Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Build a Java Keystore from certificate and private key
#!/bin/ash
#
# Set up HTTPS in OpenCast
# ~~~~~~~~~~~~~~~~~~~~~~~~
set -e
dir_before="$PWD"
# Apply default values to environment variables
OPENCAST_HTTPS_ENABLED=${OPENCAST_HTTPS_ENABLED:=false}
OPENCAST_KEYSTORE_PASSWORD=${OPENCAST_KEYSTORE_PASSWORD:=password}
OPENCAST_KEY_PASSWORD=${OPENCAST_KEY_PASSWORD:=password}
# Ensure the methods required are present
. "${OPENCAST_SCRIPTS}/helper.sh"
# Replace env variables in HTTP(S) Webserver config
opencast_helper_replaceinfile "etc/org.ops4j.pax.web.cfg" \
"OPENCAST_HTTPS_ENABLED" \
"OPENCAST_KEYSTORE_PASSWORD" \
"OPENCAST_KEY_PASSWORD"
# Exit here if HTTPS is disabled
case $OPENCAST_HTTPS_ENABLED in
(false) return 0;;
esac
# Change into the directory containing the certificates and keys
cd $OPENCAST_CONFIG/cert
# Java Server require/ work best with a Java Keystore
# So check whether it exists and if not, attempt to create one (for debugging)
make_new_keystore() {
# Create a new Java keystore
keytool -keystore keystore.jks \
-genkeypair \
-alias serverkey \
-keyalg RSA \
-keypass "$OPENCAST_KEY_PASSWORD" \
-storepass "$OPENCAST_KEYSTORE_PASSWORD" \
-dname "$OPENCAST_CERT_SUBJECT" && \
keytool -keystore keystore.jks \
-list \
-alias serverkey \
-storepass "$OPENCAST_KEYSTORE_PASSWORD"
}
import_keys() {
echo "Obtaining certificate chain for $1"
/usr/local/bin/cert-chain-resolver -s -o "opencast.chain.pem.tmp" "$1"
openssl verify \
-crl_download \
-crl_check \
-x509_strict \
-untrusted "opencast.chain.pem.tmp" \
$1
# Check whether private key is encrypted
# and create p12 keystore
if grep -q "ENCRYPTED" "$2"; then
openssl pkcs12 \
-export \
-inkey "$2" \
-passin "pass:$OPENCAST_KEY_PASSWORD" \
-in "opencast.chain.pem.tmp" \
-name "serverkey" \
-out "opencast.p12" \
-passout "pass:$OPENCAST_KEYSTORE_PASSWORD"
else
openssl pkcs12 \
-export \
-inkey "$2" \
-in "opencast.chain.pem.tmp" \
-name "serverkey" \
-out "opencast.p12" \
-passout "pass:$OPENCAST_KEYSTORE_PASSWORD"
fi
# Import the p12 keystore into a Java keystore
keytool \
-importkeystore \
-srckeystore "opencast.p12" \
-srcstoretype "pkcs12" \
-srcstorepass "$OPENCAST_KEYSTORE_PASSWORD" \
-destkeystore "keystore.jks" \
-storepass "$OPENCAST_KEYSTORE_PASSWORD"
keytool \
-keystore "keystore.jks" \
-list \
-destalias serverkey \
-storepass "$OPENCAST_KEYSTORE_PASSWORD"
ls -la
}
# Look for a Java Keystore
if [ ! -e "keystore.jks" ]; then
echo "No Java Keystore found."
echo "Attempting to load server TLS certificate and private key"
echo "from PEM-encoded files"
PRIVATE_KEY_FILE="$(find . -regex ".*\\.\(cer\|crt\|pem\|key\)" -exec grep -l 'BEGIN .* PRIVATE KEY' {} \;)"
CERTIFICATE_FILE="$(find . -regex ".*\\.\(cer\|crt\|pem\|key\)" -exec grep -l 'BEGIN CERTIFICATE\s*\-' {} \;)"
echo "Private key file(s): ${PRIVATE_KEY_FILE}"
echo "Certificate file(s): ${CERTIFICATE_FILE}"
if [ "${PRIVATE_KEY_FILE}" = "" ] || [ "${PRIVATE_KEY_FILE}" = "" ]; then
echo "Private key or certificate missing. Generating new keypair."
make_new_keystore
else
import_keys ${CERTIFICATE_FILE} ${PRIVATE_KEY_FILE}
fi
fi
cd "$dir_before"
@pawohl

This comment has been minimized.

Copy link
Owner Author

@pawohl pawohl commented Aug 16, 2017

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment