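#!/bin/bash
# Generate a self-signed root CA and a CA-signed server certificate with keytool.
#
# Files produced in the current directory:
#   password_server_$SERVERNAME       random keystore/key password (mode 0600)
#   ${SERVERNAME}ca.jks               CA keystore (private key + self-signed cert)
#   ${SERVERNAME}ca.crt               CA certificate (PEM) for use in trust stores
#   $SERVERNAME.jks                   server keystore: key, trusted CA cert, signed cert
#   $SERVERNAME.csr / $SERVERNAME.crt server CSR and the CA-signed certificate
#
# The identity values may be overridden from the environment; the defaults are
# the original hard-coded values. Abort on the first failing keytool step so a
# half-built keystore is never silently reported as complete.
set -euo pipefail

SERVERNAME=${SERVERNAME:-mysecuredserver}
CITY=${CITY:-Stockholm}
REGION=${REGION:-Stockholm}
COUNTRY_CODE=${COUNTRY_CODE:-SE}
KEY_SIZE=${KEY_SIZE:-4096}

CA_ALIAS="${SERVERNAME}ca"
CA_KEYSTORE="${SERVERNAME}ca.jks"
CA_CERT="${SERVERNAME}ca.crt"
SERVER_KEYSTORE="$SERVERNAME.jks"
PASSWORD_FILE="password_server_$SERVERNAME"

# Print a message to stderr and exit non-zero.
die() { printf '%s\n' "$*" >&2; exit 1; }

command -v keytool >/dev/null 2>&1 || die "required tool not found: keytool"

# The password reaches keytool through the PW environment variable
# (-keypass:env / -storepass:env), so it never appears in argv or `ps`.
# Clear it on every exit path, not only after a fully successful run.
trap 'export PW=""' EXIT

# Write the password file with 0600 permissions. The subshell confines the
# strict umask to this file so the certificate/keystore files below keep the
# caller's default permissions (the keystores are themselves password-protected).
# If you don't have openssl and need a way to generate passwords, flip these two lines.
# (pipefail is switched off inside the subshell because head closes the pipe early.)
( umask 077; printf '%s\n' "$(openssl rand -base64 10)" > "$PASSWORD_FILE" )
# ( umask 077; set +o pipefail; LC_ALL=C tr -dc A-Za-z0-9 < /dev/urandom | head -c32 > "$PASSWORD_FILE" )
PW=$(<"$PASSWORD_FILE")
export PW
# A failed generator (e.g. openssl missing) leaves an empty file; refuse to
# build keystores protected by an empty password.
[[ -n "$PW" ]] || die "empty password in $PASSWORD_FILE"

# Create a self signed key pair root CA certificate.
keytool -genkeypair -v \
  -alias "$CA_ALIAS" \
  -dname "CN=$CA_ALIAS, OU=$SERVERNAME Dev, O=$SERVERNAME, L=$CITY, ST=$REGION, C=$COUNTRY_CODE" \
  -keystore "$CA_KEYSTORE" \
  -keypass:env PW \
  -storepass:env PW \
  -keyalg RSA \
  -keysize "$KEY_SIZE" \
  -ext KeyUsage:critical="keyCertSign" \
  -ext BasicConstraints:critical="ca:true" \
  -validity 9999

# Export the CA public certificate as ${SERVERNAME}ca.crt so that it can be used in trust stores.
keytool -export -v \
  -alias "$CA_ALIAS" \
  -file "$CA_CERT" \
  -keypass:env PW \
  -storepass:env PW \
  -keystore "$CA_KEYSTORE" \
  -rfc

# Create a server certificate, tied to $SERVERNAME
keytool -genkeypair -v \
  -alias "$SERVERNAME" \
  -dname "CN=$SERVERNAME, OU=$SERVERNAME Dev, O=$SERVERNAME, L=$CITY, ST=$REGION, C=$COUNTRY_CODE" \
  -keystore "$SERVER_KEYSTORE" \
  -keypass:env PW \
  -storepass:env PW \
  -keyalg RSA \
  -keysize "$KEY_SIZE" \
  -validity 385

# Create a certificate signing request for $SERVERNAME
keytool -certreq -v \
  -alias "$SERVERNAME" \
  -keypass:env PW \
  -storepass:env PW \
  -keystore "$SERVER_KEYSTORE" \
  -file "$SERVERNAME.csr"

# Tell CA to sign the $SERVERNAME certificate.
# Technically, keyUsage should be digitalSignature for DHE or ECDHE, keyEncipherment for RSA.
keytool -gencert -v \
  -alias "$CA_ALIAS" \
  -keypass:env PW \
  -storepass:env PW \
  -keystore "$CA_KEYSTORE" \
  -infile "$SERVERNAME.csr" \
  -outfile "$SERVERNAME.crt" \
  -ext KeyUsage:critical="digitalSignature,keyEncipherment" \
  -ext EKU="serverAuth" \
  -ext SAN="dns:$SERVERNAME,dns:localhost,ip:127.0.0.1" \
  -rfc

# Tell $SERVERNAME.jks it can trust ${SERVERNAME}ca as a signer.
# -noprompt: the CA cert was created above by this script, so the interactive
# "Trust this certificate?" confirmation is skipped.
keytool -import -v \
  -alias "$CA_ALIAS" \
  -file "$CA_CERT" \
  -keystore "$SERVER_KEYSTORE" \
  -storetype JKS \
  -storepass:env PW \
  -noprompt

# Import the signed certificate back into $SERVERNAME.jks (certificate reply;
# it chains to the CA imported just above, so no trust prompt is raised).
keytool -import -v \
  -alias "$SERVERNAME" \
  -file "$SERVERNAME.crt" \
  -keystore "$SERVER_KEYSTORE" \
  -storetype JKS \
  -storepass:env PW

# List out the contents of $SERVERNAME.jks just to confirm it.
keytool -list -v \
  -keystore "$SERVER_KEYSTORE" \
  -storepass:env PW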