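#!/usr/bin/env bash
#
# Build a fake, self-contained TLS chain for local development using nothing but keytool:
#
#   root (self-signed, CA:true) -> ca (intermediate, CA:true pathlen 0) -> server (leaf)
#
# Files produced in the current directory (overwritten on every run):
#   root.jks           root private key + self-signed root certificate
#   ca.jks             intermediate private key + chain [ca, root]
#   my-keystore.jks    server private key + chain [server, ca, root]   (TLS server keystore)
#   my-truststore.jks  trusted entries root, ca and server            (client truststore;
#                      root alone would be enough, the rest is kept for compatibility)
#   root.pem, ca.pem, server.pem   PEM copies of the three certificates
#
# Environment (all optional):
#   KEYSTORE_PASS   password for every keystore and private key (default: "password" - dev only)
#   VALIDITY_DAYS   lifetime in days of every certificate (default: 10000)
#   SERVER_SAN      keytool SAN value for the server certificate
#                   (default: "dns:localhost,ip:192.1.1.18")
#
# Notes for the security-minded:
#   * The password is handed to keytool with -storepass:env / -keypass:env, so only the
#     variable NAME appears in `ps` output and shell history, not the secret itself.
#   * Certificate lifetimes are passed to -gencert explicitly. Without that, -gencert defaults
#     to 90 days; the -validity given to -genkeypair only covers the temporary self-signed
#     certificate that the CA-signed one replaces.
#   * keytool writes every file itself (-file / -outfile) instead of via shell redirection,
#     so the PEM output stays plain ASCII even under Windows PowerShell, whose `>` writes UTF-16
#     and yields "Input not an X.509 certificate" on import.
#   * This is a throwaway development chain. Never import root.pem into a production trust store.
set -euo pipefail

readonly KEY_ALG=RSA
readonly KEY_SIZE=2048
readonly SIG_ALG=SHA256withRSA          # explicit, so old JDKs do not fall back to SHA-1

export KEYSTORE_PASS="${KEYSTORE_PASS:-password}"
readonly KEYSTORE_PASS
VALIDITY_DAYS="${VALIDITY_DAYS:-10000}"
SERVER_SAN="${SERVER_SAN:-dns:localhost,ip:192.1.1.18}"
readonly VALIDITY_DAYS SERVER_SAN

#######################################
# Print a message to stderr and exit 1.
#######################################
die() {
  printf 'error: %s\n' "$*" >&2
  exit 1
}

#######################################
# Print a title framed by two lines of '=' as wide as the title.
# Arguments: $1 - title text
#######################################
banner() {
  local rule
  rule=$(printf '%*s' $(( ${#1} + 2 )) '' | tr ' ' '=')
  printf '%s\n%s\n%s\n' "$rule" "$1" "$rule"
}

#######################################
# Generate an RSA key pair (with a temporary self-signed certificate) in a keystore.
# Arguments: $1 - keystore file, $2 - alias, $3 - subject DN, $@ - extra keytool args (e.g. -ext)
#######################################
gen_keypair() {
  local keystore=$1 alias=$2 dname=$3
  shift 3
  keytool -genkeypair -keystore "$keystore" -alias "$alias" -dname "$dname" \
    -keyalg "$KEY_ALG" -keysize "$KEY_SIZE" -sigalg "$SIG_ALG" -validity "$VALIDITY_DAYS" \
    -storepass:env KEYSTORE_PASS -keypass:env KEYSTORE_PASS "$@"
}

#######################################
# Have the key at $1/$2 sign a CSR produced from the key at $3/$4; write the PEM cert to $5.
# The CSR is a temporary file next to the output and is removed afterwards.
# Arguments: $1 issuer keystore, $2 issuer alias, $3 subject keystore, $4 subject alias,
#            $5 output PEM path, $@ extra -gencert args (extensions)
#######################################
sign_cert() {
  local issuer_ks=$1 issuer_alias=$2 subject_ks=$3 subject_alias=$4 out_pem=$5
  shift 5
  local csr="${out_pem%.pem}.csr"
  keytool -certreq -keystore "$subject_ks" -alias "$subject_alias" -file "$csr" \
    -storepass:env KEYSTORE_PASS
  # -validity must be repeated here: -gencert has its own default (90 days).
  keytool -gencert -keystore "$issuer_ks" -alias "$issuer_alias" -infile "$csr" \
    -outfile "$out_pem" -rfc -sigalg "$SIG_ALG" -validity "$VALIDITY_DAYS" \
    -storepass:env KEYSTORE_PASS "$@"
  rm -f -- "$csr"
}

#######################################
# Import a PEM certificate into a keystore without prompting. If the alias already holds a
# private key, keytool treats the file as a certificate reply and installs it as that key's chain.
# -noprompt is safe here only because every certificate imported was generated by this script.
# Arguments: $1 - keystore file, $2 - alias, $3 - PEM file
#######################################
import_cert() {
  keytool -importcert -keystore "$1" -alias "$2" -file "$3" -trustcacerts -noprompt \
    -storepass:env KEYSTORE_PASS
}

main() {
  command -v keytool >/dev/null 2>&1 || die "keytool not found on PATH (it ships with the JDK)"

  # Remove only what this script produces; a blanket `rm *.jks` would take unrelated keystores with it.
  rm -f -- root.jks ca.jks my-keystore.jks my-truststore.jks \
    root.pem ca.pem server.pem ca.csr server.csr

  banner "Creating fake third-party chain root -> ca"
  # Root and intermediate get distinct DNs on purpose: with identical subjects the intermediate
  # would be self-issued (issuer == subject), which some path validators treat as self-signed.
  gen_keypair root.jks root "cn=Local Network - Development Root" -ext bc:c
  gen_keypair ca.jks ca "cn=Local Network - Development CA" -ext bc:c
  keytool -exportcert -rfc -keystore root.jks -alias root -file root.pem \
    -storepass:env KEYSTORE_PASS
  # root -> ca: CA:true with pathLen 0, so ca may issue leaf certificates only.
  # (The original also put san=dns:ca on this CA certificate; a SAN carries no meaning on a CA.)
  sign_cert root.jks root ca.jks ca ca.pem -ext bc=0
  import_cert ca.jks root root.pem
  import_cert ca.jks ca ca.pem

  banner "Fake third-party chain generated. Now generating my-keystore.jks ..."
  gen_keypair my-keystore.jks server "cn=server"
  # ca -> server: digitalSignature + keyEncipherment (critical), EKU serverAuth (sa) and
  # clientAuth (ca), SAN taken from SERVER_SAN. Drop ",ca" if the key is only ever a server key.
  sign_cert ca.jks ca my-keystore.jks server server.pem \
    -ext ku:c=dig,keyEnc -ext "san=$SERVER_SAN" -ext eku=sa,ca
  import_cert my-keystore.jks root root.pem
  import_cert my-keystore.jks ca ca.pem
  import_cert my-keystore.jks server server.pem

  banner "Keystore generated. Now generating truststore ..."
  import_cert my-truststore.jks root root.pem
  import_cert my-truststore.jks ca ca.pem
  import_cert my-truststore.jks server server.pem
}

main "$@"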
Update: when I look at root.pem in a hex editor, it is UTF-16LE (what older Windows tools label "Unicode"), not the plain ASCII that PEM requires. If I copy and paste the text into a new UTF-8/ASCII file, keytool imports it fine. So something about how keytool's output is written to the file is causing it. By the way, I'm using PowerShell on Windows, which is probably the problem. |
Yes, the problem was PowerShell. Its '>' redirection operator is an alias for Out-File, and in Windows PowerShell 5.1 Out-File writes UTF-16LE by default (PowerShell 7 switched the default to UTF-8). The fix is to replace "> root.pem" with "| Out-File root.pem -encoding ASCII", or to avoid shell redirection altogether and let keytool write the file itself with "-exportcert ... -file root.pem" and "-gencert ... -outfile ca.pem". Hopefully this will help a weary traveller. |
Thank you , this is amazing |
Thank you! |
It seems promising since it uses keytool for the entire procedure. Unfortunately it does not obviously produce the client-side *.crt file that I need, so browsers keep showing the security warning because I cannot import the certificate into the Windows Trusted Root Certification Authorities store. (Note that root.pem, exported with "-exportcert -rfc", is already a PEM-encoded certificate; the Windows certificate import wizard should accept it as-is or after renaming it to root.crt. Import only the root, never the server certificate, as a trusted authority.) |
Perfect ! Thank you! |
Thanks but why do you use "-ext eku=sa,ca"? |
It is the Extended Key Usage extension. In keytool's shorthand "sa" is serverAuth (TLS server authentication) and "ca" is clientAuth (TLS client authentication), so the certificate is usable on either side of a TLS connection. If the key will only ever be used by a server, "-ext eku=sa" is the tighter choice. |
I realize this is from two years ago, but it's very helpful.
However, when it gets to the point where I'm trying to import the root certificate into the intermediate store (the "-importcert ... -alias root -file root.pem" step), I get this:
keytool error: java.lang.Exception: Input not an X.509 certificate
This is the error keytool reports when root.pem is not a plain ASCII/UTF-8 PEM file, e.g. when it was written as UTF-16 by PowerShell's '>' redirection as described earlier in this thread; writing the file with "-exportcert ... -file root.pem" instead of a redirect avoids it.
Given that this is a pretty stale post, I don't expect a response, but if someone else sees it, they'll know they're not alone. I'll look for the solution and post it here if I find it and remember. :-)