1 Reply Latest reply on Dec 11, 2008 12:45 PM by mozkill

    Script to create wildcard certificate chain in keystore for

    mozkill
    mozkill Dec 11, 2008 3:25 AM

      I put together a script to create a wildcard certificate chain in keystore for JBoss on Windows. I thought it might help someone.

      http://codingathome.blogspot.com/2008/12/dos-script-to-create-wildcard.html

      • 2179 Views
      • Tags:
        • 1. Re: Script to create wildcard certificate chain in keystore
          mozkill
          mozkill Dec 11, 2008 12:45 PM (in response to mozkill)

          Here is the raw code for the DOS batch file if you dont want to visit the blog.

          @echo off
setlocal
@rem ------------------------------------------------------------------
@rem This script generates a server certificate suitable to be signed
@rem by an authorized CA. If OpenSSL is installed, it can make a
@rem signing CA for you.
@rem
@rem This script requires: OpenSSL, JDK
@rem ------------------------------------------------------------------

@rem set JBOSSHOME="C:\Justice\jboss"

::Get the home directory of the most recent JDK
start /w regedit /e reg1.txt "HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Development Kit\%JavaTemp%"
type reg1.txt | find "JavaHome" > reg2.txt
if errorlevel 1 goto ERROR
for /f "tokens=2 delims==" %%x in (reg2.txt) do set JavaTemp=%%~x
if errorlevel 1 goto ERROR
echo Java home path (per registry) = %JavaTemp%
set JAVAHOME=%JavaTemp%
set PATH=%PATH%;%JAVAHOME%\bin
del reg1.txt reg2.txt
echo Detected JDK and added it to PATH.

::Get the home directory of OpenSSL
start /w regedit /e reg1.txt "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\%SSLPath%"
type reg1.txt | find "OPENSSL_PATH" > reg2.txt
if errorlevel 1 goto ERROR
for /f "tokens=2 delims==" %%x in (reg2.txt) do set SSLPath=%%~x
if errorlevel 1 goto ERROR
echo OpenSSL home path (per registry) = %JavaTemp%
set OPENSSL_HOME=%SSLPath%
set PATH=%PATH%;%OPENSSL_HOME%
del reg1.txt reg2.txt
echo Detected OpenSSL and added it to PATH.
echo %PATH%

@rem Create storage directories
echo Creating work directories if they do not already exist.
mkdir %OPENSSL_HOME%\..\myCerts
cd %OPENSSL_HOME%\..\myCerts
mkdir private
mkdir %OPENSSL_HOME%\..\demoCA
cd %OPENSSL_HOME%\..\demoCA
mkdir private
mkdir newcerts
cd %OPENSSL_HOME%\..\
echo Done.

@rem Ask to create certificate authority
set /P GENERATECA=Do you want to generate you own 10 year Certificate Authority? [y]:
if "%GENERATECA%" == "" (set GENERATECA=y)
 @echo.
if "%GENERATECA%" == "y" (
openssl req -config %OPENSSL_HOME%\openssl.cfg -new -x509 -extensions v3_ca -keyout %OPENSSL_HOME%\..\demoCA\private\cakey.pem -out %OPENSSL_HOME%\..\demoCA\cacert.pem -days 1096
)
@ECHO Finished generating a certificate authority. Your site certificate will be signed with this authority.
 @echo.

@rem Ask to create site certificate chain
set /P GENCERT=Do you want to generate a site certificate signed by your Certificate Authority? [n]:
if "%GENCERT%" == "" (set GENCERT=n)
 @echo.
if "%GENCERT%" == "n" GOTO ERROR

@ECHO Generating your server certificate inside a new keystore.
@ECHO Enter *.your.domain if you wish to generate a wildcard certificate.
keytool -genkey -alias tomcat -keyalg RSA -keystore %OPENSSL_HOME%\..\myCerts\keystore.kdb

@ECHO Generating a certificate request that will be used by your certificate authority to sign your cert.
keytool -certreq -alias tomcat -keystore %OPENSSL_HOME%\..\myCerts\keystore.kdb -file %OPENSSL_HOME%\..\myCerts\tomcat.csr

@ECHO Ready to import the cacert.pem public cert from your self created CA in directory .\demoCA .
keytool -import -alias root -keystore %OPENSSL_HOME%\..\myCerts\keystore.kdb -trustcacerts -file %OPENSSL_HOME%\..\demoCA\cacert.pem

if exist %OPENSSL_HOME%\..\demoCA\private\cakey.pem (
@rem If you have used this script to create a CA with openssl then this segment will sign the CSR with
@rem your certificate authority from .\demoCA\private\demoCA.key and saves it as .\myCerts\tomcat.crt and converts it to DER format.
 echo Signing CSR and saving tomcat.crt
 copy /Y %OPENSSL_HOME%\PEM\demoCA\index.txt %OPENSSL_HOME%\..\demoCA
 copy /Y %OPENSSL_HOME%\PEM\demoCA\serial %OPENSSL_HOME%\..\demoCA
 openssl ca -config %OPENSSL_HOME%\openssl.cfg -policy policy_anything -out %OPENSSL_HOME%\..\myCerts\tomcat.crt -infiles %OPENSSL_HOME%\..\myCerts\tomcat.csr
 openssl x509 -in %OPENSSL_HOME%\..\myCerts\tomcat.crt -inform PEM -out %OPENSSL_HOME%\..\myCerts\tomcat.der -outform DER
)

@ECHO Ready to import CA signed CSR response into your keystores certificate.
keytool -import -alias tomcat -keystore %OPENSSL_HOME%\..\myCerts\keystore.kdb -trustcacerts -file %OPENSSL_HOME%\..\myCerts\tomcat.der

@ECHO List the contents.
keytool -keystore %OPENSSL_HOME%\..\myCerts\keystore.kdb -list -v

@rem Finally, copy the keystore to JBoss.
@rem copy keystore.kdb %JBOSSHOME%\bin /y


:ERROR
echo Ending script.
pause


            • Actions