61 lines
3.6 KiB
Bash
61 lines
3.6 KiB
Bash
# #!/bin/sh
|
|
|
|
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout ./cert/identity-svc-server.key -out ./cert/identity-svc-server.cert \
|
|
-addext "subjectAltName = DNS:identity-svc"
|
|
# ^^ GENERATE CERT FOR BACKEND SERVICE (on client side - in traefik - we dont need DNS domain... for now...)
|
|
|
|
|
|
# if [ -z "$SERVICE" ]; then echo "set SERVICE var"; exit 1; fi
|
|
# if [ -z "$CA_ROOT" ]; then echo "set CA_ROOT var"; exit 1; fi
|
|
# if [ -z "$DOMAIN" ]; then echo "set DOMAIN var"; exit 1; fi
|
|
|
|
# PASSWORD=V3ryS3cr3tP4ssw0rd
|
|
|
|
# # sample for registry server (with api-gateway-svc as a client) but using FDN...
|
|
# # keytool -genkey -alias api-registry-svc -dname cn=$DOMAIN -validity 365 -keystore tmp/api-registry-svc.p12 -keyalg RSA -keysize 2048 -storepass $PASSWORD -ext "SAN:c=DNS:registry.egommerce.local,IP:127.0.0.1"
|
|
# # keytool -genkey -alias myClientCertificate -dname cn=$DOMAIN -validity 365 -keystore tmp/myClientCertificate.p12 -keyalg RSA -keysize 2048 -storepass $PASSWORD -ext "SAN:c=DNS:registry.egommerce.local,IP:127.0.0.1"
|
|
|
|
# # keytool -export -alias myClientCertificate -file tmp/myClientCertificate.crt -keystore tmp/myClientCertificate.p12 -storepass $PASSWORD
|
|
# # keytool -export -alias api-registry-svc -file tmp/api-registry-svc.crt -keystore tmp/api-registry-svc.p12 -storepass $PASSWORD
|
|
|
|
# # keytool -import -alias myClientCertificate -file tmp/myClientCertificate.crt -keystore tmp/api-registry-svc.p12 -storepass $PASSWORD # aka myCertificate.p12
|
|
|
|
# # echo "Done."
|
|
# # exit 0
|
|
|
|
# if [ -d "$SERVICE" ]; then
|
|
# echo "$SERVICE directory exists... Quitting."
|
|
# exit 1;
|
|
# fi
|
|
|
|
# if [ ! -f "$SERVICE" ]; then
|
|
# mkdir -p $SERVICE
|
|
# fi
|
|
|
|
# echo "===================================================================="
|
|
# echo "Fake third-party chain generated. Now generating keystore.p12 ..."
|
|
# echo "===================================================================="
|
|
|
|
# # generate private keys (for server)
|
|
# keytool -genkeypair -alias $SERVICE -dname cn=$DOMAIN -validity 365 -keyalg RSA -keysize 2048 -storetype PKCS12 -keystore "$SERVICE/keystore.p12" -keypass $PASSWORD -storepass $PASSWORD
|
|
|
|
# # generate a certificate for server signed by ca (root -> ca -> server)
|
|
# keytool -storetype PKCS12 -keystore "$SERVICE/keystore.p12" -storepass $PASSWORD -certreq -alias $SERVICE \
|
|
# | keytool -storetype PKCS12 -keystore "$CA_ROOT/ca.p12" -storepass $PASSWORD -gencert -alias ca -ext ku:c=dig,keyEnc -ext "SAN:c=DNS:$DOMAIN,IP:127.0.0.1" -ext eku=sa,ca -rfc > "$SERVICE/$SERVICE.pem"
|
|
|
|
# # import server cert chain into ${SERVICE}.p12
|
|
# keytool -storetype PKCS12 -keystore "$SERVICE/keystore.p12" -storepass $PASSWORD -importcert -trustcacerts -noprompt -alias root -file "$CA_ROOT/root.pem"
|
|
# keytool -storetype PKCS12 -keystore "$SERVICE/keystore.p12" -storepass $PASSWORD -importcert -alias ca -file "$CA_ROOT/ca.pem"
|
|
# keytool -storetype PKCS12 -keystore "$SERVICE/keystore.p12" -storepass $PASSWORD -importcert -alias $SERVICE -file "$SERVICE/$SERVICE.pem"
|
|
|
|
|
|
# # DEPRECATED - duplicated above section...
|
|
# # echo "================================================="
|
|
# # echo "Keystore generated. Now generating truststore ..."
|
|
# # echo "================================================="
|
|
|
|
# # import server cert chain into my-truststore.p12
|
|
# # keytool -storetype PKCS12 -keystore "$SERVICE/keystore.p12" -storepass $PASSWORD -importcert -trustcacerts -noprompt -alias root -file "$CA_ROOT/root.pem"
|
|
# # keytool -storetype PKCS12 -keystore "$SERVICE/keystore.p12" -storepass $PASSWORD -importcert -alias ca -file "$CA_ROOT/ca.pem"
|
|
# # keytool -storetype PKCS12 -keystore "$SERVICE/keystore.p12" -storepass $PASSWORD -importcert -alias $SERVICE -file "$SERVICE/$SERVICE.pem"
|