1 Reply Latest reply on Dec 11, 2008 12:45 PM by Thunder Williams

    Script to create wildcard certificate chain in keystore for

    Thunder Williams Newbie

      I put together a script to create a wildcard certificate chain in keystore for JBoss on Windows. I thought it might help someone.

      http://codingathome.blogspot.com/2008/12/dos-script-to-create-wildcard.html

        • 1. Re: Script to create wildcard certificate chain in keystore
          Thunder Williams Newbie

          Here is the raw code for the DOS batch file if you dont want to visit the blog.

          @echo off
          setlocal
          @rem ------------------------------------------------------------------
          @rem This script generates a server certificate suitable to be signed
          @rem by an authorized CA. If OpenSSL is installed, it can make a
          @rem signing CA for you.
          @rem
          @rem This script requires: OpenSSL, JDK
          @rem ------------------------------------------------------------------
          
          @rem set JBOSSHOME="C:\Justice\jboss"
          
          ::Get the home directory of the most recent JDK
          start /w regedit /e reg1.txt "HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Development Kit\%JavaTemp%"
          type reg1.txt | find "JavaHome" > reg2.txt
          if errorlevel 1 goto ERROR
          for /f "tokens=2 delims==" %%x in (reg2.txt) do set JavaTemp=%%~x
          if errorlevel 1 goto ERROR
          echo Java home path (per registry) = %JavaTemp%
          set JAVAHOME=%JavaTemp%
          set PATH=%PATH%;%JAVAHOME%\bin
          del reg1.txt reg2.txt
          echo Detected JDK and added it to PATH.
          
          ::Get the home directory of OpenSSL
          start /w regedit /e reg1.txt "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\%SSLPath%"
          type reg1.txt | find "OPENSSL_PATH" > reg2.txt
          if errorlevel 1 goto ERROR
          for /f "tokens=2 delims==" %%x in (reg2.txt) do set SSLPath=%%~x
          if errorlevel 1 goto ERROR
          echo OpenSSL home path (per registry) = %JavaTemp%
          set OPENSSL_HOME=%SSLPath%
          set PATH=%PATH%;%OPENSSL_HOME%
          del reg1.txt reg2.txt
          echo Detected OpenSSL and added it to PATH.
          echo %PATH%
          
          @rem Create storage directories
          echo Creating work directories if they do not already exist.
          mkdir %OPENSSL_HOME%\..\myCerts
          cd %OPENSSL_HOME%\..\myCerts
          mkdir private
          mkdir %OPENSSL_HOME%\..\demoCA
          cd %OPENSSL_HOME%\..\demoCA
          mkdir private
          mkdir newcerts
          cd %OPENSSL_HOME%\..\
          echo Done.
          
          @rem Ask to create certificate authority
          set /P GENERATECA=Do you want to generate you own 10 year Certificate Authority? [y]:
          if "%GENERATECA%" == "" (set GENERATECA=y)
           @echo.
          if "%GENERATECA%" == "y" (
          openssl req -config %OPENSSL_HOME%\openssl.cfg -new -x509 -extensions v3_ca -keyout %OPENSSL_HOME%\..\demoCA\private\cakey.pem -out %OPENSSL_HOME%\..\demoCA\cacert.pem -days 1096
          )
          @ECHO Finished generating a certificate authority. Your site certificate will be signed with this authority.
           @echo.
          
          @rem Ask to create site certificate chain
          set /P GENCERT=Do you want to generate a site certificate signed by your Certificate Authority? [n]:
          if "%GENCERT%" == "" (set GENCERT=n)
           @echo.
          if "%GENCERT%" == "n" GOTO ERROR
          
          @ECHO Generating your server certificate inside a new keystore.
          @ECHO Enter *.your.domain if you wish to generate a wildcard certificate.
          keytool -genkey -alias tomcat -keyalg RSA -keystore %OPENSSL_HOME%\..\myCerts\keystore.kdb
          
          @ECHO Generating a certificate request that will be used by your certificate authority to sign your cert.
          keytool -certreq -alias tomcat -keystore %OPENSSL_HOME%\..\myCerts\keystore.kdb -file %OPENSSL_HOME%\..\myCerts\tomcat.csr
          
          @ECHO Ready to import the cacert.pem public cert from your self created CA in directory .\demoCA .
          keytool -import -alias root -keystore %OPENSSL_HOME%\..\myCerts\keystore.kdb -trustcacerts -file %OPENSSL_HOME%\..\demoCA\cacert.pem
          
          if exist %OPENSSL_HOME%\..\demoCA\private\cakey.pem (
          @rem If you have used this script to create a CA with openssl then this segment will sign the CSR with
          @rem your certificate authority from .\demoCA\private\demoCA.key and saves it as .\myCerts\tomcat.crt and converts it to DER format.
           echo Signing CSR and saving tomcat.crt
           copy /Y %OPENSSL_HOME%\PEM\demoCA\index.txt %OPENSSL_HOME%\..\demoCA
           copy /Y %OPENSSL_HOME%\PEM\demoCA\serial %OPENSSL_HOME%\..\demoCA
           openssl ca -config %OPENSSL_HOME%\openssl.cfg -policy policy_anything -out %OPENSSL_HOME%\..\myCerts\tomcat.crt -infiles %OPENSSL_HOME%\..\myCerts\tomcat.csr
           openssl x509 -in %OPENSSL_HOME%\..\myCerts\tomcat.crt -inform PEM -out %OPENSSL_HOME%\..\myCerts\tomcat.der -outform DER
          )
          
          @ECHO Ready to import CA signed CSR response into your keystores certificate.
          keytool -import -alias tomcat -keystore %OPENSSL_HOME%\..\myCerts\keystore.kdb -trustcacerts -file %OPENSSL_HOME%\..\myCerts\tomcat.der
          
          @ECHO List the contents.
          keytool -keystore %OPENSSL_HOME%\..\myCerts\keystore.kdb -list -v
          
          @rem Finally, copy the keystore to JBoss.
          @rem copy keystore.kdb %JBOSSHOME%\bin /y
          
          
          :ERROR
          echo Ending script.
          pause