Created
February 6, 2019 12:57
-
-
Save costa/f2cd91baf485f03bcee4de4c1fce7815 to your computer and use it in GitHub Desktop.
a starter script for client+server kafka rest proxy certificates+keystores
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/bin/bash -e | |
INGESTER_DOMAIN_NAME="${INGESTER_DOMAIN_NAME:-$1}" | |
echo "CAUTION should be run from a secure directory" | |
if test -z "$INGESTER_DOMAIN_NAME" | |
then echo "needs INGESTER_DOMAIN_NAME" | |
exit 1 | |
else echo "INGESTER_DOMAIN_NAME=$INGESTER_DOMAIN_NAME" | |
fi | |
read -e -s -p "Enter the CA cert password (6 char min): " CA_PASSWORD | |
echo gotcha | |
read -e -s -p "Enter the (new) client truststore password (6 char min): " CLIENT_TRUSTSTORE_PASSWORD | |
echo gotcha | |
read -e -s -p "Enter the (new) server keystore password (6 char min): " SERVER_KEYSTORE_PASSWORD | |
echo gotcha | |
echo "the above password will be also used as the key.password" | |
if test -z "$CA_PASSWORD" || test -z "$CLIENT_TRUSTSTORE_PASSWORD" || test -z "$SERVER_KEYSTORE_PASSWORD" | |
then echo "needs all the passwords" | |
exit 1 | |
fi | |
KEY_PASSWORD="${KEY_PASS:-${INGESTER_DOMAIN_NAME}#secret}" | |
CERT_VALIDITY_DAYS="${CERT_VALIDITY_DAYS:-365}" | |
echo "The validity of all the certs will be $CERT_VALIDITY_DAYS days" | |
CA_CN="ca.$INGESTER_DOMAIN_NAME" | |
if ! test -f ca-cert | |
then # Create a new CA cert | |
openssl req -new -x509 -keyout ca-key -out ca-cert -days $CERT_VALIDITY_DAYS -passout "pass:$CA_PASSWORD" -subj "/CN=$CA_CN" | |
else echo "Using existing ca-cert" | |
fi | |
# Create a new server cert and a keystore.jks with it within | |
openssl req -new -newkey rsa:2048 -sha256 -keyout server-cert-key -out server-cert-req -passout "pass:$KEY_PASSWORD" -subj "/CN=$INGESTER_DOMAIN_NAME" | |
openssl x509 -req -in server-cert-req -CA ca-cert -CAkey ca-key -CAcreateserial -out signed-server-cert -passin "pass:$CA_PASSWORD" | |
openssl pkcs12 -export -name "$INGESTER_DOMAIN_NAME" -in signed-server-cert -inkey server-cert-key -out server-keystore.p12 -passin "pass:$KEY_PASSWORD" -password "pass:temp" | |
keytool -keystore kafka.server.keystore.jks -alias "$INGESTER_DOMAIN_NAME" -importkeystore -srckeystore server-keystore.p12 -srcstorepass "temp" -deststorepass "$SERVER_KEYSTORE_PASSWORD" -destkeypass "$SERVER_KEYSTORE_PASSWORD" -noprompt | |
rm server-keystore.p12 | |
echo "kafka.server.keystore.jks written successfully" | |
# Create a new client cert and a truststore.jks with it within | |
openssl req -new -newkey rsa:2048 -sha256 -keyout client-cert-key -out client-cert-req -passout "pass:$KEY_PASSWORD" -subj "/CN=acme-client.example.com" | |
openssl x509 -req -in client-cert-req -CA ca-cert -CAkey ca-key -CAcreateserial -out signed-client-cert -passin "pass:$CA_PASSWORD" | |
openssl pkcs12 -export -name "$INGESTER_DOMAIN_NAME" -in signed-client-cert -inkey client-cert-key -out client-keystore.p12 -passin "pass:$KEY_PASSWORD" -password "pass:temp" | |
keytool -keystore kafka.client.truststore.jks -alias "$INGESTER_DOMAIN_NAME" -importkeystore -srckeystore client-keystore.p12 -srcstorepass "temp" -deststorepass "$CLIENT_TRUSTSTORE_PASSWORD" -destkeypass "$KEY_PASSWORD" -noprompt | |
rm client-keystore.p12 | |
echo "kafka.client.truststore.jks written successfully" |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment