Java keytool based CA and certificate signer for Apache NiFi
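#!/bin/bash
#
# Build a two-tier PKI with keytool (root CA -> intermediate CA) and issue a
# TLS certificate for one Apache NiFi node. Files produced in the current
# directory:
#   ${CA_KEYSTORE}  CA keystore holding the root and intermediate private keys
#                   (default ./.keystore); only created when it does not exist,
#                   so re-running issues a new server cert from the same CA
#   rootCA.jks      copy of ${CA_KEYSTORE}
#   nifi.jks        server private key + chain (intermediate, root), JKS
#   nifi.p12        the same key + chain as PKCS12 (use as NiFi keystore)
#   trust.jks       the two CA certificates only (use as NiFi truststore)
#
# Environment overrides: CANAME, CA2NAME, NIFI_SERVER, DOMAIN, IP_ADDRESS,
# EMAIL, CA_KEYSTORE, STOREPASS (default "changeme").
#
# Security notes:
#   - The server certificate is an end-entity certificate (BC=CA:FALSE,
#     KU without keyCertSign/cRLSign); it must never be able to issue certs.
#   - The root key is left in ${CA_KEYSTORE}/rootCA.jks protected by STOREPASS.
#     Move it offline and change that password once the intermediate exists.
#   - Passwords are handed to keytool with -storepass:env so they do not
#     appear in process listings.
set -euo pipefail

command -v keytool >/dev/null || { echo "keytool not found; install a JDK" >&2; exit 1; }

CANAME=${CANAME:-rootCA}
CA2NAME=${CA2NAME:-intermediateCA}
NIFI_SERVER=${NIFI_SERVER:-nifi01}
DOMAIN=${DOMAIN:-localdomain}
IP_ADDRESS=${IP_ADDRESS:-127.0.0.1}
EMAIL="${EMAIL:-nifi@${NIFI_SERVER}.${DOMAIN}}"
# keytool defaults to ~/.keystore; name the CA keystore explicitly so the
# existence check, the signing steps and the rootCA.jks copy all refer to the
# same file regardless of the working directory.
CA_KEYSTORE=${CA_KEYSTORE:-.keystore}
# Exported because keytool reads it by name via -storepass:env STOREPASS.
export STOREPASS="${STOREPASS:-changeme}"
SIGALG="SHA256withRSA"

# --- server (end-entity) certificate profile ---
EXT="SAN=IP:127.0.0.1,IP:${IP_ADDRESS},DNS:${NIFI_SERVER}.${DOMAIN},DNS:${NIFI_SERVER},DNS:localhost,EMAIL:${EMAIL}"
# An RSA TLS leaf needs digitalSignature (handshake signatures) and
# keyEncipherment (RSA key transport) only. keyCertSign/cRLSign would let a
# compromised server key mint certificates trusted by trust.jks.
EXT2="KeyUsage=digitalSignature,keyEncipherment"
# serverAuth for clients connecting to NiFi, clientAuth for NiFi's own
# outbound mutual-TLS connections (cluster / site-to-site).
EXT3="ExtendedKeyUsage=clientAuth,serverAuth"
# Explicitly not a CA.
EXT4="BC=CA:FALSE"
DNAME="CN=${NIFI_SERVER}.${DOMAIN},O=NIFI,OU=PKI,L=New York,ST=NY,C=US"

# --- CA profiles ---
CADNAME="CN=NiFi_RootCA,OU=MY_RootCertificateAuthority,o=NIFI,ST=NY,C=US"
CA2DNAME="CN=NiFi_IntermediateCA,OU=MY_IntermediateCertificateAuthority,o=NIFI,ST=NY,C=US"
EXT1CA="KU=digitalSignature,keyEncipherment,keyCertSign,cRLSign"
EXTROOTBC="BC=CA:TRUE,pathlen:1"   # root may sign one CA level below it
EXTINTBC="BC=CA:TRUE,pathlen:0"    # intermediate may sign end-entity certs only

echo "Creating a keypair for the NiFi Server (nifi.jks)..."
# Fails (and the script stops) if nifi.jks already holds this alias; delete
# nifi.jks first to reissue the server certificate.
keytool -genkeypair -alias "${NIFI_SERVER}" -dname "${DNAME}" \
  -ext "${EXT}" -ext "${EXT2}" -ext "${EXT3}" -ext "${EXT4}" \
  -storepass:env STOREPASS -keyalg RSA -keysize 2048 -validity 365 \
  -sigalg "${SIGALG}" -keystore nifi.jks

if [[ ! -e "${CA_KEYSTORE}" ]]; then
  echo "Creating internal CA in ${CA_KEYSTORE}..."
  keytool -genkeypair -alias "${CANAME}" -dname "${CADNAME}" \
    -ext "${EXT1CA}" -ext "${EXTROOTBC}" -storepass:env STOREPASS \
    -keyalg RSA -keysize 4096 -validity 10950 -sigalg "${SIGALG}" \
    -keystore "${CA_KEYSTORE}"
  keytool -genkeypair -alias "${CA2NAME}" -dname "${CA2DNAME}" \
    -ext "${EXT1CA}" -ext "${EXTINTBC}" -storepass:env STOREPASS \
    -keyalg RSA -keysize 4096 -validity 3650 -sigalg "${SIGALG}" \
    -keystore "${CA_KEYSTORE}"
  # Sign the intermediate with the root and import the reply back onto the
  # intermediate's OWN alias. Importing it under any other alias creates a
  # separate trusted-cert entry and leaves the intermediate key entry with its
  # self-signed certificate, so server chains issued later would not reach
  # the root.
  keytool -certreq -alias "${CA2NAME}" -storepass:env STOREPASS \
      -ext "${EXT1CA}" -ext "${EXTINTBC}" -keystore "${CA_KEYSTORE}" \
    | keytool -gencert -alias "${CANAME}" -storepass:env STOREPASS \
      -sigalg "${SIGALG}" -ext "${EXT1CA}" -ext "${EXTINTBC}" \
      -keystore "${CA_KEYSTORE}" \
    | keytool -importcert -alias "${CA2NAME}" -storepass:env STOREPASS \
      -keystore "${CA_KEYSTORE}"
  chmod 0600 "${CA_KEYSTORE}"
fi

echo "Importing root CA to nifi.jks (needed to validate the signed reply)..."
keytool -exportcert -alias "${CANAME}" -storepass:env STOREPASS \
    -keystore "${CA_KEYSTORE}" \
  | keytool -importcert -alias "${CANAME}" -keystore nifi.jks \
    -storepass:env STOREPASS -noprompt -trustcacerts

echo "Perform the key signing ceremony..."
# The issuer re-applies the leaf profile with -ext, so whatever the CSR asked
# for, the issued certificate is an end-entity cert with the SAN/KU/EKU above.
keytool -certreq -alias "${NIFI_SERVER}" \
    -ext "${EXT}" -ext "${EXT2}" -ext "${EXT3}" -ext "${EXT4}" \
    -storepass:env STOREPASS -sigalg "${SIGALG}" -keystore nifi.jks \
  | keytool -gencert -alias "${CA2NAME}" \
    -ext "${EXT}" -ext "${EXT2}" -ext "${EXT3}" -ext "${EXT4}" \
    -storepass:env STOREPASS -sigalg "${SIGALG}" -keystore "${CA_KEYSTORE}" \
  | keytool -importcert -alias "${NIFI_SERVER}" -storepass:env STOREPASS \
    -keystore nifi.jks -noprompt -trustcacerts

echo "Remove the unnecessary rootCA cert from nifi.jks..."
keytool -delete -alias "${CANAME}" -keystore nifi.jks -storepass:env STOREPASS

echo "Exporting Public CA certs to trust.jks..."
for ca_alias in "${CA2NAME}" "${CANAME}"; do
  keytool -exportcert -alias "${ca_alias}" -storepass:env STOREPASS \
      -keystore "${CA_KEYSTORE}" \
    | keytool -importcert -alias "${ca_alias}" -keystore trust.jks \
      -storepass:env STOREPASS -trustcacerts -noprompt
done

echo "Listing your new certificates..."
cp "${CA_KEYSTORE}" rootCA.jks
# Root key: owner only. Server keystore: group-readable so a service account in
# the file's group can load it. Truststore holds public certificates only.
chmod 0600 rootCA.jks
chmod 0640 nifi.jks trust.jks
echo '#### ROOT CA PRIVATE ####'
keytool -list -v -keystore rootCA.jks -storepass:env STOREPASS
echo '#### ROOT CA PUBLIC TRUST ####'
keytool -list -v -keystore trust.jks -storepass:env STOREPASS
echo '#### SERVER PRIVATE ####'
keytool -list -v -keystore nifi.jks -storepass:env STOREPASS

echo "Converting to PKCS12 and changing key and keystore passwords."
echo "You will be prompted first for the current password (the value of STOREPASS, default: changeme)"
keytool -importkeystore -srckeystore nifi.jks -destkeystore nifi.p12 \
  -srcstoretype JKS -deststoretype PKCS12 \
  -srcstorepass:env STOREPASS -deststorepass:env STOREPASS \
  -srcalias "${NIFI_SERVER}" -destalias "${NIFI_SERVER}" \
  -srckeypass:env STOREPASS -destkeypass:env STOREPASS -noprompt
chmod 0640 nifi.p12
# Interactive: in a PKCS12 store the key and store passwords are the same.
keytool -storepasswd -keystore nifi.p12

echo "Changing truststore password; you will be prompted first for the current password (the value of STOREPASS, default: changeme)"
keytool -storepasswd -keystore trust.jks

echo "Happy Days"
echo "NOTE: ${CA_KEYSTORE} and rootCA.jks still use the STOREPASS password; move the root key offline and change it." >&2
exit 0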