Thursday, June 10, 2010

How to create security tokens for testing purposes?

As part of my job I fairly often install different WS-Security implementations to check whether they interoperate. If you already have a secured client and server, the only thing still needed is a set of security tokens. There are several ways to create security tokens; one of them is the openssl tool. OpenSSL is the de facto standard: it is usually preinstalled on Unix/Linux systems and can be installed on Windows as well. I use the following script to create certificates and key pairs:

#!/bin/sh
# Stop at the first failing openssl command instead of producing half a set of files.
set -e

KEYLENGTH=2048
DAYS=512
HOSTS=$@
PASS=test
# OpenSSL config with the DN prompts and the v3_ca extension section; must exist in the working directory.
CA_CFG=ca.cfg

# create Certificate Authority key
openssl genrsa -out ca_key.pem $KEYLENGTH
# create Certificate Authority certificate
# (printf instead of "echo -e": echo -e is not portable under /bin/sh;
#  the lines are the answers to the DN prompts defined in ca.cfg, in prompt order)
printf 'RU\nSpb\nCA\nFAKE CA\nTesters\nCA_example_host\n\n' | \
openssl req -config $CA_CFG \
-new -x509 -key ca_key.pem -out ca_cert.cer -days $DAYS

for host in $HOSTS
do
# create key
openssl genrsa -out ${host}_key.pem $KEYLENGTH
# create certificate request, $host is used for CN
printf 'RU\nSpb\nFAKE Organization\nFAKE Unit\nTesters\n%s\n\n\n\n\n' "$host" | \
openssl req -config $CA_CFG -extensions \
v3_ca -new -key ${host}_key.pem -out ${host}_req.pem
# create certificate from request, signed by the CA
openssl x509 -req -in ${host}_req.pem -out ${host}_cert.cer \
-CA ca_cert.cer -extfile $CA_CFG -extensions v3_ca \
-CAkey ca_key.pem -CAcreateserial -days $DAYS
# delete certificate request
rm ${host}_req.pem
# pack key pair into a pfx file protected with password $PASS
openssl pkcs12 -export -out ${host}.pfx -passout pass:$PASS \
-inkey ${host}_key.pem -in ${host}_cert.cer
# delete the unencrypted key
rm ${host}_key.pem
done

This script creates a key and a self-signed certificate for the certificate authority. For each command-line argument it creates a key pair and a certificate signed by that certificate authority. Certificates are stored in .cer files, key pairs in password-protected .pfx (PKCS#12) files. Note that the host certificates are issued with the same v3_ca extension section as the CA certificate itself, so whatever that section sets (typically basicConstraints CA:TRUE) ends up in the end-entity certificates as well; that is acceptable for throwaway test tokens but for nothing else. .cer and .pfx files can be imported into the Windows certificate store simply by double-clicking the .cer/.pfx file, and into a Java keystore with the following commands:

keytool -importcert -keystore store.jks -storepass password -file certificate.cer
keytool -importkeystore -destkeystore store.jks -deststorepass password \
-srckeystore keypair.pfx -srcstoretype PKCS12 -srcstorepass password
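The script above still depends on an external ca.cfg and on answering prompts in the right order, and it produces files without checking them. The following is an added example, not the script from the original post: it performs the same procedure non-interactively with -subj and an inline config (so the CA gets CA:TRUE and the host certificate CA:FALSE plus a subjectAltName), then runs the checks worth doing before the .cer/.pfx pair is handed to a WS-Security client or server: the chain verifies against the test CA, the .pfx opens with the password and contains the same certificate and a matching private key, and a wrong password is rejected. It assumes only the openssl command-line tool; the directory, host name, password and DN values are made-up parameters.

```shell
#!/bin/sh
# Added example (not the original post's script). Assumes only the openssl CLI.
set -e

# make_test_pki DIR HOST PASS
# Produces DIR/ca_cert.cer, DIR/HOST_cert.cer and DIR/HOST.pfx (protected by PASS).
make_test_pki() {
    dir=$1; host=$2; pass=$3
    mkdir -p "$dir"
    # Self-contained config: -subj replaces the interactive prompts, so the DN
    # section can stay empty. ca_ext is for the CA, host_ext for the end entity.
    cat > "$dir/pki.cfg" <<EOF
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[host_ext]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:$host
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
    # Self-signed CA key and certificate (made-up DN values).
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/ca_key.pem" \
        -out "$dir/ca_cert.cer" -days 512 -config "$dir/pki.cfg" -extensions ca_ext \
        -subj "/C=RU/ST=Spb/O=FAKE CA/OU=Testers/CN=CA_example_host"
    # Host key, request and certificate signed by the CA.
    openssl genrsa -out "$dir/${host}_key.pem" 2048
    openssl req -new -key "$dir/${host}_key.pem" -out "$dir/${host}_req.pem" \
        -config "$dir/pki.cfg" \
        -subj "/C=RU/ST=Spb/O=FAKE Organization/OU=Testers/CN=$host"
    openssl x509 -req -in "$dir/${host}_req.pem" -out "$dir/${host}_cert.cer" \
        -CA "$dir/ca_cert.cer" -CAkey "$dir/ca_key.pem" -CAcreateserial -days 512 \
        -extfile "$dir/pki.cfg" -extensions host_ext
    # Key pair plus the CA certificate in one password-protected PKCS#12 file.
    openssl pkcs12 -export -out "$dir/$host.pfx" -passout "pass:$pass" \
        -inkey "$dir/${host}_key.pem" -in "$dir/${host}_cert.cer" \
        -certfile "$dir/ca_cert.cer"
    # The request and the unencrypted key are no longer needed.
    rm "$dir/${host}_req.pem" "$dir/${host}_key.pem"
}

# verify_test_pki DIR HOST PASS
# Returns 0 when the generated files are consistent, 1 otherwise.
verify_test_pki() {
    dir=$1; host=$2; pass=$3
    cer=$dir/${host}_cert.cer
    # 1. The host certificate chains to the test CA.
    openssl verify -CAfile "$dir/ca_cert.cer" "$cer" >/dev/null 2>&1 || return 1
    # 2. It is an end-entity certificate and carries the expected SAN.
    text=$(openssl x509 -in "$cer" -noout -text)
    printf '%s\n' "$text" | grep -q 'CA:FALSE' || return 1
    printf '%s\n' "$text" | grep -qF "DNS:$host" || return 1
    # 3. The .pfx opens with PASS and holds the same certificate as the .cer ...
    cer_fp=$(openssl x509 -in "$cer" -noout -fingerprint -sha256)
    pfx_fp=$(openssl pkcs12 -in "$dir/$host.pfx" -passin "pass:$pass" -nokeys -clcerts \
             | openssl x509 -noout -fingerprint -sha256)
    [ "$cer_fp" = "$pfx_fp" ] || return 1
    # ... and a private key whose public half matches the certificate.
    cer_pub=$(openssl x509 -in "$cer" -noout -pubkey)
    pfx_pub=$(openssl pkcs12 -in "$dir/$host.pfx" -passin "pass:$pass" -nocerts -nodes \
              | openssl pkey -pubout)
    [ "$cer_pub" = "$pfx_pub" ] || return 1
    # 4. A wrong password must be rejected, i.e. the PKCS#12 MAC really protects the file.
    if openssl pkcs12 -in "$dir/$host.pfx" -passin pass:wrong-password -nokeys >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Stand-alone run: build and check a PKI for one host in a scratch directory.
work=$(mktemp -d)
make_test_pki "$work" client1 test
verify_test_pki "$work" client1 test && echo "test PKI in $work verified"
```

After importing the .pfx into a Java keystore with the keytool commands above, `keytool -list -v -keystore store.jks -storepass password` shows the same certificate fingerprint that step 3 of verify_test_pki computes from the .cer, which is the quickest way to confirm that the right key pair landed under the expected alias.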
