@nhtzr
Last active July 16, 2018 21:47
How to create a self-signed certificate for Java/curl client authentication (remember to update the variables with your desired host, password and paths)
# Exercise the HTTPS connector with the client certificate (PKCS12 file and
# its password) and verify the server against the exported CA certificate.
curl -vv --cert-type P12 --cert 'client.p12:changeit' --cacert ca.crt https://localhost:8443
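# Output files and the password shared by every keystore and key entry
# (override on the command line, e.g. `make PASSWORD=... HOSTNAME=...`).
KEYSTORE=keystore.jks
TRUSTSTORE=truststore.jks
# keytool requires at least 6 characters. Replace this placeholder; note that
# the recipes pass it as a keytool argument, so it is visible in the process
# list and may be recorded in shell history.
PASSWORD=changeit
HOSTNAME=localhost
CLIENTNAME=client
# Subject name of the CA. Kept distinct from the host CN so an issued host
# certificate never carries an issuer equal to its own subject.
CANAME=$(HOSTNAME) CA
# Distinguished-name components shared by every certificate.
# CN = Common Name
# OU = Organization Unit
# O = Organization Name
# L = Locality Name
# ST = State Name
# C = Country (2-letter Country Code)
# E = Email
OU=OU
O=O
L=L
ST=ST
C=CC
# Single-quoted so the shell hands each DN to keytool as one argument.
DNAME_CA='CN=$(CANAME),OU=$(OU),O=$(O),L=$(L),ST=$(ST),C=$(C)'
DNAME_HOST='CN=$(HOSTNAME),OU=$(OU),O=$(O),L=$(L),ST=$(ST),C=$(C)'
DNAME_CLIENT='CN=$(CLIENTNAME),OU=$(OU),O=$(O),L=$(L),ST=$(ST),C=$(C)'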
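# These targets are imperative steps, not files: declare them phony so a
# stray file with the same name never makes one "up to date".
.PHONY: all clean create-keystore add-host export-authority create-truststore add-client
# `all` relies on its prerequisites running strictly left to right (each step
# writes to the keystore the previous one created), so parallel execution
# (`make -j`) would race on the same keystore file.
.NOTPARALLEL:
all: clean create-keystore add-host create-truststore add-client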
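create-keystore:
# Generate the certificate authority (CA) key pair and its self-signed
# certificate. BasicConstraints ca:true marks it as a CA; KeyUsage limits the
# key to signing certificates and CRLs.
	keytool -genkeypair -alias ca -ext BC=ca:true -ext KU=keyCertSign,cRLSign \
	-keyalg RSA -keysize 4096 -sigalg SHA512withRSA -keypass $(PASSWORD) \
	-validity 3650 -dname $(DNAME_CA) \
	-keystore $(KEYSTORE) -storepass $(PASSWORD)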
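add-host:
# Generate the host key pair (with a temporary self-signed certificate)
	keytool -genkeypair -alias $(HOSTNAME) \
	-keyalg RSA -keysize 4096 -sigalg SHA512withRSA -keypass $(PASSWORD) \
	-validity 3650 -dname $(DNAME_HOST) \
	-keystore $(KEYSTORE) -storepass $(PASSWORD)
# Generate a host certificate signing request. No BC=ca:true here: this is an
# end-entity certificate and must not be able to issue further certificates.
	keytool -certreq -alias $(HOSTNAME) -sigalg SHA512withRSA \
	-file "$(HOSTNAME).csr" \
	-keystore $(KEYSTORE) -storepass $(PASSWORD)
# Sign the request with the CA. The SAN carries the host name clients verify
# against; KeyUsage/ExtendedKeyUsage restrict the certificate to TLS server
# authentication.
	keytool -gencert -alias ca \
	-validity 3650 -sigalg SHA512withRSA \
	-ext SAN=dns:$(HOSTNAME) -ext KU=digitalSignature,keyEncipherment -ext EKU=serverAuth \
	-infile "$(HOSTNAME).csr" -outfile "$(HOSTNAME).crt" -rfc \
	-keystore $(KEYSTORE) -storepass $(PASSWORD)
# Install the signed certificate on the host's key entry (the CA is in the
# same keystore, so keytool can verify the reply chain)
	keytool -importcert -trustcacerts -alias $(HOSTNAME) \
	-file "$(HOSTNAME).crt" \
	-keystore $(KEYSTORE) -storepass $(PASSWORD)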
export-authority:
# Write the CA certificate out in PEM form (ca.crt) for distribution to
# clients and for the truststore step
	keytool -exportcert -rfc -alias ca -file ca.crt \
	-keystore $(KEYSTORE) -storepass $(PASSWORD)
create-truststore: export-authority
# Create the truststore with the CA certificate as its trusted entry
# (-noprompt skips the interactive "Trust this certificate?" confirmation)
	keytool -importcert -noprompt -trustcacerts -alias ca -file ca.crt \
	-keystore $(TRUSTSTORE) -storepass $(PASSWORD)
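add-client:
# Generate the client key pair in its own PKCS12 keystore. The previous recipe
# created it inside $(TRUSTSTORE); that file is deployed to the server as its
# trust anchor, so the client's private key would have shipped with it.
	keytool -genkeypair -alias $(CLIENTNAME) \
	-keyalg RSA -keysize 4096 -sigalg SHA512withRSA -keypass $(PASSWORD) \
	-validity 3650 -dname $(DNAME_CLIENT) \
	-keystore "$(CLIENTNAME).p12" -storetype PKCS12 -storepass $(PASSWORD)
# Generate a client certificate signing request. No BC=ca:true here: this is
# an end-entity certificate.
	keytool -certreq -alias $(CLIENTNAME) -sigalg SHA512withRSA \
	-file "$(CLIENTNAME).csr" \
	-keystore "$(CLIENTNAME).p12" -storetype PKCS12 -storepass $(PASSWORD)
# Sign the request with the CA (its private key lives in $(KEYSTORE)) and
# restrict the certificate to TLS client authentication.
	keytool -gencert -alias ca \
	-validity 3650 -sigalg SHA512withRSA \
	-ext KU=digitalSignature -ext EKU=clientAuth \
	-infile "$(CLIENTNAME).csr" -outfile "$(CLIENTNAME).crt" -rfc \
	-keystore $(KEYSTORE) -storepass $(PASSWORD)
# The CA certificate must be present in the client keystore so keytool can
# verify the reply chain when the signed certificate is installed below
# (needs ca.crt, produced by export-authority).
	keytool -importcert -noprompt -trustcacerts -alias ca -file ca.crt \
	-keystore "$(CLIENTNAME).p12" -storetype PKCS12 -storepass $(PASSWORD)
# Install the signed certificate on the client's key entry. The resulting
# $(CLIENTNAME).p12 is what curl or a browser imports.
	keytool -importcert -trustcacerts -alias $(CLIENTNAME) \
	-file "$(CLIENTNAME).crt" \
	-keystore "$(CLIENTNAME).p12" -storetype PKCS12 -storepass $(PASSWORD)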
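clean:
# Remove only the artifacts this Makefile produces. The previous recipe
# (`find . ! -name Makefile -type f -exec rm -f {} \;`) deleted every other
# file below the current directory, including unrelated ones.
	$(RM) $(KEYSTORE) $(TRUSTSTORE) ca.crt \
	"$(HOSTNAME).csr" "$(HOSTNAME).crt" \
	"$(CLIENTNAME).csr" "$(CLIENTNAME).crt" "$(CLIENTNAME).p12"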
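<?xml version="1.0" encoding="UTF-8"?>
<!-- Tomcat 8.5 server.xml excerpt. The XML declaration has to be the very
     first thing in the file, so this comment now follows it instead of
     preceding it. -->
<Server port="8005" shutdown="SHUTDOWN">
  <!-- lots of stuff -->
  <Service name="Catalina">
    <!-- this is the change: an HTTPS connector that requires a client
         certificate. The ${my.*} values are system properties injected via
         CATALINA_OPTS by the accompanying shell snippet; because they are on
         the JVM command line, the store passwords are readable in the process
         list. clientAuth is fixed to "required" here - the my.clientAuth
         property the shell snippet also exports is not consumed by this
         connector. Use clientAuth="${my.clientAuth}" to make it configurable,
         and then set CLIENT_AUTH=required, since the snippet defaults it to
         none. -->
    <Connector
      SSLEnabled="true"
      clientAuth="required"
      keystoreFile="${my.keystore}"
      keystorePass="${my.keystorePass}"
      keystoreType="JKS"
      port="8443"
      protocol="HTTP/1.1"
      scheme="https"
      secure="true"
      sslProtocol="TLS"
      truststoreFile="${my.truststore}"
      truststorePass="${my.truststorePass}"
      truststoreType="JKS"
    />
    <!-- everything else as is -->
  </Service>
</Server>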
# HTTPS configuration
# Defaults apply when a variable is unset or empty; override them in the
# environment before starting Tomcat.
TRUST_STORE=${TRUST_STORE:-truststore.jks}
KEY_STORE=${KEY_STORE:-keystore.jks}
TRUST_STORE_PASS=${TRUST_STORE_PASS:-changeit}
KEY_STORE_PASS=${KEY_STORE_PASS:-changeit}
CLIENT_AUTH=${CLIENT_AUTH:-none}
# ^ Options are: none, optional, optionalNoCA, required
# Hand the values to server.xml as ${my.*} system properties. They become part
# of the JVM command line, so the store passwords are readable in the process
# list by other users on the host. The server.xml shown alongside hard-codes
# clientAuth="required" and does not read my.clientAuth.
export CATALINA_OPTS="${CATALINA_OPTS} -Dmy.truststore=${TRUST_STORE} -Dmy.truststorePass=${TRUST_STORE_PASS} -Dmy.keystore=${KEY_STORE} -Dmy.keystorePass=${KEY_STORE_PASS} -Dmy.clientAuth=${CLIENT_AUTH}"