Java keytool based CA and certificate signer for Apache NiFi
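#!/bin/bash
#
# Build a two-tier private CA (root + intermediate) with Java keytool and issue
# a server certificate for an Apache NiFi node.
#
# Files written to the current directory:
#   .keystore / rootCA.jks  - CA private keys (root + intermediate); keep private
#   nifi.jks, nifi.p12      - server private key + certificate chain for the node
#   trust.jks               - public CA certificates only (the truststore)
#
# Environment overrides: CANAME, CA2NAME, NIFI_SERVER, DOMAIN, IP_ADDRESS,
# EMAIL, STOREPASS, CA_KEYSTORE. Every keytool call takes its password through
# -storepass:env so the secret does not show up in `ps` output or shell history.
set -euo pipefail

die() { printf 'error: %s\n' "$*" >&2; exit 1; }

command -v keytool >/dev/null 2>&1 || die "keytool not found in PATH"

CANAME=${CANAME:-rootCA}
CA2NAME=${CA2NAME:-intermediateCA}
NIFI_SERVER=${NIFI_SERVER:-nifi01}
DOMAIN=${DOMAIN:-localdomain}
IP_ADDRESS=${IP_ADDRESS:-127.0.0.1}
EMAIL="${EMAIL:-nifi@${NIFI_SERVER}.${DOMAIN}}"
# keytool falls back to ~/.keystore when -keystore is omitted, so the CA
# keystore is named explicitly: the existence check below, every CA operation
# and the final copy must all refer to the same file.
CA_KEYSTORE=${CA_KEYSTORE:-.keystore}
# Default kept for compatibility with the original; set STOREPASS in the
# environment for anything beyond a throwaway lab. Exported for -storepass:env.
export STOREPASS="${STOREPASS:-changeme}"
SIGALG="SHA256withRSA"
readonly SERVER_DAYS=365
readonly INTERMEDIATE_DAYS=3650
readonly ROOT_DAYS=10950

# --- server (leaf) certificate profile ---
EXT="SAN=IP:127.0.0.1,IP:${IP_ADDRESS},DNS:${NIFI_SERVER}.${DOMAIN},DNS:${NIFI_SERVER},DNS:localhost,EMAIL:${EMAIL}"
# keyCertSign/cRLSign are CA-only usages; a leaf that carries them (and
# BC=CA:TRUE) would present itself as a certificate issuer.
EXT2="KeyUsage=digitalSignature,keyEncipherment,nonRepudiation,dataEncipherment,keyAgreement"
EXT3="ExtendedKeyUsage=clientAuth,serverAuth"
EXTLEAF="BC=CA:FALSE"
DNAME="CN=${NIFI_SERVER}.${DOMAIN},O=NIFI,OU=PKI,L=New York,ST=NY,C=US"

# --- CA certificate profiles ---
CADNAME="CN=NiFi_RootCA,OU=MY_RootCertificateAuthority,o=NIFI,ST=NY,C=US"
CA2DNAME="CN=NiFi_IntermediateCA,OU=MY_IntermediateCertificateAuthority,o=NIFI,ST=NY,C=US"
EXT1CA="KU=digitalSignature,keyEncipherment,keyCertSign,cRLSign"
EXT2CA="BC=CA:TRUE,pathlen:1"   # root: one CA level allowed below it
EXT4="BC=CA:TRUE,pathlen:0"     # intermediate: may only issue end-entity certs

# Refuse to add a second key under the same alias to an existing server keystore;
# keytool would fail on the genkeypair and the remaining steps would half-apply.
if [[ -e nifi.jks ]]; then
  die "nifi.jks already exists; move it aside before issuing a new server key"
fi

echo "Creating a keypair for the NiFi Server (nifi.jks)..."
keytool -genkeypair -alias "${NIFI_SERVER}" -dname "${DNAME}" \
  -ext "${EXT}" -ext "${EXT2}" -ext "${EXT3}" -ext "${EXTLEAF}" \
  -storepass:env STOREPASS -keypass:env STOREPASS \
  -keyalg RSA -keysize 2048 -validity "${SERVER_DAYS}" -sigalg "${SIGALG}" \
  -keystore nifi.jks

if [[ ! -e "${CA_KEYSTORE}" ]]; then
  echo "Creating internal CA (${CA_KEYSTORE})..."
  keytool -genkeypair -alias "${CANAME}" -dname "${CADNAME}" \
    -ext "${EXT1CA}" -ext "${EXT2CA}" \
    -storepass:env STOREPASS -keypass:env STOREPASS \
    -keyalg RSA -keysize 4096 -validity "${ROOT_DAYS}" -sigalg "${SIGALG}" \
    -keystore "${CA_KEYSTORE}"
  keytool -genkeypair -alias "${CA2NAME}" -dname "${CA2DNAME}" \
    -ext "${EXT1CA}" -ext "${EXT4}" \
    -storepass:env STOREPASS -keypass:env STOREPASS \
    -keyalg RSA -keysize 4096 -validity "${INTERMEDIATE_DAYS}" -sigalg "${SIGALG}" \
    -keystore "${CA_KEYSTORE}"
  # Sign the intermediate with the root and install the reply on the
  # intermediate's own key entry (alias CA2NAME) so that entry's chain reaches
  # the root. Importing under any other alias leaves the key entry self-signed
  # and every certificate it later issues chains to that self-signed cert.
  # -gencert defaults to a 90-day validity, so it is set explicitly here.
  keytool -certreq -alias "${CA2NAME}" -ext "${EXT1CA}" -ext "${EXT4}" \
      -storepass:env STOREPASS -keystore "${CA_KEYSTORE}" \
    | keytool -gencert -alias "${CANAME}" -ext "${EXT1CA}" -ext "${EXT4}" \
      -storepass:env STOREPASS -sigalg "${SIGALG}" -validity "${INTERMEDIATE_DAYS}" \
      -keystore "${CA_KEYSTORE}" \
    | keytool -importcert -alias "${CA2NAME}" -storepass:env STOREPASS -noprompt \
      -keystore "${CA_KEYSTORE}"
  # The CA keystore holds the signing keys: owner-only access.
  chmod 0600 -- "${CA_KEYSTORE}"
fi

# The root is needed in nifi.jks only so keytool can validate the signed reply;
# it is removed again once the chain is installed.
echo "Importing root CA to nifi.jks..."
keytool -exportcert -alias "${CANAME}" -storepass:env STOREPASS -keystore "${CA_KEYSTORE}" \
  | keytool -importcert -alias "${CANAME}" -keystore nifi.jks -storepass:env STOREPASS \
    -noprompt -trustcacerts

echo "Perform the key signing ceremony..."
keytool -certreq -alias "${NIFI_SERVER}" \
    -ext "${EXT}" -ext "${EXT2}" -ext "${EXT3}" -ext "${EXTLEAF}" \
    -storepass:env STOREPASS -sigalg "${SIGALG}" -keystore nifi.jks \
  | keytool -gencert -alias "${CA2NAME}" \
    -ext "${EXT}" -ext "${EXT2}" -ext "${EXT3}" -ext "${EXTLEAF}" \
    -storepass:env STOREPASS -sigalg "${SIGALG}" -validity "${SERVER_DAYS}" \
    -keystore "${CA_KEYSTORE}" \
  | keytool -importcert -alias "${NIFI_SERVER}" -storepass:env STOREPASS \
    -keystore nifi.jks -noprompt -trustcacerts

echo "Remove the unnecessary rootCA cert from nifi.jks..."
keytool -delete -alias "${CANAME}" -keystore nifi.jks -storepass:env STOREPASS

echo "Exporting Public CA certs to trust.jks..."
for ca_alias in "${CA2NAME}" "${CANAME}"; do
  keytool -exportcert -alias "${ca_alias}" -storepass:env STOREPASS -keystore "${CA_KEYSTORE}" \
    | keytool -importcert -alias "${ca_alias}" -keystore trust.jks -storepass:env STOREPASS \
      -trustcacerts -noprompt
done

echo "Listing your new certificates..."
cp -- "${CA_KEYSTORE}" rootCA.jks
chmod 0600 -- rootCA.jks
chmod 0640 -- trust.jks nifi.jks
echo '#### ROOT CA PRIVATE ####'
keytool -list -v -keystore rootCA.jks -storepass:env STOREPASS
echo '#### ROOT CA PUBLIC TRUST ####'
keytool -list -v -keystore trust.jks -storepass:env STOREPASS
echo '#### SERVER PRIVATE ####'
keytool -list -v -keystore nifi.jks -storepass:env STOREPASS

echo "Converting to PKCS12 and changing key and keystore passwords."
# The current password is deliberately not echoed: it is the value of STOREPASS.
echo "You will be prompted first for the current password (the value of STOREPASS)"
keytool -importkeystore -srckeystore nifi.jks -destkeystore nifi.p12 \
  -srcstoretype JKS -deststoretype PKCS12 \
  -srcstorepass:env STOREPASS -deststorepass:env STOREPASS \
  -srcalias "${NIFI_SERVER}" -destalias "${NIFI_SERVER}" \
  -srckeypass:env STOREPASS -destkeypass:env STOREPASS -noprompt
chmod 0640 -- nifi.p12
keytool -storepasswd -keystore nifi.p12
echo "Changing truststore password; you will be prompted first for the current password (the value of STOREPASS)"
keytool -storepasswd -keystore trust.jks
echo "Happy Days"
exit 0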