This is an automated email from the ASF dual-hosted git repository. apucher pushed a commit to branch pinot-broker-https-discussion in repository https://gitbox.apache.org/repos/asf/incubator-pinot.git
commit 40096f28f4dfa97b490bb6f231a807d04c935822
Author: Alexander Pucher <[email protected]>
AuthorDate: Mon Jan 4 12:06:50 2021 -0800
cert scripts
---
 create-certs.sh | 46 ++++++++++++++++++++++++++++++++++++++++
 push-truststore.sh | 62 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 108 insertions(+)
diff --git a/create-certs.sh b/create-certs.sh
new file mode 100755
index 0000000..2161e22
--- /dev/null
+++ b/create-certs.sh
@@ -0,0 +1,46 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
+DOMAIN="192.168.64.82.xip.io"
+
+KEY_DIR="$DIR/truststore"
+
+mkdir -p $KEY_DIR
+rm $KEY_DIR/*.pem
+
+echo "1. Generate CA's private key and self-signed certificate"
+openssl req -x509 -newkey rsa:4096 -days 365 -nodes -keyout "$KEY_DIR/ca-key.pem" -out "$KEY_DIR/ca-cert.pem" -subj "/C=US/ST=Someplace/L=Somewhere/O=Apache Pinot/OU=Education/CN=*.example.org/[email protected]"
+
+#echo "CA's self-signed certificate"
+#openssl x509 -in "$KEY_DIR/ca-cert.pem" -noout -text
+
+echo "2. Generate web server's private key and certificate signing request (CSR)"
+openssl req -newkey rsa:4096 -nodes -keyout "$KEY_DIR/key.pem" -out "$KEY_DIR/req.pem" -subj "/C=US/ST=Someplace/L=Somewhere/O=Apache Pinot/OU=Education/CN=*.$DOMAIN/[email protected]"
+
+echo "3. Use CA's private key to sign web server's CSR and get back the signed certificate"
+echo "subjectAltName=DNS:*.$DOMAIN,IP:0.0.0.0" > "$KEY_DIR/ext.cnf"
+openssl x509 -req -in "$KEY_DIR/req.pem" -days 60 -CA "$KEY_DIR/ca-cert.pem" -CAkey "$KEY_DIR/ca-key.pem" -CAcreateserial -out "$KEY_DIR/cert.pem" -extfile "$KEY_DIR/ext.cnf"
+
+#echo "Server's signed certificate"
+#openssl x509 -in "$KEY_DIR/cert.pem" -noout -text
+
+echo "Verifying certificate"
+openssl verify -CAfile "$KEY_DIR/ca-cert.pem" "$KEY_DIR/cert.pem"
+
diff --git a/push-truststore.sh b/push-truststore.sh
new file mode 100755
index 0000000..5a4ed61
--- /dev/null
+++ b/push-truststore.sh
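Review bot: create-certs.sh is added with mode 100755 but has no shebang and no `set -euo pipefail`, so `./create-certs.sh` runs under whatever shell the kernel falls back to (the `${BASH_SOURCE[0]}` line is bash-only) and a failing `openssl req` step is silently followed by signing and verifying whatever is left in the directory; the same applies to push-truststore.sh in the next hunk. Add `#!/usr/bin/env bash` and `set -euo pipefail` as the first lines of both files. The CA and server private keys are written with `-nodes` under the caller's default umask, which presumably leaves them readable by other users; an `umask 077` before the `mkdir -p` keeps the whole truststore directory private. The two path expansions on the `mkdir`/`rm` lines should also be quoted, and `rm` should not fail on a fresh checkout where no .pem exists yet: `mkdir -p "$KEY_DIR"` and `rm -f -- "$KEY_DIR"/*.pem` (note `-CAcreateserial` also leaves a `ca-cert.srl` that this cleanup never removes).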
@@ -0,0 +1,62 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
+JAVA_HOME="/Library/Java/JavaVirtualMachines/jdk-13.0.2.jdk/Contents/Home"
+
+CONFIG_DIR="$DIR/truststore"
+KEY_TOOL=$JAVA_HOME/bin/keytool
+KEYSTORE_PASSWORD="changeit"
+
+TRUST_STORE=$CONFIG_DIR/generated.truststore.jks
+KEY_STORE=$CONFIG_DIR/generated.keystore.jks
+P12_STORE=$CONFIG_DIR/generated.key.p12
+
+echo "removing any old generated files"
+rm -f $TRUST_STORE $KEY_STORE $P12_STORE
+echo "writing trust store"
+
+$KEY_TOOL \
+ -noprompt \
+ -import \
+ -storepass $KEYSTORE_PASSWORD \
+ -keystore $TRUST_STORE \
+ -storetype PKCS12 \
+ -file $CONFIG_DIR/ca-cert.pem
+echo "converting key/cert into PKCS12"
+
+openssl pkcs12 \
+ -export \
+ -in $CONFIG_DIR/cert.pem \
+ -inkey $CONFIG_DIR/key.pem \
+ -out $P12_STORE \
+ -password pass:$KEYSTORE_PASSWORD \
+ -name localhost
+echo "writing key store"
+
+$KEY_TOOL -importkeystore \
+ -deststorepass $KEYSTORE_PASSWORD \
+ -destkeypass $KEYSTORE_PASSWORD \
+ -destkeystore $KEY_STORE \
+ -deststoretype PKCS12 \
+ -srckeystore $P12_STORE \
+ -srcstoretype PKCS12 \
+ -srcstorepass $KEYSTORE_PASSWORD \
+ -srckeypass $KEYSTORE_PASSWORD \
+ -alias localhost
--------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
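Review bot: `JAVA_HOME` is overwritten with a single machine's macOS path on line 21, so `$KEY_TOOL` does not exist on any other host and the script discards a `JAVA_HOME` the caller already had set; use `JAVA_HOME="${JAVA_HOME:-/Library/Java/JavaVirtualMachines/jdk-13.0.2.jdk/Contents/Home}"` and `KEY_TOOL="$JAVA_HOME/bin/keytool"`, and fail early with `[[ -x "$KEY_TOOL" ]] || { echo "keytool not found at $KEY_TOOL" >&2; exit 1; }`. The store password is passed on the command line to both keytool (`-storepass`, `-deststorepass`, ...) and openssl (`-password pass:`), where it shows up in `ps` and in any `set -x` trace; with the fixed `changeit` value that is acceptable for a generated dev truststore, but a comment saying so would stop someone reusing the script with a real secret, where keytool's `-storepass:env KEYSTORE_PASSWORD` and openssl's `-password env:KEYSTORE_PASSWORD` are the safer forms. Every path expansion (`$TRUST_STORE`, `$P12_STORE`, `$CONFIG_DIR/cert.pem`, ...) is unquoted, and since `$DIR` is derived from wherever the repository is checked out, a path containing a space breaks each of the three commands; quote them as `"$TRUST_STORE"` etc.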
