Create a CA and a server certificate for OpenDJ using cfssl
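#!/usr/bin/env bash
# Script to create a self-signed CA using cfssl, and create
# server certs for OpenDJ (DJ) that are signed by this CA.
#
# Requires cfssl, cfssljson, openssl and keytool on PATH, and an existing
# ${OPENDJ_HOME}/config/keystore.pin holding the keystore password.
# Run it as the user that owns the OpenDJ installation: it replaces
# ${OPENDJ_HOME}/config/keystore (after taking a backup) and adds the CA
# root certificate to ${OPENDJ_HOME}/config/truststore.

# Abort on the first failed step. Without this a failed cfssl/openssl/keytool
# call would be followed by replacing the live keystore with an empty or
# half-written file.
set -euo pipefail

# Every tool below (cfssljson, openssl, keytool) creates key material with the
# caller's umask, so make new files and directories owner-only: the CA private
# key, the server private key, the PKCS#12 and the JKS all land on disk here.
umask 077

# Where we store the CA certificate and its private key (ca-key.pem)
CA_HOME=~/etc/ca
# Where OpenDJ is installed
OPENDJ_HOME=~/packages/opendj
# Where to store intermediate files (server key, PKCS#12, JKS).
# Deliberately not called TMPDIR: that name is honoured by mktemp(1) and other
# tools, and overriding it would redirect their scratch files here too.
WORK_DIR=./out
# Alias under which the CA root certificate is stored in the truststore
CA_ALIAS=ca-cert

# Clean up any old files... (":?" refuses to run if the variable is empty,
# so this can never degrade into "rm -fr" of the wrong place)
rm -fr -- "${WORK_DIR:?}"
mkdir -p -- "${WORK_DIR}"

# The keystore PIN is handed to openssl and keytool through the environment
# (their env:/:env password forms) instead of on argv, where any user on the
# host could read it from ps(1) / /proc/*/cmdline.
PIN_FILE="${OPENDJ_HOME}/config/keystore.pin"
if [[ ! -r "${PIN_FILE}" ]]; then
  printf 'Cannot read keystore PIN file %s\n' "${PIN_FILE}" >&2
  exit 1
fi
KEYSTORE_PIN=$(cat -- "${PIN_FILE}")
export KEYSTORE_PIN

# First create a CA. An existing CA is reused so that server certificates
# issued on earlier runs keep verifying against the same root.
if [[ ! -f "${CA_HOME}/ca.pem" ]]; then
  echo "CA cert not found, creating it in ${CA_HOME}"
  mkdir -p -- "${CA_HOME}"
  # Edit this template for your own needs. cfssl's default CA lifetime applies
  # unless a "ca": {"expiry": "..."} object is added to the request.
  cat > "${WORK_DIR}/csr_ca.json" <<EOF
{
  "CN": "ForgeRock Stack CA",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "US",
      "L": "San Francisco",
      "O": "ForgeRock",
      "OU": "ForgeRock",
      "ST": "California"
    }
  ]
}
EOF
  # Writes ca.pem, ca-key.pem and ca.csr into ${CA_HOME}.
  # "cd && cfssljson" so a failed cd cannot leave the files in the cwd.
  cfssl gencert -initca "${WORK_DIR}/csr_ca.json" \
    | (cd "${CA_HOME}" && cfssljson -bare ca)
fi

# Now generate a server certificate for OpenDJ's SSL listener.
# The "hosts" list becomes the certificate's subjectAltName entries; a client
# that verifies host names must find the name it connects with in this list.
# Edit this template
cat > "${WORK_DIR}/csr_opendj.json" <<EOF
{
  "hosts": [
    "opendj.example.com",
    "localhost",
    "opendj"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "CN": "localhost",
      "C": "US",
      "L": "San Francisco",
      "O": "ForgeRock",
      "OU": "ForgeRock",
      "ST": "California"
    }
  ]
}
EOF

# This creates a server private key opendj-key.pem and a public cert opendj.pem.
# The cert is signed by the CA we created above.
# No -hostname flag here on purpose: cfssl's -hostname *replaces* the "hosts"
# list from the JSON, which would leave a single SAN on the issued cert.
cfssl gencert -ca="${CA_HOME}/ca.pem" -ca-key="${CA_HOME}/ca-key.pem" \
  "${WORK_DIR}/csr_opendj.json" \
  | cfssljson -bare "${WORK_DIR}/opendj"

# Concatenate the key and cert so openssl can build a PKCS#12 from one file
cat -- "${WORK_DIR}/opendj-key.pem" "${WORK_DIR}/opendj.pem" \
  > "${WORK_DIR}/opendj-all.pem"

# Create a pkcs12 file. The friendly name becomes the entry's alias, so the
# keytool import below can address it by name instead of the implicit "1".
openssl pkcs12 -export -in "${WORK_DIR}/opendj-all.pem" -name server-cert \
  -out "${WORK_DIR}/opendj.pkcs12" -passout env:KEYSTORE_PIN

# Now import the pkcs12 into a JKS keystore. The destination type is given
# explicitly because newer JDKs default new keystores to PKCS12.
keytool -importkeystore \
  -srckeystore "${WORK_DIR}/opendj.pkcs12" -srcstoretype pkcs12 \
  -srcstorepass:env KEYSTORE_PIN -srcalias server-cert \
  -destkeystore "${WORK_DIR}/server.jks" -deststoretype jks \
  -deststorepass:env KEYSTORE_PIN -destalias server-cert

# Backup the live keystore and truststore before touching them.
# (Must be "${OPENDJ_HOME}/config", not "${OPENDJ_HOME/config}": the latter is
# a pattern substitution on the variable, not a path, and backs up nothing.)
for store in keystore truststore; do
  if [[ -f "${OPENDJ_HOME}/config/${store}" ]]; then
    cp -- "${OPENDJ_HOME}/config/${store}" "${OPENDJ_HOME}/config/${store}.bak"
  fi
done

# Replace the server's keystore
cp -f -- "${WORK_DIR}/server.jks" "${OPENDJ_HOME}/config/keystore"

# Now import the CA root cert into the truststore so DJ and its client tools
# trust certs that are signed by the same CA. -noprompt answers the "trust
# this certificate?" question; the alias is removed first so that re-running
# the script does not fail with "alias already exists".
keytool -delete -alias "${CA_ALIAS}" \
  -keystore "${OPENDJ_HOME}/config/truststore" \
  -storepass:env KEYSTORE_PIN >/dev/null 2>&1 || true
keytool -importcert -noprompt -trustcacerts -alias "${CA_ALIAS}" \
  -keystore "${OPENDJ_HOME}/config/truststore" \
  -storepass:env KEYSTORE_PIN -file "${CA_HOME}/ca.pem"

echo "Done"

# You can test out ssl using something like this (the bind password is
# shown inline only for illustration; prefer a password file in practice):
# ldapsearch --baseDN "dc=example,dc=com" -p 1636 -w password --useSSL \
#   -h localhost --bindDN "cn=Directory Manager" \
#   --trustStorePath config/truststore --trustStorePassword "$(cat config/keystore.pin)" \
#   "(objectclass=*)"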