diff --git a/certs/scripts/clean_all.sh b/certs/scripts/clean_all.sh
new file mode 100755
index 0000000..4aebec7
--- /dev/null
+++ b/certs/scripts/clean_all.sh
@@ -0,0 +1,8 @@
+#!/bin/sh
+rm -rf testCA
+rm ./*.pem
+rm ./*.csr
+rm ./*.jks
+rm ./*.pkcs12
+rm ./*.p12
+
diff --git a/certs/scripts/copy-certs-to-helm.sh b/certs/scripts/copy-certs-to-helm.sh
new file mode 100755
index 0000000..896374a
--- /dev/null
+++ b/certs/scripts/copy-certs-to-helm.sh
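Review bot: `rm ./*.pem` and the other globbed rm lines in clean_all.sh print an error and return non-zero whenever nothing matches, because /bin/sh passes the unmatched pattern through literally; `rm -f -- ./*.pem` (and the same for .csr/.jks/.pkcs12/.p12) is quiet on a fresh checkout and the `--` also protects against a generated name starting with `-`. Since this directory is where the unencrypted `*_dec.pem` keys end up, a one-line header such as `# Deletes the test CA and every generated key/cert in the current directory.` would make the blast radius explicit, especially as generate_all.sh runs this first with relative paths.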
@@ -0,0 +1,50 @@
+#!/bin/bash
+# Script to copy certs to the respective folders in wlan-cloud-helm folders.
+# Make sure you are in wlan-pki-folder with generated
+# Usage: ./copy-certs.sh ${wlan-cloud-helm-dir}
+# ./copy-certs.sh $HOME/Tip-Repo/wlan-cloud-helm
+
+if [[ $# -eq 0 ]] ;
+then
+ echo "*** No Arguments supplied!! Expecting Absolute path of wlan-cloud-helm dir as an argument to the script ***"
+ echo "*** Usage: ./copy-certs.sh absolute-path-of-wlan-cloud-helm-dir ***"
+ exit 0
+fi
+echo "==============================================="
+echo "Copying certs to opensync-gw-cloud certs folder"
+cp cacert.pem clientcert.pem clientkey.pem client_keystore.jks server.pkcs12 truststore.jks "$1"/tip-wlan/charts/opensync-gw-cloud/resources/config/certs
+echo "================================================"
+echo "Copying certs to opensync-gw-static certs folder"
+cp client_keystore.jks server.pkcs12 truststore.jks "$1"/tip-wlan/charts/opensync-gw-static/resources/config/certs
+echo "=================================================="
+echo "Copying certs to opensync-mqtt-broker certs folder"
+cp cacert.pem mqttservercert.pem mqttserverkey_dec.pem "$1"/tip-wlan/charts/opensync-mqtt-broker/resources/config/certs/
+echo "====================================================================="
+echo "Copying certs to wlan-integrated-cloud-component-service certs folder"
+cp client_keystore.jks server.pkcs12 truststore.jks "$1"/tip-wlan/charts/wlan-integrated-cloud-component-service/resources/config/certs/
+echo "================================================="
+echo "Copying certs to wlan-portal-service certs folder"
+cp client_keystore.jks server.pkcs12 truststore.jks "$1"/tip-wlan/charts/wlan-portal-service/resources/config/certs/
+echo "==============================================="
+echo "Copying certs to wlan-prov-service certs folder"
+cp client_keystore.jks server.pkcs12 truststore.jks cacert.pem postgresclientcert.pem postgresclientkey_dec.pem postgresclient.p12 "$1"/tip-wlan/charts/wlan-prov-service/resources/config/certs/
+echo "=============================================="
+echo "Copying certs to wlan-ssc-service certs folder"
+cp client_keystore.jks server.pkcs12 kafka-server.pkcs12 truststore.jks cacert.pem cassandraserverkey_dec.pem cassandraservercert.pem cassandra_server_keystore.jks "$1"/tip-wlan/charts/wlan-ssc-service/resources/config/certs/
+echo "=============================================="
+echo "Copying certs to wlan-spc-service certs folder"
+cp client_keystore.jks server.pkcs12 kafka-server.pkcs12 truststore.jks "$1"/tip-wlan/charts/wlan-spc-service/resources/config/certs/
+echo "================================================="
+echo "Copying certs to wlan-port-forwarding-gateway-service certs folder"
+cp client_keystore.jks server.pkcs12 truststore.jks "$1"/tip-wlan/charts/wlan-port-forwarding-gateway-service/resources/config/certs/
+echo "==================================="
+echo "Copying certs to kafka certs folder"
+cp kafka-server.pkcs12 truststore.jks "$1"/tip-wlan/charts/kafka/resources/config/certs/
+echo "======================================="
+echo "Copying certs to cassandra certs folder"
+cp cassandra_server_keystore.jks truststore.jks cacert.pem cassandraserverkey_dec.pem cassandraservercert.pem "$1"/tip-wlan/charts/cassandra/resources/config/certs/
+echo "======================================"
+echo "Copying certs to postgres certs folder"
+cp cacert.pem postgresclientcert.pem postgresclientkey_dec.pem servercert.pem serverkey_dec.pem "$1"/tip-wlan/charts/postgresql/resources/config/certs/
+echo "========= All Certs Copied =========="
+echo "NOTE: Additional changes are expected in Kafka, Postgres and Cassandra charts before you start deployment. Refer https://telecominfraproject.atlassian.net/wiki/spaces/WIFI/pages/262176803/Pre-requisites+before+deploying+Tip-Wlan+solution"
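Review bot: The no-argument branch of copy-certs-to-helm.sh prints a usage error and then runs `exit 0`, so a caller or CI job cannot distinguish the failure from success; it should be `exit 1`. `"$1"` is never checked to be a wlan-cloud-helm checkout and there is no `set -e`, so a wrong path makes every `cp` fail while the script still prints "All Certs Copied"; a guard after the argument check such as `[[ -d "$1/tip-wlan/charts" ]] || { echo "not a wlan-cloud-helm dir: $1" >&2; exit 1; }` together with `set -e` closes both gaps. The files shipped include unencrypted private keys (`clientkey.pem`, the `*_dec.pem` files), so the header comment should state that the destination certs directories must be kept out of version control. The usage text still says `./copy-certs.sh` although the file is `copy-certs-to-helm.sh`.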
diff --git a/certs/scripts/create-ca.sh b/certs/scripts/create-ca.sh
new file mode 100755
index 0000000..70a3219
--- /dev/null
+++ b/certs/scripts/create-ca.sh
@@ -0,0 +1,20 @@
+#!/bin/sh
+BASE_DIR=./testCA
+
+#create target directories, set permissions
+mkdir -p $BASE_DIR/private
+chmod go-rx $BASE_DIR/private
+
+#generate the CA certificate
+openssl req -batch -x509 -days 3000 -config openssl-ca.cnf -newkey rsa:4096 -sha256 -out cacert.pem -outform PEM
+
+#move generated certificates into their proper places
+mv cacert.pem $BASE_DIR
+mv cakey.pem $BASE_DIR/private
+
+#init the certificate database files
+touch $BASE_DIR/index.txt
+echo '01' > $BASE_DIR/serial.txt
+
+mkdir -p $BASE_DIR/newcerts
+
diff --git a/certs/scripts/create-cassandra-server-cert-request.sh b/certs/scripts/create-cassandra-server-cert-request.sh
new file mode 100755
index 0000000..8593fc4
--- /dev/null
+++ b/certs/scripts/create-cassandra-server-cert-request.sh
@@ -0,0 +1,2 @@
+#!/bin/sh
+openssl req -batch -config openssl-cassandra-server.cnf -newkey rsa:2048 -sha256 -out cassandraservercert.csr -outform PEM
diff --git a/certs/scripts/create-client-cert-request.sh b/certs/scripts/create-client-cert-request.sh
new file mode 100755
index 0000000..c31f390
--- /dev/null
+++ b/certs/scripts/create-client-cert-request.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+openssl req -batch -config openssl-client.cnf -newkey rsa:2048 -sha256 -out clientcert.csr -outform PEM -nodes
+
diff --git a/certs/scripts/create-kafka-server-cert-request.sh b/certs/scripts/create-kafka-server-cert-request.sh
new file mode 100755
index 0000000..880b103
--- /dev/null
+++ b/certs/scripts/create-kafka-server-cert-request.sh
@@ -0,0 +1,2 @@
+#!/bin/sh
+openssl req -batch -config openssl-kafka-server.cnf -newkey rsa:2048 -sha256 -out kafkaservercert.csr -outform PEM
diff --git a/certs/scripts/create-mqtt-server-cert-request.sh b/certs/scripts/create-mqtt-server-cert-request.sh
new file mode 100755
index 0000000..61d5afb
--- /dev/null
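Review bot: `chmod go-rx $BASE_DIR/private` in create-ca.sh removes read and execute for group/other but leaves the write bit, and `cakey.pem` (written to the working directory by `openssl req` and then moved) is created with whatever the caller's umask allows; `chmod 700 "$BASE_DIR/private"` and, after the mv, `chmod 600 "$BASE_DIR/private/cakey.pem"` would restrict the CA key the way the directory name suggests. There is also no `set -e`, so when `openssl req` fails the two `mv` lines and the database init still run and leave a half-built testCA that generate_all.sh continues with; `set -e` after the shebang is enough here since every line is a plain command.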
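Review bot: create-client-cert-request.sh passes `-nodes`, so the client key is written unencrypted from the start, whereas the server request scripts in this commit omit it and rely on the passphrase from their config; create-postgres-client-cert-request.sh does the same. decrypt-client-key.sh later runs `openssl rsa -passin pass:mypassword` over that already-plaintext key, which presumably just rewrites it, so either the `-nodes` or the decrypt step is redundant. A short comment on this line, e.g. `# -nodes: client key is stored unencrypted (test deployment only)`, would make the asymmetry deliberate rather than accidental; the referenced openssl-client.cnf is not part of this diff, so the key file name it produces cannot be checked here.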
+++ b/certs/scripts/create-mqtt-server-cert-request.sh
@@ -0,0 +1,2 @@
+#!/bin/sh
+openssl req -batch -config mqtt-server.cnf -newkey rsa:2048 -sha256 -out mqttservercert.csr -outform PEM
diff --git a/certs/scripts/create-postgres-client-cert-request.sh b/certs/scripts/create-postgres-client-cert-request.sh
new file mode 100755
index 0000000..ab3bbda
--- /dev/null
+++ b/certs/scripts/create-postgres-client-cert-request.sh
@@ -0,0 +1,4 @@
+#!/bin/sh
+
+openssl req -batch -config postgres-client.cnf -newkey rsa:2048 -sha256 -out postgresclientcert.csr -outform PEM -nodes
+
diff --git a/certs/scripts/create-server-cert-request.sh b/certs/scripts/create-server-cert-request.sh
new file mode 100755
index 0000000..d4efaf0
--- /dev/null
+++ b/certs/scripts/create-server-cert-request.sh
@@ -0,0 +1,2 @@
+#!/bin/sh
+openssl req -batch -config openssl-server.cnf -newkey rsa:2048 -sha256 -out servercert.csr -outform PEM
diff --git a/certs/scripts/decrypt-cassandra-server-key.sh b/certs/scripts/decrypt-cassandra-server-key.sh
new file mode 100755
index 0000000..5942e8b
--- /dev/null
+++ b/certs/scripts/decrypt-cassandra-server-key.sh
@@ -0,0 +1,4 @@
+#!/bin/sh
+echo Generating decrypted version of the cassandra client/server key
+openssl rsa -passin pass:mypassword -in cassandraserverkey.pem -out cassandraserverkey_dec.pem
+
diff --git a/certs/scripts/decrypt-client-key.sh b/certs/scripts/decrypt-client-key.sh
new file mode 100755
index 0000000..b361d8f
--- /dev/null
+++ b/certs/scripts/decrypt-client-key.sh
@@ -0,0 +1,4 @@
+#!/bin/sh
+echo Generating decrypted version of the client key
+openssl rsa -passin pass:mypassword -in clientkey.pem -out clientkey_dec.pem
+
diff --git a/certs/scripts/decrypt-mqtt-server-key.sh b/certs/scripts/decrypt-mqtt-server-key.sh
new file mode 100755
index 0000000..503bbcb
--- /dev/null
+++ b/certs/scripts/decrypt-mqtt-server-key.sh
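Review bot: `openssl rsa -passin pass:mypassword -in cassandraserverkey.pem -out cassandraserverkey_dec.pem` in decrypt-cassandra-server-key.sh writes the plaintext private key with the caller's default umask, so it is usually group/world-readable; starting the script with `umask 077` (or `chmod 600 cassandraserverkey_dec.pem` afterwards) keeps it owner-only, and the same applies to decrypt-client-key.sh, decrypt-mqtt-server-key.sh, decrypt-postgres-client-key.sh and decrypt-server-key.sh. The passphrase on the command line is readable by other users via the process list; OpenSSL accepts `-passin env:VAR` or `-passin file:PATH`, which would also let one environment variable replace the `mypassword` literal repeated across this whole series of scripts. A header comment such as `# Output is an unencrypted key for the test deployment; never commit it.` would document why the `_dec.pem` file exists.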
@@ -0,0 +1,4 @@
+#!/bin/sh
+echo Generating decrypted version of the mqtt server key
+openssl rsa -passin pass:mypassword -in mqttserverkey.pem -out mqttserverkey_dec.pem
+
diff --git a/certs/scripts/decrypt-postgres-client-key.sh b/certs/scripts/decrypt-postgres-client-key.sh
new file mode 100755
index 0000000..07298d8
--- /dev/null
+++ b/certs/scripts/decrypt-postgres-client-key.sh
@@ -0,0 +1,4 @@
+#!/bin/sh
+echo Generating decrypted version of the client key
+openssl rsa -passin pass:mypassword -in postgresclientkey.pem -out postgresclientkey_dec.pem
+
diff --git a/certs/scripts/decrypt-server-key.sh b/certs/scripts/decrypt-server-key.sh
new file mode 100755
index 0000000..c03e2b0
--- /dev/null
+++ b/certs/scripts/decrypt-server-key.sh
@@ -0,0 +1,4 @@
+#!/bin/sh
+echo Generating decrypted version of the server key
+openssl rsa -passin pass:mypassword -in serverkey.pem -out serverkey_dec.pem
+
diff --git a/certs/scripts/generate_all.sh b/certs/scripts/generate_all.sh
new file mode 100755
index 0000000..1ce1215
--- /dev/null
+++ b/certs/scripts/generate_all.sh
@@ -0,0 +1,72 @@
+#!/bin/sh
+
+echo ====================================================
+echo Cleaning up old files
+./clean_all.sh
+
+echo ====================================================
+echo Creating Certificate Authority
+./create-ca.sh
+cp testCA/cacert.pem cacert.pem
+
+echo ====================================================
+echo Creating Generic Server Certificate
+./create-server-cert-request.sh
+./sign-server-cert-request.sh
+./decrypt-server-key.sh
+
+echo ====================================================
+echo Creating MQTT Server Certificate
+./create-mqtt-server-cert-request.sh
+./sign-mqtt-server-cert-request.sh
+./decrypt-mqtt-server-key.sh
+
+echo ====================================================
+echo Creating Kafka Server Certificate
+./create-kafka-server-cert-request.sh
+./sign-kafka-server-cert-request.sh
+
+echo ====================================================
+echo Creating Cassandra Server Certificate
+./create-cassandra-server-cert-request.sh
+./sign-cassandra-server-cert-request.sh
+./decrypt-cassandra-server-key.sh
+
+echo ====================================================
+echo Creating Client Certificate
+./create-client-cert-request.sh
+./sign-client-cert-request.sh
+./decrypt-client-key.sh
+
+echo ====================================================
+echo Creating Postgres Client Certificates
+./create-postgres-client-cert-request.sh
+./sign-postgres-client-cert-request.sh
+./decrypt-postgres-client-key.sh
+
+echo ====================================================
+echo Verifying Server Certificate
+./verify-server.sh servercert.pem
+
+echo ====================================================
+echo Verifying Client Certificate
+./verify-client.sh clientcert.pem
+
+echo ====================================================
+echo Packaging Server Certificates
+./package-server-cert.sh
+./package-kafka-server-cert.sh
+./package-cassandra-server-cert.sh
+
+echo ====================================================
+echo Packaging Client Certificates
+./package-client-cert.sh
+./package-postgres-client-cert.sh
+
+echo ====================================================
+echo Packaging CA Certificate
+./package-ca-cert.sh
+
+echo ====================================================
+echo All Done
+
diff --git a/certs/scripts/openssl-ca.cnf b/certs/scripts/openssl-ca.cnf
new file mode 100644
index 0000000..2ca5052
--- /dev/null
+++ b/certs/scripts/openssl-ca.cnf
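Review bot: generate_all.sh never checks the exit status of any child script — there is no `set -e` and no `|| exit` — so a failed `./create-ca.sh` or a failing `./verify-server.sh servercert.pem` is followed by the next step and the run still ends with `echo All Done`; adding `set -e` after the shebang stops at the first failure, since every step is a plain command. All paths are relative (`./clean_all.sh`, `testCA/cacert.pem`), so running the script from another directory executes clean_all.sh's `rm -rf testCA` and its globbed rm lines against that directory; `cd "$(dirname "$0")" || exit 1` at the top pins the working directory. The Kafka section is the only server block without a decrypt step; if that is intentional because package-kafka-server-cert.sh reads the encrypted key directly, a comment saying so would save the next reader a question.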
@@ -0,0 +1,114 @@
+HOME = .
+RANDFILE = $ENV::HOME/.rnd
+
+input_password = mypassword
+output_password = mypassword
+
+####################################################################
+[ ca ]
+default_ca = CA_default # The default ca section
+
+[ CA_default ]
+
+dir = ./testCA # Where everything is kept
+certs = $dir/certs # Where the issued certs are kept
+crl_dir = $dir/crl # Where the issued crl are kept
+database = $dir/index.txt # database index file.
+unique_subject = no # Set to 'no' to allow creation of
+ # several certs with same subject.
+new_certs_dir = $dir/newcerts # default place for new certs.
+
+certificate = $dir/cacert.pem # The CA certificate
+serial = $dir/serial.txt # The current serial number
+crlnumber = $dir/crlnumber # the current crl number
+ # must be commented out to leave a V1 CRL
+crl = $dir/crl.pem # The current CRL
+private_key = $dir/private/cakey.pem # The private key
+
+default_days = 1000 # How long to certify for
+default_crl_days = 30 # How long before next CRL
+default_md = sha256 # Use public key default MD
+preserve = no # Keep passed DN ordering
+
+
+x509_extensions = ca_extensions # The extensions to add to the cert
+
+email_in_dn = no # Don't concat the email in the DN
+copy_extensions = copy # Required to copy SANs from CSR to cert
+
+crl_extensions = crl_ext
+
+####################################################################
+[ req ]
+default_bits = 4096
+default_keyfile = cakey.pem
+distinguished_name = ca_distinguished_name
+x509_extensions = ca_extensions
+string_mask = utf8only
+
+[ crl_ext ]
+
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+# issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always
+
+####################################################################
+[ ca_distinguished_name ]
+countryName = Country Name (2 letter code)
+countryName_default = CA
+
+stateOrProvinceName = State or Province Name (full name)
+stateOrProvinceName_default = Ontario
+
+localityName = Locality Name (eg, city)
+localityName_default = Ottawa
+
+organizationName = Organization Name (eg, company)
+organizationName_default = ConnectUs Technologies
+
+organizationalUnitName = Organizational Unit (eg, division)
+organizationalUnitName_default = Testing Department
+
+commonName = Common Name (e.g. server FQDN or YOUR name)
+commonName_default = Test CA Not For Deployment
+
+emailAddress = Email Address
+emailAddress_default = test@example.com
+
+####################################################################
+[ ca_extensions ]
+
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always, issuer
+basicConstraints = critical, CA:true
+keyUsage = keyCertSign, cRLSign
+
+####################################################################
+[ signing_policy ]
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+####################################################################
+[ signing_req_server ]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+basicConstraints = CA:FALSE
+keyUsage = digitalSignature, keyEncipherment
+
+[ signing_req_client ]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+basicConstraints = CA:FALSE
+keyUsage = digitalSignature
+
+
+[ policy_match ]
+organizationName = match
+
diff --git a/certs/scripts/package-ca-cert.sh b/certs/scripts/package-ca-cert.sh
new file mode 100755
index 0000000..6851f17
--- /dev/null
+++ b/certs/scripts/package-ca-cert.sh
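Review bot: `[ signing_policy ]` in openssl-ca.cnf makes every DN field except commonName `optional`, and together with `unique_subject = no` and `copy_extensions = copy` the CA will sign any CSR for any name and carry over requester-chosen extensions (with `copy`, only extensions absent from the `-extensions` section are taken from the CSR, so basicConstraints and keyUsage stay as configured, but something like extendedKeyUsage in a CSR passes through). For a CA whose CN is "Test CA Not For Deployment" that is fine, but a comment above `copy_extensions`, e.g. `# Test CA: signs any CSR unreviewed; do not reuse this policy for a production CA`, would stop the file being copied as a template. Neither `signing_req_server` nor `signing_req_client` sets `extendedKeyUsage`; adding `extendedKeyUsage = serverAuth` and `extendedKeyUsage = clientAuth` respectively makes the purpose explicit and gives `openssl verify -purpose sslserver`/`sslclient` in verify-*.sh something beyond keyUsage to check. `input_password`/`output_password = mypassword` store the CA key passphrase in a tracked file while every sign-*.sh also passes it via `-key mypassword`; one source (an environment variable) would avoid the duplication.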
@@ -0,0 +1,3 @@
+#!/bin/sh
+keytool -import -noprompt -file testCA/cacert.pem -alias my_ca -keystore truststore.jks -storepass mypassword
+
diff --git a/certs/scripts/package-cassandra-server-cert.sh b/certs/scripts/package-cassandra-server-cert.sh
new file mode 100755
index 0000000..f999cbf
--- /dev/null
+++ b/certs/scripts/package-cassandra-server-cert.sh
@@ -0,0 +1,5 @@
+#!/bin/sh
+openssl pkcs12 -export -in cassandraservercert.pem -inkey cassandraserverkey.pem -passin pass:mypassword -passout pass:mypassword -out cassandra-server.pkcs12 -name 1 -CAfile testCA/cacert.pem -caname root -chain
+
+keytool -importkeystore -destkeystore cassandra_server_keystore.jks -srckeystore cassandra-server.pkcs12 -srcstoretype pkcs12 -srcstorepass mypassword -deststorepass mypassword -deststoretype JKS -alias 1
+
diff --git a/certs/scripts/package-client-cert.sh b/certs/scripts/package-client-cert.sh
new file mode 100755
index 0000000..03fc47d
--- /dev/null
+++ b/certs/scripts/package-client-cert.sh
@@ -0,0 +1,5 @@
+#!/bin/sh
+openssl pkcs12 -export -in clientcert.pem -inkey clientkey.pem -passin pass:mypassword -passout pass:mypassword -out client.pkcs12 -name clientqrcode -CAfile testCA/cacert.pem -caname root -chain
+
+keytool -importkeystore -destkeystore client_keystore.jks -srckeystore client.pkcs12 -srcstoretype pkcs12 -srcstorepass mypassword -deststorepass mypassword -deststoretype JKS -alias clientqrcode
+
diff --git a/certs/scripts/package-kafka-server-cert.sh b/certs/scripts/package-kafka-server-cert.sh
new file mode 100755
index 0000000..e346122
--- /dev/null
+++ b/certs/scripts/package-kafka-server-cert.sh
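Review bot: `-srcstorepass mypassword -deststorepass mypassword` and `-passin/-passout pass:mypassword` in package-cassandra-server-cert.sh put the keystore password on the command line, where the process list exposes it; keytool accepts `-srcstorepass:env VAR` / `-deststorepass:env VAR` (or `:file`) and openssl accepts `-passin env:VAR`, so a single environment variable could serve the whole pipeline — the same pattern is in package-ca-cert.sh, package-client-cert.sh, package-kafka-server-cert.sh, package-postgres-client-cert.sh and package-server-cert.sh. `-deststoretype JKS` selects the legacy proprietary format that current keytool releases warn about; since the source is already PKCS#12, either ship `cassandra-server.pkcs12` directly or use `-deststoretype PKCS12`, unless the Cassandra configuration specifically requires JKS, in which case a comment saying so is warranted. Both the intermediate `.pkcs12` and the `.jks` contain the private key and are left in the working directory with default permissions, and they are what copy-certs-to-helm.sh later ships, so `umask 077` at the top of the script is cheap protection.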
@@ -0,0 +1,5 @@
+#!/bin/sh
+openssl pkcs12 -export -in kafkaservercert.pem -inkey kafkaserverkey.pem -passin pass:mypassword -passout pass:mypassword -out kafka-server.pkcs12 -name 1 -CAfile testCA/cacert.pem -caname root -chain
+
+keytool -importkeystore -destkeystore kafka_server_keystore.jks -srckeystore kafka-server.pkcs12 -srcstoretype pkcs12 -srcstorepass mypassword -deststorepass mypassword -deststoretype JKS -alias 1
+
diff --git a/certs/scripts/package-postgres-client-cert.sh b/certs/scripts/package-postgres-client-cert.sh
new file mode 100755
index 0000000..c0c0e67
--- /dev/null
+++ b/certs/scripts/package-postgres-client-cert.sh
@@ -0,0 +1,2 @@
+#!/bin/sh
+openssl pkcs12 -export -in postgresclientcert.pem -inkey postgresclientkey.pem -passin pass:mypassword -passout pass:mypassword -out postgresclient.p12 -name user -CAfile testCA/cacert.pem -caname root -chain
diff --git a/certs/scripts/package-server-cert.sh b/certs/scripts/package-server-cert.sh
new file mode 100755
index 0000000..ae35074
--- /dev/null
+++ b/certs/scripts/package-server-cert.sh
@@ -0,0 +1,6 @@
+#!/bin/sh
+
+openssl pkcs12 -export -in servercert.pem -inkey serverkey.pem -passin pass:mypassword -passout pass:mypassword -out server.pkcs12 -name 1 -CAfile testCA/cacert.pem -caname root -chain
+
+keytool -importkeystore -destkeystore server_keystore.jks -srckeystore server.pkcs12 -srcstoretype pkcs12 -srcstorepass mypassword -deststorepass mypassword -deststoretype JKS -alias 1
+
diff --git a/certs/scripts/show-ca-purpose.sh b/certs/scripts/show-ca-purpose.sh
new file mode 100755
index 0000000..9bf6420
--- /dev/null
+++ b/certs/scripts/show-ca-purpose.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+openssl x509 -purpose -in ./testCA/cacert.pem -inform PEM -noout
+
diff --git a/certs/scripts/show-ca.sh b/certs/scripts/show-ca.sh
new file mode 100755
index 0000000..177369f
--- /dev/null
+++ b/certs/scripts/show-ca.sh
@@ -0,0 +1,2 @@
+#!/bin/sh
+openssl x509 -in ./testCA/cacert.pem -text -noout
diff --git a/certs/scripts/show-cert-chain.sh b/certs/scripts/show-cert-chain.sh
new file mode 100755
index 0000000..be0ea5c
--- /dev/null
+++ b/certs/scripts/show-cert-chain.sh
@@ -0,0 +1,36 @@
+#!/bin/bash
+
+chain_pem="${1}"
+
+if [[ ! -f "${chain_pem}" ]]; then
+ echo "Usage: $0 BASE64_CERTIFICATE_CHAIN_FILE" >&2
+ exit 1
+fi
+
+if ! openssl x509 -in "${chain_pem}" -noout 2>/dev/null ; then
+ echo "${chain_pem} is not a certificate" >&2
+ exit 1
+fi
+
+awk -F'\n' '
+ BEGIN {
+ showcert = "openssl x509 -noout -subject -issuer"
+ }
+
+ /-----BEGIN CERTIFICATE-----/ {
+ printf "%2d: ", ind
+ }
+
+ {
+ printf $0"\n" | showcert
+ }
+
+ /-----END CERTIFICATE-----/ {
+ close(showcert)
+ ind ++
+ }
+ ' "${chain_pem}"
+
+echo
+openssl verify -untrusted "${chain_pem}" "${chain_pem}"
+
diff --git a/certs/scripts/show-client-csr.sh b/certs/scripts/show-client-csr.sh
new file mode 100755
index 0000000..82d3e0a
--- /dev/null
+++ b/certs/scripts/show-client-csr.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+openssl req -text -noout -verify -in clientcert.csr
+
diff --git a/certs/scripts/show-client-purpose.sh b/certs/scripts/show-client-purpose.sh
new file mode 100755
index 0000000..6c2f0af
--- /dev/null
+++ b/certs/scripts/show-client-purpose.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+openssl x509 -purpose -in clientcert.pem -inform PEM -noout
+
diff --git a/certs/scripts/show-server-cert.sh b/certs/scripts/show-server-cert.sh
new file mode 100755
index 0000000..93ee258
--- /dev/null
+++ b/certs/scripts/show-server-cert.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+openssl x509 -in servercert.pem -text -noout
+
diff --git a/certs/scripts/show-server-csr.sh b/certs/scripts/show-server-csr.sh
new file mode 100755
index 0000000..014fecd
--- /dev/null
+++ b/certs/scripts/show-server-csr.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+openssl req -text -noout -verify -in servercert.csr
+
diff --git a/certs/scripts/show-server-purpose.sh b/certs/scripts/show-server-purpose.sh
new file mode 100755
index 0000000..2ee600a
--- /dev/null
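Review bot: `printf $0"\n" | showcert` in show-cert-chain.sh's awk program uses each input line as the printf format string, so any `%` in the file is interpreted instead of being forwarded to openssl; `print $0 | showcert` is the intended form, and the `-F'\n'` on the awk invocation is unused and can go. The closing `openssl verify -untrusted "${chain_pem}" "${chain_pem}"` has no `-CAfile`, so it validates against the system trust store and a chain issued by ./testCA reports a failure even when it is internally consistent; if the script targets this repository's certificates, add `-CAfile ./testCA/cacert.pem`, otherwise a usage comment stating that the chain must end in a publicly trusted root would avoid confusion. `ind` is never initialised, which awk tolerates (empty string counts as 0), but `ind = 0` in the `BEGIN` block makes the numbering explicit.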
+++ b/certs/scripts/show-server-purpose.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+openssl x509 -purpose -in servercert.pem -inform PEM -noout
+
diff --git a/certs/scripts/sign-cassandra-server-cert-request.sh b/certs/scripts/sign-cassandra-server-cert-request.sh
new file mode 100755
index 0000000..b24960e
--- /dev/null
+++ b/certs/scripts/sign-cassandra-server-cert-request.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+openssl ca -batch -key mypassword -config openssl-ca.cnf -policy signing_policy -extensions signing_req_server -out cassandraservercert.pem -infiles cassandraservercert.csr
+
diff --git a/certs/scripts/sign-client-cert-request.sh b/certs/scripts/sign-client-cert-request.sh
new file mode 100755
index 0000000..0d9008d
--- /dev/null
+++ b/certs/scripts/sign-client-cert-request.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+openssl ca -batch -key mypassword -config openssl-ca.cnf -policy signing_policy -extensions signing_req_client -out clientcert.pem -infiles clientcert.csr
+
diff --git a/certs/scripts/sign-kafka-server-cert-request.sh b/certs/scripts/sign-kafka-server-cert-request.sh
new file mode 100755
index 0000000..0b8f862
--- /dev/null
+++ b/certs/scripts/sign-kafka-server-cert-request.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+openssl ca -batch -key mypassword -config openssl-ca.cnf -policy signing_policy -extensions signing_req_server -out kafkaservercert.pem -infiles kafkaservercert.csr
+
diff --git a/certs/scripts/sign-mqtt-server-cert-request.sh b/certs/scripts/sign-mqtt-server-cert-request.sh
new file mode 100755
index 0000000..347cba4
--- /dev/null
+++ b/certs/scripts/sign-mqtt-server-cert-request.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+openssl ca -batch -key mypassword -config openssl-ca.cnf -policy signing_policy -extensions signing_req_server -out mqttservercert.pem -infiles mqttservercert.csr
+
diff --git a/certs/scripts/sign-postgres-client-cert-request.sh b/certs/scripts/sign-postgres-client-cert-request.sh
new file mode 100755
index 0000000..c20429c
--- /dev/null
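Review bot: `openssl ca -batch -key mypassword` in sign-cassandra-server-cert-request.sh hands the CA private-key passphrase over as a command-line argument, where it is visible in the process list and shell history; `openssl ca` also takes `-passin env:VAR` or `-passin file:PATH`, which would let the passphrase live in one place — the identical line is repeated in sign-client-cert-request.sh, sign-kafka-server-cert-request.sh, sign-mqtt-server-cert-request.sh, sign-postgres-client-cert-request.sh and sign-server-cert-request.sh. Because `-batch` suppresses the confirmation prompt and `signing_policy` in openssl-ca.cnf only requires a commonName, the CSR is signed exactly as submitted; a header comment such as `# Test CA: signs the CSR unreviewed with the extensions from signing_req_server` documents that. sign-postgres-client-cert-request.sh is the only one that removes its CSR afterwards (`rm postgresclientcert.csr`); since clean_all.sh already deletes `./*.csr`, either drop that line or apply it consistently.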
+++ b/certs/scripts/sign-postgres-client-cert-request.sh
@@ -0,0 +1,5 @@
+#!/bin/sh
+openssl ca -batch -key mypassword -config openssl-ca.cnf -policy signing_policy -extensions signing_req_client -out postgresclientcert.pem -infiles postgresclientcert.csr
+
+rm postgresclientcert.csr
+
diff --git a/certs/scripts/sign-server-cert-request.sh b/certs/scripts/sign-server-cert-request.sh
new file mode 100755
index 0000000..af4ed2a
--- /dev/null
+++ b/certs/scripts/sign-server-cert-request.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+openssl ca -batch -key mypassword -config openssl-ca.cnf -policy signing_policy -extensions signing_req_server -out servercert.pem -infiles servercert.csr
+
diff --git a/certs/scripts/start-test-client.sh b/certs/scripts/start-test-client.sh
new file mode 100755
index 0000000..df99866
--- /dev/null
+++ b/certs/scripts/start-test-client.sh
@@ -0,0 +1,2 @@
+#!/bin/sh
+openssl s_client -CAfile ./testCA/cacert.pem -cert clientcert.pem -key clientkey.pem -connect 127.0.0.1:4242
diff --git a/certs/scripts/start-test-server.sh b/certs/scripts/start-test-server.sh
new file mode 100755
index 0000000..4d5e9b8
--- /dev/null
+++ b/certs/scripts/start-test-server.sh
@@ -0,0 +1,2 @@
+#!/bin/sh
+openssl s_server -CAfile ./testCA/cacert.pem -cert servercert.pem -key serverkey.pem -port 4242
diff --git a/certs/scripts/verify-client.sh b/certs/scripts/verify-client.sh
new file mode 100755
index 0000000..bee5337
--- /dev/null
+++ b/certs/scripts/verify-client.sh
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+target_pem="${1}"
+
+if [[ ! -f "${target_pem}" ]]; then
+ echo "Usage: $0 BASE64_CERTIFICATE_FILE" >&2
+ exit 1
+fi
+
+openssl x509 -subject -issuer -noout -dates -in "$target_pem"
+
+openssl verify -purpose sslclient -CAfile ./testCA/cacert.pem "$target_pem"
+
diff --git a/certs/scripts/verify-server.sh b/certs/scripts/verify-server.sh
new file mode 100755
index 0000000..49d2189
--- /dev/null
+++ b/certs/scripts/verify-server.sh
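Review bot: `openssl s_server -CAfile ./testCA/cacert.pem -cert servercert.pem -key serverkey.pem -port 4242` in start-test-server.sh never requests a client certificate — without `-Verify <depth>` (require) or `-verify <depth>` (request) the trust store is not consulted for the peer, so the `-cert clientcert.pem -key clientkey.pem` that start-test-client.sh presents is never exercised and the pair does not actually test mutual TLS; `-Verify 1` on the server line fixes that. On the client side, `openssl s_client` continues the handshake even when chain verification fails unless `-verify_return_error` is given, so a broken `-CAfile` check only appears as text in the output rather than as an exit status. `serverkey.pem` is the passphrase-protected key (decrypt-server-key.sh exists to produce `serverkey_dec.pem`), so this command will presumably prompt interactively; pointing `-key` at `serverkey_dec.pem` or adding `-pass env:VAR` matches the rest of the tooling.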
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+target_pem="${1}"
+
+if [[ ! -f "${target_pem}" ]]; then
+ echo "Usage: $0 BASE64_CERTIFICATE_FILE" >&2
+ exit 1
+fi
+
+openssl x509 -subject -issuer -noout -dates -in "$target_pem"
+
+openssl verify -purpose sslserver -CAfile ./testCA/cacert.pem "$target_pem"
+