Posted to commits@pinot.apache.org by ap...@apache.org on 2021/01/05 22:01:38 UTC

[incubator-pinot] 01/07: cert scripts

This is an automated email from the ASF dual-hosted git repository.

apucher pushed a commit to branch pinot-broker-https-discussion
in repository https://gitbox.apache.org/repos/asf/incubator-pinot.git

commit 40096f28f4dfa97b490bb6f231a807d04c935822
Author: Alexander Pucher <al...@alexpucher.com>
AuthorDate: Mon Jan 4 12:06:50 2021 -0800

    cert scripts
---
 create-certs.sh    | 46 ++++++++++++++++++++++++++++++++++++++++
 push-truststore.sh | 62 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 108 insertions(+)

diff --git a/create-certs.sh b/create-certs.sh
new file mode 100755
index 0000000..2161e22
--- /dev/null
+++ b/create-certs.sh
@@ -0,0 +1,46 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
+DOMAIN="192.168.64.82.xip.io"
+
+KEY_DIR="$DIR/truststore"
+
+mkdir -p $KEY_DIR
+rm $KEY_DIR/*.pem
+
+echo "1. Generate CA's private key and self-signed certificate"
+openssl req -x509 -newkey rsa:4096 -days 365 -nodes -keyout "$KEY_DIR/ca-key.pem" -out "$KEY_DIR/ca-cert.pem" -subj "/C=US/ST=Someplace/L=Somewhere/O=Apache Pinot/OU=Education/CN=*.example.org/emailAddress=admin@example.org"
+
+#echo "CA's self-signed certificate"
+#openssl x509 -in "$KEY_DIR/ca-cert.pem" -noout -text
+
+echo "2. Generate web server's private key and certificate signing request (CSR)"
+openssl req -newkey rsa:4096 -nodes -keyout "$KEY_DIR/key.pem" -out "$KEY_DIR/req.pem" -subj "/C=US/ST=Someplace/L=Somewhere/O=Apache Pinot/OU=Education/CN=*.$DOMAIN/emailAddress=admin@example.com"
+
+echo "3. Use CA's private key to sign web server's CSR and get back the signed certificate"
+echo "subjectAltName=DNS:*.$DOMAIN,IP:0.0.0.0" > "$KEY_DIR/ext.cnf"
+openssl x509 -req -in "$KEY_DIR/req.pem" -days 60 -CA "$KEY_DIR/ca-cert.pem" -CAkey "$KEY_DIR/ca-key.pem" -CAcreateserial -out "$KEY_DIR/cert.pem" -extfile "$KEY_DIR/ext.cnf"
+
+#echo "Server's signed certificate"
+#openssl x509 -in "$KEY_DIR/cert.pem" -noout -text
+
+echo "Verifying certificate"
+openssl verify -CAfile "$KEY_DIR/ca-cert.pem" "$KEY_DIR/cert.pem"
+
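Review bot: Both private keys (`ca-key.pem` in step 1, `key.pem` in step 2) are written unencrypted (`-nodes`) under the caller's default umask into the same `truststore/` directory that the sibling push-truststore.sh reads from, so the CA signing key ends up world-readable and sitting next to the material that is meant to be distributed. Add `umask 077` before step 1 so every key is created owner-only, and consider writing `ca-key.pem` outside `$KEY_DIR` since only `ca-cert.pem` needs to travel with the truststore. The `rm $KEY_DIR/*.pem` after `mkdir -p` is unquoted and lacks `-f`, so a fresh checkout prints an error and a path with spaces misbehaves; `rm -f -- "$KEY_DIR"/*.pem` plus `set -euo pipefail` at the top also stops the script from signing with a half-generated CA when an earlier openssl call fails. The `IP:0.0.0.0` entry in the step-3 `subjectAltName` is unlikely to match any address a client actually connects to and reads as a placeholder; together with the hard-coded `DOMAIN` it suggests both should be parameters (`DOMAIN="${1:-...}"`) rather than a specific xip.io address baked into the repo.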
diff --git a/push-truststore.sh b/push-truststore.sh
new file mode 100755
index 0000000..5a4ed61
--- /dev/null
+++ b/push-truststore.sh
@@ -0,0 +1,62 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
+JAVA_HOME="/Library/Java/JavaVirtualMachines/jdk-13.0.2.jdk/Contents/Home"
+
+CONFIG_DIR="$DIR/truststore"
+KEY_TOOL=$JAVA_HOME/bin/keytool
+KEYSTORE_PASSWORD="changeit"
+
+TRUST_STORE=$CONFIG_DIR/generated.truststore.jks
+KEY_STORE=$CONFIG_DIR/generated.keystore.jks
+P12_STORE=$CONFIG_DIR/generated.key.p12
+
+echo "removing any old generated files"
+rm -f $TRUST_STORE $KEY_STORE $P12_STORE
+echo "writing trust store"
+
+$KEY_TOOL \
+  -noprompt \
+  -import \
+  -storepass $KEYSTORE_PASSWORD \
+  -keystore $TRUST_STORE \
+  -storetype PKCS12 \
+  -file $CONFIG_DIR/ca-cert.pem
+echo "converting key/cert into PKCS12"
+
+openssl pkcs12 \
+  -export \
+  -in $CONFIG_DIR/cert.pem \
+  -inkey $CONFIG_DIR/key.pem \
+  -out $P12_STORE \
+  -password pass:$KEYSTORE_PASSWORD \
+  -name localhost
+echo "writing key store"
+
+$KEY_TOOL -importkeystore \
+  -deststorepass $KEYSTORE_PASSWORD \
+  -destkeypass $KEYSTORE_PASSWORD \
+  -destkeystore $KEY_STORE \
+  -deststoretype PKCS12 \
+  -srckeystore $P12_STORE \
+  -srcstoretype PKCS12 \
+  -srcstorepass $KEYSTORE_PASSWORD \
+  -srckeypass $KEYSTORE_PASSWORD \
+  -alias localhost
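Review bot: The store password is hard-coded (`changeit`) and passed to keytool and openssl as plain arguments (`-storepass`, `-password pass:`), so it is visible in `ps` output and shell history for the lifetime of each command; acceptable for a discussion branch, but the published form should read it from the environment and use the out-of-argv variants: `KEYSTORE_PASSWORD="${KEYSTORE_PASSWORD:-changeit}"; export KEYSTORE_PASSWORD`, then `-storepass:env KEYSTORE_PASSWORD` (and `-deststorepass:env`/`-destkeypass:env`/`-srcstorepass:env`/`-srckeypass:env` in the import step) and `-password env:KEYSTORE_PASSWORD` for `openssl pkcs12`. `JAVA_HOME` is overwritten with a machine-specific macOS JDK path instead of being honoured (`JAVA_HOME="${JAVA_HOME:-/Library/Java/...}"`), and every path expansion is unquoted, so the script only runs on the author's workstation and breaks on paths containing spaces. The truststore and keystore are created with `-storetype PKCS12` yet named `*.jks`; anything that infers the store type from the extension would be misled, so either name them `.p12` or note the mismatch in a comment. The script also silently depends on create-certs.sh having run first; `[[ -f "$CONFIG_DIR/ca-cert.pem" && -f "$CONFIG_DIR/key.pem" ]] || { echo "run create-certs.sh first" >&2; exit 1; }` would give a clear failure instead of keytool importing nothing.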

