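# generate a keystore containing a single key pair
# ("password" is a placeholder; values passed via -storepass/-keypass are visible
# in the process list and shell history)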
keytool -genkey \
-noprompt \
-keyalg RSA \
-alias cp01.woolford.io \
-dname "CN=cp01.woolford.io, OU=woolford.io, O=woolford.io, L=Lafayette, ST=Colorado, C=US" \
-keypass password \
-keystore keystore.jks \
-storepass password \
-storetype pkcs12 \
-validity 365
# generate a certificate signing request (CSR)
keytool -certreq \
-keystore keystore.jks \
-alias cp01.woolford.io \
-storepass password \
-keypass password \
-file cp01.woolford.io.csr
# log in to IPA (obtain a Kerberos ticket as admin)
kinit admin
# process the CSR
ipa cert-request cp01.woolford.io.csr \
--principal=c3/cp01.woolford.io \
--add \
--certificate-out=cp01.woolford.io.signed.crt
# copy the IPA CA certificate (ca.crt) to the local folder
# (on an IPA-enrolled host it is normally at /etc/ipa/ca.crt)
# inspect the signed certificate:
openssl x509 \
-in cp01.woolford.io.signed.crt \
-text
# add the CA certificate to Java's trusted certs
keytool -import \
-keystore /usr/java/jdk1.8.0_201-amd64/jre/lib/security/cacerts \
-storepass changeit \
-alias IPARoot \
-file ca.crt
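# import the signed certificate into the keystore under the same alias as the key;
# -trustcacerts lets keytool build the chain from the CA added to cacerts above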
keytool -import \
-trustcacerts \
-alias cp01.woolford.io \
-keystore keystore.jks \
-storepass password \
-file cp01.woolford.io.signed.crt
# create truststore with ca certificate
keytool -import \
-noprompt \
-file ca.crt \
-alias IPARoot \
-keystore truststore.jks \
-storepass password
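
Added example, not part of the original gist: checks worth running on the certificate returned by `ipa cert-request` before it is imported into the keystore (same public key as the CSR, chains to `ca.crt`, not close to expiry). The function names `check_signed_cert` and `make_demo_pki` are hypothetical, and the throwaway CA built by `make_demo_pki` is a constructed stand-in for the IPA CA so the script runs offline.

```shell
#!/usr/bin/env bash
# check_signed_cert CSR CERT CA [MIN_DAYS]
# Returns 0 if all checks pass; 1 unreadable input; 2 public key mismatch;
# 3 certificate does not chain to CA; 4 certificate expires within MIN_DAYS.
check_signed_cert() {
  local csr="$1" crt="$2" ca="$3" min_days="${4:-30}" csr_key crt_key
  csr_key=$(openssl req  -in "$csr" -noout -pubkey 2>/dev/null) || return 1
  crt_key=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) || return 1
  # 1. Same public key as the CSR, i.e. as the private key held in keystore.jks;
  #    a mismatch means keytool cannot attach the certificate to that key.
  [ "$csr_key" = "$crt_key" ] || return 2
  # 2. Issued by the CA that is being placed in cacerts and truststore.jks.
  openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 || return 3
  # 3. Still valid MIN_DAYS days from now.
  openssl x509 -in "$crt" -noout -checkend $((min_days * 86400)) >/dev/null || return 4
}

# Constructed fixture (assumption: stands in for the IPA CA and the host's CSR).
# Writes a CA, a host CSR and signed certificate, plus an unrelated CSR and CA
# for exercising the failure paths, into directory $1.
make_demo_pki() {
  local d="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Demo CA" -days 365 \
    -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null &&
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=host.example.test" \
    -keyout "$d/host.key" -out "$d/host.csr" 2>/dev/null &&
  openssl x509 -req -in "$d/host.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -days 365 -out "$d/host.signed.crt" 2>/dev/null &&
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=other.example.test" \
    -keyout "$d/other.key" -out "$d/other.csr" 2>/dev/null &&
  openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Other CA" -days 365 \
    -keyout "$d/other-ca.key" -out "$d/other-ca.crt" 2>/dev/null
}

# With the gist's file names the call would be:
#   check_signed_cert cp01.woolford.io.csr cp01.woolford.io.signed.crt ca.crt
```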