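#!/usr/bin/env bash
#
# Generate a throwaway test PKI in the current directory:
#   ca/      self-signed root CA key + certificate, JKS trust store
#   server/  server key (encrypted and plain), CSR, certificate, combined PEMs
#   server/java/server.p12  PKCS12 key store for Java
#   client/  one key, CSR and certificate per entry in USERS
#
# Requires: openssl, keytool (JAVA_HOME must point at a JDK/JRE) and a
# server-cert.ext file with the server certificate extensions in the cwd.
#
# The original shebang ran the script under `bash -x`; that trace prints every
# password on stderr, so tracing is off and secrets are handed to openssl via
# `env:NAME` rather than `pass:VALUE`, keeping them out of `ps` and traces.
set -euo pipefail

# Defaults for a local test setup; each can be overridden from the environment.
# Exported because openssl reads them through `-passin/-passout env:NAME`.
export CA_PASSWORD="${CA_PASSWORD:-asdf1234}"
export SERVER_PASSWORD="${SERVER_PASSWORD:-qwer1234}"
export CLIENT_PASSWORD="${CLIENT_PASSWORD:-zxcv1234}"
# Don't change me actually: the password every JDK ships its cacerts file with.
export DEFAULT_TRUSTSTORE_PASSWORD="changeit"
export TRUSTSTORE_PASSWORD="${TRUSTSTORE_PASSWORD:-poiu1234}"
USERS=("user1" "user2" "user3")
# First client serial; each client gets base + its index so that no two
# certificates issued by this CA share a serial number (the original used
# the same serial for every client, which RFC 5280 forbids and strict
# clients reject).
CLIENT_SERIAL=01

: "${JAVA_HOME:?JAVA_HOME must point at a JDK/JRE (needed for keytool and cacerts)}"

echo "Cleaning up..."
rm -rf -- server/* ca/* client/*
# ca/ and client/ were never created by the original, so a fresh checkout failed
# at the first `-out ca/ca.key`.
mkdir -p ca client server/java

echo "Generating CA key..."
openssl genrsa -aes256 -passout env:CA_PASSWORD -out ca/ca.key 2048

echo "Generate self signed root certificate"
openssl req -x509 -new -nodes -key ca/ca.key -sha256 -days 3650 -out ca/ca.pem \
  -passin env:CA_PASSWORD -subj /C=US/CN=Test

echo "Generate server key..."
openssl genrsa -aes256 -passout env:SERVER_PASSWORD -out server/server.key 2048

echo "Generate server CSR..."
openssl req -new -key server/server.key -out server/server.csr \
  -subj /C=US/CN=local.armory.io -passin env:SERVER_PASSWORD

echo "Generating server certificate..."
openssl x509 -req -in server/server.csr -CA ca/ca.pem -CAkey ca/ca.key -CAcreateserial \
  -out server/server.crt -days 3649 -sha256 -extfile server-cert.ext -passin env:CA_PASSWORD

echo "Making server key without password..."
openssl rsa -in server/server.key -out server/server-nopassword.key -passin env:SERVER_PASSWORD

echo "Making server PEMs..."
cat server/server.crt server/server.key > server/server.pem
cat server/server.crt server/server-nopassword.key > server/server-nopassword.pem

echo "Making server PKCS12 key store"
openssl pkcs12 -export -in server/server.pem -inkey server/server.key -name server \
  -passout env:SERVER_PASSWORD -passin env:SERVER_PASSWORD -out server/java/server.p12

echo "Making JKS trust store..."
# JDK 8 keeps cacerts under jre/lib/security; JDK 9+ moved it to lib/security.
cacerts="${JAVA_HOME}/jre/lib/security/cacerts"
[[ -f "$cacerts" ]] || cacerts="${JAVA_HOME}/lib/security/cacerts"
[[ -f "$cacerts" ]] || { echo "cacerts not found under ${JAVA_HOME}" >&2; exit 1; }
cp -- "$cacerts" ca/truststore.jks
keytool -import -trustcacerts -file ca/ca.pem -alias ca -keystore ca/truststore.jks \
  -storepass:env DEFAULT_TRUSTSTORE_PASSWORD -noprompt
keytool -storepasswd -new:env TRUSTSTORE_PASSWORD -keystore ca/truststore.jks \
  -storepass:env DEFAULT_TRUSTSTORE_PASSWORD

echo "Making client certificates..."
for i in "${!USERS[@]}"; do
  user="${USERS[$i]}"
  # 10# forces decimal so a leading zero in CLIENT_SERIAL is not read as octal.
  serial=$(( 10#${CLIENT_SERIAL} + i ))
  openssl genrsa -aes256 -passout env:CLIENT_PASSWORD -out "client/${user}.key" 4096
  openssl req -new -key "client/${user}.key" -out "client/${user}.csr" \
    -subj "/C=US/CN=${user}@localhost" -passin env:CLIENT_PASSWORD
  openssl x509 -req -days 3650 -in "client/${user}.csr" -CA ca/ca.pem -CAkey ca/ca.key \
    -set_serial "$serial" -out "client/${user}.pem" -passin env:CA_PASSWORD
done

echo "Done"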