#!/bin/sh
#
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
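# Generate the PEM format keys and certificates for the CA, server and client
# and JKS trust store and key stores for java clients.
#
# Run from the directory that should receive the generated files. A file
# mosquitto.org.crt must already be present there: it is imported into
# clientTrustStore.jks as a trusted CA below, so obtain it out of band and
# confirm its provenance before running this script.
#
# Consistent with the test's expectations,
# "passw0rd" is used in all cases where a pass phrase is used.
# It is a throw-away test secret only: 'set -x' below traces every command,
# including the pass:/-storepass arguments, and those arguments are also
# visible to other users via 'ps' while a command runs.
#
# hints:
# - to see the textual contents of a PEM certificate file:
# openssl x509 -text -in server.crt
#
# - to see the textual contents of a PEM RSA key file:
# openssl rsa -text -in server.key # will prompt for a pass phrase if encrypted
#
USAGE=$(basename -- "$0")
# -e: stop at the first failing openssl/keytool step; -u: an unset variable is an error.
set -eu
set -x

# Single definition of the test pass phrase used by every openssl/keytool call.
readonly PASSPHRASE=passw0rd
# Certificate lifetime in days (20 years) -- acceptable for test fixtures only.
readonly DAYS=7300
# External CA certificate imported into the trust store; not generated here.
readonly EXTERNAL_CA_CRT=mosquitto.org.crt

# Check the one external input up front: failing half-way through under
# 'set -e' would leave a partial set of keys and stores behind.
if [ ! -f "$EXTERNAL_CA_CRT" ]; then
  echo "$USAGE: required file $EXTERNAL_CA_CRT not found in $(pwd)" >&2
  exit 1
fi

# ================================================================
# Generating CA, server, and client keys/certificates for use with mosquitto
# https://mosquitto.org/man/mosquitto-tls-7.html
#
# Pay heed to: "It is important to use different certificate subject parameters for your CA, server and clients"
echo;echo ===== Generating CA, server, and client keys/certificates

echo;echo ===== Generate encrypted RSA CA key and certificate
# The CA private key is written encrypted (-passout); the heredoc answers the
# interactive subject prompts (C, ST, L, O, OU, CN, email).
openssl req -new -x509 -days "$DAYS" -passout "pass:$PASSPHRASE" -extensions v3_ca \
-keyout ca.key -out ca.crt <<xxEOFxx
US
MA
Littleton
IBM
Edgent
My Test Mosquitto CA
foo@test.org
xxEOFxx

echo;echo ===== Generate unencrypted RSA Server key
# Unencrypted on purpose: the broker has to load it without a pass phrase.
openssl genrsa -out server.key 2048

echo;echo ===== Generate an encrypted server certificate signing request to send to the CA.
# NOTE(review): a CSR is not itself encrypted; -passout only governs a newly
# written private key, and this call reuses server.key. Kept for parity with
# the original invocation.
openssl req -new -passout "pass:$PASSPHRASE" -out server.csr -key server.key <<xxEOFxx
US
MA
Littleton
IBM
Edgent
My Test Mosquitto Server
foo@test.org
xxEOFxx

echo;echo ===== Generate the Server cert by signing the certificate request with the CA key
# -passin unlocks the encrypted CA key; -CAcreateserial creates ca.srl if absent.
openssl x509 -req -passin "pass:$PASSPHRASE" -in server.csr -out server.crt \
-days "$DAYS" -CA ca.crt -CAkey ca.key -CAcreateserial

echo;echo ===== Generate an unencrypted RSA Client key
openssl genrsa -out client.key 2048

echo;echo ===== Generate an encrypted client certificate signing request to send to the CA.
# Same note as for the server CSR above: -passout has no effect on the CSR.
openssl req -new -passout "pass:$PASSPHRASE" -out client.csr -key client.key <<xxEOFxx
US
MA
Littleton
IBM
Edgent
My Test Mosquitto Client
foo@test.org
xxEOFxx

echo;echo ===== Generate the Client cert by signing the certificate request with the CA key.
openssl x509 -req -passin "pass:$PASSPHRASE" -in client.csr -out client.crt \
-days "$DAYS" -CA ca.crt -CAkey ca.key -CAcreateserial

# ================================================================
# Create the JKS stores for java clients
# https://docs.oracle.com/cd/E35976_01/server.740/es_admin/src/tadm_ssl_convert_pem_to_jks.html
echo;echo ===== Create JKS stores for MqttStreams '(paho client)'

echo;echo ===== Create clientTrustStore.jks
# keytool cannot create an empty store directly: generate a throw-away entry
# (alias xyzzy) so the store file exists, then delete the entry again.
echo;echo ===== Create an empty clientTrustStore.jks
keytool -genkey -keyalg RSA -alias xyzzy \
-dname 'CN=foo.example.com,L=Melbourne,ST=Victoria,C=AU' \
-keypass "$PASSPHRASE" -keystore clientTrustStore.jks -storepass "$PASSPHRASE"
keytool -delete -alias xyzzy \
-keystore clientTrustStore.jks -storepass "$PASSPHRASE"

echo;echo ===== Add the CA cert to the clientTrustStore.jks
# The heredoc "yes" answers keytool's "Trust this certificate?" prompt when
# it is shown (keytool -noprompt is the non-interactive equivalent).
keytool -import -v -trustcacerts -alias my-mosquitto-ca -file ca.crt \
-keystore clientTrustStore.jks -storepass "$PASSPHRASE" <<xxEOFxx
yes
xxEOFxx

echo;echo ===== Add the mosquitto.org cert to clientTrustStore.jks
# Anything trusted here is trusted by every java client using this store;
# the file's existence was checked at the top, its provenance is up to the caller.
keytool -import -v -trustcacerts -alias mosquitto.org -file "$EXTERNAL_CA_CRT" \
-keystore clientTrustStore.jks -storepass "$PASSPHRASE" <<xxEOFxx
yes
xxEOFxx

echo;echo ===== Create clientKeyStore.jks
# Same empty-store trick as for the trust store above.
echo;echo ===== Create an empty clientKeyStore.jks
keytool -genkey -keyalg RSA -alias xyzzy \
-dname 'CN=foo.example.com,L=Melbourne,ST=Victoria,C=AU' \
-keypass "$PASSPHRASE" -keystore clientKeyStore.jks -storepass "$PASSPHRASE"
keytool -delete -alias xyzzy \
-keystore clientKeyStore.jks -storepass "$PASSPHRASE"

echo;echo ===== Add the client key to clientKeyStore.jks '(PEM => pkcs12 => jks)'
# keytool cannot import a bare PEM key: bundle key + cert + CA cert into a
# PKCS12 file first, then import that whole store into the JKS store.
openssl pkcs12 -export -out client.p12 -passout "pass:$PASSPHRASE" \
-passin "pass:$PASSPHRASE" -inkey client.key -in client.crt -certfile ca.crt
keytool -v -importkeystore \
-srckeystore client.p12 -srcstorepass "$PASSPHRASE" -srcstoretype PKCS12 \
-destkeystore clientKeyStore.jks -deststorepass "$PASSPHRASE" -deststoretype JKS

# show store contents
echo;echo ===== clientTrustStore
keytool -list -storepass "$PASSPHRASE" -keystore clientTrustStore.jks
echo;echo ===== clientKeyStore
keytool -list -storepass "$PASSPHRASE" -keystore clientKeyStore.jks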