blob: 91d8cf35b25b35697a0e07ae47f4f2b087afc3d0 [file] [log] [blame]
#
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
#
# The various PKCS12 SSL stores and certificates were created with the following commands:
# Seems to require the JDK8 keytool.
# Clean up existing files
# -----------------------
rm -f *.crt *.csr *.keystore *.truststore
# Create a key and self-signed certificate for the CA, to sign certificate requests and use for trust:
# ----------------------------------------------------------------------------------------------------
keytool -storetype jks -keystore ca-jks.keystore -storepass password -keypass password -alias ca -genkey -dname "O=My Trusted Inc.,CN=my-ca.org" -validity 9999 -ext bc:c=ca:true
keytool -storetype jks -keystore ca-jks.keystore -storepass password -alias ca -exportcert -rfc > ca.crt
# Create a key pair for the server, and sign it with the CA:
# ----------------------------------------------------------
keytool -storetype jks -keystore server-jks.keystore -storepass password -keypass password -alias server -genkey -dname "O=Server,CN=localhost" -validity 9999 -ext bc=ca:false -ext eku=sA
keytool -storetype jks -keystore server-jks.keystore -storepass password -alias server -certreq -file server.csr
keytool -storetype jks -keystore ca-jks.keystore -storepass password -alias ca -gencert -rfc -infile server.csr -outfile server.crt -validity 9999 -ext bc=ca:false -ext eku=sA
keytool -storetype jks -keystore server-jks.keystore -storepass password -keypass password -importcert -alias ca -file ca.crt -noprompt
keytool -storetype jks -keystore server-jks.keystore -storepass password -keypass password -importcert -alias server -file server.crt
# Create trust store for the server, import the CA cert:
# -------------------------------------------------------
keytool -storetype jks -keystore server-jks.truststore -storepass password -keypass password -importcert -alias ca -file ca.crt -noprompt
# Create a key pair for a client, and sign it with the CA:
# ----------------------------------------------------------
keytool -storetype jks -keystore client-jks.keystore -storepass password -keypass password -alias client -genkey -dname "O=Client,CN=client" -validity 9999 -ext bc=ca:false -ext eku=cA
keytool -storetype jks -keystore client-jks.keystore -storepass password -alias client -certreq -file client.csr
keytool -storetype jks -keystore ca-jks.keystore -storepass password -alias ca -gencert -rfc -infile client.csr -outfile client.crt -validity 9999 -ext bc=ca:false -ext eku=cA
keytool -storetype jks -keystore client-jks.keystore -storepass password -keypass password -importcert -alias ca -file ca.crt -noprompt
keytool -storetype jks -keystore client-jks.keystore -storepass password -keypass password -importcert -alias client -file client.crt
# Create trust store for the client, import the CA cert:
# -------------------------------------------------------
keytool -storetype jks -keystore client-jks.truststore -storepass password -keypass password -importcert -alias ca -file ca.crt -noprompt