1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
|
CERTS_DIR = resources
CURRENT_DIR := ${CURDIR}
DOCKER_CONTAINER = generate-certs
DOCKER_EXEC = docker exec ${DOCKER_CONTAINER}
all: start_docker \
clear_all \
root_generate_keys \
root_create_certificate \
root_self_sign_certificate \
client_generate_keys \
client_generate_csr \
client_sign_certificate_by_root \
client_import_root_certificate \
client_convert_certificate_to_jks \
server_generate_keys \
server_generate_csr \
server_sign_certificate_by_root \
server_import_root_certificate \
server_convert_certificate_to_jks \
server_convert_certificate_to_p12 \
convert_truststore_to_p12 \
convert_truststore_to_pem \
server_export_certificate_to_pem \
server_export_key_to_pem \
clear_unused_files \
stop_docker
.PHONY: all
# Starts docker container for generating certificates - deletes first, if already running
start_docker:
@make stop_docker
$(eval REPOSITORY := $(shell cat ./values.yaml | grep -i "^[ \t]*repository" -m1 | xargs | cut -d ' ' -f2))
$(eval JAVA_IMAGE := $(shell cat ./values.yaml | grep -i "^[ \t]*certificateGenerationImage" -m1 | xargs | cut -d ' ' -f2))
$(eval FULL_JAVA_IMAGE := $(REPOSITORY)/$(JAVA_IMAGE))
$(eval USERNAME :=$(shell id -u))
$(eval GROUP :=$(shell id -g))
docker run --rm --name ${DOCKER_CONTAINER} --user "$(USERNAME):$(GROUP)" --mount type=bind,source=${CURRENT_DIR}/${CERTS_DIR},target=/certs -w /certs --entrypoint "sh" -td $(FULL_JAVA_IMAGE)
# Stops docker container for generating certificates. 'true' is used to return 0 status code, if container is already deleted
stop_docker:
docker rm ${DOCKER_CONTAINER} -f 1>/dev/null || true
#Clear all files related to certificates
clear_all:
@make clear_existing_certificates
@make clear_unused_files
#Clear certificates
clear_existing_certificates:
@echo "Clear certificates"
${DOCKER_EXEC} rm -f certServiceClient-keystore.jks certServiceServer-keystore.jks root.crt truststore.jks certServiceServer-keystore.p12 truststore.pem certServiceServer-cert.pem certServiceServer-key.pem
@echo "#####done#####"
#Generate root private and public keys
root_generate_keys:
@echo "Generate root private and public keys"
${DOCKER_EXEC} keytool -genkeypair -v -alias root -keyalg RSA -keysize 4096 -validity 3650 -keystore root-keystore.jks \
-dname "CN=root.com, OU=Root Org, O=Root Company, L=Wroclaw, ST=Dolny Slask, C=PL" -keypass secret \
-storepass secret -ext BasicConstraints:critical="ca:true"
@echo "#####done#####"
#Export public key as certificate
root_create_certificate:
@echo "(Export public key as certificate)"
${DOCKER_EXEC} keytool -exportcert -alias root -keystore root-keystore.jks -storepass secret -file root.crt -rfc
@echo "#####done#####"
#Self-signed root (import root certificate into truststore)
root_self_sign_certificate:
@echo "(Self-signed root (import root certificate into truststore))"
${DOCKER_EXEC} keytool -importcert -alias root -keystore truststore.jks -file root.crt -storepass secret -noprompt
@echo "#####done#####"
#Generate certService's client private and public keys
client_generate_keys:
@echo "Generate certService's client private and public keys"
${DOCKER_EXEC} keytool -genkeypair -v -alias certServiceClient -keyalg RSA -keysize 2048 -validity 365 \
-keystore certServiceClient-keystore.jks -storetype JKS \
-dname "CN=certServiceClient.com,OU=certServiceClient company,O=certServiceClient org,L=Wroclaw,ST=Dolny Slask,C=PL" \
-keypass secret -storepass secret
@echo "####done####"
#Generate certificate signing request for certService's client
client_generate_csr:
@echo "Generate certificate signing request for certService's client"
${DOCKER_EXEC} keytool -certreq -keystore certServiceClient-keystore.jks -alias certServiceClient -storepass secret -file certServiceClient.csr
@echo "####done####"
#Sign certService's client certificate by root CA
client_sign_certificate_by_root:
@echo "Sign certService's client certificate by root CA"
${DOCKER_EXEC} keytool -gencert -v -keystore root-keystore.jks -storepass secret -alias root -infile certServiceClient.csr \
-outfile certServiceClientByRoot.crt -rfc -ext bc=0 -ext ExtendedkeyUsage="serverAuth,clientAuth"
@echo "####done####"
#Import root certificate into client
client_import_root_certificate:
@echo "Import root certificate into intermediate"
${DOCKER_EXEC} sh -c "cat root.crt >> certServiceClientByRoot.crt"
@echo "####done####"
#Import signed certificate into certService's client
client_convert_certificate_to_jks:
@echo "Import signed certificate into certService's client"
${DOCKER_EXEC} keytool -importcert -file certServiceClientByRoot.crt -destkeystore certServiceClient-keystore.jks -alias certServiceClient -storepass secret -noprompt
@echo "####done####"
#Generate certService private and public keys
server_generate_keys:
@echo "Generate certService private and public keys"
${DOCKER_EXEC} keytool -genkeypair -v -alias oom-cert-service -keyalg RSA -keysize 2048 -validity 365 \
-keystore certServiceServer-keystore.jks -storetype JKS \
-dname "CN=oom-cert-service,OU=certServiceServer company,O=certServiceServer org,L=Wroclaw,ST=Dolny Slask,C=PL" \
-keypass secret -storepass secret -ext BasicConstraints:critical="ca:false"
@echo "####done####"
#Generate certificate signing request for certService
server_generate_csr:
@echo "Generate certificate signing request for certService"
${DOCKER_EXEC} keytool -certreq -keystore certServiceServer-keystore.jks -alias oom-cert-service -storepass secret -file certServiceServer.csr
@echo "####done####"
#Sign certService certificate by root CA
server_sign_certificate_by_root:
@echo "Sign certService certificate by root CA"
${DOCKER_EXEC} keytool -gencert -v -keystore root-keystore.jks -storepass secret -alias root -infile certServiceServer.csr \
-outfile certServiceServerByRoot.crt -rfc -ext bc=0 -ext ExtendedkeyUsage="serverAuth,clientAuth" \
-ext SubjectAlternativeName:="DNS:oom-cert-service,DNS:localhost"
@echo "####done####"
#Import root certificate into server
server_import_root_certificate:
@echo "Import root certificate into intermediate(server)"
${DOCKER_EXEC} sh -c "cat root.crt >> certServiceServerByRoot.crt"
@echo "####done####"
#Import signed certificate into certService
server_convert_certificate_to_jks:
@echo "Import signed certificate into certService"
${DOCKER_EXEC} keytool -importcert -file certServiceServerByRoot.crt -destkeystore certServiceServer-keystore.jks -alias oom-cert-service \
-storepass secret -noprompt
@echo "####done####"
#Convert certServiceServer-keystore(.jks) to PCKS12 format(.p12)
server_convert_certificate_to_p12:
@echo "Convert certServiceServer-keystore(.jks) to PCKS12 format(.p12)"
${DOCKER_EXEC} keytool -importkeystore -srckeystore certServiceServer-keystore.jks -srcstorepass secret \
-destkeystore certServiceServer-keystore.p12 -deststoretype PKCS12 -deststorepass secret
@echo "#####done#####"
#Convert truststore(.jks) to PCKS12 format(.p12)
convert_truststore_to_p12:
@echo "Convert certServiceServer-keystore(.jks) to PCKS12 format(.p12)"
${DOCKER_EXEC} keytool -importkeystore -srckeystore truststore.jks -srcstorepass secret \
-destkeystore truststore.p12 -deststoretype PKCS12 -deststorepass secret
@echo "#####done#####"
#Convert truststore(.p12) to PEM format(.pem)
convert_truststore_to_pem:
@echo "Convert certServiceServer-keystore(.p12) to PEM format(.pem)"
${DOCKER_EXEC} openssl pkcs12 -nodes -in truststore.p12 -out truststore.pem -passin pass:secret
@echo "#####done#####"
#Export certificates from certServiceServer-keystore(.p12) to PEM format(.pem)
server_export_certificate_to_pem:
@echo "Export certificates from certServiceClient-keystore(.p12) to PEM format(.pem)"
${DOCKER_EXEC} openssl pkcs12 -in certServiceServer-keystore.p12 -passin 'pass:secret' -nodes -nokeys -out certServiceServer-cert.pem
@echo "#####done#####"
#Export keys from certServiceServer-keystore(.p12) to PEM format(.pem)
server_export_key_to_pem:
@echo "Export keys from certServiceClient-keystore(.p12) to PEM format(.pem)"
${DOCKER_EXEC} openssl pkcs12 -in certServiceServer-keystore.p12 -passin 'pass:secret' -nodes -nocerts -out certServiceServer-key.pem
@echo "#####done#####"
#Clear unused certificates
clear_unused_files:
@echo "Clear unused certificates"
${DOCKER_EXEC} rm -f certServiceClientByRoot.crt certServiceClient.csr root-keystore.jks certServiceServerByRoot.crt certServiceServer.csr truststore.p12
@echo "#####done#####"
|
