Helper script for creating a throwaway test CA and signing client (leaf) certificates with it, optionally packaging them as Java keystore (JKS) files. Intended for generating test fixtures only: the CA key is written unencrypted (-nodes), so do not reuse these keys or certificates outside a test environment.
#!/bin/sh
# helper script for making a new CA and signing client (leaf) certs, including making java keystore (JKS) files. useful in creating test fixtures
#
# Example:
# ./mk-test-certs.sh
# ==> Creating new CA: certs/ca.key, certs/ca.crt
# Generating a 2048 bit RSA private key
# ....................................................+++
# ...............................+++
# writing new private key to 'certs/ca.key'
# -----
# ==> Creating key/cert for 'client': certs/client.key, certs/client.crt
# Generating a 2048 bit RSA private key
# ..+++
# ..............................................................+++
# writing new private key to 'certs/client.key'
# -----
# Signature ok
# subject=/CN=client
# Getting CA Private Key
# -rw-r--r-- 1 joe staff 1261 Dec 29 14:27 ./certs/ca.crt
# -rw-r--r-- 1 joe staff 1679 Dec 29 14:27 ./certs/ca.key
# -rw-r--r-- 1 joe staff 2940 Dec 29 14:27 ./certs/ca.pem
# -rw-r--r-- 1 joe staff 1066 Dec 29 14:27 ./certs/client.crt
# -rw-r--r-- 1 joe staff 887 Dec 29 14:27 ./certs/client.csr
# -rw-r--r-- 1 joe staff 1679 Dec 29 14:27 ./certs/client.key
# -rw-r--r-- 1 joe staff 2745 Dec 29 14:27 ./certs/client.pem
#
# Abort on the first failing openssl/keytool command so a failed step can
# never leave a half-built fixture set behind. Plain /bin/sh has no "pipefail",
# but the script uses no pipelines, so -e alone is sufficient here.
set -e
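# reset/cleanup: start from an empty certs/ directory so stale keys and certs
# from a previous run can never be mixed with the freshly minted CA.
# Uses POSIX "name()" syntax: the "function" keyword is a bashism that the
# /bin/sh named in the shebang (e.g. dash) rejects.
cleanup() {
  # "--" stops option parsing, a cheap guard for any path starting with "-".
  rm -rf -- certs
  mkdir -- certs
}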
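# create CA
# Writes a self-signed, 10-year test CA into certs/: ca.key (RSA-2048, left
# unencrypted by -nodes so the script can sign leaves without a prompt),
# ca.crt, and ca.pem = key + cert concatenated. Expects certs/ to exist
# (see cleanup). Test fixture only: an unencrypted CA key must never be
# used for anything real.
create_ca() {
  echo "==> Creating new CA: certs/ca.key, certs/ca.crt"
  # -sha256 is passed explicitly: without it the signature digest comes from
  # the default_md of the *system* openssl.cnf (openssl-test.cfg is not given
  # to "req"), which can still be SHA-1 on older OpenSSL builds. The CA's
  # extensions likewise come from the system config's [req] section.
  openssl req -new -newkey rsa:2048 -sha256 -days 3650 -nodes -x509 \
    -subj '/CN=test-CA/O=testco/C=US' \
    -keyout certs/ca.key \
    -out certs/ca.crt
  # openssl creates the key file with the process umask (the example listing
  # in the header shows it ending up 0644): restrict every file that holds
  # the private key to the owner.
  chmod 600 certs/ca.key
  cat certs/ca.key certs/ca.crt >certs/ca.pem
  chmod 600 certs/ca.pem
}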
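# create a client key/cert signed by the CA.
# The first argument to this function is used for both the filenames and CN,
# so it is restricted to [A-Za-z0-9._-]: a "/" in the name would inject extra
# RDNs into the -subj string, and anything else makes an awkward filename.
#
# Example:
# key_and_cert foo
# Results in:
# - certs/foo.key, certs/foo.crt, certs/foo.pem
# - Cert subject: /CN=foo/
#
# Requires certs/ca.key and certs/ca.crt (create_ca) plus openssl-test.cfg in
# the current directory. Returns 1 on a missing or invalid name.
key_and_cert() {
  name=${1:-}
  case "$name" in
    '')
      echo "key_and_cert missing argument" >&2
      return 1
      ;;
    *[!A-Za-z0-9._-]*)
      echo "key_and_cert: invalid name '$name' (allowed: A-Za-z0-9._-)" >&2
      return 1
      ;;
  esac
  echo "==> Creating key/cert for '$name': certs/$name.key, certs/$name.crt"
  openssl req -new -newkey rsa:2048 -sha256 -subj "/CN=$name" -nodes \
    -keyout "certs/$name.key" \
    -out "certs/$name.csr"
  # openssl writes the key with the process umask; keep it owner-only.
  chmod 600 "certs/$name.key"
  # A fixed "-set_serial 02" gave every leaf the same serial number, which is
  # invalid for certificates from one issuer and trips up keystores and
  # revocation checks; use a random 128-bit serial per certificate instead.
  serial="0x$(openssl rand -hex 16)" || return 1
  # -sha256 is explicit because the "default_md" line in the extfile is not
  # guaranteed to be honoured by "x509 -req". The extension section is still
  # called v3_ca for historical reasons; its contents apply to this leaf.
  openssl x509 -req -sha256 -days 365 -set_serial "$serial" \
    -CA certs/ca.crt \
    -CAkey certs/ca.key \
    -extfile openssl-test.cfg \
    -extensions v3_ca \
    -in "certs/$name.csr" \
    -out "certs/$name.crt"
  cat "certs/$name.key" "certs/$name.crt" >"certs/$name.pem"
  chmod 600 "certs/$name.pem"
}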
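# create a PKCS#12 bundle and a Java keystore (JKS) for $name's key and cert.
# Produces certs/$name.p12 and certs/$name.ks; the .ks additionally carries
# the CA certificate under the alias "ca". Requires certs/ca.crt, certs/$name.key
# and certs/$name.crt (create_ca + key_and_cert). Returns 1 on a missing name.
# The keystore password defaults to "password" (matching the note at the end
# of the script) and can be overridden with the JKS_PASSWORD environment
# variable. It is handed to openssl and keytool through the environment
# rather than on argv so it does not appear in process listings.
to_jks() {
  name=${1:-}
  if [ -z "$name" ]; then
    echo "to_jks missing argument" >&2
    return 1
  fi
  JKS_PASSWORD=${JKS_PASSWORD:-password}
  export JKS_PASSWORD
  echo "==> Creating PKCS12: certs/$name.p12"
  openssl pkcs12 -chain -export \
    -CAfile certs/ca.crt \
    -passout env:JKS_PASSWORD \
    -inkey "certs/$name.key" \
    -in "certs/$name.crt" \
    -name "$name" \
    -out "certs/$name.p12"
  # Both containers hold the private key: owner-only like the .key files.
  chmod 600 "certs/$name.p12"
  echo "==> Creating Java Keystore: certs/$name.ks"
  keytool -importkeystore \
    -srckeystore "certs/$name.p12" \
    -srcstoretype pkcs12 \
    -srcstorepass:env JKS_PASSWORD \
    -destkeystore "certs/$name.ks" \
    -deststoretype JKS \
    -deststorepass:env JKS_PASSWORD
  keytool -importcert \
    -alias ca \
    -noprompt \
    -trustcacerts \
    -file certs/ca.crt \
    -keystore "certs/$name.ks" \
    -storepass:env JKS_PASSWORD
  chmod 600 "certs/$name.ks"
}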
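# Build the fixture set: wipe certs/, mint the CA, then one leaf named "client".
cleanup
create_ca
key_and_cert "client"
# optionally also create a client.ks java keystore file with password "password":
# to_jks "client"
# Let find pass the paths to ls directly; an unquoted "ls -l $(find ...)"
# would word-split any path containing whitespace.
find ./certs -type f -exec ls -l {} +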
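# openssl-test.cfg -- used by mk-test-certs.sh as
#   openssl x509 -req -extfile openssl-test.cfg -extensions v3_ca ...
# so these extensions are applied to the LEAF certificates, not the CA.
# The section name "v3_ca" is historical; the script references it by name,
# so keep the name and treat the contents as the leaf profile.
# NOTE: default_md is kept for compatibility but is not guaranteed to be
# honoured by "x509 -req"; pass -sha256 on the command line as well.
default_md = sha256
[v3_ca]
# State explicitly that a leaf is not a CA and may not sign other certs.
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = clientAuth,serverAuth,emailProtection
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer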