#!/bin/sh

#
# Commands
#

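# Run "openssl req" against the local openssl.cnf, echoing the full command
# line first so a run can be reproduced from its log.
# Arguments: everything is passed through to openssl req.
# Arguments are forwarded quoted ("$@") so a -subj value containing spaces
# is not re-split into several words.
openssl_req () {
    printf '%s\n' "openssl req -config openssl.cnf $*"
    openssl req -config openssl.cnf "$@"
}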

openssl_ca () {
    echo openssl ca -config openssl.cnf -batch -startdate 700101000000Z -days 21900 $@
    openssl ca -config openssl.cnf -batch -startdate 700101000000Z -days 21900 $@
}


#
# CA directory structure
#

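# Create the "openssl ca" working tree under $1: certs/ private/ crl/
# newcerts/ req/, an empty index.txt and serial/crlnumber counters at 00.
# A no-op when $1 already exists, so it is safe to call on every run.
# Arguments: $1 - CA directory to create.
# Returns: non-zero if the directories cannot be created.
ca_dir () {
    test -d "$1" && return
    mkdir "$1" "$1/certs" "$1/private" "$1/crl" "$1/newcerts" "$1/req" || return 1
    # Private keys are written here unencrypted (-nodes); keep the directory
    # owner-only regardless of the caller's umask.
    chmod 700 "$1/private"
    touch "$1/index.txt"
    echo 00 > "$1/serial"
    echo 00 > "$1/crlnumber"
}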

# Working tree for the single CA this script manages (idempotent).
ca_dir "ca-master"

#
# The CA
#

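# Build the CA once: key + CSR, self-signed certificate, and a Java truststore
# (cacerts.jks) holding that certificate. Skipped entirely when the CA cert
# already exists, so the truststore is only rebuilt together with the CA.
test -f ca-master/ca-master.crt || {

	# Make key and request.
	# -nodes: the CA private key is stored unencrypted under ca-master/private/.
	# Fine for a local test fixture; never copy that directory into an image or
	# repository.
	openssl_req -extensions v3_ca -new -newkey rsa:2048 -nodes \
		-keyout ca-master/private/ca-master.key -out ca-master/req/ca-master.csr \
		-subj "/C=FI/ST=Tampere/L=Tampere/O=Bortal/CN=CA" || exit 1

	# Make self signed CA, through the same wrapper (same config, batch mode
	# and backdated ~60-year validity) used for every other signature below.
	openssl_ca -selfsign -in ca-master/req/ca-master.csr -out ca-master/ca-master.crt \
		-keyfile ca-master/private/ca-master.key || exit 1

	# Make CA bundle keystore.
	# "changeit" is the JDK default truststore password; it only guards the
	# store's integrity (the content is a public certificate) and is visible
	# in `ps` while keytool runs. Acceptable for a dev truststore only.
	rm -f cacerts.jks
	openssl x509 -outform der -in ca-master/ca-master.crt -out ca-master/ca-master.der || exit 1
	keytool -import -keystore cacerts.jks -storepass changeit -file ca-master/ca-master.der \
		-noprompt -trustcacerts -alias bortalca || exit 1
}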

#
# Certificates signed by CA
#

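# Issue a CA-signed certificate whose CN equals the file base name.
# Arguments: $1 - base name used for key/csr/crt/p12 files and as CN;
#            remaining arguments are passed to "openssl ca" (e.g. -extensions).
# Outputs: ca-master/private/$1.key (unencrypted), ca-master/req/$1.csr,
#          ca-master/certs/$1.crt and ca-master/certs/$1.p12.
# Returns: 0 when the .crt already exists (nothing regenerated) or on
#          success; non-zero as soon as a step fails, so a half-built set of
#          files is not silently exported.
master_signed_cert () {
    _base=$1 ; shift
    test -f "ca-master/certs/$_base.crt" && return

    # Key and request; -nodes leaves the key unencrypted on disk.
    openssl_req -new -newkey rsa:2048 -nodes \
	-keyout "ca-master/private/$_base.key" \
	-out "ca-master/req/$_base.csr" \
	-subj "/C=FI/ST=Tampere/L=Tampere/O=Bortal/CN=$_base" || return 1

    # Sign with the master CA; extra arguments select the extension profile.
    openssl_ca -name CA_master "$@" \
	-in "ca-master/req/$_base.csr" \
	-out "ca-master/certs/$_base.crt" || return 1

    # PKCS#12 bundle for keystore/browser import. The export password is the
    # JDK default "changeit" and is passed on the command line (visible in
    # `ps`); this is a dev fixture, not a deployable credential.
    openssl pkcs12 -export -passout pass:changeit \
        -in "ca-master/certs/$_base.crt" \
        -inkey "ca-master/private/$_base.key" \
        -out "ca-master/certs/$_base.p12"
}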

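# Issue a CA-signed certificate with an explicit common name.
# Arguments: $1 - base name used for key/csr/crt/p12 files;
#            $2 - CN to put in the subject;
#            remaining arguments are passed to "openssl ca" (e.g. -extensions).
# Outputs: ca-master/private/$1.key (unencrypted), ca-master/req/$1.csr,
#          ca-master/certs/$1.crt and ca-master/certs/$1.p12.
# Returns: 0 when the .crt already exists (nothing regenerated) or on
#          success; non-zero as soon as a step fails.
# NOTE(review): an earlier comment promised a combined key+cert .pem under
# ca-master/private/, and the idempotency guard tested for it, but nothing
# here ever wrote that file - so the key and certificate were regenerated on
# every run. The guard now checks the .crt, like master_signed_cert.
master_signed_cert_cn () {
    _base=$1 ; shift
    _cn=$1 ; shift

    test -f "ca-master/certs/$_base.crt" && return

    # Key and request; -nodes leaves the key unencrypted on disk.
    openssl_req -new -newkey rsa:2048 -nodes \
	-keyout "ca-master/private/$_base.key" \
	-out "ca-master/req/$_base.csr" \
	-subj "/C=FI/ST=Tampere/L=Tampere/O=Bortal/CN=$_cn" || return 1

    # Sign with the master CA; extra arguments select the extension profile.
    openssl_ca -name CA_master "$@" \
	-in "ca-master/req/$_base.csr" \
	-out "ca-master/certs/$_base.crt" || return 1

    # PKCS#12 bundle for keystore/browser import. Export password is the JDK
    # default "changeit", passed on the command line (visible in `ps`) -
    # dev fixture only.
    openssl pkcs12 -export -passout pass:changeit \
        -in "ca-master/certs/$_base.crt" \
        -inkey "ca-master/private/$_base.key" \
        -out "ca-master/certs/$_base.p12"
}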

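# Server certificate (CN bortal-server, srv_cert profile) exported into
# keystore.jks under the alias s1as. The keystore is rebuilt on every run.
master_signed_cert_cn s1as bortal-server -extensions srv_cert || exit 1
rm -f keystore.jks
# Both store passwords are the JDK default "changeit" and are passed on the
# command line (visible in `ps` for the duration of the import). Acceptable
# for a local dev keystore; rotate before anything here is deployed.
keytool -importkeystore \
	-srckeystore ca-master/certs/s1as.p12 -srcstoretype pkcs12 -srcstorepass changeit \
	-destkeystore keystore.jks -deststorepass changeit \
	-alias 1 -destalias s1as || exit 1

# Client certificate (CN terminal, client_cert profile).
master_signed_cert terminal -extensions client_cert || exit 1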