1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
|
all: step_1 step_2 step_3 step_4 step_5 step_6 step_7 step_8 step_9 step_10 step_11 step_12 step_13 step_14 step_15 \
step_16 step_17 step_18 step_19
.PHONY: all
#Clear certificates
clear:
@echo "Clear certificates"
rm certServiceClient-keystore.jks certServiceServer-keystore.jks root.crt truststore.jks certServiceServer-keystore.p12 \
cmpv2Issuer-cert.pem cmpv2Issuer-key.pem cacert.pem
@echo "#####done#####"
#Generate root private and public keys
step_1:
@echo "Generate root private and public keys"
keytool -genkeypair -v -alias root -keyalg RSA -keysize 4096 -validity 3650 -keystore root-keystore.jks \
-dname "CN=onap.org, OU=ONAP, O=Linux-Foundation, L=San-Francisco, ST=California, C=US" -keypass secret \
-storepass secret -ext BasicConstraints:critical="ca:true"
@echo "#####done#####"
#Export public key as certificate
step_2:
@echo "(Export public key as certificate)"
keytool -exportcert -alias root -keystore root-keystore.jks -storepass secret -file root.crt -rfc
@echo "#####done#####"
#Self-signed root (import root certificate into truststore)
step_3:
@echo "(Self-signed root (import root certificate into truststore))"
keytool -importcert -alias root -keystore truststore.jks -file root.crt -storepass secret -noprompt
@echo "#####done#####"
#Generate certService's client private and public keys
step_4:
@echo "Generate certService's client private and public keys"
keytool -genkeypair -v -alias certServiceClient -keyalg RSA -keysize 2048 -validity 365 \
-keystore certServiceClient-keystore.jks -storetype JKS \
-dname "CN=onap.org,OU=ONAP,O=Linux-Foundation,L=San-Francisco,ST=California,C=US" \
-keypass secret -storepass secret
@echo "####done####"
#Generate certificate signing request for certService's client
step_5:
@echo "Generate certificate signing request for certService's client"
keytool -certreq -keystore certServiceClient-keystore.jks -alias certServiceClient -storepass secret -file certServiceClient.csr
@echo "####done####"
#Sign certService's client certificate by root CA
step_6:
@echo "Sign certService's client certificate by root CA"
keytool -gencert -v -validity 365 -keystore root-keystore.jks -storepass secret -alias root \
-infile certServiceClient.csr -outfile certServiceClientByRoot.crt -rfc -ext bc=0 \
-ext ExtendedkeyUsage="serverAuth,clientAuth"
@echo "####done####"
#Import root certificate into client
step_7:
@echo "Import root certificate into intermediate"
cat root.crt >> certServiceClientByRoot.crt
@echo "####done####"
#Import signed certificate into certService's client
step_8:
@echo "Import signed certificate into certService's client"
keytool -importcert -file certServiceClientByRoot.crt -destkeystore certServiceClient-keystore.jks -alias certServiceClient -storepass secret -noprompt
@echo "####done####"
#Generate certService private and public keys
step_9:
@echo "Generate certService private and public keys"
keytool -genkeypair -v -alias oom-cert-service -keyalg RSA -keysize 2048 -validity 365 \
-keystore certServiceServer-keystore.jks -storetype JKS \
-dname "CN=onap.org,OU=ONAP,O=Linux-Foundation,L=San-Francisco,ST=California,C=US" \
-keypass secret -storepass secret -ext BasicConstraints:critical="ca:false"
@echo "####done####"
#Generate certificate signing request for certService
step_10:
@echo "Generate certificate signing request for certService"
keytool -certreq -keystore certServiceServer-keystore.jks -alias oom-cert-service -storepass secret -file certServiceServer.csr
@echo "####done####"
#Sign certService certificate by root CA
step_11:
@echo "Sign certService certificate by root CA"
keytool -gencert -v -validity 365 -keystore root-keystore.jks -storepass secret -alias root \
-infile certServiceServer.csr -outfile certServiceServerByRoot.crt -rfc -ext bc=0 \
-ext ExtendedkeyUsage="serverAuth,clientAuth" -ext SubjectAlternativeName:="DNS:oom-cert-service,DNS:localhost"
@echo "####done####"
#Import root certificate into server
step_12:
@echo "Import root certificate into intermediate(server)"
cat root.crt >> certServiceServerByRoot.crt
@echo "####done####"
#Import signed certificate into certService
step_13:
@echo "Import signed certificate into certService"
keytool -importcert -file certServiceServerByRoot.crt -destkeystore certServiceServer-keystore.jks -alias oom-cert-service \
-storepass secret -noprompt
@echo "####done####"
#Convert certServiceServer-keystore(.jks) to PCKS12 format(.p12)
step_14:
@echo "Convert certServiceServer-keystore(.jks) to PCKS12 format(.p12)"
keytool -importkeystore -srckeystore certServiceServer-keystore.jks -srcstorepass secret \
-destkeystore certServiceServer-keystore.p12 -deststoretype PKCS12 -deststorepass secret
@echo "#####done#####"
#Convert certServiceClient-keystore(.jks) to PCKS12 format(.p12)
step_15:
@echo "Convert certServiceServer-keystore(.jks) to PCKS12 format(.p12)"
keytool -importkeystore -srckeystore certServiceClient-keystore.jks -srcstorepass secret \
-destkeystore certServiceClient-keystore.p12 -deststoretype PKCS12 -deststorepass secret
@echo "#####done#####"
#Convert truststore(.jks) to PCKS12 format(.p12)
step_16:
@echo "Convert truststore(.jks) to PCKS12 format(.p12)"
keytool -importkeystore -srckeystore truststore.jks -srcstorepass secret \
-destkeystore truststore.p12 -deststoretype PKCS12 -deststorepass secret
@echo "#####done#####"
#Create CMPv2 Issuer PEM key pair from certServiceClient-keystore(.p12)
step_17:
@echo "Create CMPv2 Issuer key pair from certServiceClient-keystore(.p12)"
openssl pkcs12 -in certServiceServer-keystore.p12 -passin 'pass:secret' -nokeys -out cmpv2Issuer-cert.pem
openssl pkcs12 -in certServiceServer-keystore.p12 -passin 'pass:secret' -nodes -nocerts -out cmpv2Issuer-key.pem
@echo "#####done#####"
#Convert truststore(.p12) to PEM format(.pem)
step_18:
@echo "Create CMPv2 Issuer key pair from certServiceClient-keystore(.p12)"
openssl pkcs12 -in truststore.p12 -passin 'pass:secret' -out cacert.pem
@echo "#####done#####"
#Clear unused certificates
step_19:
@echo "Clear unused certificates"
rm certServiceClientByRoot.crt certServiceClient.csr root-keystore.jks certServiceServerByRoot.crt \
certServiceServer.csr certServiceClient-keystore.p12 truststore.p12
@echo "#####done#####"
|
