Create a gist now

Instantly share code, notes, and snippets.

@wstrange /djcert.sh
Last active Jun 24, 2016

What would you like to do?
Create a CA and a server certificate for OpenDJ using cfssl
#!/bin/bash
# Script to create a self signed CA using cfssl, and create
# server certs for DJ that are signed by this CA.
# Where we store the CA certificates
CA_HOME=~/etc/ca
# Where OpenDJ is insstalled
OPENDJ_HOME=~/packages/opendj
# Where to store intermediate files
TMPDIR=./out
# Clean up any old files...
rm -fr ${TMPDIR}
mkdir -p ${TMPDIR}
KEYSTORE_PIN=`cat ${OPENDJ_HOME}/config/keystore.pin`
# First create a CA
if [ ! -f "$CA_HOME"/ca.pem ];
then
echo "CA cert not found, creating it in ${CA_HOME}"
mkdir -p ${CA_HOME}
# Edit this template for your own needs
cat > ${TMPDIR}/csr_ca.json <<EOF
{
"CN": "ForgeRock Stack CA",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "US",
"L": "San Francisco",
"O": "ForgeRock",
"OU": "ForgeRock",
"ST": "California"
}
]
}
EOF
cfssl gencert -initca ${TMPDIR}/csr_ca.json | \
(cd ${CA_HOME}; cfssljson -bare ca)
fi
# Now generate a server certificate for OpenDJs SSL
# Edit this template
cat >${TMPDIR}/csr_opendj.json <<EOF
{
"hosts": [
"opendj.example.com",
"localhost",
"opendj"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"CN": "localhost",
"C": "US",
"L": "San Francisco",
"O": "ForgeRock",
"OU": "ForgeRock",
"ST": "California"
}
]
}
EOF
# This create a server private key opendj-key.pem and a public cert opend.pem
# The cert is signed by the CA we created above
cfssl gencert -ca=${CA_HOME}/ca.pem -ca-key=${CA_HOME}/ca-key.pem -hostname=opendj ${TMPDIR}/csr_opendj.json \
| cfssljson -bare ${TMPDIR}/opendj
# Concact the PEM files together to import into pkcs12
(cd ${TMPDIR}; cat opendj*pem > opendj-all.pem )
# Create a pkcs12 file
openssl pkcs12 -export -in ${TMPDIR}/opendj-all.pem -out ${TMPDIR}/opendj.pkcs12 -password "pass:${KEYSTORE_PIN}"
# Now import the pkcs12 to a JKS keystore format
keytool -importkeystore -srckeystore ${TMPDIR}/opendj.pkcs12 -srcalias '1' -destkeystore ${TMPDIR}/server.jks \
-storepass "${KEYSTORE_PIN}" -srcstoretype pkcs12 \
-srcstorepass "${KEYSTORE_PIN}" -destalias server-cert
# backup keystore
(cd "${OPENDJ_HOME/config}"; cp keystore keystore.bak; cp truststore truststore.bak)
# Replace the server's keystore
cp -f "${TMPDIR}/server.jks" "${OPENDJ_HOME}/config/keystore"
# Now import the the CA root cert into the truststore -so DJ clients will trust
# certs that are signed by the same CA
echo "yes" | keytool -importcert -keystore "${OPENDJ_HOME}/config/truststore" -trustcacerts \
-storepass "${KEYSTORE_PIN}" -file "${CA_HOME}/ca.pem"
echo "Done"
# You can test out ssl using something like this:
# ldapsearch --baseDN "dc=example,dc=com" -p 1636 -w password --useSSL \
# -h localhost --bindDN "cn=Directory Manager" \
# --trustStorePath config/truststore --trustStorePassword `cat config/keystore.pin` \
# "(objectclass=*)"
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment