2016-08-03 17:29:18 -04:00
|
|
|
PASSWORD=changeit
|
|
|
|
KEYSTORE=keystore.jks
|
|
|
|
HOSTNAME=localhost
|
2016-08-04 11:54:02 -04:00
|
|
|
CLIENTNAME=cid
|
2019-02-03 05:06:37 -05:00
|
|
|
CLIENT_PRIVATE_KEY="${CLIENTNAME}_pk"
|
2016-08-07 19:55:42 -04:00
|
|
|
|
2016-08-03 17:29:18 -04:00
|
|
|
# CN = Common Name
|
|
|
|
# OU = Organization Unit
|
|
|
|
# O = Organization Name
|
|
|
|
# L = Locality Name
|
|
|
|
# ST = State Name
|
|
|
|
# C = Country (2-letter Country Code)
|
|
|
|
# E = Email
|
|
|
|
DNAME_CA='CN=Baeldung CA,OU=baeldung.com,O=Baeldung,L=SomeCity,ST=SomeState,C=CC'
|
|
|
|
# For server certificates, the Common Name (CN) must be the hostname
|
|
|
|
DNAME_HOST='CN=$(HOSTNAME),OU=baeldung.com,O=Baeldung,L=SomeCity,ST=SomeState,C=CC'
|
2016-08-04 11:54:02 -04:00
|
|
|
DNAME_CLIENT='CN=$(CLIENTNAME),OU=baeldung.com,O=Baeldung,L=SomeCity,ST=SomeState,C=CC'
|
2016-08-03 17:29:18 -04:00
|
|
|
TRUSTSTORE=truststore.jks
|
|
|
|
|
|
|
|
all: clean create-keystore add-host create-truststore add-client
|
|
|
|
|
|
|
|
create-keystore:
|
|
|
|
# Generate a certificate authority (CA)
|
2018-08-01 19:14:08 -04:00
|
|
|
keytool -genkey -alias ca -ext san=dns:localhost,ip:127.0.0.1 -ext BC=ca:true \
|
2016-08-03 17:29:18 -04:00
|
|
|
-keyalg RSA -keysize 4096 -sigalg SHA512withRSA -keypass $(PASSWORD) \
|
|
|
|
-validity 3650 -dname $(DNAME_CA) \
|
|
|
|
-keystore $(KEYSTORE) -storepass $(PASSWORD)
|
|
|
|
|
|
|
|
add-host:
|
|
|
|
# Generate a host certificate
|
2018-08-01 19:14:08 -04:00
|
|
|
keytool -genkey -alias $(HOSTNAME) -ext san=dns:localhost,ip:127.0.0.1 \
|
2016-08-03 17:29:18 -04:00
|
|
|
-keyalg RSA -keysize 4096 -sigalg SHA512withRSA -keypass $(PASSWORD) \
|
|
|
|
-validity 3650 -dname $(DNAME_HOST) \
|
|
|
|
-keystore $(KEYSTORE) -storepass $(PASSWORD)
|
|
|
|
# Generate a host certificate signing request
|
2018-08-01 19:14:08 -04:00
|
|
|
keytool -certreq -alias $(HOSTNAME) -ext san=dns:localhost,ip:127.0.0.1 -ext BC=ca:true \
|
2016-08-03 17:29:18 -04:00
|
|
|
-keyalg RSA -keysize 4096 -sigalg SHA512withRSA \
|
|
|
|
-validity 3650 -file "$(HOSTNAME).csr" \
|
|
|
|
-keystore $(KEYSTORE) -storepass $(PASSWORD)
|
|
|
|
# Generate signed certificate with the certificate authority
|
2018-08-01 19:14:08 -04:00
|
|
|
keytool -gencert -alias ca -ext san=dns:localhost,ip:127.0.0.1 \
|
2016-08-03 17:29:18 -04:00
|
|
|
-validity 3650 -sigalg SHA512withRSA \
|
|
|
|
-infile "$(HOSTNAME).csr" -outfile "$(HOSTNAME).crt" -rfc \
|
|
|
|
-keystore $(KEYSTORE) -storepass $(PASSWORD)
|
|
|
|
# Import signed certificate into the keystore
|
2018-08-01 19:14:08 -04:00
|
|
|
keytool -import -trustcacerts -alias $(HOSTNAME) -ext san=dns:localhost,ip:127.0.0.1 \
|
2016-08-03 17:29:18 -04:00
|
|
|
-file "$(HOSTNAME).crt" \
|
|
|
|
-keystore $(KEYSTORE) -storepass $(PASSWORD)
|
|
|
|
|
2016-08-04 11:54:02 -04:00
|
|
|
export-authority:
|
|
|
|
# Export certificate authority
|
2018-08-01 19:14:08 -04:00
|
|
|
keytool -export -alias ca -ext san=dns:localhost,ip:127.0.0.1 -file ca.crt -rfc \
|
2016-08-03 17:29:18 -04:00
|
|
|
-keystore $(KEYSTORE) -storepass $(PASSWORD)
|
2016-08-04 11:54:02 -04:00
|
|
|
|
|
|
|
|
|
|
|
create-truststore: export-authority
|
|
|
|
# Import certificate authority into a new truststore
|
2018-08-01 19:14:08 -04:00
|
|
|
keytool -import -trustcacerts -noprompt -alias ca -ext san=dns:localhost,ip:127.0.0.1 -file ca.crt \
|
2016-08-03 17:29:18 -04:00
|
|
|
-keystore $(TRUSTSTORE) -storepass $(PASSWORD)
|
|
|
|
|
|
|
|
add-client:
|
|
|
|
# Generate client certificate
|
2019-02-03 05:06:37 -05:00
|
|
|
keytool -genkey -alias $(CLIENT_PRIVATE_KEY) -ext san=dns:localhost,ip:127.0.0.1 \
|
2016-08-03 17:29:18 -04:00
|
|
|
-keyalg RSA -keysize 4096 -sigalg SHA512withRSA -keypass $(PASSWORD) \
|
2016-08-04 11:54:02 -04:00
|
|
|
-validity 3650 -dname $(DNAME_CLIENT) \
|
2016-08-03 17:29:18 -04:00
|
|
|
-keystore $(TRUSTSTORE) -storepass $(PASSWORD)
|
|
|
|
# Generate a host certificate signing request
|
2019-02-03 05:06:37 -05:00
|
|
|
keytool -certreq -alias $(CLIENT_PRIVATE_KEY) -ext san=dns:localhost,ip:127.0.0.1 -ext BC=ca:true \
|
2016-08-03 17:29:18 -04:00
|
|
|
-keyalg RSA -keysize 4096 -sigalg SHA512withRSA \
|
|
|
|
-validity 3650 -file "$(CLIENTNAME).csr" \
|
|
|
|
-keystore $(TRUSTSTORE) -storepass $(PASSWORD)
|
|
|
|
# Generate signed certificate with the certificate authority
|
2018-08-01 19:14:08 -04:00
|
|
|
keytool -gencert -alias ca -ext san=dns:localhost,ip:127.0.0.1 \
|
2016-08-03 17:29:18 -04:00
|
|
|
-validity 3650 -sigalg SHA512withRSA \
|
|
|
|
-infile "$(CLIENTNAME).csr" -outfile "$(CLIENTNAME).crt" -rfc \
|
|
|
|
-keystore $(KEYSTORE) -storepass $(PASSWORD)
|
|
|
|
# Import signed certificate into the truststore
|
2018-08-01 19:14:08 -04:00
|
|
|
keytool -import -trustcacerts -alias $(CLIENTNAME) -ext san=dns:localhost,ip:127.0.0.1 \
|
2016-08-03 17:29:18 -04:00
|
|
|
-file "$(CLIENTNAME).crt" \
|
|
|
|
-keystore $(TRUSTSTORE) -storepass $(PASSWORD)
|
2016-08-07 19:55:42 -04:00
|
|
|
# Export private certificate for importing into a browser
|
2019-02-03 05:06:37 -05:00
|
|
|
keytool -importkeystore -srcalias $(CLIENT_PRIVATE_KEY) -ext san=dns:localhost,ip:127.0.0.1 \
|
2016-08-07 19:55:42 -04:00
|
|
|
-srckeystore $(TRUSTSTORE) -srcstorepass $(PASSWORD) \
|
|
|
|
-destkeystore "$(CLIENTNAME).p12" -deststorepass $(PASSWORD) \
|
|
|
|
-deststoretype PKCS12
|
2019-02-03 05:06:37 -05:00
|
|
|
# Delete client private key as truststore should not contain any private keys
|
|
|
|
keytool -delete -alias $(CLIENT_PRIVATE_KEY) \
|
|
|
|
-keystore $(TRUSTSTORE) -storepass $(PASSWORD)
|
2016-08-03 17:29:18 -04:00
|
|
|
|
|
|
|
clean:
|
2016-08-04 11:54:02 -04:00
|
|
|
# Remove generated artifacts
|
2018-07-17 15:46:32 -04:00
|
|
|
find . \( -name "$(CLIENTNAME)*" -o -name "$(HOSTNAME)*" -o -name "$(KEYSTORE)" -o -name "$(TRUSTSTORE)" -o -name ca.crt \) -type f -exec rm -f {} \;
|