Build a Java Keystore from certificate and private key
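#!/bin/ash
#
# Set up HTTPS in OpenCast
# ~~~~~~~~~~~~~~~~~~~~~~~~
#
# Expects OPENCAST_SCRIPTS (location of helper.sh) and OPENCAST_CONFIG
# (configuration root holding a cert/ directory) to be provided by the
# caller; the remaining variables get defaults below.
# NOTE(review): the `return 0` early exit and the final `cd "$dir_before"`
# only make sense when this file is sourced into another script — confirm
# how it is invoked before running it standalone.
set -e

dir_before="$PWD"

# Apply default values to environment variables.
# The literal "password" fallbacks exist so a throw-away debugging setup
# starts at all; a real deployment must set both passwords explicitly.
OPENCAST_HTTPS_ENABLED=${OPENCAST_HTTPS_ENABLED:=false}
OPENCAST_KEYSTORE_PASSWORD=${OPENCAST_KEYSTORE_PASSWORD:=password}
OPENCAST_KEY_PASSWORD=${OPENCAST_KEY_PASSWORD:=password}

# Fail with a message naming the variable rather than sourcing "/helper.sh"
# or changing into "/cert" when the caller forgot to export these.
: "${OPENCAST_SCRIPTS:?OPENCAST_SCRIPTS must point to the directory containing helper.sh}"
: "${OPENCAST_CONFIG:?OPENCAST_CONFIG must point to the OpenCast configuration directory}"

# Ensure the methods required are present
. "${OPENCAST_SCRIPTS}/helper.sh"

# Replace env variables in HTTP(S) Webserver config
opencast_helper_replaceinfile "etc/org.ops4j.pax.web.cfg" \
  "OPENCAST_HTTPS_ENABLED" \
  "OPENCAST_KEYSTORE_PASSWORD" \
  "OPENCAST_KEY_PASSWORD"

# Exit here if HTTPS is disabled (only the exact string "false" disables it)
case $OPENCAST_HTTPS_ENABLED in
  (false) return 0;;
esac

# Change into the directory containing the certificates and keys.
# Quoted so a path with spaces does not split into several arguments.
cd "$OPENCAST_CONFIG/cert"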
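# Java servers require, or at least work best with, a Java Keystore.
# So check whether one exists and if not, attempt to create one (for debugging).

#######################################
# Create a fresh keystore.jks holding a newly generated RSA key pair
# under the alias "serverkey", then list that entry so a failure to read
# the store back is visible immediately.
# Globals:   OPENCAST_CERT_SUBJECT (read; X.500 name passed as -dname)
#            OPENCAST_KEY_PASSWORD, OPENCAST_KEYSTORE_PASSWORD (read)
# Arguments: none
# Outputs:   keytool output on stdout; writes ./keystore.jks
# Returns:   non-zero if the subject is unset or either keytool call fails
#######################################
make_new_keystore() {
  # keytool would otherwise be handed an empty -dname; fail early with a
  # message that names the missing variable.
  : "${OPENCAST_CERT_SUBJECT:?OPENCAST_CERT_SUBJECT must be set to an X.500 name, e.g. CN=localhost}"

  # NOTE(review): -keypass/-storepass place the secrets on the command line,
  # where they are visible in the process list for the duration of the call.
  keytool -keystore keystore.jks \
    -genkeypair \
    -alias serverkey \
    -keyalg RSA \
    -keypass "$OPENCAST_KEY_PASSWORD" \
    -storepass "$OPENCAST_KEYSTORE_PASSWORD" \
    -dname "$OPENCAST_CERT_SUBJECT" && \
  keytool -keystore keystore.jks \
    -list \
    -alias serverkey \
    -storepass "$OPENCAST_KEYSTORE_PASSWORD"
}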
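#######################################
# Build keystore.jks from a PEM certificate and its private key.
# Resolves the intermediate chain with cert-chain-resolver, verifies the
# certificate against that chain (with CRL checks), bundles key and chain
# into a PKCS#12 file and imports it into a Java keystore under the alias
# "serverkey". Temporary files are removed once the import succeeded.
# Globals:   OPENCAST_KEY_PASSWORD (read; passphrase of an encrypted key)
#            OPENCAST_KEYSTORE_PASSWORD (read; protects the p12 and the jks)
# Arguments: $1 - PEM certificate file
#            $2 - PEM private key file
# Outputs:   progress and keytool output on stdout; writes ./keystore.jks
# Returns:   non-zero if any step fails (set -e then aborts the script)
#######################################
import_keys() {
  local cert_file="$1"
  local key_file="$2"
  local chain_tmp="opencast.chain.pem.tmp"
  local p12_tmp="opencast.p12"

  echo "Obtaining certificate chain for $cert_file"
  /usr/local/bin/cert-chain-resolver -s -o "$chain_tmp" "$cert_file"

  # Stop before touching the keystore if the certificate does not chain up
  # to a trusted root or has been revoked. The file name is quoted so a
  # path with spaces is passed as one argument.
  openssl verify \
    -crl_download \
    -crl_check \
    -x509_strict \
    -untrusted "$chain_tmp" \
    "$cert_file"

  # Only an encrypted PEM key needs the passphrase, so -passin is passed
  # in that case alone.
  # NOTE(review): "pass:" puts the passphrase on the command line; openssl
  # also accepts "env:VAR", which keeps it out of the process list.
  if grep -q "ENCRYPTED" "$key_file"; then
    openssl pkcs12 \
      -export \
      -inkey "$key_file" \
      -passin "pass:$OPENCAST_KEY_PASSWORD" \
      -in "$chain_tmp" \
      -name "serverkey" \
      -out "$p12_tmp" \
      -passout "pass:$OPENCAST_KEYSTORE_PASSWORD"
  else
    openssl pkcs12 \
      -export \
      -inkey "$key_file" \
      -in "$chain_tmp" \
      -name "serverkey" \
      -out "$p12_tmp" \
      -passout "pass:$OPENCAST_KEYSTORE_PASSWORD"
  fi

  # Import the p12 keystore into a Java keystore
  keytool \
    -importkeystore \
    -srckeystore "$p12_tmp" \
    -srcstoretype "pkcs12" \
    -srcstorepass "$OPENCAST_KEYSTORE_PASSWORD" \
    -destkeystore "keystore.jks" \
    -storepass "$OPENCAST_KEYSTORE_PASSWORD"

  # Confirm the entry landed under the expected alias. -list takes -alias
  # (as in make_new_keystore); -destalias belongs to -importkeystore.
  keytool \
    -keystore "keystore.jks" \
    -list \
    -alias serverkey \
    -storepass "$OPENCAST_KEYSTORE_PASSWORD"

  # The PKCS#12 bundle contains the private key; once imported it would only
  # be a second copy of the key on disk, so drop it with the chain file.
  rm -f -- "$p12_tmp" "$chain_tmp"

  ls -la
}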
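# Look for a Java Keystore; if there is none, build one from PEM files in
# the current directory, or generate a throw-away key pair as a last resort.
if [ ! -e "keystore.jks" ]; then
  echo "No Java Keystore found."
  echo "Attempting to load server TLS certificate and private key"
  echo "from PEM-encoded files"

  # Candidates are files with a key/cert-like extension whose content carries
  # the matching PEM header. Each variable holds one path per line.
  PRIVATE_KEY_FILE="$(find . -regex ".*\\.\(cer\|crt\|pem\|key\)" -exec grep -l 'BEGIN .* PRIVATE KEY' {} \;)"
  CERTIFICATE_FILE="$(find . -regex ".*\\.\(cer\|crt\|pem\|key\)" -exec grep -l 'BEGIN CERTIFICATE\s*\-' {} \;)"
  echo "Private key file(s): ${PRIVATE_KEY_FILE}"
  echo "Certificate file(s): ${CERTIFICATE_FILE}"

  # Both the key and the certificate must have been found (the original
  # test compared the key variable twice and never noticed a missing cert).
  if [ -z "${PRIVATE_KEY_FILE}" ] || [ -z "${CERTIFICATE_FILE}" ]; then
    echo "Private key or certificate missing. Generating new keypair."
    make_new_keystore
  else
    # More than one match would have been word-split into extra arguments,
    # possibly handing the wrong file to import_keys as the key; refuse
    # instead of guessing. A literal newline is the line separator.
    newline='
'
    case "${PRIVATE_KEY_FILE}${CERTIFICATE_FILE}" in
      *"${newline}"*)
        echo "Found more than one private key or certificate file; cannot decide which to use." >&2
        exit 1
        ;;
    esac
    import_keys "${CERTIFICATE_FILE}" "${PRIVATE_KEY_FILE}"
  fi
fi

cd "$dir_before"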
Requires https://github.com/zakjan/cert-chain-resolver