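#!/usr/bin/env bash
# Generate a throwaway test PKI: a self-signed CA, a server key/certificate
# (plus a PKCS12 key store and a JKS trust store for Java), and one client
# certificate per entry in USERS.
#
# Layout, relative to the working directory:
#   ca/      ca.key, ca.pem, ca.srl, truststore.jks
#   server/  server.key, server.csr, server.crt, server.pem,
#            server-nopassword.key, server-nopassword.pem, java/server.p12
#   client/  <user>.key, <user>.csr, <user>.pem
#
# Requires: openssl, keytool, JAVA_HOME (for the JDK's stock cacerts file) and
# a server-cert.ext extension file in the working directory.
#
# Shell options are set here rather than in the shebang so they survive being
# run as `bash script.sh`. `-x` is deliberately not enabled: it would trace
# every password into stderr.
#
# NOTE: generated files get the caller's umask; set `umask 077` before running
# if the private keys must not be group/world readable.
set -euo pipefail

# Passwords are exported so openssl and keytool can read them through their
# `env:` password sources instead of receiving them on the command line, where
# `ps` and shell traces would expose them.
export CA_PASSWORD="asdf1234"
export SERVER_PASSWORD="qwer1234"
export CLIENT_PASSWORD="zxcv1234"
# Don't change me actually: this is the password of the JDK's stock cacerts.
export DEFAULT_TRUSTSTORE_PASSWORD="changeit"
export TRUSTSTORE_PASSWORD="poiu1234"
USERS=("user1" "user2" "user3")
# Starting serial for client certificates. Each client gets CLIENT_SERIAL plus
# its index so no two certificates issued by this CA share a serial number.
CLIENT_SERIAL=01

: "${JAVA_HOME:?JAVA_HOME must point at a JDK/JRE so its cacerts can be copied}"

echo "Cleaning up..."
rm -rf server/* ca/* client/*
# All three output directories must exist, not only server/java.
mkdir -p ca client server/java

echo "Generating CA key..."
openssl genrsa -aes256 -passout env:CA_PASSWORD -out ca/ca.key 2048
echo "Generate self signed root certificate"
# -nodes has no effect when an existing key is supplied; kept for parity.
openssl req -x509 -new -nodes -key ca/ca.key -sha256 -days 3650 -out ca/ca.pem \
  -passin env:CA_PASSWORD -subj /C=US/CN=Test

echo "Generate server key..."
openssl genrsa -aes256 -passout env:SERVER_PASSWORD -out server/server.key 2048
echo "Generate server CSR..."
openssl req -new -key server/server.key -out server/server.csr \
  -subj /C=US/CN=local.armory.io -passin env:SERVER_PASSWORD
echo "Generating server certificate..."
# -CAcreateserial writes ca/ca.srl with a random serial for this first cert.
openssl x509 -req -in server/server.csr -CA ca/ca.pem -CAkey ca/ca.key -CAcreateserial \
  -out server/server.crt -days 3649 -sha256 -extfile server-cert.ext -passin env:CA_PASSWORD
echo "Making server key without password..."
openssl rsa -in server/server.key -out server/server-nopassword.key -passin env:SERVER_PASSWORD
echo "Making server PEMs..."
cat server/server.crt server/server.key > server/server.pem
cat server/server.crt server/server-nopassword.key > server/server-nopassword.pem
echo "Making server PKCS12 key store"
openssl pkcs12 -export -in server/server.pem -inkey server/server.key -name server \
  -passin env:SERVER_PASSWORD -passout env:SERVER_PASSWORD -out server/java/server.p12

echo "Making JKS trust store..."
# JDK 8 ships cacerts under jre/lib/security; JDK 9+ under lib/security.
cacerts="${JAVA_HOME}/jre/lib/security/cacerts"
[[ -f "$cacerts" ]] || cacerts="${JAVA_HOME}/lib/security/cacerts"
[[ -f "$cacerts" ]] || { echo "cacerts not found under ${JAVA_HOME}" >&2; exit 1; }
cp -- "$cacerts" ca/truststore.jks
keytool -import -trustcacerts -file ca/ca.pem -alias ca -keystore ca/truststore.jks \
  -storepass:env DEFAULT_TRUSTSTORE_PASSWORD -noprompt
keytool -storepasswd -new:env TRUSTSTORE_PASSWORD -keystore ca/truststore.jks \
  -storepass:env DEFAULT_TRUSTSTORE_PASSWORD

echo "Making client certificates..."
for i in "${!USERS[@]}"; do
  user="${USERS[$i]}"
  # 10# forces decimal so a leading zero in CLIENT_SERIAL is not read as octal.
  serial=$((10#${CLIENT_SERIAL} + i))
  openssl genrsa -aes256 -passout env:CLIENT_PASSWORD -out "client/${user}.key" 4096
  openssl req -new -key "client/${user}.key" -out "client/${user}.csr" \
    -subj "/C=US/CN=${user}@localhost" -passin env:CLIENT_PASSWORD
  openssl x509 -req -days 3650 -in "client/${user}.csr" -CA ca/ca.pem -CAkey ca/ca.key \
    -set_serial "$serial" -out "client/${user}.pem" -passin env:CA_PASSWORD
done
echo "Done"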