+++ /dev/null
-grant {
- permission java.security.AllPermission;
-};
\ No newline at end of file
+++ /dev/null
-#argeo.osgi.baseUrl=http://forge.argeo.org/data/java/argeo-2.1/
-#argeo.osgi.distributionUrl=org/argeo/commons/org.argeo.dep.cms.sdk/2.1.65/org.argeo.dep.cms.sdk-2.1.65.jar
-#argeo.osgi.distributionUrl=org/argeo/commons/org.argeo.dep.cms.sdk/2.1.67/org.argeo.dep.cms.sdk-2.1.67.jar
-#argeo.osgi.distributionUrl=org/argeo/commons/org.argeo.dep.cms.sdk/2.1.68-SNAPSHOT/org.argeo.dep.cms.sdk-2.1.68-SNAPSHOT.jar
-
-#argeo.osgi.boot.debug=true
-
-argeo.osgi.start.1.osgiboot=org.argeo.init
-#argeo.osgi.start.2.node=org.eclipse.equinox.http.servlet,org.eclipse.equinox.http.jetty,org.eclipse.equinox.cm,org.eclipse.rap.rwt.osgi
-#argeo.osgi.start.3.node=org.argeo.cms,org.eclipse.gemini.blueprint.extender,org.eclipse.equinox.http.registry
-
-#java.security.manager=
-#java.security.policy=file:../../all.policy
-
-argeo.node.repo.type=localfs
-org.osgi.service.http.port=7070
-log4j.configuration=file:../../log4j.properties
-
-#java.util.logging.config.file=../../logging.properties
-
-
-# DON'T CHANGE BELOW
-org.eclipse.rap.workbenchAutostart=false
-org.eclipse.equinox.http.jetty.autostart=false
\ No newline at end of file
+++ /dev/null
-argeo.osgi.start.2.node=\
-org.eclipse.equinox.http.servlet,\
-org.eclipse.equinox.metatype,\
-org.eclipse.equinox.cm,\
-org.eclipse.equinox.ds,\
-org.eclipse.rap.rwt.osgi
-
-argeo.osgi.start.3.node=\
-org.argeo.cms
-
-argeo.osgi.start.5.node=\
-org.argeo.cms.e4.rap
-
-# Local
-org.osgi.service.http.port=7070
-argeo.node.useradmin.uris=ldap://cn=Directory%20Manager:argeoargeo@test-pgsql-ldap/dc=example,dc=com
-argeo.node.repo.type=postgresql_cluster_ds
-argeo.node.repo.clusterId=03233754-16c3-49a1-8a00-58bf89a65182
-argeo.node.repo.dburl=jdbc:postgresql://test-pgsql-ldap/argeo_cluster
-argeo.node.repo.dbuser=argeo
-argeo.node.repo.dbpassword=argeo
-
-# Logging
-log4j.configuration=file:../../log4j.properties
-
-# DON'T CHANGE BELOW
-org.eclipse.equinox.http.jetty.autostart=false
-org.osgi.framework.bootdelegation=com.sun.jndi.ldap,\
-com.sun.jndi.ldap.sasl,\
-com.sun.security.jgss,\
-com.sun.jndi.dns,\
-com.sun.nio.file,\
-com.sun.nio.sctp
+++ /dev/null
-argeo.osgi.start.2.node=\
-org.eclipse.equinox.http.servlet,\
-org.eclipse.equinox.metatype,\
-org.eclipse.equinox.cm,\
-org.eclipse.equinox.ds,\
-org.eclipse.rap.rwt.osgi
-
-argeo.osgi.start.3.node=\
-org.argeo.cms
-
-argeo.osgi.start.5.node=\
-org.argeo.cms.e4.rap
-
-# Local
-org.osgi.service.http.port=7071
-argeo.node.useradmin.uris=ldap://cn=Directory%20Manager:argeoargeo@test-pgsql-ldap/dc=example,dc=com
-argeo.node.repo.type=postgresql_cluster_ds
-argeo.node.repo.clusterId=52463fa3-2917-4814-9ff7-685c41cbc7c7
-argeo.node.repo.dburl=jdbc:postgresql://test-pgsql-ldap/argeo_cluster
-argeo.node.repo.dbuser=argeo
-argeo.node.repo.dbpassword=argeo
-
-# Logging
-log4j.configuration=file:../../log4j.properties
-
-# DON'T CHANGE BELOW
-org.eclipse.equinox.http.jetty.autostart=false
-org.osgi.framework.bootdelegation=com.sun.jndi.ldap,\
-com.sun.jndi.ldap.sasl,\
-com.sun.security.jgss,\
-com.sun.jndi.dns,\
-com.sun.nio.file,\
-com.sun.nio.sctp
+++ /dev/null
-argeo.osgi.start.2.node=\
-org.eclipse.equinox.http.servlet,\
-org.eclipse.equinox.metatype,\
-org.eclipse.equinox.cm,\
-org.eclipse.equinox.ds,\
-org.eclipse.rap.rwt.osgi,\
-org.argeo.init
-
-argeo.osgi.start.3.node=\
-org.argeo.cms
-
-argeo.osgi.start.4.node=\
-org.argeo.cms.jcr
-
-argeo.osgi.start.5.node=\
-org.argeo.cms.e4.rap
-
-# Local
-argeo.node.repo.type=h2
-org.osgi.service.http.port=7070
-#org.eclipse.equinox.http.jetty.http.host=[IP address to listen to]
-#org.osgi.service.http.port.secure=7073
-#org.eclipse.equinox.http.jetty.websocket.enabled=true
-
-# Logging
-log4j.configuration=file:../../log4j.properties
-
-# SSL
-#org.osgi.service.http.port.secure=7073
-#org.eclipse.equinox.http.jetty.https.enabled=true
-#org.eclipse.equinox.http.jetty.ssl.keystore=data/node.p12
-#org.eclipse.equinox.http.jetty.ssl.keystoretype=PKCS12
-#org.eclipse.equinox.http.jetty.ssl.password=changeit
-#org.eclipse.equinox.http.jetty.ssl.wantclientauth=true
-
-# Hardened
-#org.osgi.framework.security=osgi
-#java.security.policy=file:../../all.policy
-
-# Internationalisation
-#argeo.i18n.locales=en,fr,ru
-#eclipse.registry.MultiLanguage=true
-#argeo.i18n.defaultLocale=en
-
-# Tuning
-# Number of DB connections
-#argeo.node.repo.maxPoolSize=10
-# Max amount of memory available to Jackrabbit caches
-#argeo.node.repo.maxCacheMB=16
-# Persistence level cache
-#argeo.node.repo.bundleCacheMB=8
-# Search, see http://wiki.apache.org/jackrabbit/Search
-#argeo.node.repo.extractorPoolSize=0
-#argeo.node.repo.searchCacheSize=1000
-#argeo.node.repo.maxVolatileIndexSize=1048576
-
-# Legacy
-#argeo.node.transaction.manager=bitronix
-
-# DON'T CHANGE BELOW
-org.eclipse.equinox.http.jetty.autostart=false
-org.osgi.framework.bootdelegation=com.sun.jndi.ldap,\
-com.sun.jndi.ldap.sasl,\
-com.sun.security.jgss,\
-com.sun.jndi.dns,\
-com.sun.nio.file,\
-com.sun.nio.sctp
+++ /dev/null
-argeo.osgi.start.2.node=\
-org.eclipse.equinox.http.servlet,\
-org.eclipse.equinox.metatype,\
-org.eclipse.equinox.cm,\
-org.eclipse.equinox.ds,\
-org.eclipse.rap.rwt.osgi
-
-argeo.osgi.start.3.node=\
-org.argeo.cms
-
-argeo.osgi.start.5.node=\
-org.argeo.cms.e4.rap
-
-# Local
-argeo.node.repo.type=h2
-org.osgi.service.http.port=7070
-argeo.node.useradmin.uris=os:///
-
-# Logging
-log4j.configuration=file:../../log4j.properties
-
-# DON'T CHANGE BELOW
-org.eclipse.equinox.http.jetty.autostart=false
-org.osgi.framework.bootdelegation=com.sun.jndi.ldap,\
-com.sun.jndi.ldap.sasl,\
-com.sun.security.jgss,\
-com.sun.jndi.dns,\
-com.sun.nio.file,\
-com.sun.nio.sctp
+++ /dev/null
-argeo.osgi.start.2.node=\
-org.eclipse.equinox.http.servlet,\
-org.eclipse.equinox.metatype,\
-org.eclipse.equinox.cm,\
-org.eclipse.equinox.ds,\
-org.eclipse.rap.rwt.osgi
-
-argeo.osgi.start.3.node=\
-org.argeo.cms
-
-argeo.osgi.start.5.node=\
-org.argeo.cms.e4.rap
-
-# Local
-org.osgi.service.http.port=7070
-argeo.node.useradmin.uris=ldap://cn=Directory%20Manager:argeoargeo@test-pgsql-ldap/dc=example,dc=com
-argeo.node.repo.type=postgresql_ds
-argeo.node.repo.dburl=jdbc:postgresql://test-pgsql-ldap/argeo
-argeo.node.repo.dbuser=argeo
-argeo.node.repo.dbpassword=argeo
-
-# Logging
-log4j.configuration=file:../../log4j.properties
-
-# DON'T CHANGE BELOW
-org.eclipse.equinox.http.jetty.autostart=false
-org.osgi.framework.bootdelegation=com.sun.jndi.ldap,\
-com.sun.jndi.ldap.sasl,\
-com.sun.security.jgss,\
-com.sun.jndi.dns,\
-com.sun.nio.file,\
-com.sun.nio.sctp
+++ /dev/null
-/krb5.keytab
-/krb5.keytab.old
-/*.p12
-/*.jks
\ No newline at end of file
+++ /dev/null
-dn: cn=admin,ou=roles,ou=node
-objectClass: groupOfNames
-objectClass: top
-cn: admin
-member: uid=root,ou=People,dc=example,dc=com
-
-dn: cn=userAdmin,ou=roles,ou=node
-objectClass: groupOfNames
-objectClass: top
-member: cn=admin,ou=roles,ou=node
-cn: userAdmin
-
+++ /dev/null
-log4j.rootLogger=WARN, development
-
-log4j.logger.org.argeo=DEBUG
-
-## Appenders
-log4j.appender.console=org.apache.log4j.ConsoleAppender
-log4j.appender.console.layout=org.apache.log4j.PatternLayout
-log4j.appender.console.layout.ConversionPattern= %-5p %d{ISO8601} %m %n
-
-log4j.appender.development=org.apache.log4j.ConsoleAppender
-log4j.appender.development.layout=org.apache.log4j.PatternLayout
-log4j.appender.development.layout.ConversionPattern=%d{ABSOLUTE} %m (%F:%L) [%t] %p %n
+++ /dev/null
-############################################################
-# Default Logging Configuration File
-#
-# You can use a different file by specifying a filename
-# with the java.util.logging.config.file system property.
-# For example java -Djava.util.logging.config.file=myfile
-############################################################
-
-############################################################
-# Global properties
-############################################################
-
-# "handlers" specifies a comma separated list of log Handler
-# classes. These handlers will be installed during VM startup.
-# Note that these classes must be on the system classpath.
-# By default we only configure a ConsoleHandler, which will only
-# show messages at the INFO and above levels.
-#handlers= java.util.logging.ConsoleHandler
-#handlers=org.argeo.init.logging.jse.ThinHandler
-handlers=
-
-# To also add the FileHandler, use the following line instead.
-#handlers= java.util.logging.FileHandler, java.util.logging.ConsoleHandler
-
-# Default global logging level.
-# This specifies which kinds of events are logged across
-# all loggers. For any given facility this global level
-# can be overriden by a facility specific level
-# Note that the ConsoleHandler also has a separate level
-# setting to limit messages printed to the console.
-.level= INFO
-
-############################################################
-# Handler specific properties.
-# Describes specific configuration info for Handlers.
-############################################################
-
-# default file output is in user's home directory.
-java.util.logging.FileHandler.pattern = %h/java%u.log
-java.util.logging.FileHandler.limit = 50000
-java.util.logging.FileHandler.count = 1
-# Default number of locks FileHandler can obtain synchronously.
-# This specifies maximum number of attempts to obtain lock file by FileHandler
-# implemented by incrementing the unique field %u as per FileHandler API documentation.
-java.util.logging.FileHandler.maxLocks = 100
-java.util.logging.FileHandler.formatter = java.util.logging.XMLFormatter
-
-# Limit the message that are printed on the console to INFO and above.
-java.util.logging.ConsoleHandler.level = INFO
-java.util.logging.ConsoleHandler.formatter = java.util.logging.SimpleFormatter
-
-# Example to customize the SimpleFormatter output format
-# to print one-line log message like this:
-# <level>: <log message> [<date/time>]
-#
-# java.util.logging.SimpleFormatter.format=%4$s: %5$s [%1$tc]%n
-
-############################################################
-# Facility specific properties.
-# Provides extra control for each logger.
-############################################################
-
-# For example, set the com.xyz.foo logger to only log SEVERE
-# messages:
-com.xyz.foo.level = SEVERE
+++ /dev/null
-/CA/
-/*.p12
-/*.jks
-/nssdb/
-/*.pem
-/old/
-/rootCA/
+++ /dev/null
-dir = ./CA # Where everything is kept
-
-[ ca ]
-default_ca = CA_default # The default ca section
-
-[ CA_default ]
-certs = $dir/certs # Where the issued certs are kept
-crl_dir = $dir/crl # Where the issued crl are kept
-database = $dir/index.txt # database index file.
-new_certs_dir = $dir/newcerts # default place for new certs.
-certificate = $dir/cacert.pem # The CA certificate
-serial = $dir/serial # The current serial number
-crlnumber = $dir/crlnumber # the current crl number
-crl = $dir/crl.pem # The current CRL
-private_key = $dir/private/cakey.pem # The private key
-x509_extensions = usr_cert # The extentions to add to the cert
-name_opt = ca_default # Subject Name options
-cert_opt = ca_default # Certificate field options
-crl_extensions = crl_ext
-default_days = 365 # how long to certify for
-default_crl_days= 30 # how long before next CRL
-default_md = default # use public key default MD
-preserve = no # keep passed DN ordering
-policy = policy_match
-
-[ policy_match ]
-countryName = optional
-stateOrProvinceName = optional
-organizationName = optional
-organizationalUnitName = optional
-commonName = optional
-emailAddress = optional
-
-[ policy_anything ]
-countryName = optional
-stateOrProvinceName = optional
-localityName = optional
-organizationName = optional
-organizationalUnitName = optional
-commonName = optional
-emailAddress = optional
-
-[ req ]
-default_bits = 4096
-default_md = sha1
-default_keyfile = privkey.pem
-distinguished_name = req_distinguished_name
-attributes = req_attributes
-x509_extensions = v3_ca # The extensions to add to the self signed cert
-
-# Passwords for private keys if not present they will be prompted for
-input_password = demo
-output_password = demo
-
-string_mask = utf8only
-req_extensions = v3_req # The extensions to add to a certificate request
-
-[ req_distinguished_name ]
-countryName = Country Name (2 letter code)
-countryName_min = 2
-countryName_max = 2
-#stateOrProvinceName = State or Province Name (full name)
-#localityName = Locality Name (eg, city)
-0.organizationName = Organization Name (eg, company)
-organizationalUnitName = Organizational Unit Name (eg, section)
-commonName = Common Name (eg, your name or your server\'s hostname)
-commonName_max = 64
-emailAddress = Email Address
-emailAddress_max = 64
-# SET-ex3 = SET extension number 3
-
-##
-## DEFAULT VALUES
-##
-countryName_default = DE
-#stateOrProvinceName_default = Berlin
-#localityName_default = Berlin
-0.organizationName_default = Example
-organizationalUnitName_default = Certificate Authorities
-commonName_default = Intermediate CA
-
-[ req_attributes ]
-#challengePassword = A challenge password
-#challengePassword_min = 4
-#challengePassword_max = 20
-#unstructuredName = An optional company name
-
-[ usr_cert ]
-basicConstraints=CA:FALSE
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid,issuer
-subjectAltName=email:move
-issuerAltName=issuer:copy
-
-[ v3_req ]
-basicConstraints = CA:FALSE
-keyUsage = nonRepudiation, digitalSignature, keyEncipherment
-
-[ v3_ca ]
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid:always,issuer
-basicConstraints = critical, CA:true
-keyUsage = critical, digitalSignature, cRLSign, keyCertSign
-
-[ v3_intermediate_ca ]
-# Extensions for a typical intermediate CA (`man x509v3_config`).
-subjectKeyIdentifier = hash
-authorityKeyIdentifier = keyid:always,issuer
-basicConstraints = critical, CA:true, pathlen:0
-keyUsage = critical, digitalSignature, cRLSign, keyCertSign
-
-[ crl_ext ]
-issuerAltName=issuer:copy
-authorityKeyIdentifier=keyid:always
-
-[ server_ext ]
-extendedKeyUsage=serverAuth
-
-[ user_ext ]
-extendedKeyUsage=clientAuth,emailProtection
+++ /dev/null
-dir = ./rootCA # Where everything is kept
-
-[ ca ]
-default_ca = CA_default # The default ca section
-
-[ CA_default ]
-certs = $dir/certs # Where the issued certs are kept
-crl_dir = $dir/crl # Where the issued crl are kept
-database = $dir/index.txt # database index file.
-new_certs_dir = $dir/newcerts # default place for new certs.
-certificate = $dir/cacert.pem # The CA certificate
-serial = $dir/serial # The current serial number
-crlnumber = $dir/crlnumber # the current crl number
-crl = $dir/crl.pem # The current CRL
-private_key = $dir/private/cakey.pem # The private key
-x509_extensions = usr_cert # The extentions to add to the cert
-name_opt = ca_default # Subject Name options
-cert_opt = ca_default # Certificate field options
-crl_extensions = crl_ext
-default_days = 3650 # how long to certify for
-default_crl_days= 30 # how long before next CRL
-default_md = default # use public key default MD
-preserve = no # keep passed DN ordering
-policy = policy_match
-
-[ policy_match ]
-countryName = optional
-stateOrProvinceName = optional
-organizationName = optional
-organizationalUnitName = optional
-commonName = optional
-emailAddress = optional
-
-[ policy_anything ]
-countryName = optional
-stateOrProvinceName = optional
-localityName = optional
-organizationName = optional
-organizationalUnitName = optional
-commonName = optional
-emailAddress = optional
-
-[ req ]
-default_bits = 4096
-default_md = sha1
-default_keyfile = privkey.pem
-distinguished_name = req_distinguished_name
-attributes = req_attributes
-x509_extensions = v3_ca # The extensions to add to the self signed cert
-
-# Passwords for private keys if not present they will be prompted for
-input_password = demo
-output_password = demo
-
-string_mask = utf8only
-req_extensions = v3_req # The extensions to add to a certificate request
-
-[ req_distinguished_name ]
-countryName = Country Name (2 letter code)
-countryName_min = 2
-countryName_max = 2
-#stateOrProvinceName = State or Province Name (full name)
-#localityName = Locality Name (eg, city)
-0.organizationName = Organization Name (eg, company)
-organizationalUnitName = Organizational Unit Name (eg, section)
-commonName = Common Name (eg, your name or your server\'s hostname)
-commonName_max = 64
-emailAddress = Email Address
-emailAddress_max = 64
-# SET-ex3 = SET extension number 3
-
-##
-## DEFAULT VALUES
-##
-countryName_default = DE
-#stateOrProvinceName_default = Berlin
-#localityName_default = Berlin
-0.organizationName_default = Example
-organizationalUnitName_default = Certificate Authorities
-commonName_default = Root CA
-
-[ req_attributes ]
-#challengePassword = A challenge password
-#challengePassword_min = 4
-#challengePassword_max = 20
-#unstructuredName = An optional company name
-
-[ usr_cert ]
-basicConstraints=CA:FALSE
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid,issuer
-subjectAltName=email:move
-issuerAltName=issuer:copy
-
-[ v3_req ]
-basicConstraints = CA:FALSE
-keyUsage = nonRepudiation, digitalSignature, keyEncipherment
-
-[ v3_ca ]
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid:always,issuer
-basicConstraints = critical, CA:true
-keyUsage = critical, digitalSignature, cRLSign, keyCertSign
-
-[ v3_intermediate_ca ]
-# Extensions for a typical intermediate CA (`man x509v3_config`).
-subjectKeyIdentifier = hash
-authorityKeyIdentifier = keyid:always,issuer
-basicConstraints = critical, CA:true, pathlen:0
-keyUsage = critical, digitalSignature, cRLSign, keyCertSign
-
-[ crl_ext ]
-issuerAltName=issuer:copy
-authorityKeyIdentifier=keyid:always
-
-[ server_ext ]
-extendedKeyUsage=serverAuth
-
-[ user_ext ]
-extendedKeyUsage=clientAuth,emailProtection
+++ /dev/null
-#!/bin/sh
-
-# COMPLETELY UNSAFE - FOR DEVELOPMENT ONLY
-# Run this script from its directory
-# all *.p12 passwords are 'demo'
-# all *.jks passwords are 'changeit'
-
-# Fail if any error
-set -e
-
-ROOT_CA_DN="/C=DE/O=Example/OU=Certificate Authorities/CN=Root CA/"
-INTERMEDIATE_CA_DN="/C=DE/O=Example/OU=Certificate Authorities/CN=Intermediate CA/"
-SERVER_DN=/C=DE/O=Example/OU=Systems/CN=$HOSTNAME/
-USERS_BASE_DN=/DC=com/DC=example/OU=People
-
-echo -- Init directory structures
-mkdir -p ./rootCA/{certs,crl,csr,newcerts,private}
-mkdir -p ./CA/{certs,crl,csr,newcerts,private}
-
-#
-# Root CA
-#
-export OPENSSL_CONF=./openssl_root.cnf
-export CATOP=./rootCA
-echo -- Create root CA in $CATOP
-touch $CATOP/index.txt
-openssl req -new -newkey rsa:4096 -extensions v3_ca \
- -subj "$ROOT_CA_DN" \
- -keyout $CATOP/private/cakey.pem -passout pass:demo -out ca_csr.pem \
- 2>/dev/null # quiet
-openssl ca -create_serial -selfsign -batch -passin pass:demo -in ca_csr.pem -out $CATOP/cacert.pem \
- 2>/dev/null # quiet
-
-echo -- Create intermediate CA in ./CA
-openssl req -new -newkey rsa:4096 -extensions v3_intermediate_ca \
- -subj "$INTERMEDIATE_CA_DN" \
- -keyout ./CA/private/cakey.pem -passout pass:demo -out ica_csr.pem \
- 2>/dev/null # quiet
-openssl ca -batch -passin pass:demo -in ica_csr.pem -out ./CA/cacert.pem \
- 2>/dev/null # quiet
-
-#
-# Intermediate CA
-#
-export OPENSSL_CONF=./openssl.cnf
-export CATOP=./CA
-
-# create index and serial
-touch $CATOP/index.txt
-openssl x509 -in $CATOP/cacert.pem -noout -next_serial -out $CATOP/serial \
- 2>/dev/null # quiet
-
-echo -- Create server key and certificate
-openssl req -new -newkey rsa:4096 -extensions server_ext \
- -subj $SERVER_DN \
- -keyout node_key.pem -passout pass:demo -out node_csr.pem \
- 2>/dev/null # quiet
-openssl ca -batch -passin pass:demo -in node_csr.pem -out node_crt.pem \
- 2>/dev/null # quiet
-
-# create CA chain
-cat node_crt.pem ./CA/cacert.pem ./rootCA/cacert.pem > chain.pem
-
-# convert to p12
-openssl pkcs12 -export -passin pass:demo -passout pass:changeit \
- -name "$HOSTNAME" -inkey node_key.pem -in chain.pem \
- -out node.p12 \
- 2>/dev/null # quiet
-
-echo -- Import Certificate Authority into keystore
-keytool -importcert -noprompt -keystore node.p12 -storepass changeit \
- -alias "rootCA" -file ./rootCA/cacert.pem
-keytool -importcert -noprompt -keystore node.p12 -storepass changeit \
- -alias "CA" -file ./CA/cacert.pem
-
-echo -- Copy node.p12 to ../init/node
-cp node.p12 ../init/node/
-
-echo -- Create 'root' user client certificate root.p12
-openssl req -new -newkey rsa:4096 -extensions user_ext \
- -subj $USERS_BASE_DN/UID=root/ \
- -keyout newkey.pem -passout pass:demo -out newcsr.pem \
- 2>/dev/null # quiet
-
-openssl ca -preserveDN -batch -passin pass:demo -in newcsr.pem -out newcrt.pem \
- 2>/dev/null # quiet
-
-# create new CA chain
-#cat newcrt.pem ./CA/cacert.pem ./rootCA/cacert.pem > newchain.pem
-openssl pkcs12 -export -passin pass:demo -passout pass:demo \
- -name "root" -inkey newkey.pem -in chain.pem \
- -out root.p12 \
- 2>/dev/null # quiet
-
-# demo user
-#openssl req -new -newkey rsa:4096 -extensions user_ext -days 365 \
-# -subj $USERS_BASE_DN/UID=demo/ \
-# -keyout newkey.pem -passout pass:demo -out newcsr.pem
-#openssl ca -preserveDN -batch -passin pass:demo -in newcsr.pem -out newcrt.pem
-#openssl pkcs12 -export -passin pass:demo -passout pass:demo \
-# -name "demo" -inkey newkey.pem -in newcrt.pem \
-# -out demo.p12
-
-# Self-signed
-#openssl req -x509 -new -newkey rsa:4096 -extensions server_ext -days 365 \
-# -subj $SERVER_DN \
-# -keyout newkey.pem -passout pass:demo -out newcrt.pem
-# Self-signed server certificate
-#openssl pkcs12 -export -passin pass:demo -passout pass:changeit \
-# -name "jetty" -inkey newkey.pem -in newcrt.pem \
-# -certfile ./CA/cacert.pem \
-# -out server.p12
-
-echo ## Clean up
-rm -vf *.pem
--- /dev/null
+grant {
+ permission java.security.AllPermission;
+};
\ No newline at end of file
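Review bot: The `grant` block has no `codeBase` or `signedBy` qualifier, so `permission java.security.AllPermission;` applies to every code source and, once the commented `java.security.policy=file:../../all.policy` line in the node properties is enabled, a security manager imposes no restriction at all. The file says nothing about its intended scope; I would add `// Development only: grants every permission to all code bases` above `grant {` so the policy is not picked up as a template. The file also lacks a trailing newline.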
--- /dev/null
+#argeo.osgi.baseUrl=http://forge.argeo.org/data/java/argeo-2.1/
+#argeo.osgi.distributionUrl=org/argeo/commons/org.argeo.dep.cms.sdk/2.1.65/org.argeo.dep.cms.sdk-2.1.65.jar
+#argeo.osgi.distributionUrl=org/argeo/commons/org.argeo.dep.cms.sdk/2.1.67/org.argeo.dep.cms.sdk-2.1.67.jar
+#argeo.osgi.distributionUrl=org/argeo/commons/org.argeo.dep.cms.sdk/2.1.68-SNAPSHOT/org.argeo.dep.cms.sdk-2.1.68-SNAPSHOT.jar
+
+#argeo.osgi.boot.debug=true
+
+argeo.osgi.start.1.osgiboot=org.argeo.init
+#argeo.osgi.start.2.node=org.eclipse.equinox.http.servlet,org.eclipse.equinox.http.jetty,org.eclipse.equinox.cm,org.eclipse.rap.rwt.osgi
+#argeo.osgi.start.3.node=org.argeo.cms,org.eclipse.gemini.blueprint.extender,org.eclipse.equinox.http.registry
+
+#java.security.manager=
+#java.security.policy=file:../../all.policy
+
+argeo.node.repo.type=localfs
+org.osgi.service.http.port=7070
+log4j.configuration=file:../../log4j.properties
+
+#java.util.logging.config.file=../../logging.properties
+
+
+# DON'T CHANGE BELOW
+org.eclipse.rap.workbenchAutostart=false
+org.eclipse.equinox.http.jetty.autostart=false
\ No newline at end of file
--- /dev/null
+argeo.osgi.start.2.node=\
+org.eclipse.equinox.http.servlet,\
+org.eclipse.equinox.metatype,\
+org.eclipse.equinox.cm,\
+org.eclipse.equinox.ds,\
+org.eclipse.rap.rwt.osgi
+
+argeo.osgi.start.3.node=\
+org.argeo.cms
+
+argeo.osgi.start.5.node=\
+org.argeo.cms.e4.rap
+
+# Local
+org.osgi.service.http.port=7070
+argeo.node.useradmin.uris=ldap://cn=Directory%20Manager:argeoargeo@test-pgsql-ldap/dc=example,dc=com
+argeo.node.repo.type=postgresql_cluster_ds
+argeo.node.repo.clusterId=03233754-16c3-49a1-8a00-58bf89a65182
+argeo.node.repo.dburl=jdbc:postgresql://test-pgsql-ldap/argeo_cluster
+argeo.node.repo.dbuser=argeo
+argeo.node.repo.dbpassword=argeo
+
+# Logging
+log4j.configuration=file:../../log4j.properties
+
+# DON'T CHANGE BELOW
+org.eclipse.equinox.http.jetty.autostart=false
+org.osgi.framework.bootdelegation=com.sun.jndi.ldap,\
+com.sun.jndi.ldap.sasl,\
+com.sun.security.jgss,\
+com.sun.jndi.dns,\
+com.sun.nio.file,\
+com.sun.nio.sctp
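Review bot: `argeo.node.repo.dbpassword=argeo` and the `argeo.node.useradmin.uris` value carry plaintext credentials (the Directory Manager password `argeoargeo` is embedded in the LDAP URL), and nothing in the file marks them as test fixtures; the same two lines recur in the port-7071 cluster variant and in the `postgresql_ds` variant later in this commit. The `.gitignore` added alongside excludes `*.p12`, `*.jks` and the keytab but not these properties files, so the values are committed as-is. I would add `# Test fixture: credentials below belong to the test-pgsql-ldap test host only` above the `# Local` block here and in the two other variants, so a reader does not mistake them for deployable settings.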
--- /dev/null
+argeo.osgi.start.2.node=\
+org.eclipse.equinox.http.servlet,\
+org.eclipse.equinox.metatype,\
+org.eclipse.equinox.cm,\
+org.eclipse.equinox.ds,\
+org.eclipse.rap.rwt.osgi
+
+argeo.osgi.start.3.node=\
+org.argeo.cms
+
+argeo.osgi.start.5.node=\
+org.argeo.cms.e4.rap
+
+# Local
+org.osgi.service.http.port=7071
+argeo.node.useradmin.uris=ldap://cn=Directory%20Manager:argeoargeo@test-pgsql-ldap/dc=example,dc=com
+argeo.node.repo.type=postgresql_cluster_ds
+argeo.node.repo.clusterId=52463fa3-2917-4814-9ff7-685c41cbc7c7
+argeo.node.repo.dburl=jdbc:postgresql://test-pgsql-ldap/argeo_cluster
+argeo.node.repo.dbuser=argeo
+argeo.node.repo.dbpassword=argeo
+
+# Logging
+log4j.configuration=file:../../log4j.properties
+
+# DON'T CHANGE BELOW
+org.eclipse.equinox.http.jetty.autostart=false
+org.osgi.framework.bootdelegation=com.sun.jndi.ldap,\
+com.sun.jndi.ldap.sasl,\
+com.sun.security.jgss,\
+com.sun.jndi.dns,\
+com.sun.nio.file,\
+com.sun.nio.sctp
--- /dev/null
+argeo.osgi.start.2.node=\
+org.eclipse.equinox.http.servlet,\
+org.eclipse.equinox.metatype,\
+org.eclipse.equinox.cm,\
+org.eclipse.equinox.ds,\
+org.eclipse.rap.rwt.osgi,\
+org.argeo.init
+
+argeo.osgi.start.3.node=\
+org.argeo.cms
+
+argeo.osgi.start.4.node=\
+org.argeo.cms.jcr
+
+argeo.osgi.start.5.node=\
+org.argeo.cms.e4.rap
+
+# Local
+argeo.node.repo.type=h2
+org.osgi.service.http.port=7070
+#org.eclipse.equinox.http.jetty.http.host=[IP address to listen to]
+#org.osgi.service.http.port.secure=7073
+#org.eclipse.equinox.http.jetty.websocket.enabled=true
+
+# Logging
+log4j.configuration=file:../../log4j.properties
+
+# SSL
+#org.osgi.service.http.port.secure=7073
+#org.eclipse.equinox.http.jetty.https.enabled=true
+#org.eclipse.equinox.http.jetty.ssl.keystore=data/node.p12
+#org.eclipse.equinox.http.jetty.ssl.keystoretype=PKCS12
+#org.eclipse.equinox.http.jetty.ssl.password=changeit
+#org.eclipse.equinox.http.jetty.ssl.wantclientauth=true
+
+# Hardened
+#org.osgi.framework.security=osgi
+#java.security.policy=file:../../all.policy
+
+# Internationalisation
+#argeo.i18n.locales=en,fr,ru
+#eclipse.registry.MultiLanguage=true
+#argeo.i18n.defaultLocale=en
+
+# Tuning
+# Number of DB connections
+#argeo.node.repo.maxPoolSize=10
+# Max amount of memory available to Jackrabbit caches
+#argeo.node.repo.maxCacheMB=16
+# Persistence level cache
+#argeo.node.repo.bundleCacheMB=8
+# Search, see http://wiki.apache.org/jackrabbit/Search
+#argeo.node.repo.extractorPoolSize=0
+#argeo.node.repo.searchCacheSize=1000
+#argeo.node.repo.maxVolatileIndexSize=1048576
+
+# Legacy
+#argeo.node.transaction.manager=bitronix
+
+# DON'T CHANGE BELOW
+org.eclipse.equinox.http.jetty.autostart=false
+org.osgi.framework.bootdelegation=com.sun.jndi.ldap,\
+com.sun.jndi.ldap.sasl,\
+com.sun.security.jgss,\
+com.sun.jndi.dns,\
+com.sun.nio.file,\
+com.sun.nio.sctp
--- /dev/null
+argeo.osgi.start.2.node=\
+org.eclipse.equinox.http.servlet,\
+org.eclipse.equinox.metatype,\
+org.eclipse.equinox.cm,\
+org.eclipse.equinox.ds,\
+org.eclipse.rap.rwt.osgi
+
+argeo.osgi.start.3.node=\
+org.argeo.cms
+
+argeo.osgi.start.5.node=\
+org.argeo.cms.e4.rap
+
+# Local
+argeo.node.repo.type=h2
+org.osgi.service.http.port=7070
+argeo.node.useradmin.uris=os:///
+
+# Logging
+log4j.configuration=file:../../log4j.properties
+
+# DON'T CHANGE BELOW
+org.eclipse.equinox.http.jetty.autostart=false
+org.osgi.framework.bootdelegation=com.sun.jndi.ldap,\
+com.sun.jndi.ldap.sasl,\
+com.sun.security.jgss,\
+com.sun.jndi.dns,\
+com.sun.nio.file,\
+com.sun.nio.sctp
--- /dev/null
+argeo.osgi.start.2.node=\
+org.eclipse.equinox.http.servlet,\
+org.eclipse.equinox.metatype,\
+org.eclipse.equinox.cm,\
+org.eclipse.equinox.ds,\
+org.eclipse.rap.rwt.osgi
+
+argeo.osgi.start.3.node=\
+org.argeo.cms
+
+argeo.osgi.start.5.node=\
+org.argeo.cms.e4.rap
+
+# Local
+org.osgi.service.http.port=7070
+argeo.node.useradmin.uris=ldap://cn=Directory%20Manager:argeoargeo@test-pgsql-ldap/dc=example,dc=com
+argeo.node.repo.type=postgresql_ds
+argeo.node.repo.dburl=jdbc:postgresql://test-pgsql-ldap/argeo
+argeo.node.repo.dbuser=argeo
+argeo.node.repo.dbpassword=argeo
+
+# Logging
+log4j.configuration=file:../../log4j.properties
+
+# DON'T CHANGE BELOW
+org.eclipse.equinox.http.jetty.autostart=false
+org.osgi.framework.bootdelegation=com.sun.jndi.ldap,\
+com.sun.jndi.ldap.sasl,\
+com.sun.security.jgss,\
+com.sun.jndi.dns,\
+com.sun.nio.file,\
+com.sun.nio.sctp
--- /dev/null
+/krb5.keytab
+/krb5.keytab.old
+/*.p12
+/*.jks
\ No newline at end of file
--- /dev/null
+dn: cn=admin,ou=roles,ou=node
+objectClass: groupOfNames
+objectClass: top
+cn: admin
+member: uid=root,ou=People,dc=example,dc=com
+
+dn: cn=userAdmin,ou=roles,ou=node
+objectClass: groupOfNames
+objectClass: top
+member: cn=admin,ou=roles,ou=node
+cn: userAdmin
+
--- /dev/null
+log4j.rootLogger=WARN, development
+
+log4j.logger.org.argeo=DEBUG
+
+## Appenders
+log4j.appender.console=org.apache.log4j.ConsoleAppender
+log4j.appender.console.layout=org.apache.log4j.PatternLayout
+log4j.appender.console.layout.ConversionPattern= %-5p %d{ISO8601} %m %n
+
+log4j.appender.development=org.apache.log4j.ConsoleAppender
+log4j.appender.development.layout=org.apache.log4j.PatternLayout
+log4j.appender.development.layout.ConversionPattern=%d{ABSOLUTE} %m (%F:%L) [%t] %p %n
--- /dev/null
+/CA/
+/*.p12
+/*.jks
+/nssdb/
+/*.pem
+/old/
+/rootCA/
--- /dev/null
+dir = ./CA # Where everything is kept
+
+[ ca ]
+default_ca = CA_default # The default ca section
+
+[ CA_default ]
+certs = $dir/certs # Where the issued certs are kept
+crl_dir = $dir/crl # Where the issued crl are kept
+database = $dir/index.txt # database index file.
+new_certs_dir = $dir/newcerts # default place for new certs.
+certificate = $dir/cacert.pem # The CA certificate
+serial = $dir/serial # The current serial number
+crlnumber = $dir/crlnumber # the current crl number
+crl = $dir/crl.pem # The current CRL
+private_key = $dir/private/cakey.pem # The private key
+x509_extensions = usr_cert # The extentions to add to the cert
+name_opt = ca_default # Subject Name options
+cert_opt = ca_default # Certificate field options
+crl_extensions = crl_ext
+default_days = 365 # how long to certify for
+default_crl_days= 30 # how long before next CRL
+default_md = default # use public key default MD
+preserve = no # keep passed DN ordering
+policy = policy_match
+
+[ policy_match ]
+countryName = optional
+stateOrProvinceName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = optional
+emailAddress = optional
+
+[ policy_anything ]
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = optional
+emailAddress = optional
+
+[ req ]
+default_bits = 4096
+default_md = sha1
+default_keyfile = privkey.pem
+distinguished_name = req_distinguished_name
+attributes = req_attributes
+x509_extensions = v3_ca # The extensions to add to the self signed cert
+
+# Passwords for private keys if not present they will be prompted for
+input_password = demo
+output_password = demo
+
+string_mask = utf8only
+req_extensions = v3_req # The extensions to add to a certificate request
+
+[ req_distinguished_name ]
+countryName = Country Name (2 letter code)
+countryName_min = 2
+countryName_max = 2
+#stateOrProvinceName = State or Province Name (full name)
+#localityName = Locality Name (eg, city)
+0.organizationName = Organization Name (eg, company)
+organizationalUnitName = Organizational Unit Name (eg, section)
+commonName = Common Name (eg, your name or your server\'s hostname)
+commonName_max = 64
+emailAddress = Email Address
+emailAddress_max = 64
+# SET-ex3 = SET extension number 3
+
+##
+## DEFAULT VALUES
+##
+countryName_default = DE
+#stateOrProvinceName_default = Berlin
+#localityName_default = Berlin
+0.organizationName_default = Example
+organizationalUnitName_default = Certificate Authorities
+commonName_default = Intermediate CA
+
+[ req_attributes ]
+#challengePassword = A challenge password
+#challengePassword_min = 4
+#challengePassword_max = 20
+#unstructuredName = An optional company name
+
+[ usr_cert ]
+basicConstraints=CA:FALSE
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+subjectAltName=email:move
+issuerAltName=issuer:copy
+
+[ v3_req ]
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+[ v3_ca ]
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer
+basicConstraints = critical, CA:true
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+[ v3_intermediate_ca ]
+# Extensions for a typical intermediate CA (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true, pathlen:0
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+[ crl_ext ]
+issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always
+
+[ server_ext ]
+extendedKeyUsage=serverAuth
+
+[ user_ext ]
+extendedKeyUsage=clientAuth,emailProtection
--- /dev/null
+dir = ./rootCA # Where everything is kept
+
+[ ca ]
+default_ca = CA_default # The default ca section
+
+[ CA_default ]
+certs = $dir/certs # Where the issued certs are kept
+crl_dir = $dir/crl # Where the issued crl are kept
+database = $dir/index.txt # database index file.
+new_certs_dir = $dir/newcerts # default place for new certs.
+certificate = $dir/cacert.pem # The CA certificate
+serial = $dir/serial # The current serial number
+crlnumber = $dir/crlnumber # the current crl number
+crl = $dir/crl.pem # The current CRL
+private_key = $dir/private/cakey.pem # The private key
+x509_extensions = usr_cert # The extentions to add to the cert
+name_opt = ca_default # Subject Name options
+cert_opt = ca_default # Certificate field options
+crl_extensions = crl_ext
+default_days = 3650 # how long to certify for
+default_crl_days= 30 # how long before next CRL
+default_md = default # use public key default MD
+preserve = no # keep passed DN ordering
+policy = policy_match
+
+[ policy_match ]
+countryName = optional
+stateOrProvinceName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = optional
+emailAddress = optional
+
+[ policy_anything ]
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = optional
+emailAddress = optional
+
+[ req ]
+default_bits = 4096
+default_md = sha1
+default_keyfile = privkey.pem
+distinguished_name = req_distinguished_name
+attributes = req_attributes
+x509_extensions = v3_ca # The extensions to add to the self signed cert
+
+# Passwords for private keys if not present they will be prompted for
+input_password = demo
+output_password = demo
+
+string_mask = utf8only
+req_extensions = v3_req # The extensions to add to a certificate request
+
+[ req_distinguished_name ]
+countryName = Country Name (2 letter code)
+countryName_min = 2
+countryName_max = 2
+#stateOrProvinceName = State or Province Name (full name)
+#localityName = Locality Name (eg, city)
+0.organizationName = Organization Name (eg, company)
+organizationalUnitName = Organizational Unit Name (eg, section)
+commonName = Common Name (eg, your name or your server\'s hostname)
+commonName_max = 64
+emailAddress = Email Address
+emailAddress_max = 64
+# SET-ex3 = SET extension number 3
+
+##
+## DEFAULT VALUES
+##
+countryName_default = DE
+#stateOrProvinceName_default = Berlin
+#localityName_default = Berlin
+0.organizationName_default = Example
+organizationalUnitName_default = Certificate Authorities
+commonName_default = Root CA
+
+[ req_attributes ]
+#challengePassword = A challenge password
+#challengePassword_min = 4
+#challengePassword_max = 20
+#unstructuredName = An optional company name
+
+[ usr_cert ]
+basicConstraints=CA:FALSE
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+subjectAltName=email:move
+issuerAltName=issuer:copy
+
+[ v3_req ]
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+[ v3_ca ]
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer
+basicConstraints = critical, CA:true
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+[ v3_intermediate_ca ]
+# Extensions for a typical intermediate CA (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true, pathlen:0
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+[ crl_ext ]
+issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always
+
+[ server_ext ]
+extendedKeyUsage=serverAuth
+
+[ user_ext ]
+extendedKeyUsage=clientAuth,emailProtection
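Review bot: `x509_extensions = usr_cert` in `[ CA_default ]` (the `x509_extensions` line of this root-CA config) is an end-entity profile with `basicConstraints=CA:FALSE` and `subjectAltName=email:move`, yet this is the config under which the root is self-signed and the intermediate is issued; the script in the following hunk passes `-extensions v3_ca` / `-extensions v3_intermediate_ca` only to `openssl req -new`, and as far as I can tell that does not reach `openssl ca` because `copy_extensions` is not set here, so both CA certificates would be minted with `CA:FALSE` and verifiers would reject the chain. Either make the CA profile the default in this file, `x509_extensions = v3_ca`, or pass `-extensions` on the `openssl ca` calls in the script. Separately, `default_md = sha1` in `[ req ]` (also present in the preceding hunk) should be `default_md = sha256`; SHA-1 signatures are rejected by current verifiers and there is no reason to keep it in a fresh CA config. The hard-coded `input_password` / `output_password = demo` match the script's "development only" note but deserve the same comment here, e.g. `# DEVELOPMENT ONLY: private-key passphrase is fixed to 'demo'`.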
--- /dev/null
+#!/bin/sh
+
+# COMPLETELY UNSAFE - FOR DEVELOPMENT ONLY
+# Run this script from its directory
+# all *.p12 passwords are 'demo'
+# all *.jks passwords are 'changeit'
+
+# Fail if any error
+set -e
+
+ROOT_CA_DN="/C=DE/O=Example/OU=Certificate Authorities/CN=Root CA/"
+INTERMEDIATE_CA_DN="/C=DE/O=Example/OU=Certificate Authorities/CN=Intermediate CA/"
+SERVER_DN=/C=DE/O=Example/OU=Systems/CN=$HOSTNAME/
+USERS_BASE_DN=/DC=com/DC=example/OU=People
+
+echo -- Init directory structures
+mkdir -p ./rootCA/{certs,crl,csr,newcerts,private}
+mkdir -p ./CA/{certs,crl,csr,newcerts,private}
+
+#
+# Root CA
+#
+export OPENSSL_CONF=./openssl_root.cnf
+export CATOP=./rootCA
+echo -- Create root CA in $CATOP
+touch $CATOP/index.txt
+openssl req -new -newkey rsa:4096 -extensions v3_ca \
+ -subj "$ROOT_CA_DN" \
+ -keyout $CATOP/private/cakey.pem -passout pass:demo -out ca_csr.pem \
+ 2>/dev/null # quiet
+openssl ca -create_serial -selfsign -batch -passin pass:demo -in ca_csr.pem -out $CATOP/cacert.pem \
+ 2>/dev/null # quiet
+
+echo -- Create intermediate CA in ./CA
+openssl req -new -newkey rsa:4096 -extensions v3_intermediate_ca \
+ -subj "$INTERMEDIATE_CA_DN" \
+ -keyout ./CA/private/cakey.pem -passout pass:demo -out ica_csr.pem \
+ 2>/dev/null # quiet
+openssl ca -batch -passin pass:demo -in ica_csr.pem -out ./CA/cacert.pem \
+ 2>/dev/null # quiet
+
+#
+# Intermediate CA
+#
+export OPENSSL_CONF=./openssl.cnf
+export CATOP=./CA
+
+# create index and serial
+touch $CATOP/index.txt
+openssl x509 -in $CATOP/cacert.pem -noout -next_serial -out $CATOP/serial \
+ 2>/dev/null # quiet
+
+echo -- Create server key and certificate
+openssl req -new -newkey rsa:4096 -extensions server_ext \
+ -subj $SERVER_DN \
+ -keyout node_key.pem -passout pass:demo -out node_csr.pem \
+ 2>/dev/null # quiet
+openssl ca -batch -passin pass:demo -in node_csr.pem -out node_crt.pem \
+ 2>/dev/null # quiet
+
+# create CA chain
+cat node_crt.pem ./CA/cacert.pem ./rootCA/cacert.pem > chain.pem
+
+# convert to p12
+openssl pkcs12 -export -passin pass:demo -passout pass:changeit \
+ -name "$HOSTNAME" -inkey node_key.pem -in chain.pem \
+ -out node.p12 \
+ 2>/dev/null # quiet
+
+echo -- Import Certificate Authority into keystore
+keytool -importcert -noprompt -keystore node.p12 -storepass changeit \
+ -alias "rootCA" -file ./rootCA/cacert.pem
+keytool -importcert -noprompt -keystore node.p12 -storepass changeit \
+ -alias "CA" -file ./CA/cacert.pem
+
+echo -- Copy node.p12 to ../init/node
+cp node.p12 ../init/node/
+
+echo -- Create 'root' user client certificate root.p12
+openssl req -new -newkey rsa:4096 -extensions user_ext \
+ -subj $USERS_BASE_DN/UID=root/ \
+ -keyout newkey.pem -passout pass:demo -out newcsr.pem \
+ 2>/dev/null # quiet
+
+openssl ca -preserveDN -batch -passin pass:demo -in newcsr.pem -out newcrt.pem \
+ 2>/dev/null # quiet
+
+# create new CA chain
+#cat newcrt.pem ./CA/cacert.pem ./rootCA/cacert.pem > newchain.pem
+openssl pkcs12 -export -passin pass:demo -passout pass:demo \
+ -name "root" -inkey newkey.pem -in chain.pem \
+ -out root.p12 \
+ 2>/dev/null # quiet
+
+# demo user
+#openssl req -new -newkey rsa:4096 -extensions user_ext -days 365 \
+# -subj $USERS_BASE_DN/UID=demo/ \
+# -keyout newkey.pem -passout pass:demo -out newcsr.pem
+#openssl ca -preserveDN -batch -passin pass:demo -in newcsr.pem -out newcrt.pem
+#openssl pkcs12 -export -passin pass:demo -passout pass:demo \
+# -name "demo" -inkey newkey.pem -in newcrt.pem \
+# -out demo.p12
+
+# Self-signed
+#openssl req -x509 -new -newkey rsa:4096 -extensions server_ext -days 365 \
+# -subj $SERVER_DN \
+# -keyout newkey.pem -passout pass:demo -out newcrt.pem
+# Self-signed server certificate
+#openssl pkcs12 -export -passin pass:demo -passout pass:changeit \
+# -name "jetty" -inkey newkey.pem -in newcrt.pem \
+# -certfile ./CA/cacert.pem \
+# -out server.p12
+
+echo ## Clean up
+rm -vf *.pem
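Review bot: The `mkdir -p ./rootCA/{certs,crl,csr,newcerts,private}` lines rely on brace expansion, which `#!/bin/sh` does not guarantee; on dash (Debian/Ubuntu `/bin/sh`) a single directory literally named `{certs,crl,csr,newcerts,private}` is created, `./rootCA/private` never exists, and the first `-keyout $CATOP/private/cakey.pem` fails under `set -e`. Use `#!/bin/bash` or list the directories explicitly, `mkdir -p ./rootCA/certs ./rootCA/crl ./rootCA/csr ./rootCA/newcerts ./rootCA/private`. `-subj $SERVER_DN` and `-subj $USERS_BASE_DN/UID=root/` are unquoted while the CA DNs are quoted; a `$HOSTNAME` containing a space or an empty `$HOSTNAME` breaks the argument, so quote them like the others. The `-extensions server_ext` / `-extensions user_ext` passed to `openssl req -new` are not applied by `openssl ca`, which takes `x509_extensions` from the config instead, and even if passed to `openssl ca -extensions server_ext` the server certificate would have no `basicConstraints=CA:FALSE` and no DNS `subjectAltName` for `$HOSTNAME`; the `[ server_ext ]` section needs at least `basicConstraints = CA:FALSE` and a `subjectAltName = DNS:${ENV::HOSTNAME}` style entry (or a SAN supplied via `-addext` and `copy_extensions = copy`).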