Generate a keystore with intermediate CAs
The script below can be used to generate a keystore containing the intermediate CAs.
Download the SITHS root CA.
Make sure the client certificate and its password are at hand, and update the script with the names of the files holding your certificates.
In this case the script generates 2 keystores, since there are 2 client certificates (one for the internet and one for Sjunet).
generateKeystore.sh
#!/bin/bash

rm -rf generated-jks
mkdir generated-jks
rm -rf generated-pem
mkdir generated-pem

echo "=== Export SITHS CA's as PEM ==="
openssl x509 -inform DER -in "../CA/SITHS/SITHS_Type_2_CA_v1.cer" -out generated-pem/siths_type_2_ca_v1.pem -outform PEM
openssl x509 -inform DER -in "../CA/SITHS/SITHS_Root_CA_v1.crt" -out generated-pem/siths_root_ca_v1.pem -outform PEM

# Export P12 Certificate (PEM)
echo "=== Export esb.ntjp.sjunet.org.p12 Certificate (PEM) ==="
openssl pkcs12 -in ../skltp/esb.ntjp.sjunet.org_legitimering_pkcs12_prod.p12 -out generated-pem/esb.ntjp.sjunet.org.p12.crt.pem -nokeys

# Export P12 Certificate (PEM)
echo "=== Export esb.ntjp.se.p12 Certificate (PEM) ==="
openssl pkcs12 -in ../skltp/esb.ntjp.se_legitimering_pkcs12_prod.p12 -out generated-pem/esb.ntjp.se.p12.crt.pem -nokeys

# SITHS TYPE 2 CA V1 + SITHS ROOT V1 (PEM)
echo "=== Create SITHS CA Chain ==="
cat generated-pem/siths_type_2_ca_v1.pem generated-pem/siths_root_ca_v1.pem > generated-pem/ca_chain.pem

# Remove Header (the Bag Attributes that openssl pkcs12 writes before the certificate).
echo "=== Remove Bag Header from PEM ==="
openssl x509 -in generated-pem/esb.ntjp.sjunet.org.p12.crt.pem -out generated-pem/esb.ntjp.sjunet.org.p12.crt.out.pem
openssl x509 -in generated-pem/esb.ntjp.se.p12.crt.pem -out generated-pem/esb.ntjp.se.p12.crt.out.pem

# Create Complete Certificate Chain (client certificate first, then intermediate CA, then root CA).
echo "=== Create Complete Certificate Chain ==="
cat generated-pem/esb.ntjp.sjunet.org.p12.crt.out.pem generated-pem/ca_chain.pem > generated-pem/esb.ntjp.sjunet.org_cert_chain.pem
cat generated-pem/esb.ntjp.se.p12.crt.out.pem generated-pem/ca_chain.pem > generated-pem/esb.ntjp.se_cert_chain.pem

# Import P12 to Keystore
echo "=== Import esb.ntjp.sjunet.org.p12 (alias: esb.ntjp.sjunet.org) to Keystore: esb.ntjp.sjunet.org.jks ==="
keytool -importkeystore -srckeystore ../skltp/esb.ntjp.sjunet.org.p12 -srcalias esb.ntjp.sjunet.org -srcstoretype PKCS12 -destkeystore generated-jks/esb.ntjp.sjunet.org.jks -destalias esb.ntjp.sjunet.org -deststoretype JKS
echo "=== Import esb.ntjp.se.p12 (alias: esb.ntjp.se) to Keystore: esb.ntjp.se.jks ==="
keytool -importkeystore -srckeystore ../skltp/esb.ntjp.se.p12 -srcalias esb.ntjp.se -srcstoretype PKCS12 -destkeystore generated-jks/esb.ntjp.se.jks -destalias esb.ntjp.se -deststoretype JKS

# Import Complete Certificate Chain (replaces the chain of the private key entry under the same alias)
echo "=== Import Complete Certificate Chain to Keystore: esb.ntjp.sjunet.org.jks ==="
keytool -import -trustcacerts -keystore generated-jks/esb.ntjp.sjunet.org.jks -alias esb.ntjp.sjunet.org -file generated-pem/esb.ntjp.sjunet.org_cert_chain.pem -noprompt
echo "=== Import Complete Certificate Chain to Keystore: esb.ntjp.se.jks ==="
keytool -import -trustcacerts -keystore generated-jks/esb.ntjp.se.jks -alias esb.ntjp.se -file generated-pem/esb.ntjp.se_cert_chain.pem -noprompt

# Change sharing and permissions on JKS files
chmod 444 generated-jks/*.jks
Install the root certificate
Adding the root certificate to the truststore
Import
keytool -import -file rootCertifikat.cer -alias aliasRootCertifikat -storepass password -keystore truststore.jks
-file, the root certificate to be installed
-alias, a unique alias for the root CA
-storepass, the password of the truststore into which the root certificate is installed
Verify
keytool -v -list -keystore truststore.jks -storepass password
Links to some root CAs