
Revisions

  1. @granella granella created this gist Jun 27, 2016.
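--- a/generate-certificate-chain.sh
+++ b/generate-certificate-chain.sh
@@ -0,0 +1,56 @@
+#!/bin/bash
+
+rm *.jks 2> /dev/null
+rm *.pem 2> /dev/null
+
+echo "===================================================="
+echo "Creating fake third-party chain root -> ca"
+echo "===================================================="
+
+# generate private keys (for root and ca)
+
+keytool -genkeypair -alias root -dname "cn=Local Network - Development" -validity 10000 -keyalg RSA -keysize 2048 -ext bc:c -keystore root.jks -keypass password -storepass password
+keytool -genkeypair -alias ca -dname "cn=Local Network - Development" -validity 10000 -keyalg RSA -keysize 2048 -ext bc:c -keystore ca.jks -keypass password -storepass password
+
+# generate root certificate
+
+keytool -exportcert -rfc -keystore root.jks -alias root -storepass password > root.pem
+
+# generate a certificate for ca signed by root (root -> ca)
+
+keytool -keystore ca.jks -storepass password -certreq -alias ca \
+| keytool -keystore root.jks -storepass password -gencert -alias root -ext bc=0 -ext san=dns:ca -rfc > ca.pem
+
+# import ca cert chain into ca.jks
+
+keytool -keystore ca.jks -storepass password -importcert -trustcacerts -noprompt -alias root -file root.pem
+keytool -keystore ca.jks -storepass password -importcert -alias ca -file ca.pem
+
+echo "===================================================================="
+echo "Fake third-party chain generated. Now generating my-keystore.jks ..."
+echo "===================================================================="
+
+# generate private keys (for server)
+
+keytool -genkeypair -alias server -dname cn=server -validity 10000 -keyalg RSA -keysize 2048 -keystore my-keystore.jks -keypass password -storepass password
+
+# generate a certificate for server signed by ca (root -> ca -> server)
+
+keytool -keystore my-keystore.jks -storepass password -certreq -alias server \
+| keytool -keystore ca.jks -storepass password -gencert -alias ca -ext ku:c=dig,keyEnc -ext "san=dns:localhost,ip:192.1.1.18" -ext eku=sa,ca -rfc > server.pem
+
+# import server cert chain into my-keystore.jks
+
+keytool -keystore my-keystore.jks -storepass password -importcert -trustcacerts -noprompt -alias root -file root.pem
+keytool -keystore my-keystore.jks -storepass password -importcert -alias ca -file ca.pem
+keytool -keystore my-keystore.jks -storepass password -importcert -alias server -file server.pem
+
+echo "================================================="
+echo "Keystore generated. Now generating truststore ..."
+echo "================================================="
+
+# import server cert chain into my-truststore.jks
+
+keytool -keystore my-truststore.jks -storepass password -importcert -trustcacerts -noprompt -alias root -file root.pem
+keytool -keystore my-truststore.jks -storepass password -importcert -alias ca -file ca.pem
+keytool -keystore my-truststore.jks -storepass password -importcert -alias server -file server.pem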
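Review bot: The two `rm *.jks` / `rm *.pem` lines at the top of the new file delete every keystore and PEM in whatever directory the script happens to be run from, not just the files this script creates, and with no `set -e` a failed keytool step lets the remaining steps run against a missing or stale artifact and still "succeed". Scope the cleanup to the script's own outputs and fail fast: `set -euo pipefail` after the shebang, and `rm -f -- root.jks ca.jks my-keystore.jks my-truststore.jks root.pem ca.pem server.pem` instead of the two globs. The keystore and key password appear as `-storepass password` / `-keypass password` on every command line, which is fine for a throwaway development chain but should be stated in a header comment so nobody reuses the script for anything that leaves the developer's machine, e.g. `# Dev-only: fixed password "password" is visible in argv/ps and shell history`. Root and ca are also generated with the identical `-dname "cn=Local Network - Development"`, so the ca certificate's subject equals its issuer; some chain builders may treat that as self-signed, so giving the intermediate a distinct CN (say `cn=Local Network - Development CA`) would be safer, though this is inferred rather than verified here.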