1. Re: Script to create wildcard certificate chain in keystore
mozkill Dec 11, 2008 12:45 PM (in response to mozkill) Here is the raw code for the DOS batch file if you don't want to visit the blog.
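@echo off
setlocal
@rem ------------------------------------------------------------------
@rem This script generates a server certificate suitable to be signed
@rem by an authorized CA. If OpenSSL is installed, it can make a
@rem signing CA for you.
@rem
@rem This script requires: OpenSSL, JDK
@rem
@rem Locations are taken from the registry; all work happens in the
@rem parent directory of the OpenSSL install:
@rem   demoCA\private\cakey.pem      CA private key - the signing secret,
@rem                                 keep it out of shared locations
@rem   demoCA\cacert.pem             CA certificate
@rem   myCerts\keystore.kdb          Java keystore holding the server key
@rem   myCerts\tomcat.csr/.crt/.der  request and CA-signed certificate
@rem On any failure control jumps to :ERROR, which also cleans up the
@rem temporary registry exports.
@rem ------------------------------------------------------------------
@rem set "JBOSSHOME=C:\Justice\jboss"

@rem Validity of a generated CA in days. 1096 is three years; the
@rem prompt below reports this number so the user is not promised a
@rem "10 year" CA while the openssl command asks for something else.
set CADAYS=1096

::Get the home directory of the most recent JDK
@rem regedit /e writes a .reg export; piping it through find turns the
@rem matching line into ANSI text that for /f can tokenize. JavaTemp is
@rem not set yet at this point, so the key ends in a trailing backslash
@rem - kept as in the original; NOTE(review): confirm this is the key
@rem you intend to export.
start /w regedit /e reg1.txt "HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Development Kit\%JavaTemp%"
type reg1.txt | find "JavaHome" > reg2.txt
if errorlevel 1 goto ERROR
for /f "tokens=2 delims==" %%x in (reg2.txt) do set JavaTemp=%%~x
@rem for /f and set leave errorlevel untouched, so re-testing it here only
@rem repeats the find check; test the variable instead.
if not defined JavaTemp goto ERROR
echo Java home path (per registry) = %JavaTemp%
set JAVAHOME=%JavaTemp%
set PATH=%PATH%;%JAVAHOME%\bin
del reg1.txt reg2.txt
echo Detected JDK and added it to PATH.

::Get the home directory of OpenSSL
@rem Same export-and-grep technique as above; SSLPath is unset here too.
start /w regedit /e reg1.txt "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\%SSLPath%"
type reg1.txt | find "OPENSSL_PATH" > reg2.txt
if errorlevel 1 goto ERROR
for /f "tokens=2 delims==" %%x in (reg2.txt) do set SSLPath=%%~x
if not defined SSLPath goto ERROR
@rem The original printed JavaTemp here, labelling the JDK path as OpenSSL's.
echo OpenSSL home path (per registry) = %SSLPath%
set OPENSSL_HOME=%SSLPath%
set PATH=%PATH%;%OPENSSL_HOME%
del reg1.txt reg2.txt
echo Detected OpenSSL and added it to PATH.
echo %PATH%

@rem Create storage directories. Paths are quoted throughout because the
@rem registry value may contain spaces, and cd uses /d so a tool installed
@rem on another drive still works.
set WORK=%OPENSSL_HOME%\..
echo Creating work directories if they do not already exist.
if not exist "%WORK%\myCerts" mkdir "%WORK%\myCerts"
if not exist "%WORK%\myCerts\private" mkdir "%WORK%\myCerts\private"
if not exist "%WORK%\demoCA" mkdir "%WORK%\demoCA"
if not exist "%WORK%\demoCA\private" mkdir "%WORK%\demoCA\private"
if not exist "%WORK%\demoCA\newcerts" mkdir "%WORK%\demoCA\newcerts"
@rem openssl ca resolves the demoCA directory from openssl.cfg relative
@rem to the current directory, so the script must end up in WORK.
cd /d "%WORK%" || goto ERROR
echo Done.

@rem Ask to create certificate authority. Answering y overwrites any
@rem existing demoCA\private\cakey.pem and demoCA\cacert.pem, i.e. it
@rem replaces the CA that earlier certificates were signed with.
set /P GENERATECA=Do you want to generate your own %CADAYS%-day Certificate Authority? [y]: 
if "%GENERATECA%" == "" (set GENERATECA=y)
@echo.
if "%GENERATECA%" == "y" (
  openssl req -config "%OPENSSL_HOME%\openssl.cfg" -new -x509 -extensions v3_ca -keyout "%WORK%\demoCA\private\cakey.pem" -out "%WORK%\demoCA\cacert.pem" -days %CADAYS%
  @ECHO Finished generating a certificate authority. Your site certificate will be signed with this authority.
)
@echo.

@rem Ask to create site certificate chain
set /P GENCERT=Do you want to generate a site certificate signed by your Certificate Authority? [n]: 
if "%GENCERT%" == "" (set GENCERT=n)
@echo.
if "%GENCERT%" == "n" GOTO ERROR
set KEYSTORE=%WORK%\myCerts\keystore.kdb
@ECHO Generating your server certificate inside a new keystore.
@ECHO Enter *.your.domain if you wish to generate a wildcard certificate.
@rem -keysize is given explicitly so the key length does not depend on
@rem which JDK happens to be first in the registry.
keytool -genkey -alias tomcat -keyalg RSA -keysize 2048 -keystore "%KEYSTORE%"
@ECHO Generating a certificate request that will be used by your certificate authority to sign your cert.
keytool -certreq -alias tomcat -keystore "%KEYSTORE%" -file "%WORK%\myCerts\tomcat.csr"
@ECHO Ready to import the cacert.pem public cert from your self created CA in directory .\demoCA .
keytool -import -alias root -keystore "%KEYSTORE%" -trustcacerts -file "%WORK%\demoCA\cacert.pem"
if exist "%WORK%\demoCA\private\cakey.pem" (
  @rem If you have used this script to create a CA with openssl then this segment will sign the CSR with
  @rem your certificate authority key from .\demoCA\private\cakey.pem, saves the result as .\myCerts\tomcat.crt and converts it to DER format.
  echo Signing CSR and saving tomcat.crt
  @rem The CA database is reset only when a fresh CA was just created. Re-copying
  @rem the template serial file on every run would rewind the counter and let a
  @rem reused CA issue certificates with duplicate serial numbers.
  if "%GENERATECA%" == "y" (
    copy /Y "%OPENSSL_HOME%\PEM\demoCA\index.txt" "%WORK%\demoCA"
    copy /Y "%OPENSSL_HOME%\PEM\demoCA\serial" "%WORK%\demoCA"
  ) else (
    if not exist "%WORK%\demoCA\index.txt" copy /Y "%OPENSSL_HOME%\PEM\demoCA\index.txt" "%WORK%\demoCA"
    if not exist "%WORK%\demoCA\serial" copy /Y "%OPENSSL_HOME%\PEM\demoCA\serial" "%WORK%\demoCA"
  )
  @rem policy_anything accepts whatever subject the CSR carries; the only
  @rem check on what gets signed is the operator's confirmation prompt.
  openssl ca -config "%OPENSSL_HOME%\openssl.cfg" -policy policy_anything -out "%WORK%\myCerts\tomcat.crt" -infiles "%WORK%\myCerts\tomcat.csr"
  openssl x509 -in "%WORK%\myCerts\tomcat.crt" -inform PEM -out "%WORK%\myCerts\tomcat.der" -outform DER
)
@ECHO Ready to import CA signed CSR response into your keystores certificate.
keytool -import -alias tomcat -keystore "%KEYSTORE%" -trustcacerts -file "%WORK%\myCerts\tomcat.der"
@ECHO List the contents.
keytool -keystore "%KEYSTORE%" -list -v
@rem Finally, copy the keystore to JBoss.
@rem copy "%KEYSTORE%" "%JBOSSHOME%\bin" /y
:ERROR
@rem Reached on the normal path, when the user declines the site
@rem certificate, and after a failed registry lookup. The registry
@rem exports are plain-text copies of those keys; do not leave them behind.
if exist reg1.txt del reg1.txt
if exist reg2.txt del reg2.txt
echo Ending script.
pause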