X-Git-Url: https://git.argeo.org/?a=blobdiff_plain;f=demo%2Fssl%2Fssl.sh;h=1caa4b3b0c50a20e82a68555b6f3f8804af23e2b;hb=e96a083b731800c0089660088279f0e232b5c6b6;hp=f2bf1e6225de7ebd27428fa5128fbc6b360f817e;hpb=18af628c072e386420f03261ab207a72341a0a1b;p=lgpl%2Fargeo-commons.git diff --git a/demo/ssl/ssl.sh b/demo/ssl/ssl.sh index f2bf1e622..1caa4b3b0 100644 --- a/demo/ssl/ssl.sh +++ b/demo/ssl/ssl.sh @@ -5,44 +5,95 @@ # all *.p12 passwords are 'demo' # all *.jks passwords are 'changeit' -SERVER_DN=/C=DE/O=Example/OU=Systems/CN=apps.example.com/ -USERS_BASE_DN=/DC=com/DC=example/OU=users +# Fail if any error +set -e +ROOT_CA_DN="/C=DE/O=Example/OU=Certificate Authorities/CN=Root CA/" +INTERMEDIATE_CA_DN="/C=DE/O=Example/OU=Certificate Authorities/CN=Intermediate CA/" +SERVER_DN=/C=DE/O=Example/OU=Systems/CN=$HOSTNAME/ +USERS_BASE_DN=/DC=com/DC=example/OU=People + +echo -- Init directory structures +mkdir -p ./rootCA/{certs,crl,csr,newcerts,private} +mkdir -p ./CA/{certs,crl,csr,newcerts,private} + +# +# Root CA +# +export OPENSSL_CONF=./openssl_root.cnf +export CATOP=./rootCA +echo -- Create root CA in $CATOP +touch $CATOP/index.txt +openssl req -new -newkey rsa:4096 -extensions v3_ca \ + -subj "$ROOT_CA_DN" \ + -keyout $CATOP/private/cakey.pem -passout pass:demo -out ca_csr.pem \ + 2>/dev/null # quiet +openssl ca -create_serial -selfsign -batch -passin pass:demo -in ca_csr.pem -out $CATOP/cacert.pem \ + 2>/dev/null # quiet + +echo -- Create intermediate CA in ./CA +openssl req -new -newkey rsa:4096 -extensions v3_intermediate_ca \ + -subj "$INTERMEDIATE_CA_DN" \ + -keyout ./CA/private/cakey.pem -passout pass:demo -out ica_csr.pem \ + 2>/dev/null # quiet +openssl ca -batch -passin pass:demo -in ica_csr.pem -out ./CA/cacert.pem \ + 2>/dev/null # quiet + +# +# Intermediate CA +# export OPENSSL_CONF=./openssl.cnf export CATOP=./CA -/etc/pki/tls/misc/CA -newca +# create index and serial +touch $CATOP/index.txt +openssl x509 -in $CATOP/cacert.pem -noout -next_serial -out $CATOP/serial \ + 2>/dev/null # quiet -openssl req -x509 -new -newkey rsa:1024 -extensions server_ext -days 365 \ +echo -- Create server key and certificate +openssl req -new -newkey rsa:4096 -extensions server_ext \ -subj $SERVER_DN \ - -keyout newkey.pem -passout pass:demo -out newcrt.pem - + -keyout node_key.pem -passout pass:demo -out node_csr.pem \ + 2>/dev/null # quiet +openssl ca -batch -passin pass:demo -in node_csr.pem -out node_crt.pem \ + 2>/dev/null # quiet + +# create CA chain +cat node_crt.pem ./CA/cacert.pem ./rootCA/cacert.pem > chain.pem + +# convert to p12 openssl pkcs12 -export -passin pass:demo -passout pass:changeit \ - -name "jetty" -inkey newkey.pem -in newcrt.pem \ - -certfile ./CA/cacert.pem \ - -out server.p12 - - # Convert PKCS12 keystore into a JKS keystore -keytool -importkeystore \ - -srckeystore server.p12 -srcstoretype pkcs12 -srcstorepass changeit \ - -alias jetty -destkeystore server.jks -deststorepass changeit -#rm -f server.p12 - -# Import People CA -keytool -importcert -keystore server.jks -storepass changeit \ - -alias CA -file CA/cacert.pem - -# root user -openssl req -new -newkey rsa:1024 -extensions user_ext -days 365 \ + -name "$HOSTNAME" -inkey node_key.pem -in chain.pem \ + -out node.p12 \ + 2>/dev/null # quiet + +echo -- Import Certificate Authority into keystore +keytool -importcert -noprompt -keystore node.p12 -storepass changeit \ + -alias "rootCA" -file ./rootCA/cacert.pem +keytool -importcert -noprompt -keystore node.p12 -storepass changeit \ + -alias "CA" -file ./CA/cacert.pem + +echo -- Copy node.p12 to ../init/node +cp node.p12 ../init/node/ + +echo -- Create 'root' user client certificate root.p12 +openssl req -new -newkey rsa:4096 -extensions user_ext \ -subj $USERS_BASE_DN/UID=root/ \ - -keyout newkey.pem -passout pass:demo -out newcsr.pem -openssl ca -preserveDN -batch -passin pass:demo -in newcsr.pem -out newcrt.pem + -keyout newkey.pem -passout pass:demo -out newcsr.pem \ + 2>/dev/null # quiet + +openssl ca -preserveDN -batch -passin pass:demo -in newcsr.pem -out newcrt.pem \ + 2>/dev/null # quiet + +# create new CA chain +#cat newcrt.pem ./CA/cacert.pem ./rootCA/cacert.pem > newchain.pem openssl pkcs12 -export -passin pass:demo -passout pass:demo \ - -name "root" -inkey newkey.pem -in newcrt.pem \ - -out root.p12 + -name "root" -inkey newkey.pem -in chain.pem \ + -out root.p12 \ + 2>/dev/null # quiet # demo user -#openssl req -new -newkey rsa:1024 -extensions user_ext -days 365 \ +#openssl req -new -newkey rsa:4096 -extensions user_ext -days 365 \ # -subj $USERS_BASE_DN/UID=demo/ \ # -keyout newkey.pem -passout pass:demo -out newcsr.pem #openssl ca -preserveDN -batch -passin pass:demo -in newcsr.pem -out newcrt.pem @@ -50,5 +101,15 @@ openssl pkcs12 -export -passin pass:demo -passout pass:demo \ # -name "demo" -inkey newkey.pem -in newcrt.pem \ # -out demo.p12 -# Clean up -#rm -vf new*.pem +# Self-signed +#openssl req -x509 -new -newkey rsa:4096 -extensions server_ext -days 365 \ +# -subj $SERVER_DN \ +# -keyout newkey.pem -passout pass:demo -out newcrt.pem +# Self-signed server certificate +#openssl pkcs12 -export -passin pass:demo -passout pass:changeit \ +# -name "jetty" -inkey newkey.pem -in newcrt.pem \ +# -certfile ./CA/cacert.pem \ +# -out server.p12 + +echo ## Clean up +rm -vf *.pem