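#!/bin/bash
#------------------------------------------------------------------------------
# self_signed.sh — print the openssl / keytool command sequence that creates a
# self-signed server certificate for one host and imports it into a JDK/JRE
# cacerts truststore. The script is deliberately a no-op: the only file it
# writes is the per-host openssl config rendered from self_signed_template.config;
# every other command is echoed for the user to copy / paste.
#
# Usage: self_signed.sh [java_home] [hostname] [certificates_directory_path] [cacerts_password]
# Env:   SERVER_SSL_KEY_PASSWORD and SERVER_SSL_KEY_STORE_PASSWORD (both required,
#        and must be equal: the generated PKCS12 store has a single password)
#
# The echoed commands carry both passwords as plain argv values ("pass:..."),
# so the output is itself secret material: redirect it to a file with
# restrictive permissions rather than a shared log or terminal scrollback.
#------------------------------------------------------------------------------
set -euo pipefail

# Print a message to stderr and exit with status 1.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Replace Windows-style backslashes with forward slashes (paths such as
# "C:\Java\jdk1.8.0_281"). Parameter expansion only — no echo|sed round trip,
# so values with spaces or glob characters survive unchanged.
to_forward_slashes() {
  printf '%s\n' "${1//\\//}"
}

# Help text, written to stdout as the original script did.
print_usage() {
  echo "Usage:"
  echo ""
  echo "self_signed.sh [java_home] [hostname] [certificates_directory_path] [cacerts_password]"
  echo ""
  echo " - java_home is defaulted to ${JAVA_HOME:-}"
  echo " - hostname is defaulted to ${HOSTNAME:-}"
  echo " - certificates_directory_path is defaulted to current diretory"
  echo " - cacerts_password is defaulted to changeit"
  echo ""
  echo "SERVER_SSL_KEY_PASSWORD and SERVER_SSL_KEY_STORE_PASSWORD environment variables must be defined"
  echo ""
  echo "If you have only one JRE / JDK and JAVA_HOME environment variable set:"
  echo "./self_signed.sh"
  echo ""
  echo "If you have several java versions installed, run for each for instance:"
  echo "./self_signed.sh \"C:/Java/jdk1.8.0_281\""
  echo ""
}

# Locate the cacerts truststore below a JDK/JRE root ($1) and print its path.
# Returns 1 when neither the modern nor the legacy layout is present.
find_cacerts() {
  local java_root=$1
  if [[ -f "${java_root}/lib/security/cacerts" ]]; then
    # recent JDKs and JREs style
    printf '%s\n' "${java_root}/lib/security/cacerts"
  elif [[ -f "${java_root}/jre/lib/security/cacerts" ]]; then
    # legacy JDKs style (1.8 and older)
    printf '%s\n' "${java_root}/jre/lib/security/cacerts"
  else
    return 1
  fi
}

#######################################
# Resolve inputs, render the per-host openssl config and echo the recipe.
# Globals:   SERVER_SSL_KEY_PASSWORD, SERVER_SSL_KEY_STORE_PASSWORD (read),
#            JAVA_HOME, HOSTNAME (read as defaults)
# Arguments: $1 java root, $2 hostname/CN, $3 output dir, $4 cacerts password
# Outputs:   the command recipe on stdout; diagnostics on stderr
# Returns:   0 on success, 1 on any validation error
#######################################
main() {
  if [[ -z "${SERVER_SSL_KEY_PASSWORD:-}" || -z "${SERVER_SSL_KEY_STORE_PASSWORD:-}" ]]; then
    print_usage
    exit 1
  fi

  echo "#------------------------------------------"
  echo "# This is a no-op script"
  echo "# Copy / paste output to:"
  echo "# - generate certificate files"
  echo "# - import certificates into cacerts file"
  echo "#------------------------------------------"
  # Echoed on purpose: the recipe below embeds both values anyway.
  echo "SERVER_SSL_KEY_PASSWORD: ${SERVER_SSL_KEY_PASSWORD}"
  echo "SERVER_SSL_KEY_STORE_PASSWORD: ${SERVER_SSL_KEY_STORE_PASSWORD}"
  # Quoted [[ ]] comparison: the previous unquoted [ ] test word-split and
  # globbed passwords containing spaces or wildcard characters.
  if [[ "$SERVER_SSL_KEY_PASSWORD" != "$SERVER_SSL_KEY_STORE_PASSWORD" ]]; then
    die "Due to PCKS12 limitation key and keystore passowrds must be the same"
  fi

  local java_root
  if [[ -z "${1:-}" ]]; then
    [[ -n "${JAVA_HOME:-}" ]] || die "ERROR: could not locate JDK / JRE root directory"
    java_root=$JAVA_HOME
    echo "JDK / JRE root directory defaulted to JAVA_HOME. Provide JDK / JRE root directory as 1st command-line argument to change that."
  else
    java_root=$1
  fi
  java_root=$(to_forward_slashes "$java_root")
  echo "JAVA: $java_root"

  local cacerts
  cacerts=$(find_cacerts "$java_root") || die "ERROR: could not locate cacerts under $java_root"
  echo "CACERTS path: $cacerts"

  local host
  if [[ -z "${2:-}" ]]; then
    host=${HOSTNAME:-}
    echo "Using HOSTNAME env variable. Override with 2nd command-line argument"
  else
    host=$2
  fi
  # An empty host would silently produce files named "_self_signed.*" and an
  # empty CN; fail early instead.
  [[ -n "$host" ]] || die "ERROR: hostname is empty (HOSTNAME is not set); provide it as 2nd command-line argument"
  echo "HOST (certificate CN): $host"

  local certif_dir
  if [[ -z "${3:-}" ]]; then
    certif_dir="."
    echo "Using current directory as output directory for certificate files. Override with 3rd command-line argument"
  else
    certif_dir=$3
  fi
  certif_dir=$(to_forward_slashes "$certif_dir")
  echo "certificates directory path: $certif_dir"

  local cacerts_password
  if [[ -z "${4:-}" ]]; then
    cacerts_password="changeit"
    echo "Using $cacerts_password as cacerts file password. Override with 4th command-line argument"
  else
    cacerts_password=$4
  fi
  echo "cacerts file password: $cacerts_password"
  echo "#------------------------------------------"
  echo "self_signed.sh $java_root $host $certif_dir $cacerts_password"
  echo "#------------------------------------------"
  echo ""
  echo ""

  # Every artifact lives under certif_dir. (The former "rm -f ${HOST}_self_signed.config"
  # targeted the current directory while sed wrote into certif_dir.)
  local template="${certif_dir}/self_signed_template.config"
  local config="${certif_dir}/${host}_self_signed.config"
  local key="${certif_dir}/${host}_req_key.pem"
  local csr="${certif_dir}/${host}_cert_req.pem"
  local crt="${certif_dir}/${host}_self_signed.crt"
  local pem="${certif_dir}/${host}_self_signed.pem"
  local p12="${certif_dir}/${host}_self_signed.p12"
  local jks="${certif_dir}/${host}_self_signed.jks"

  [[ -f "$template" ]] || die "ERROR: template not found: $template"
  # The host is spliced into a sed replacement: escape '/' and '&' so a value
  # containing them cannot terminate or rewrite the s/// command.
  local host_repl
  host_repl=$(printf '%s' "$host" | sed 's/[\/&]/\\&/g')
  rm -f -- "$config"
  sed -e "s/\[hostname\]/${host_repl}/g" -- "$template" > "$config"

  # Recipe: CSR + key, self-sign, PEM export, PKCS12 bundle, keystore import,
  # truststore import. Printed via printf so quoting/globbing in the script
  # cannot alter the emitted text.
  printf 'openssl req -config "%s" -new -keyout "%s" -passout pass:%s -out "%s" -reqexts v3_req\n' \
    "$config" "$key" "$SERVER_SSL_KEY_PASSWORD" "$csr"
  echo ""
  printf 'openssl x509 -req -days 365 -extfile "%s" -in "%s" -extensions v3_req -signkey "%s" -passin pass:%s -out "%s"\n' \
    "$config" "$csr" "$key" "$SERVER_SSL_KEY_PASSWORD" "$crt"
  echo ""
  printf 'openssl x509 -in "%s" -out "%s" -outform PEM\n' "$crt" "$pem"
  echo ""
  printf 'openssl pkcs12 -export -in "%s" -inkey "%s" -passin pass:%s -name %s -out "%s" -passout pass:%s\n' \
    "$crt" "$key" "$SERVER_SSL_KEY_PASSWORD" "$host" "$p12" "$SERVER_SSL_KEY_STORE_PASSWORD"
  echo ""
  printf '"%s/bin/keytool" -importkeystore -srckeystore "%s" -srckeypass "%s" -srcstorepass "%s" -srcstoretype pkcs12 -srcalias %s -destkeystore "%s" -deststoretype PKCS12 -destkeypass %s -deststorepass %s -destalias %s\n' \
    "$java_root" "$p12" "$SERVER_SSL_KEY_PASSWORD" "$SERVER_SSL_KEY_STORE_PASSWORD" "$host" "$jks" \
    "$SERVER_SSL_KEY_PASSWORD" "$SERVER_SSL_KEY_STORE_PASSWORD" "$host"
  echo ""
  echo "# Might need to sudo this one"
  printf '"%s/bin/keytool" -importkeystore -srckeystore "%s" -srckeypass "%s" -srcstorepass "%s" -srcstoretype pkcs12 -srcalias %s -destkeystore "%s" -deststorepass %s -destalias %s\n' \
    "$java_root" "$p12" "$SERVER_SSL_KEY_PASSWORD" "$SERVER_SSL_KEY_STORE_PASSWORD" "$host" "$cacerts" \
    "$cacerts_password" "$host"
  echo ""
}

main "$@"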