#!/bin/bash
# Print every argument in 256-colour yellow (227), each followed by a space, then a newline.
yellow() {
  printf '\e[38;5;227m%s\e[0m ' "$@"
  printf '\n'
}
# Print every argument in 256-colour orange (208), each followed by a space, then a newline.
warn() {
  printf '\e[38;5;208m%s\e[0m ' "$@"
  printf '\n'
}
# Print every argument in 256-colour green (048), each followed by a space, then a newline.
green() {
  printf '\e[38;5;048m%s\e[0m ' "$@"
  printf '\n'
}
# Print every argument in 256-colour red (196), each followed by a space, then a newline.
red() {
  printf '\e[38;5;196m%s\e[0m ' "$@"
  printf '\n'
}
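# Abort early when a required tool is missing from PATH. cfssljson is checked
# too: the cfssl pipelines below write their output through it.
for required_tool in cfssl cfssljson keytool openssl uuidgen; do
  # command -v is the portable replacement for which
  if ! command -v "${required_tool}" > /dev/null 2>&1; then
    red "please install ${required_tool} and retry"
    exit 1
  fi
done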
# CA locations, relative to an asset directory (the script cd's into each one).
PATH_TO_CA_CONFIG="../ca/cfssl-ca.json"
PATH_TO_CA_FILE="../ca/ca.pem"
PATH_TO_CA_KEY="../ca/ca-key.pem"
# note: each time you run this tool, it will roll the passwords if you do not set them
# ahead of time. A fresh password is a UUID with the dashes removed; its randomness is
# whatever the platform's uuidgen provides.
for pw_var in PASSWORD_SERVER_KEYSTORE PASSWORD_CLIENT_KEYSTORE PASSWORD_PEER_KEYSTORE; do
  if [[ -z "${!pw_var}" ]]; then
    new_pw=$(uuidgen | sed -e 's/-//g')
    export "${pw_var}=${new_pw}"
  fi
done
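#######################################
# Create the CA key and certificate with cfssl unless ./ca already holds one.
# Globals:   PATH_TO_CA_FILE, PATH_TO_CA_KEY (read, for the progress message only)
# Arguments: none
# Outputs:   ./ca/ca.pem, ./ca/ca-key.pem, ./ca/ca.csr
# Returns:   0; exits 1 when the CA directory cannot be entered or generation fails
#######################################
function build_ca() {
  if [[ -e ./ca/ca-key.pem || -e ./ca/ca.pem || -e ./ca/ca.csr ]]; then
    green "not recreating CA pem and key - if you want to recreate the ca: rm -f ./ca/ca-key.pem ./ca/ca.pem ./ca/ca.csr"
    return 0
  fi
  if ! cd ./ca; then
    red "ca - failed to change to CA dir: ./ca"
    exit 1
  fi
  # clear leftovers from a previous run; unmatched globs are silenced on purpose
  rm ./*.p12 ./*.txt ./*.pem ./*.csr ./*.pkcs12 ./*.jks > /dev/null 2>&1
  yellow "generating new certificate authority ca_file=${PATH_TO_CA_FILE} key=${PATH_TO_CA_KEY}"
  cfssl gencert -initca cfssl-ca.json | cfssljson -bare ca
  # without pipefail, $? only reports cfssljson; a cfssl failure must not be missed
  local -a st=("${PIPESTATUS[@]}")
  if [[ "${st[0]}" -ne 0 || "${st[1]}" -ne 0 ]]; then
    red "ca - failed to generate ca with: cfssl gencert -initca cfssl-ca.json | cfssljson -bare ca"
    exit 1
  fi
  if ! cd ..; then
    red "ca - failed to return to the top-level dir"
    exit 1
  fi
}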
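#######################################
# Run a command; on non-zero exit print LABEL plus the shell-quoted command
# via red and exit 1. Passwords are handed to openssl/keytool by environment
# variable name, so the echoed command never contains a secret.
# Arguments: $1 - message prefix, $2.. - command and its arguments
# Returns:   0 on success; exits 1 on failure
#######################################
function _run_or_die() {
  local label="${1}"
  shift
  "$@"
  local rc="$?"
  if [[ "${rc}" -ne 0 ]]; then
    red "${label} with command: $(printf '%q ' "$@")- stopping"
    exit 1
  fi
}

#######################################
# Write one keystore password to a plaintext file.
# Arguments: $1 - message prefix, $2 - name of the env var holding the password,
#            $3 - output path
# Returns:   0 on success; exits 1 when the file cannot be written
# NOTE(review): the file is created with the caller's umask; run the script
# under `umask 077` if other local users must not be able to read it.
#######################################
function _write_password_file() {
  local label="${1}" pw_var="${2}" out_path="${3}"
  if ! printf '%s\n' "${!pw_var}" > "${out_path}"; then
    red "${label} - failed to create password file ${out_path} - stopping"
    exit 1
  fi
}

#######################################
# Issue one certificate from the CA with cfssl.
# Globals:   PATH_TO_CA_FILE, PATH_TO_CA_KEY, PATH_TO_CA_CONFIG (read)
# Arguments: $1 - asset name (for messages), $2 - cfssl profile,
#            $3 - output basename (server/peer/client), $4 - CSR json path
# Outputs:   ./$3.pem, ./$3-key.pem, ./$3.csr in the current dir
# Returns:   0 on success; exits 1 when either pipeline stage fails
#######################################
function _gen_cert() {
  local tls_name="${1}" profile="${2}" out_name="${3}" csr_config="${4}"
  echo "generating ${tls_name} - ${out_name}"
  cfssl gencert -ca "${PATH_TO_CA_FILE}" -ca-key "${PATH_TO_CA_KEY}" -config "${PATH_TO_CA_CONFIG}" -profile "${profile}" "${csr_config}" | cfssljson -bare "${out_name}"
  # without pipefail, $? only reports cfssljson; check both stages of the pipe
  local -a st=("${PIPESTATUS[@]}")
  if [[ "${st[0]}" -ne 0 || "${st[1]}" -ne 0 ]]; then
    red "${tls_name} - failed to generate ${out_name} with: cfssl gencert -ca ${PATH_TO_CA_FILE} -ca-key ${PATH_TO_CA_KEY} -config ${PATH_TO_CA_CONFIG} -profile ${profile} ${csr_config} | cfssljson -bare ${out_name}"
    exit 1
  fi
}

#######################################
# Build and verify the PKCS12 keystore and truststore for one role, then
# write its password file.
# Globals:   PATH_TO_CA_FILE (read); the env var named by $3 (read, exported)
# Arguments: $1 - asset name, $2 - role (server/client/peer),
#            $3 - name of the env var holding the role's keystore password
# Outputs:   ./$2-cert-chain.pem, ./$2-keystore.p12, ./$2-truststore.p12,
#            ./$2-keystore-password.txt
# Returns:   0 on success; exits 1 on the first failing step
#######################################
function _build_pkcs12_stores() {
  local tls_name="${1}" role="${2}" pw_var="${3}"
  # openssl/keytool read the password from the environment, so it must be exported
  export "${pw_var}"
  echo "generating ${tls_name} - ${role} pkcs12 keystore"
  # no intermediate certs assume this is coming soon
  if ! cat "./${role}.pem" "${PATH_TO_CA_FILE}" > "./${role}-cert-chain.pem"; then
    red "${tls_name} - failed to build ${role} cert chain from ./${role}.pem and ${PATH_TO_CA_FILE} - stopping"
    exit 1
  fi
  _run_or_die "${tls_name} - failed to create ${role} pkcs12 keystore file" \
    openssl pkcs12 -export -certfile "${PATH_TO_CA_FILE}" -in "./${role}-cert-chain.pem" -inkey "./${role}-key.pem" -name "${tls_name}" -out "${role}-keystore.p12" -passout "env:${pw_var}" -passin "env:${pw_var}"
  echo "verifying ${tls_name} - ${role} pkcs12 keystore"
  _run_or_die "${tls_name} - failed to verify ${role} pkcs12 keystore file" \
    keytool -list -storetype PKCS12 -keystore "./${role}-keystore.p12" -storepass:env "${pw_var}"
  echo "generating ${tls_name} - ${role} pkcs12 truststore"
  _run_or_die "${tls_name} - failed to generate ${role} pkcs12 truststore file" \
    keytool -importcert -storetype PKCS12 -keystore "${role}-truststore.p12" -storepass:env "${pw_var}" -alias CARoot -file "./${role}-cert-chain.pem" -noprompt
  echo "verifying ${tls_name} - ${role} pkcs12 truststore"
  _run_or_die "${tls_name} - failed to verify ${role} pkcs12 truststore file" \
    keytool -list -storetype PKCS12 -keystore "${role}-truststore.p12" -storepass:env "${pw_var}"
  echo "creating ${tls_name} - ${role} password file"
  _write_password_file "${tls_name}" "${pw_var}" "./${role}-keystore-password.txt"
}

#######################################
# Convert one role's PKCS12 keystore to JKS, import the CA and the cert chain
# into it, build the JKS truststore and write the JKS password file.
# Globals:   PATH_TO_CA_FILE (read); the env var named by $3 (read, exported)
# Arguments: $1 - asset name, $2 - role (server/client/peer),
#            $3 - name of the env var holding the role's keystore password
# Outputs:   ./$2-keystore.jks, ./$2-truststore.jks, ./$2-jks-keystore-password.txt
# Returns:   0 on success; exits 1 on the first failing step
#######################################
function _build_jks_stores() {
  local tls_name="${1}" role="${2}" pw_var="${3}"
  export "${pw_var}"
  yellow "converting ${tls_name} - pkcs12 ${role}-keystore.p12 to jks ${role}-keystore.jks"
  _run_or_die "${tls_name} - failed to convert pkcs12 keystore to jks keystore" \
    keytool -importkeystore -deststorepass:env "${pw_var}" -destkeypass:env "${pw_var}" -destkeystore "${role}-keystore.jks" -srckeystore "${role}-keystore.p12" -srcstoretype PKCS12 -srcstorepass:env "${pw_var}" -alias "${tls_name}"
  _write_password_file "${tls_name}" "${pw_var}" "./${role}-jks-keystore-password.txt"
  yellow "import ${tls_name} - keystore jks with alias=CARoot and CA=${PATH_TO_CA_FILE}"
  _run_or_die "${tls_name} - failed to import CA=${PATH_TO_CA_FILE}" \
    keytool -keystore "${role}-keystore.jks" -noprompt -alias CARoot -import -file "${PATH_TO_CA_FILE}" -storepass:env "${pw_var}" -keypass:env "${pw_var}"
  yellow "import ${tls_name} - keystore jks chain alias=${tls_name} and CA=${PATH_TO_CA_FILE}"
  _run_or_die "${tls_name} - failed to import ${role} cert chain into jks file" \
    keytool -keystore "${role}-keystore.jks" -noprompt -alias "${tls_name}" -import -file "${role}-cert-chain.pem" -storepass:env "${pw_var}" -keypass:env "${pw_var}"
  yellow "creating ${tls_name} - truststore jks with alias=CARoot and CA=${PATH_TO_CA_FILE}"
  _run_or_die "${tls_name} - failed to create ${role} truststore jks file" \
    keytool -keystore "${role}-truststore.jks" -noprompt -alias CARoot -import -file "${PATH_TO_CA_FILE}" -storepass:env "${pw_var}" -keypass:env "${pw_var}"
}

#######################################
# Build every TLS artifact for one asset directory (the current dir):
# server/peer/client certs from the CA, then PKCS12 and JKS key/trust stores
# plus plaintext password files for each role. Step order matches the
# previous implementation: certs first, then all PKCS12 stores, then all JKS.
# Globals:   PATH_TO_CA_*, PASSWORD_SERVER_KEYSTORE, PASSWORD_CLIENT_KEYSTORE,
#            PASSWORD_PEER_KEYSTORE (read)
# Arguments: $1 - asset name, used as the keystore alias and in messages
# Outputs:   certificate, keystore, truststore and password files in the current dir
# Returns:   0 on success; exits 1 on the first failing step
#######################################
function build_tls_asset() {
  local tls_name="${1}"
  local path_to_tls_config="./cfssl-server-csr.json"
  echo "removing previous ${tls_name} assets"
  # unmatched globs are silenced on purpose; this also removes old password files
  rm ./*.p12 ./*.txt ./*.pem ./*.csr ./*.pkcs12 ./*.jks > /dev/null 2>&1
  _gen_cert "${tls_name}" server server "${path_to_tls_config}"
  # the peer cert is deliberately issued from the server profile
  _gen_cert "${tls_name}" server peer "${path_to_tls_config}"
  _gen_cert "${tls_name}" client client "${path_to_tls_config}"
  _build_pkcs12_stores "${tls_name}" server PASSWORD_SERVER_KEYSTORE
  _build_pkcs12_stores "${tls_name}" client PASSWORD_CLIENT_KEYSTORE
  _build_pkcs12_stores "${tls_name}" peer PASSWORD_PEER_KEYSTORE
  _build_jks_stores "${tls_name}" server PASSWORD_SERVER_KEYSTORE
  _build_jks_stores "${tls_name}" client PASSWORD_CLIENT_KEYSTORE
  _build_jks_stores "${tls_name}" peer PASSWORD_PEER_KEYSTORE
}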
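#######################################
# Build the TLS assets for every sub-directory holding a cfssl-server-csr.json.
# Globals:   none written
# Arguments: none
# Outputs:   progress via yellow; errors via red
# Returns:   0; exits 1 when an asset dir cannot be entered or its build fails
#######################################
function build_all_assets() {
  local csr_path asset_name
  # glob instead of parsing ls; an unmatched pattern stays literal, so skip it
  for csr_path in ./*/cfssl-server-csr.json; do
    [[ -e "${csr_path}" ]] || continue
    asset_name="${csr_path%/cfssl-server-csr.json}"
    asset_name="${asset_name#./}"
    yellow "building: ${asset_name}"
    # run in a subshell so a failed cd can never leave the build (and its rm
    # of *.pem/*.p12/...) running in the wrong directory, and so the build's
    # own `exit 1` surfaces here as a non-zero status
    (
      cd "${asset_name}" || { red "failed to change to asset dir: ${asset_name}"; exit 1; }
      build_tls_asset "${asset_name}"
    ) || exit 1
  done
}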
# Entry point: ensure the CA exists, build every asset directory, report success.
main() {
  build_ca
  build_all_assets
  green "done"
}
main "$@"
exit 0