# Usage:
# This script is designed to be run after you have Solr running locally without SSL.
# It will generate a trusted, self-signed certificate for LOCAL DEV (this must be modified for production).
# Notes: The keystore must be under server/etc on Solr root, and MUST be named solr-ssl.keystore.jks.
# The cert will be added to the locally trusted certs (the Cert:\LocalMachine\Root store), so there are no security warnings in browsers.
# You must still reconfigure Solr to use the keystore and restart it after running this script.
#
# THIS SCRIPT REQUIRES WINDOWS 10 (for the SSL trust); without Windows 10, remove the lines around trusting the cert.
# License: MIT
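# Example invocation:
#   .\solrssl.ps1 -KeystoreFile C:\Solr\apache-solr\server\etc\solr-ssl.keystore.jks
#
# Generates a self-signed key pair for a local Solr instance with keytool,
# converts the JKS keystore to PKCS#12, and imports that bundle into
# Cert:\LocalMachine\Root so the certificate is trusted on this machine.
#
# Parameters:
#   -KeystoreFile      Path of the JKS keystore to create.
#   -KeystorePassword  Must stay 'secret' (validated below).
#   -SolrDomain        Host name used for the certificate CN and DNS SAN.
#   -Clobber           Delete an existing keystore / .p12 instead of failing.
param(
    [string]$KeystoreFile = 'solr-ssl.keystore.jks',
    [string]$KeystorePassword = 'secret',
    [string]$SolrDomain = 'localhost',
    [switch]$Clobber
)

# With 'Stop', every Write-Error below terminates the script.
$ErrorActionPreference = 'Stop'

### PARAM VALIDATION

if($KeystorePassword -ne 'secret') {
    Write-Error 'The keystore password must be "secret", because Solr apparently ignores the parameter'
}

# Writing to Cert:\LocalMachine\Root needs an elevated session. Check before
# touching any file so a non-elevated run does not leave half-built keystores
# behind that would then require -Clobber.
$currentIdentity = [Security.Principal.WindowsIdentity]::GetCurrent()
$currentPrincipal = New-Object Security.Principal.WindowsPrincipal($currentIdentity)
if(-not $currentPrincipal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    Write-Error 'This script must be run from an elevated (Administrator) PowerShell session to add the certificate to Cert:\LocalMachine\Root.'
}

# The PKCS#12 bundle is written next to the keystore, same name with a .p12 extension.
$P12Path = [IO.Path]::ChangeExtension($KeystoreFile, 'p12')

# Refuse to overwrite existing output files unless -Clobber was passed.
foreach($outputFile in @($KeystoreFile, $P12Path)) {
    if(Test-Path $outputFile) {
        if($Clobber) {
            Write-Host "Removing $outputFile..."
            Remove-Item $outputFile
        } else {
            $resolvedOutput = Resolve-Path $outputFile
            Write-Error "Keystore file $resolvedOutput already existed. To regenerate it, pass -Clobber."
        }
    }
}

# Locate keytool.exe on PATH; otherwise ask for its location.
try {
    $keytool = (Get-Command 'keytool.exe').Source
} catch {
    $keytool = Read-Host "keytool.exe not on path. Enter path to keytool (found in JRE bin folder)"
    if([string]::IsNullOrEmpty($keytool) -or -not (Test-Path $keytool -PathType Leaf)) {
        Write-Error "Keytool path was invalid."
    }
}

# Runs keytool with the given arguments and fails on a non-zero exit code.
# The error preference is relaxed for the duration of the call because some
# hosts (for example PowerShell ISE) surface keytool's informational stderr
# output as error records, which 'Stop' would treat as fatal; the exit code
# is the signal that is checked instead.
function Invoke-Keytool {
    param([string[]]$Arguments)

    $ErrorActionPreference = 'Continue'   # function-local; script scope keeps 'Stop'
    & $keytool @Arguments
    if($LASTEXITCODE -ne 0) {
        throw "keytool $($Arguments[0]) failed with exit code $LASTEXITCODE."
    }
}

### DOING STUFF

Write-Host ''
Write-Host 'Generating JKS keystore...'
# NOTE(review): the password is passed on the keytool command line. It is the
# fixed value 'secret' here; any production variant should not pass a real
# secret this way. The 9999-day validity is likewise a local-dev choice.
$distinguishedName = "CN=$SolrDomain, OU=Organizational Unit, O=Organization, L=Location, ST=State, C=Country"
Invoke-Keytool @(
    '-genkeypair', '-alias', 'solr-ssl', '-keyalg', 'RSA', '-keysize', '2048',
    '-keypass', $KeystorePassword, '-storepass', $KeystorePassword,
    '-validity', '9999', '-keystore', $KeystoreFile,
    '-ext', "SAN=DNS:$SolrDomain,IP:127.0.0.1",
    '-dname', $distinguishedName
)

Write-Host ''
Write-Host 'Generating .p12 to import to Windows...'
Invoke-Keytool @(
    '-importkeystore', '-srckeystore', $KeystoreFile, '-destkeystore', $P12Path,
    '-srcstoretype', 'jks', '-deststoretype', 'pkcs12',
    '-srcstorepass', $KeystorePassword, '-deststorepass', $KeystorePassword
)

Write-Host ''
Write-Host 'Trusting generated SSL certificate...'
# NOTE(review): this imports the whole PKCS#12 bundle, private key included,
# into the machine Root store, and the .jks/.p12 files stay on disk protected
# only by the fixed password 'secret'. Anyone who can read those files holds
# the key of a certificate this machine trusts. Keep this to local dev
# machines; for anything else, import only the public certificate and protect
# or delete the .p12.
$secureStringKeystorePassword = ConvertTo-SecureString -String $KeystorePassword -Force -AsPlainText
Import-PfxCertificate -FilePath $P12Path -Password $secureStringKeystorePassword -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
Write-Host 'SSL certificate is now locally trusted. (added as root CA)'

Write-Host ''
Write-Host '########## NEXT STEPS ##########' -ForegroundColor Green
Write-Host ''
Write-Host '1. Copy your keystore to $SOLR_HOME\server\etc (MUST be here)' -ForegroundColor Green

# Compare the file name itself: a suffix match would also accept names such as
# "my-solr-ssl.keystore.jks", which Solr would not pick up.
if((Split-Path -Leaf $KeystoreFile) -ne 'solr-ssl.keystore.jks') {
    Write-Warning 'Your keystore file is not named "solr-ssl.keystore.jks"'
    Write-Warning 'Solr requires this exact name, so make sure to rename it before use.'
}

Write-Host ''
Write-Host '2. Add the following lines to your solr.in.cmd:' -ForegroundColor Green
Write-Host ''
Write-Host "set SOLR_SSL_KEY_STORE=etc/solr-ssl.keystore.jks" -ForegroundColor Yellow
Write-Host "set SOLR_SSL_KEY_STORE_PASSWORD=$KeystorePassword" -ForegroundColor Yellow
Write-Host "set SOLR_SSL_TRUST_STORE=etc/solr-ssl.keystore.jks" -ForegroundColor Yellow
Write-Host "set SOLR_SSL_TRUST_STORE_PASSWORD=$KeystorePassword" -ForegroundColor Yellow
Write-Host ''
Write-Host 'Done!'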
Cool stuff! Thanks |
Nice work @kamsar |
Awesome. Thanks!! |
Fantastic! Thanks. |
Thanks a lot @kamsar |
Hi PS C:\sitecore> .\solr-ssl.ps1 -keystoreFile C:\solr-6.6.2\server\etc\solr-ssl.keystore.jks Generating JKS keystore...
This was quick , really good! thanks. |
Correct your script to: |
@SoulOfUniverse the lack of variable was intentional, because Solr will not use a keystore with any other name or path. |
@kamsar yes already noticed that, it just confused me initially when I specify different name for certificate it still forces to use default one, but its more for the path to be correctly identified and file to be created. |
Hi, @JagatheeshMenon, I am also getting the same error that you posted, could you please let me know how you got fixed? for @ALL: I am getting this below error, any turn around would be highly appreciated! Thanks in advance! |
Hello, this script don´t work for me ether. PS C:\sitecore\install> .\solrssl.ps1 -KeystoreFile C:\sitecore\solr-6.6.2\server\etc\solr-ssl.keystore.jks Generating JKS keystore...
Hi @kamsar, & $keytool -genkeypair -alias solr-ssl -keyalg RSA -keysize 2048 -keypass $Keyst ...
I am using Windows Server 2012 R2. |
Am I missing something? keytool.exe : Importing keystore C:\solr-6.6.1\server\etc\solr-ssl.keystore.jks to C:\solr-6.6.1\server\etc\solr-ssl.keystore.p12...
Hi, I am getting the following error message::
Any help? |
The issue got resolved., I was facing because I was using v4 powershell. Updated PS to 5.2 and it worked. |
Just in case it would help somebody:
Folks, I'm having trouble running this script. I tried at least 4 different machines. When I try to run this script, I get the following error: Generating JKS keystore...
Can anyone please help? |
I had similar $keytool error as above- for me the JAVA_HOME var was not set. |
Upgrading to Powershell 5.1 fixed it for me |
Running into the same issue, can anyone help? |
To everyone having the NativeCommandError problem, I had the same when trying to run this script inside the PowerShell ISE. |
If you don't want to mess around with the java certstore you can also just use the pfx directly.
Fantastic! Thanks for sharing.