Created
February 9, 2019 03:38
-
-
Save russau/3b068ed2ad86a9a1d0f0e2368b4aef7f to your computer and use it in GitHub Desktop.
Fix for subjectAltName
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/bin/bash | |
set -o nounset \ | |
-o errexit \ | |
-o verbose | |
# -o xtrace | |
# Cleanup files | |
rm -f *.crt *.csr *_creds *.jks *.srl *.key *.pem *.der *.p12 | |
cat >extensions.cnf.template <<EOL | |
[ v3_req ] | |
subjectAltName = DNS:DNS_NAME | |
EOL | |
# Generate CA key | |
openssl req -new -x509 -keyout ca.key -out ca.crt -days 365 -subj '/CN=ca1.test.confluent.io/OU=TEST/O=CONFLUENT/L=PaloAlto/S=Ca/C=US' -passin pass:confluent -passout pass:confluent | |
for i in kafka-1 kafka-2 kafka-3 client | |
do | |
echo "------------------------------- $i -------------------------------" | |
# Create host keystore | |
keytool -genkey -noprompt \ | |
-alias $i \ | |
-dname "CN=$i,OU=TEST,O=CONFLUENT,L=PaloAlto,S=Ca,C=US" \ | |
-ext SAN=DNS:$i \ | |
-keystore kafka.$i.keystore.jks \ | |
-keyalg RSA \ | |
-storepass confluent \ | |
-keypass confluent | |
# Create the certificate signing request (CSR) | |
keytool -keystore kafka.$i.keystore.jks -alias $i -certreq -file $i.csr -storepass confluent -keypass confluent | |
# Sign the host certificate with the certificate authority (CA) | |
sed s/DNS_NAME/$i/ extensions.cnf.template > extensions.cnf | |
openssl x509 -req -CA ca.crt -CAkey ca.key -in $i.csr -out $i-ca1-signed.crt -days 9999 -CAcreateserial -passin pass:confluent -extensions v3_req -extfile $(pwd)/extensions.cnf | |
# Sign and import the CA cert into the keystore | |
keytool -noprompt -keystore kafka.$i.keystore.jks -alias CARoot -import -file ca.crt -storepass confluent -keypass confluent | |
# Sign and import the host certificate into the keystore | |
keytool -noprompt -keystore kafka.$i.keystore.jks -alias $i -import -file $i-ca1-signed.crt -storepass confluent -keypass confluent | |
# Create truststore and import the CA cert | |
keytool -noprompt -keystore kafka.$i.truststore.jks -alias CARoot -import -file ca.crt -storepass confluent -keypass confluent | |
# Save creds | |
echo "confluent" > ${i}_sslkey_creds | |
echo "confluent" > ${i}_keystore_creds | |
echo "confluent" > ${i}_truststore_creds | |
# Create pem files and keys used for Schema Registry HTTPS testing | |
# openssl x509 -noout -modulus -in client.certificate.pem | openssl md5 | |
# openssl rsa -noout -modulus -in client.key | openssl md5 | |
# echo "GET /" | openssl s_client -connect localhost:8082/subjects -cert client.certificate.pem -key client.key -tls1 | |
keytool -export -alias $i -file $i.der -keystore kafka.$i.keystore.jks -storepass confluent | |
openssl x509 -inform der -in $i.der -out $i.certificate.pem | |
keytool -importkeystore -srckeystore kafka.$i.keystore.jks -destkeystore $i.keystore.p12 -deststoretype PKCS12 -deststorepass confluent -srcstorepass confluent -noprompt | |
openssl pkcs12 -in $i.keystore.p12 -nodes -nocerts -out $i.key -passin pass:confluent | |
done |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment