Fix the localhost self-signed certificates for IoT 3.0.0
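#!/usr/bin/env bash
# Replace self-signed localhost certificate with a self-signed development one.
# Works for 3.0.0 IoT Server.
# https://docs.wso2.com/display/IoTS300/Configuring+WSO2+IoT+Server+with+the+IP
# https://docs.wso2.com/display/IoTS300/General+iOS+Server+Configurations
#
# Usage: <script> [hostname]
#   hostname  CN placed in the generated CA, RA and IA certificates
#             (default: test1.example.foo)
#
# Run it from the directory that contains the unpacked wso2iot* distribution(s).
# Keys, CSRs, certificates, PKCS#12 bundles and openssl.cnf are all written to
# the current directory (an existing openssl.cnf is overwritten) and are left
# behind on exit: run it in a scratch directory and treat the *_private.* files
# as secrets. Only the CN is set on the certificates; clients that insist on a
# subjectAltName will still reject them unless one is added to [ v3_req ].
set -euo pipefail

# Keystore passwords are the WSO2 defaults the server configuration expects.
# They are handed to openssl/keytool on the command line and are therefore
# visible to other local users via `ps` for the duration of each call.
readonly store_pass='wso2carbon'
readonly ca_pass='cacert'
readonly ra_pass='racert'

#######################################
# Print a message to stderr and exit non-zero.
# Arguments: message words
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Generate a 4096-bit RSA key and a CSR for one of the CA/RA/IA identities.
# Globals:   hostname (read)
# Arguments: $1 - file prefix (ca, ra, ia)
#            $2 - label used in the O= and OU= subject fields (CA, RA, IA)
# Outputs:   <prefix>_private.key and <prefix>.csr in the current directory
#######################################
gen_key_and_csr() {
  local prefix=$1 label=$2
  openssl genpkey -algorithm RSA -out "${prefix}_private.key" \
    -pkeyopt rsa_keygen_bits:4096
  openssl req -new -key "${prefix}_private.key" -out "${prefix}.csr" \
    -subj "/C=CA/ST=Ontario/L=Ottawa/O=Blabla ${label}/OU=${label} Department/CN=${hostname}"
}

#######################################
# Emit every file named $1 found under the distribution directories.
# Globals:   dists (read)
# Arguments: $1 - file name to look for
# Outputs:   NUL-terminated paths on stdout (paths may contain spaces)
#######################################
find_keystore() {
  find "${dists[@]}" -name "$1" -print0
}

# ${1:-...} covers both "no argument" (which would trip set -u) and "".
hostname="${1:-test1.example.foo}"

# Fail before generating any key material if there is nothing to patch; an
# unmatched wso2iot* would otherwise reach find as a literal name.
shopt -s nullglob
dists=(wso2iot*)
shopt -u nullglob
(( ${#dists[@]} > 0 )) || die "no wso2iot* distribution found in ${PWD}"

printf '%s\n' "Generating certificates for '${hostname}'"

# The heredoc delimiter is quoted: the config contains no shell expansions.
cat <<'EOF' > openssl.cnf
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints=CA:TRUE
keyUsage = digitalSignature, keyEncipherment
[ v3_ca ]
# Extensions for a typical CA
# PKIX recommendation.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
# This is what PKIX recommends but some broken software chokes on critical
# extensions.
basicConstraints = critical,CA:true
# So we do this instead.
#basicConstraints = CA:true
# Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as an test self-signed certificate it is best
# left out by default.
keyUsage = digitalSignature, keyCertSign, cRLSign
EOF

# Do the CA stuff: a self-signed root, valid one year.
gen_key_and_csr ca CA
openssl x509 -req -days 365 -in ca.csr -signkey ca_private.key -out ca.crt \
  -extensions v3_ca -extfile openssl.cnf
openssl rsa -in ca_private.key -text > ca_private.pem
openssl x509 -in ca.crt -out ca_cert.pem

# Do the RA stuff: signed by the CA with the v3_req extensions (CA:TRUE,
# as the IoT docs require for the registration authority).
gen_key_and_csr ra RA
openssl x509 -req -days 365 -in ra.csr -CA ca.crt -CAkey ca_private.key \
  -set_serial 02 -out ra.crt -extensions v3_req -extfile openssl.cnf
openssl rsa -in ra_private.key -text > ra_private.pem
openssl x509 -in ra.crt -out ra_cert.pem

# Do the IA stuff: the server's own certificate, valid two years, no extensions.
gen_key_and_csr ia IA
openssl x509 -req -days 730 -in ia.csr -CA ca_cert.pem -CAkey ca_private.pem \
  -set_serial 044324343 -out ia.crt

# Finalize the certs as PKCS#12 bundles keytool can import.
# keystore.p12 carries the IA private key, so it is a secret too.
openssl pkcs12 -export -out keystore.p12 -inkey ia_private.key -in ia.crt \
  -CAfile ca_cert.pem -name 'wso2carbon' -password "pass:${store_pass}"
openssl pkcs12 -export -out ca.p12 -inkey ca_private.pem -in ca_cert.pem \
  -name 'cacert' -password "pass:${ca_pass}"
openssl pkcs12 -export -out ra.p12 -inkey ra_private.pem -in ra_cert.pem \
  -chain -CAfile ca_cert.pem -name 'racert' -password "pass:${ra_pass}"

# Grab the existing keystores to be fixed (it is assumed that they're all the
# same, so the first match of each name is used). A keystore that is missing
# from every distribution is an error: keytool would otherwise silently create
# an empty one and the put-back loop below would have nowhere to write it.
for store in client-truststore.jks wso2carbon.jks wso2certs.jks; do
  found=()
  while IFS= read -r -d '' path; do
    found+=("${path}")
  done < <(find_keystore "${store}")
  (( ${#found[@]} > 0 )) || die "no ${store} found under ${dists[*]}"
  cp --verbose -- "${found[0]}" .
done

# Patch the keystores
keytool -importkeystore -noprompt \
  -srckeystore keystore.p12 -srcstoretype PKCS12 -srcstorepass "${store_pass}" \
  -destkeystore client-truststore.jks -deststorepass "${store_pass}"
keytool -importkeystore -noprompt \
  -srckeystore keystore.p12 -srcstoretype PKCS12 -srcstorepass "${store_pass}" \
  -destkeystore wso2carbon.jks -deststorepass "${store_pass}"
keytool -importkeystore -noprompt \
  -srckeystore ca.p12 -srcstoretype PKCS12 -srcstorepass "${ca_pass}" \
  -destkeystore wso2certs.jks -deststorepass "${store_pass}"
keytool -importkeystore -noprompt \
  -srckeystore ra.p12 -srcstoretype PKCS12 -srcstorepass "${ra_pass}" \
  -destkeystore wso2certs.jks -deststorepass "${store_pass}"

# Put the repaired keystores back (overwrite the existing ones)
for store in client-truststore.jks wso2carbon.jks wso2certs.jks; do
  while IFS= read -r -d '' target; do
    cp --verbose -- "${store}" "${target}"
  done < <(find_keystore "${store}")
done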