Generera keystore
Nedanstående script kan användas för att generera en keystore som innehåller mellanliggande CA:er.
Ladda ner SITHS root ca.
Säkerställ att klientcertifikaten och deras lösenord finns till hands, och uppdatera scriptet med filnamnen på era certifikat.
Scriptet genererar 2 keystores i detta fallet, då det finns 2 klientcertifikat (ett för internet och ett för sjunet).
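#!/usr/bin/env bash
#
# Builds one JKS keystore per client certificate (one for internet, one for
# Sjunet). Each keystore ends up holding the client's private key together
# with the chain: client certificate -> SITHS Type 2 CA v1 -> SITHS Root CA v1.
#
# Inputs (edit the defaults or override them through the environment):
#   CA_DIR        directory holding the DER-encoded SITHS CA certificates
#   SJUNET_P12    PKCS#12 bundle for esb.ntjp.sjunet.org
#   INTERNET_P12  PKCS#12 bundle for esb.ntjp.se
#   JKS_MODE      file mode applied to the generated keystores
#
# Outputs:
#   generated-pem/  certificates only (exported with -nokeys, no private keys)
#   generated-jks/  the keystores, which DO contain the private keys
#
# openssl and keytool prompt for the passwords. Keep it that way: passwords
# given as command-line arguments are visible in the process list and in
# shell history.

# Stop at the first failing step. Without this, a failed export would still
# be followed by the keystore imports, leaving a keystore with a missing or
# incomplete chain.
set -euo pipefail

CA_DIR="${CA_DIR:-../CA/SITHS}"
# Each bundle is named exactly once so the certificate export (openssl) and
# the key import (keytool) cannot drift apart and read different files.
SJUNET_P12="${SJUNET_P12:-../skltp/esb.ntjp.sjunet.org_legitimering_pkcs12_prod.p12}"
INTERNET_P12="${INTERNET_P12:-../skltp/esb.ntjp.se_legitimering_pkcs12_prod.p12}"
# NOTE(review): 444 makes the keystores, private keys included, readable by
# every local user, so the store password is the only protection left.
# Prefer 400, or 440 with the service account's group, where the deployment
# allows it.
JKS_MODE="${JKS_MODE:-444}"

readonly PEM_DIR=generated-pem
readonly JKS_DIR=generated-jks
readonly SJUNET_ALIAS=esb.ntjp.sjunet.org
readonly INTERNET_ALIAS=esb.ntjp.se

# Check the inputs before anything is deleted, so a typo in a file name does
# not wipe the output of a previous successful run.
for required in \
  "${CA_DIR}/SITHS_Type_2_CA_v1.cer" \
  "${CA_DIR}/SITHS_Root_CA_v1.crt" \
  "$SJUNET_P12" \
  "$INTERNET_P12"; do
  if [[ ! -r "$required" ]]; then
    printf 'missing or unreadable input: %s\n' "$required" >&2
    exit 1
  fi
done

rm -rf -- "$JKS_DIR"
mkdir -- "$JKS_DIR"
rm -rf -- "$PEM_DIR"
mkdir -- "$PEM_DIR"

echo "=== Export SITHS CA's as PEM ==="
openssl x509 -inform DER -in "${CA_DIR}/SITHS_Type_2_CA_v1.cer" \
  -out "${PEM_DIR}/siths_type_2_ca_v1.pem" -outform PEM
openssl x509 -inform DER -in "${CA_DIR}/SITHS_Root_CA_v1.crt" \
  -out "${PEM_DIR}/siths_root_ca_v1.pem" -outform PEM

# The chain import further down runs with -noprompt, so keytool will not ask
# whether these CA certificates are trusted. Compare the fingerprints printed
# here with the values published by the CA before using the keystores.
echo "=== SITHS CA fingerprints (verify against the published values) ==="
openssl x509 -noout -subject -fingerprint -sha256 -in "${PEM_DIR}/siths_type_2_ca_v1.pem"
openssl x509 -noout -subject -fingerprint -sha256 -in "${PEM_DIR}/siths_root_ca_v1.pem"

# Export P12 Certificate (PEM). -nokeys keeps the private key out of the PEM.
echo "=== Export esb.ntjp.sjunet.org.p12 Certificate (PEM) ==="
openssl pkcs12 -in "$SJUNET_P12" -out "${PEM_DIR}/${SJUNET_ALIAS}.p12.crt.pem" -nokeys

# Export P12 Certificate (PEM)
echo "=== Export esb.ntjp.se.p12 Certificate (PEM) ==="
openssl pkcs12 -in "$INTERNET_P12" -out "${PEM_DIR}/${INTERNET_ALIAS}.p12.crt.pem" -nokeys

# SITHS TYPE 2 CA V1 + SITHS ROOT V1 (PEM): issuing CA first, root last.
echo "=== Create SITHS CA Chain ==="
cat "${PEM_DIR}/siths_type_2_ca_v1.pem" "${PEM_DIR}/siths_root_ca_v1.pem" \
  > "${PEM_DIR}/ca_chain.pem"

# Remove Header. Re-encoding through "openssl x509" drops the bag attributes
# that "openssl pkcs12" writes in front of the certificate.
# NOTE(review): this keeps only the first certificate in the export; it is
# presumably the client certificate - confirm for your bundles.
echo "=== Remove Bag Header from PEM ==="
openssl x509 -in "${PEM_DIR}/${SJUNET_ALIAS}.p12.crt.pem" \
  -out "${PEM_DIR}/${SJUNET_ALIAS}.p12.crt.out.pem"
openssl x509 -in "${PEM_DIR}/${INTERNET_ALIAS}.p12.crt.pem" \
  -out "${PEM_DIR}/${INTERNET_ALIAS}.p12.crt.out.pem"

# Create Complete Certificate Chain: client certificate followed by the CAs.
echo "=== Create Complete Certificate Chain ==="
cat "${PEM_DIR}/${SJUNET_ALIAS}.p12.crt.out.pem" "${PEM_DIR}/ca_chain.pem" \
  > "${PEM_DIR}/${SJUNET_ALIAS}_cert_chain.pem"
cat "${PEM_DIR}/${INTERNET_ALIAS}.p12.crt.out.pem" "${PEM_DIR}/ca_chain.pem" \
  > "${PEM_DIR}/${INTERNET_ALIAS}_cert_chain.pem"

# Import P12 to Keystore (this step copies the private key).
# NOTE(review): JKS is a legacy keystore format and keytool recommends
# PKCS12; keep JKS only if the consuming platform requires it.
echo "=== Import esb.ntjp.sjunet.org.p12 (alias: esb.ntjp.sjunet.org) to Keystore: esb.ntjp.sjunet.org.jks ==="
keytool -importkeystore \
  -srckeystore "$SJUNET_P12" -srcalias "$SJUNET_ALIAS" -srcstoretype PKCS12 \
  -destkeystore "${JKS_DIR}/${SJUNET_ALIAS}.jks" -destalias "$SJUNET_ALIAS" -deststoretype JKS

echo "=== Import esb.ntjp.se.p12 (alias: esb.ntjp.se) to Keystore: esb.ntjp.se.jks ==="
keytool -importkeystore \
  -srckeystore "$INTERNET_P12" -srcalias "$INTERNET_ALIAS" -srcstoretype PKCS12 \
  -destkeystore "${JKS_DIR}/${INTERNET_ALIAS}.jks" -destalias "$INTERNET_ALIAS" -deststoretype JKS

# Import Complete Certificate Chain. The alias is the one that already holds
# the private key, so the chain is attached to that key entry.
echo "=== Import Complete Certificate Chain to Keystore: esb.ntjp.sjunet.org.jks==="
keytool -import -trustcacerts -keystore "${JKS_DIR}/${SJUNET_ALIAS}.jks" \
  -alias "$SJUNET_ALIAS" -file "${PEM_DIR}/${SJUNET_ALIAS}_cert_chain.pem" -noprompt

echo "=== Import Complete Certificate Chain to Keystore: esb.ntjp.se.jks==="
keytool -import -trustcacerts -keystore "${JKS_DIR}/${INTERNET_ALIAS}.jks" \
  -alias "$INTERNET_ALIAS" -file "${PEM_DIR}/${INTERNET_ALIAS}_cert_chain.pem" -noprompt

# Change sharing and permissions on JKS files
chmod "$JKS_MODE" "${JKS_DIR}"/*.jks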
Installera root certifikat
...