Create a CA and a server certificate for OpenDJ using cfssl
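#!/bin/bash
# Script to create a self-signed CA using cfssl, and create
# server certs for OpenDJ (DJ) that are signed by this CA.
#
# Requires cfssl, cfssljson, openssl and keytool on PATH, and an OpenDJ
# install whose config/keystore.pin holds the keystore password. The same
# PIN is assumed to protect config/truststore.
#
# Produces: ${CA_HOME}/ca.pem and ca-key.pem (cfssl -initca writes the CA key
# UNENCRYPTED -- keep CA_HOME private), intermediate key material in
# ${OUT_DIR}, and a replaced ${OPENDJ_HOME}/config/keystore plus the CA cert
# added to ${OPENDJ_HOME}/config/truststore.
set -euo pipefail

# Private keys, a PKCS#12 bundle and keystores are written below; make sure
# nothing this script creates is group- or world-readable.
umask 077

# Where we store the CA certificates
CA_HOME=~/etc/ca
# Where OpenDJ is installed
OPENDJ_HOME=~/packages/opendj
# Where to store intermediate files. Deliberately not called TMPDIR: that
# name is honoured by mktemp, openssl, the JVM etc., and exporting ./out as
# their temp location is not what we want.
OUT_DIR=./out

# openssl and keytool read the PIN straight from this file, so the secret
# never appears on a command line (visible in ps output and set -x traces).
PIN_FILE="${OPENDJ_HOME}/config/keystore.pin"
if [[ ! -r "${PIN_FILE}" ]]; then
  printf 'keystore pin file not readable: %s\n' "${PIN_FILE}" >&2
  exit 1
fi

# Clean up any old files. ":?" aborts instead of running rm -fr on an
# empty path if OUT_DIR is ever unset.
rm -fr -- "${OUT_DIR:?}"
mkdir -p -- "${OUT_DIR}"

# First create a CA, unless one already exists in CA_HOME
if [[ ! -f "${CA_HOME}/ca.pem" ]]; then
  printf 'CA cert not found, creating it in %s\n' "${CA_HOME}"
  mkdir -p -- "${CA_HOME}"
  # Edit this template for your own needs
  cat > "${OUT_DIR}/csr_ca.json" <<EOF
{
  "CN": "ForgeRock Stack CA",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "US",
      "L": "San Francisco",
      "O": "ForgeRock",
      "OU": "ForgeRock",
      "ST": "California"
    }
  ]
}
EOF
  # Writes ca.pem, ca-key.pem and ca.csr into CA_HOME.
  cfssl gencert -initca "${OUT_DIR}/csr_ca.json" \
    | (cd "${CA_HOME}" && cfssljson -bare ca)
fi
# A cert without its key cannot sign anything; fail early rather than at
# the gencert step below.
if [[ ! -f "${CA_HOME}/ca-key.pem" ]]; then
  printf 'CA key not found: %s/ca-key.pem\n' "${CA_HOME}" >&2
  exit 1
fi

# Now generate a server certificate for OpenDJ's SSL listener.
# Edit this template. Note that cfssl only honours "CN" at the top level
# (as in the CA request above) -- a CN inside "names" is silently ignored.
# "hosts" becomes the certificate's subjectAltName list, so it must contain
# every name clients will use to connect.
cat > "${OUT_DIR}/csr_opendj.json" <<EOF
{
  "CN": "localhost",
  "hosts": [
    "opendj.example.com",
    "localhost",
    "opendj"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "US",
      "L": "San Francisco",
      "O": "ForgeRock",
      "OU": "ForgeRock",
      "ST": "California"
    }
  ]
}
EOF
# This creates a server private key opendj-key.pem and a public cert
# opendj.pem (plus opendj.csr), signed by the CA we created above.
# Do NOT add -hostname=... here: that flag REPLACES the "hosts" list from
# the CSR JSON, so the cert would carry only the names given on the command
# line and "localhost"/"opendj.example.com" would no longer match.
cfssl gencert -ca="${CA_HOME}/ca.pem" -ca-key="${CA_HOME}/ca-key.pem" \
  "${OUT_DIR}/csr_opendj.json" \
  | cfssljson -bare "${OUT_DIR}/opendj"

# Concatenate key and cert for the PKCS#12 import. The files are named
# explicitly instead of globbed so nothing else from OUT_DIR can end up in
# the bundle.
cat "${OUT_DIR}/opendj-key.pem" "${OUT_DIR}/opendj.pem" > "${OUT_DIR}/opendj-all.pem"

# Create a PKCS#12 file protected with the keystore PIN. With -export,
# -passout sets the output password; "file:" reads the first line of the file.
openssl pkcs12 -export -in "${OUT_DIR}/opendj-all.pem" \
  -out "${OUT_DIR}/opendj.pkcs12" -passout "file:${PIN_FILE}"

# Now import the PKCS#12 into the JKS keystore format OpenDJ uses. openssl
# labels the single entry "1" when no -name is given. The ":file" modifier
# makes keytool read the password from the pin file rather than from argv.
keytool -importkeystore \
  -srckeystore "${OUT_DIR}/opendj.pkcs12" -srcstoretype pkcs12 -srcalias '1' \
  -srcstorepass:file "${PIN_FILE}" \
  -destkeystore "${OUT_DIR}/server.jks" -destalias server-cert \
  -deststorepass:file "${PIN_FILE}"

# Back up the current keystore and truststore before touching them.
# (Beware: "${OPENDJ_HOME/config}" -- one brace, slash inside -- is bash
# pattern substitution, not a path; use "${OPENDJ_HOME}/config".) Under
# set -e a failed backup stops the script before the keystore is replaced.
cp -- "${OPENDJ_HOME}/config/keystore" "${OPENDJ_HOME}/config/keystore.bak"
cp -- "${OPENDJ_HOME}/config/truststore" "${OPENDJ_HOME}/config/truststore.bak"

# Replace the server's keystore
cp -f -- "${OUT_DIR}/server.jks" "${OPENDJ_HOME}/config/keystore"

# Now import the CA root cert into the truststore, so DJ clients will trust
# certs that are signed by the same CA. -noprompt answers the "Trust this
# certificate?" question. keytool refuses to overwrite an existing alias,
# so to re-run this script delete the alias from the truststore first.
keytool -importcert -noprompt -trustcacerts \
  -keystore "${OPENDJ_HOME}/config/truststore" -storepass:file "${PIN_FILE}" \
  -alias forgerock-stack-ca -file "${CA_HOME}/ca.pem"

printf 'Done\n'
# You can test out SSL using something like this (the server cert only
# matches the names listed in "hosts" above):
# ldapsearch --baseDN "dc=example,dc=com" -p 1636 -w password --useSSL \
# -h localhost --bindDN "cn=Directory Manager" \
# --trustStorePath config/truststore --trustStorePassword "$(cat config/keystore.pin)" \
# "(objectclass=*)"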