export OPENSSL_CONF
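# create the issued-certificate index for this CA (the serial file is written
# by the openssl x509 -next_serial step that follows).  CATOP is expected to
# have been pointed at the intermediate CA directory before this line — TODO
# confirm, the assignment is not visible here.  Abort instead of touching
# "/index.txt" when it is unset or empty, and quote it against splitting.
touch -- "${CATOP:?CATOP must point to the CA directory}/index.txt"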
50 openssl x509
-in $CATOP/cacert.pem
-noout -next_serial -out $CATOP/serial \
# Progress marker for the server key/certificate step that follows.
printf '%s\n' '-- Create server key and certificate'
54 openssl req
-new -newkey rsa
:4096 -extensions server_ext \
56 -keyout node_key.pem
-passout pass
:demo
-out node_csr.pem \
58 openssl ca
-batch -passin pass
:demo
-in node_csr.pem
-out node_crt.pem \
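# Assemble the server's presentation chain: leaf certificate first, then the
# intermediate and the root CA certificate.  chain.pem is consumed by the
# pkcs12 export and the keytool imports below, so stop here if any piece is
# missing (e.g. because the preceding openssl ca step failed) instead of
# packing a truncated chain into the keystores without anyone noticing.
# Shipping the self-signed root inside a TLS chain is unnecessary but harmless.
cat -- node_crt.pem ./CA/cacert.pem ./rootCA/cacert.pem > chain.pem \
  || { printf '%s\n' 'Failed to assemble chain.pem (missing certificate file)' >&2; exit 1; }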
65 openssl pkcs12
-export -passin pass
:demo
-passout pass
:changeit \
66 -name "$HOSTNAME" -inkey node_key.pem
-in chain.pem \
printf '%s\n' '-- Import Certificate Authority into keystore'
# Add both CA certificates to node.p12 as trusted entries so the Java side can
# validate peers issued by this hierarchy.  -noprompt skips the fingerprint
# confirmation, which is only acceptable because the CAs were generated a few
# lines above; the store password on the command line is dev-only as well.
for ca_entry in rootCA:./rootCA/cacert.pem CA:./CA/cacert.pem; do
  keytool -importcert -noprompt -keystore node.p12 -storepass changeit \
    -alias "${ca_entry%%:*}" -file "${ca_entry#*:}"
done
# Hand the finished server keystore to the node init directory.
printf '%s\n' '-- Copy node.p12 to ../init/node'
cp -- node.p12 ../init/node/
# Progress marker for the client-certificate step.  The original echo had the
# word root in single quotes, which the shell strips, so the output has none.
printf '%s\n' '-- Create root user client certificate root.p12'
80 openssl req
-new -newkey rsa
:4096 -extensions user_ext \
81 -subj $USERS_BASE_DN/UID
=root
/ \
82 -keyout newkey.pem
-passout pass
:demo
-out newcsr.pem \
85 openssl ca
-preserveDN -batch -passin pass
:demo
-in newcsr.pem
-out newcrt.pem \
#cat newcrt.pem ./CA/cacert.pem ./rootCA/cacert.pem > newchain.pem
# NOTE(review): the pkcs12 export below passes '-inkey newkey.pem' together with '-in chain.pem',
# but chain.pem (built earlier) starts with the *server* certificate, not the user certificate
# just issued into newcrt.pem. openssl pkcs12 -export looks for a certificate in -in that matches
# the key and otherwise fails with "No certificate matches private key" — confirm the intended
# input is newcrt.pem (with newchain.pem above, or -certfile chain.pem, for the CA certificates).
90 openssl pkcs12
-export -passin pass
:demo
-passout pass
:demo \
91 -name "root" -inkey newkey.pem
-in chain.pem \
96 #openssl req -new -newkey rsa:4096 -extensions user_ext -days 365 \
97 # -subj $USERS_BASE_DN/UID=demo/ \
98 # -keyout newkey.pem -passout pass:demo -out newcsr.pem
99 #openssl ca -preserveDN -batch -passin pass:demo -in newcsr.pem -out newcrt.pem
100 #openssl pkcs12 -export -passin pass:demo -passout pass:demo \
101 # -name "demo" -inkey newkey.pem -in newcrt.pem \
105 #openssl req -x509 -new -newkey rsa:4096 -extensions server_ext -days 365 \
107 # -keyout newkey.pem -passout pass:demo -out newcrt.pem
108 # Self-signed server certificate
109 #openssl pkcs12 -export -passin pass:demo -passout pass:changeit \
110 # -name "jetty" -inkey newkey.pem -in newcrt.pem \
111 # -certfile ./CA/cacert.pem \