Create self-signed certificate with root and ca for development
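#!/bin/bash
# Build a throwaway PKI for local development with keytool:
#   root (self-signed) -> ca (signed by root) -> server (signed by ca)
# and package the result as my-keystore.jks (server key + full chain) and
# my-truststore.jks (the chain only, for clients).  Everything is regenerated
# from scratch on every run; existing *.jks / *.pem in the cwd are removed.
#
# Tunables (all optional; the defaults reproduce the original behaviour):
#   KEYSTORE_PASS  password for every keystore and key   (default: password)
#   SERVER_DNS     DNS name placed in the server cert SAN (default: localhost)
#   SERVER_IP      IP address placed in the server cert SAN (default: 192.1.1.18)
#   VALIDITY_DAYS  certificate lifetime in days            (default: 10000)
#
# Fail fast: a keytool step that errors out would otherwise leave a half-built
# chain that only fails later, at TLS handshake time.
set -euo pipefail

pass="${KEYSTORE_PASS:-password}"
server_dns="${SERVER_DNS:-localhost}"
server_ip="${SERVER_IP:-192.1.1.18}"
validity="${VALIDITY_DAYS:-10000}"
readonly pass server_dns server_ip validity

# NOTE: the password travels on the command line, so it is visible to other
# local users via `ps`. Fine for a dev-only keystore; for anything else prefer
# keytool's -storepass:env / -keypass:env forms.

# Start from a clean slate. -f: no error when nothing matches; --: no file named
# like an option can be misparsed.
rm -f -- *.jks *.pem

echo "===================================================="
echo "Creating fake third-party chain root -> ca"
echo "===================================================="
# generate private keys (for root and ca)
# bc:c = critical basicConstraints with CA:true, so both keys may sign certs.
# NOTE(review): root and ca share the same subject DN, so the ca cert is
# "self-issued" in RFC 5280 terms and the server cert's issuer DN matches both.
# Chain building relies on key identifiers to tell them apart — consider giving
# the ca a distinct DN if a client rejects the chain.
keytool -genkeypair -alias root -dname "cn=Local Network - Development" -validity "$validity" -keyalg RSA -keysize 2048 -ext bc:c -keystore root.jks -keypass "$pass" -storepass "$pass"
keytool -genkeypair -alias ca -dname "cn=Local Network - Development" -validity "$validity" -keyalg RSA -keysize 2048 -ext bc:c -keystore ca.jks -keypass "$pass" -storepass "$pass"
# export the self-signed root certificate (PEM)
keytool -exportcert -rfc -keystore root.jks -alias root -storepass "$pass" > root.pem
# generate a certificate for ca signed by root (root -> ca)
# bc=0 = CA:true with pathLen 0: ca may sign end-entity certs but no further CAs.
# With pipefail a failing -certreq stage now fails the whole pipeline.
keytool -keystore ca.jks -storepass "$pass" -certreq -alias ca \
  | keytool -keystore root.jks -storepass "$pass" -gencert -alias root -ext bc=0 -ext san=dns:ca -rfc > ca.pem
# import ca cert chain into ca.jks (root as trusted cert, then ca's own cert
# which replaces the self-signed one under alias ca)
keytool -keystore ca.jks -storepass "$pass" -importcert -trustcacerts -noprompt -alias root -file root.pem
keytool -keystore ca.jks -storepass "$pass" -importcert -alias ca -file ca.pem

echo "===================================================================="
echo "Fake third-party chain generated. Now generating my-keystore.jks ..."
echo "===================================================================="
# generate private key (for server); no bc extension: this is an end-entity key
keytool -genkeypair -alias server -dname cn=server -validity "$validity" -keyalg RSA -keysize 2048 -keystore my-keystore.jks -keypass "$pass" -storepass "$pass"
# generate a certificate for server signed by ca (root -> ca -> server)
#   ku:c=dig,keyEnc  critical keyUsage: digitalSignature + keyEncipherment
#   san=...          names clients will verify the hostname / IP against
#   eku=sa,ca        extendedKeyUsage: serverAuth + clientAuth
keytool -keystore my-keystore.jks -storepass "$pass" -certreq -alias server \
  | keytool -keystore ca.jks -storepass "$pass" -gencert -alias ca -ext ku:c=dig,keyEnc -ext "san=dns:${server_dns},ip:${server_ip}" -ext eku=sa,ca -rfc > server.pem
# import server cert chain into my-keystore.jks (root, ca, then server's own cert)
keytool -keystore my-keystore.jks -storepass "$pass" -importcert -trustcacerts -noprompt -alias root -file root.pem
keytool -keystore my-keystore.jks -storepass "$pass" -importcert -alias ca -file ca.pem
keytool -keystore my-keystore.jks -storepass "$pass" -importcert -alias server -file server.pem

echo "================================================="
echo "Keystore generated. Now generating truststore ..."
echo "================================================="
# import server cert chain into my-truststore.jks (certificates only, no keys)
keytool -keystore my-truststore.jks -storepass "$pass" -importcert -trustcacerts -noprompt -alias root -file root.pem
keytool -keystore my-truststore.jks -storepass "$pass" -importcert -alias ca -file ca.pem
keytool -keystore my-truststore.jks -storepass "$pass" -importcert -alias server -file server.pem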
Thanks but why do you use "-ext eku=sa,ca"?
It's an Extended Key Usage for TLS server authentication