development/ssl/.gitignore
development/ssl/Makefile-openssl
+sign: $(FILE).crt
+ rm -f *.crt *.key *.srl *.csr *.pkcs12
+generate-ca-certificate: $(CA).crt
+generate-private-key: $(FILE).key
+create-public-key: $(FILE).pub
+create-sign-request: $(FILE).csr
+create-key-store: $(FILE).ks.pkcs12
+create-trust-store: $(CA).crt
+ openssl pkcs12 -export -in $(CA).crt -CAfile $(CA).crt -out $(CA).pkcs12 -nokeys -noiter -nomaciter -passout pass:$(PASSWD)
+ openssl req -new -x509 -keyout $(CA).key -out $(CA).crt -days 365 -passout pass:$(CA_PASSWD) -subj "$(SUBJ)"
+ openssl genpkey -algorithm RSA -out $(FILE).key -pkeyopt rsa_keygen_bits:2048
+$(FILE).pub: $(FILE).key
+ openssl x509 -req -days 360 -in client.csr -CA $(CA).crt -CAkey $(CA).key -CAcreateserial -out client.crt
+$(FILE).csr: $(FILE).key
+ openssl req -new -sha256 -key $(FILE).key -out $(FILE).csr -subj "$(SUBJ)"
+$(FILE).crt: $(CA).crt $(FILE).csr
+ openssl x509 -req -days 360 -in $(FILE).csr -CA $(CA).crt -CAkey $(CA).key -out $(FILE).crt -CAcreateserial -passin pass:$(CA_PASSWD)
+$(FILE).ks.pkcs12: $(FILE).key $(FILE).crt $(CA).crt
+ openssl pkcs12 -export -in $(FILE).crt -inkey $(FILE).key -CAfile $(CA).crt -out $(FILE).ks.pkcs12 -noiter -nomaciter -passout pass:$(PASSWD)
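Review bot: The recipe on line 15 hard-codes `client.csr`/`client.crt` and omits the `-passin` that line 19 supplies, so it ignores `FILE` and, with a passphrase-protected CA key, either prompts interactively or fails; it also sits under the `$(FILE).pub` header on line 14 where a public-key export is expected, so it looks like a leftover — if that target is meant to export the public key, `openssl pkey -in $< -pubout -out $@` does that. The `rm` on line 4 and the recipes on lines 11–13 have no visible target headers, so either lines were dropped in this view or they all attach to the headers above them; the CA generation on line 12 and key generation on line 13 need their own `$(CA).crt` and `$(FILE).key` rules for the prerequisites on lines 5–6 and 18–20 to resolve. The command-style targets on lines 3–10 are not declared `.PHONY`, so a stray file named `sign` or `create-trust-store` would silently satisfy them: `.PHONY: sign clean generate-ca-certificate generate-private-key create-public-key create-sign-request create-key-store create-trust-store`. Passing secrets as `pass:$(PASSWD)` / `pass:$(CA_PASSWD)` on lines 11, 19 and 21 exposes them in process listings and shell history (`-passin env:CA_PASSWD` with an exported variable avoids that), and `-noiter -nomaciter` on lines 11 and 21 drop the PKCS#12 key-derivation and MAC iterations — acceptable for throwaway dev fixtures, but worth a comment saying so.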
development/ssl/README.md
+# Generating SSL certificates
+## Java keytool way (recommended)
+To generate:
+To clean (remove generated files):
+./gen-certs.sh clean
+## OpenSSL way (currently might not work)
+> Add `-f Makefile-openssl` to each command
+Typical usage:
+make FILE=client
+make FILE=server
+or (to generate PKCS12 key and trust stores):
+make create-key-store FILE=client
+make create-key-store FILE=server
+make create-trust-store
+Will generate CA certificate and signed client and server certificates.
+More "low-level" usage:
+make generate-ca-certificate
+make generate-private-key FILE=client
+make sign FILE=client
+# Connecting to a server
+First generate *client* and *server* certificates. Then start a server with it's cert and make ca.crt a trusted certification authority.
+After that you can:
+./connect.sh client localhost:8600 < file_with_a_data_to_be_sent.dat
development/ssl/gen-certs.sh
+#!/usr/bin/env bash
+set -eu -o pipefail -o xtrace
+store_opts="-storetype PKCS12 -storepass ${STORE_PASS} -noprompt"
+function gen_key() {
+ local key_name="$1"
+ local ca="$2"
+ local keystore="-keystore ${key_name}.p12 ${store_opts}"
+ keytool -genkey -alias ${key_name} \
+ ${keystore} \
+ -keyalg RSA \
+ -validity 730 \
+ -keysize 2048 \
+ -dname "${DNAME_PREFIX}-${key_name}"
+ keytool -import -trustcacerts -alias ${ca} -file ${ca}.crt ${keystore}
+ keytool -certreq -alias ${key_name} -keyalg RSA ${keystore} | \
+ keytool -alias ${ca} -gencert -ext "san=dns:${CN_PREFIX}-${ca}" ${store_opts} -keystore ${ca}.p12 | \
+ keytool -alias ${key_name} -importcert ${keystore}
+function gen_ca() {
+ local ca="$1"
+ keytool -genkeypair ${store_opts} -alias ${ca} -dname "${DNAME_PREFIX}-${ca}" -keystore ${ca}.p12
+ keytool -export -alias ${ca} -file ${ca}.crt ${store_opts} -keystore ${ca}.p12
+function gen_truststore() {
+ local trusted_ca="$1"
+ keytool -import -trustcacerts -alias ca -file ${trusted_ca}.crt ${store_opts} -keystore ${TRUST}.p12
+function clean() {
+ rm -f *.crt *.p12
+if [[ $# -eq 0 ]]; then
+ gen_ca ca
+ gen_ca untrustedca
+ gen_truststore ca
+ gen_key client ca
+ gen_key server ca
+ gen_key untrustedclient untrustedca
+elif [[ $1 == "clean" ]]; then
+ clean
+ echo "usage: $0 [clean]"
+ exit 1
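Review bot: `set -o xtrace` on line 48 echoes every expanded command to stderr, so the `-storepass ${STORE_PASS}` built on line 49 is written to terminal scrollback and CI logs on every keytool invocation; either drop `-o xtrace` or pass the secret by reference, e.g. `store_opts="-storetype PKCS12 -storepass:env STORE_PASS -noprompt"` with `STORE_PASS` exported. The SAN on line 62 is built from `${ca}` rather than `${key_name}`, so a server certificate ends up carrying the CA's name instead of its own hostname — presumably unintended, worth confirming against what connect.sh verifies. Neither `gen_ca` (line 66) nor the `-gencert` step (line 62) sets `-validity`, so the CA and the issued certificates fall back to keytool's 90-day default, while the `-validity 730` on line 57 only applies to the self-signed placeholder that line 63 replaces. The functions' closing braces and the `else` branch before line 82 are not visible in this view.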