Infinispan Certificate Wizard
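#!/bin/bash
#
# Infinispan certificate wizard: interactively builds a self-signed CA, a
# server keystore, one keystore per cluster node and per client, and the
# matching PKCS12 trust stores, all in the current directory.
#
# Everything written here contains private keys or passwords, so make the
# files readable by the invoking user only regardless of the ambient umask.
# (chmod/chown afterwards if the server runs as a different user.)
umask 077

# Defaults offered in the dialogs. DEFAULT_PASSWORD is a placeholder for
# throw-away development setups only; anything deployed needs a real password.
DEFAULT_PASSWORD="secret"
DEFAULT_CA_DN="CN=CA,OU=Infinispan,O=JBoss,L=Red Hat"
DEFAULT_SERVER_DN="CN=Server,OU=Infinispan,O=JBoss,L=Red Hat"
DEFAULT_NODE_DN="CN=Node,OU=Infinispan,O=JBoss,L=Red Hat"
DEFAULT_NODE_ID=node
DEFAULT_CLIENT_DN="CN=Client,OU=Infinispan,O=JBoss,L=Red Hat"
DEFAULT_CLIENT_ID=client
# Key and certificate parameters shared by every keytool invocation.
VALIDITY_DAYS=365
KEY_SIZE=2048
KEY_ALGORITHM=RSA
STORE_TYPE=pkcs12

# Determine the size of the terminal. When stdin is not a terminal stty
# fails and both values stay empty, so fall back to a classic 80x25.
read -r HEIGHT WIDTH <<<"$(stty size)"
if [[ -z "$WIDTH" ]]; then
  WIDTH=80
  HEIGHT=25
fi
# Size of the dialogs: one column spare, and room for the frame and buttons.
WIDTH=$((WIDTH - 1))
HEIGHT=$((HEIGHT - 7))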
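# Arguments:
#   1 certificate DN
#   2 keystore filename (recreated from scratch)
#   3 alias of the key pair inside that keystore
#   4 keystore password
#   5 DNS name placed in the subjectAltName extension
#   6 CA keystore password (optional; falls back to $CA_PASSWORD, then to $4)
#
# Creates a key pair in keystore $2, has its certificate signed by the CA held
# under alias "ca" in ca.p12, then imports the CA certificate (ca.cer, which
# must already exist) and the signed certificate into $2.
# Leaves certificate.csr and certificate.cer in the current directory on
# purpose: the callers re-import certificate.cer into their trust stores.
# Returns 2 when an argument is missing, otherwise the status of the first
# failing keytool step (0 on success).
function generate_and_sign_certificate() {
  local dn="$1" store="$2" key_alias="$3" pass="$4" dns="$5"
  local ca_pass="${6:-${CA_PASSWORD:-$4}}"
  if [[ -z "$dn" || -z "$store" || -z "$key_alias" || -z "$pass" || -z "$dns" ]]; then
    printf 'generate_and_sign_certificate: DN, filename, alias, password and DNS name are all required\n' >&2
    return 2
  fi
  rm -f -- "$store"
  # Passwords reach keytool through the environment (-storepass:env) rather
  # than argv so they are not visible in the process list.
  # Generate the key pair and store it in the keystore
  STOREPASS="$pass" keytool -noprompt -storetype "$STORE_TYPE" -storepass:env STOREPASS \
    -genkeypair -alias "$key_alias" -dname "$dn" \
    -keyalg "$KEY_ALGORITHM" -keysize "$KEY_SIZE" -validity "$VALIDITY_DAYS" \
    -keystore "$store" || return 1
  # Generate a Certificate Signing Request (CSR) so the CA can sign it
  STOREPASS="$pass" keytool -noprompt -storetype "$STORE_TYPE" -storepass:env STOREPASS \
    -certreq -alias "$key_alias" -dname "$dn" -keystore "$store" \
    -file certificate.csr || return 1
  # Sign the request with the CA. This step opens ca.p12, so it must use the
  # CA keystore password, not the password of the keystore being built.
  STOREPASS="$ca_pass" keytool -noprompt -storetype "$STORE_TYPE" -storepass:env STOREPASS \
    -gencert -alias ca -keystore ca.p12 -validity "$VALIDITY_DAYS" \
    -infile certificate.csr -outfile certificate.cer -ext "san=dns:$dns" || return 1
  # Import the CA certificate first: keytool only accepts the signed reply
  # below once its issuer is trusted in the keystore
  STOREPASS="$pass" keytool -noprompt -storetype "$STORE_TYPE" -storepass:env STOREPASS \
    -importcert -alias ca -keystore "$store" -file ca.cer || return 1
  # Import the signed certificate, replacing the self-signed one under the alias
  STOREPASS="$pass" keytool -noprompt -storetype "$STORE_TYPE" -storepass:env STOREPASS \
    -importcert -alias "$key_alias" -keystore "$store" -file certificate.cer || return 1
}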
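# --- interactive part --------------------------------------------------------

# Print a message on stderr and stop. The EXIT trap below removes the
# intermediate files a partial run may have left behind.
abort() {
  printf 'certificate wizard: %s\n' "$*" >&2
  exit 1
}

# Ask for a free-text value. $1 prompt, $2 default. Prints the answer on
# stdout; returns non-zero when the dialog was cancelled or the answer is empty
# (an empty DN or DNS name would only fail later inside keytool).
ask_text() {
  local reply
  reply=$(whiptail --inputbox "$1" "$HEIGHT" "$WIDTH" "$2" 3>&1 1>&2 2>&3) || return 1
  [[ -n "$reply" ]] || return 1
  printf '%s' "$reply"
}

# Ask for a keystore password. $1 prompt. keytool refuses PKCS12 store
# passwords shorter than six characters, so enforce that here instead of
# failing half-way through generation.
ask_password() {
  local pw
  pw=$(whiptail --passwordbox "$1" "$HEIGHT" "$WIDTH" "$DEFAULT_PASSWORD" 3>&1 1>&2 2>&3) || return 1
  if (( ${#pw} < 6 )); then
    printf 'certificate wizard: password must be at least 6 characters\n' >&2
    return 1
  fi
  printf '%s' "$pw"
}

# Node and client IDs become file names and keystore aliases: keep them to a
# safe character set and away from the names the wizard already uses
# (ca, server, cluster) so nothing is overwritten and no alias clashes.
check_id() {
  [[ "$1" =~ ^[A-Za-z0-9._-]+$ ]] || abort "ID '$1' may only contain letters, digits, '.', '_' or '-'"
  case "$1" in
    ca|server|cluster) abort "ID '$1' is reserved" ;;
  esac
}

# Import one certificate into a trust store, creating the store if needed.
# $1 store, $2 store password, $3 alias, $4 certificate file.
import_cert() {
  STOREPASS="$2" keytool -noprompt -storetype "$STORE_TYPE" -storepass:env STOREPASS \
    -importcert -alias "$3" -keystore "$1" -file "$4"
}

# Export a PKCS12 keystore as a PEM file with the same password.
# $1 keystore, $2 output file, $3 password.
export_pem() {
  PEMPASS="$3" openssl pkcs12 -in "$1" -out "$2" -passin env:PEMPASS -passout env:PEMPASS
}

# Only the files the wizard itself creates as intermediates are removed;
# the old blanket `rm *.cer *.csr` also deleted unrelated files in the directory.
cleanup() {
  rm -f -- ca.cer certificate.csr certificate.cer
}
trap cleanup EXIT

# Passwords are handed to keytool/openssl through the environment rather than
# argv throughout, so they do not show up in the process list.

CA_DN=$(ask_text "Certificate Authority DN" "$DEFAULT_CA_DN") || abort "cancelled"
CA_PASSWORD=$(ask_password "Certificate Authority password") || abort "cancelled or invalid password"
# Generate the CA: a self-signed key pair marked as a CA (basic constraints)
# and limited to signing certificates and CRLs (key usage).
rm -f -- ca.p12 ca.pem ca.cer
STOREPASS="$CA_PASSWORD" keytool -noprompt -storetype "$STORE_TYPE" -storepass:env STOREPASS \
  -genkeypair -alias ca -dname "$CA_DN" \
  -keyalg "$KEY_ALGORITHM" -keysize "$KEY_SIZE" -validity "$VALIDITY_DAYS" \
  -ext bc:c -ext ku:c=keyCertSign,cRLSign \
  -keystore ca.p12 || abort "CA generation failed"
export_pem ca.p12 ca.pem "$CA_PASSWORD" || abort "CA PEM export failed"
# Extract the CA certificate so it can be imported into the other stores
STOREPASS="$CA_PASSWORD" keytool -noprompt -storetype "$STORE_TYPE" -storepass:env STOREPASS \
  -exportcert -alias ca -keystore ca.p12 -file ca.cer || abort "CA certificate export failed"

SERVER_DN=$(ask_text "Server endpoint DN" "$DEFAULT_SERVER_DN") || abort "cancelled"
SERVER_PASSWORD=$(ask_password "Server endpoint password") || abort "cancelled or invalid password"
SERVER_DNS=$(ask_text "Server DNS name" "localhost") || abort "cancelled"
generate_and_sign_certificate "$SERVER_DN" server_key.p12 server "$SERVER_PASSWORD" "$SERVER_DNS" \
  || abort "server certificate generation failed"
export_pem server_key.p12 server.pem "$SERVER_PASSWORD" || abort "server PEM export failed"
# Trust stores, both protected with the server password:
#   server_trust.p12  - the CA, plus each client certificate added below
#   cluster_trust.p12 - the CA, plus each node certificate added below
# They are recreated so that a second run in the same directory does not
# fail on aliases that already exist.
rm -f -- server_trust.p12 cluster_trust.p12
import_cert server_trust.p12 "$SERVER_PASSWORD" ca ca.cer || abort "server trust store creation failed"
import_cert cluster_trust.p12 "$SERVER_PASSWORD" ca ca.cer || abort "cluster trust store creation failed"

INDEX=1
while :; do
  NODE_ID=$(ask_text "Cluster node $INDEX ID" "$DEFAULT_NODE_ID$INDEX") || abort "cancelled"
  check_id "$NODE_ID"
  NODE_DN=$(ask_text "Cluster node $NODE_ID DN" "$DEFAULT_NODE_DN") || abort "cancelled"
  NODE_PASSWORD=$(ask_password "Cluster node $NODE_ID password") || abort "cancelled or invalid password"
  NODE_DNS=$(ask_text "Cluster node $NODE_ID DNS name" "localhost") || abort "cancelled"
  generate_and_sign_certificate "$NODE_DN" "${NODE_ID}_key.p12" "$NODE_ID" "$NODE_PASSWORD" "$NODE_DNS" \
    || abort "certificate generation for node $NODE_ID failed"
  export_pem "${NODE_ID}_key.p12" "${NODE_ID}.pem" "$NODE_PASSWORD" || abort "PEM export for node $NODE_ID failed"
  # certificate.cer is the node certificate just signed by the CA; the cluster
  # trust store lists every node explicitly
  import_cert cluster_trust.p12 "$SERVER_PASSWORD" "$NODE_ID" certificate.cer \
    || abort "could not add node $NODE_ID to the cluster trust store"
  # Anything but "Yes" (No, Esc, closed dialog) ends the loop
  whiptail --yesno "Add another cluster node ?" "$HEIGHT" "$WIDTH" || break
  INDEX=$((INDEX + 1))
done

INDEX=1
while :; do
  CLIENT_ID=$(ask_text "Client $INDEX ID" "$DEFAULT_CLIENT_ID$INDEX") || abort "cancelled"
  check_id "$CLIENT_ID"
  CLIENT_DN=$(ask_text "Client $CLIENT_ID DN" "$DEFAULT_CLIENT_DN") || abort "cancelled"
  CLIENT_PASSWORD=$(ask_password "Client $CLIENT_ID password") || abort "cancelled or invalid password"
  CLIENT_DNS=$(ask_text "Client $CLIENT_ID DNS name" "localhost") || abort "cancelled"
  generate_and_sign_certificate "$CLIENT_DN" "${CLIENT_ID}_key.p12" "$CLIENT_ID" "$CLIENT_PASSWORD" "$CLIENT_DNS" \
    || abort "certificate generation for client $CLIENT_ID failed"
  export_pem "${CLIENT_ID}_key.p12" "${CLIENT_ID}.pem" "$CLIENT_PASSWORD" || abort "PEM export for client $CLIENT_ID failed"
  # The server trusts each client certificate explicitly (mutual TLS)
  import_cert server_trust.p12 "$SERVER_PASSWORD" "$CLIENT_ID" certificate.cer \
    || abort "could not add client $CLIENT_ID to the server trust store"
  # Each client gets its own trust store holding just the CA, under its own password
  rm -f -- "${CLIENT_ID}_trust.p12"
  import_cert "${CLIENT_ID}_trust.p12" "$CLIENT_PASSWORD" ca ca.cer \
    || abort "trust store creation for client $CLIENT_ID failed"
  whiptail --yesno "Add another client ?" "$HEIGHT" "$WIDTH" || break
  INDEX=$((INDEX + 1))
done
# Intermediate files (ca.cer, certificate.csr, certificate.cer) are removed by the EXIT trap.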