Snake Oil PKI
Tags: scripts, tech, shell, devops, linux
17 Jul 2015 at Alpharetta

We run many services on many servers, and TLS is required for the communication between them and their clients. We cannot buy certificates from public root CAs like VeriSign for services running inside our firewall, so enter the snake oil authority, an internal CA that acts as the signing authority within your company. Given a snake oil CA, you can automate creation of the PKI essentials with the script below. We use it in a Jenkins job: given a server domain name and the requested key and store passwords, it produces a package (key, certificate and Java keystore) signed by the snake oil CA, plus the client truststore.

#!/bin/bash
set -euo pipefail

# usage: ./snake-oil-pki.sh <domain> <key_password> <store_password>

# your service hosting server details
domain=$1
key_password=$2
store_password=$3
commonname=$domain

# your predefined snake oil authority:
# a key and certificate valid for a long time (say 10 years), created with openssl and all the FauxSign details.
# the sequence file tracks the serial numbers of all the certificates issued.
# snake-oil-client.jks holds the chain-of-trust root certificate, like the ones preset in your browser or the JDK cacerts.

ca_cert=snake-oil-ca.crt
ca_key=snake-oil-ca.key
ca_seq_file=snake-oil.seq
ca_password=snake-oil-key-password
ca_client=snake-oil-client.jks

# your company details for your server certificate (values with spaces must be quoted)
country=US
state=GA
locality=Atlanta
organization=VectorClocks
organizationalunit="Software Engineering"
email=vector.clocks@vijayrc.com

# creating the server key (genrsa takes the key size as its last argument and has no -noout option)
printf 'generating key request for %s...\n' "$domain"
openssl genrsa -des3 -passout "pass:$key_password" -out "$domain.key" 2048

printf 'removing passphrase from key\n'
openssl rsa -in "$domain.key" -passin "pass:$key_password" -out "$domain.key"

# note: this prints the now unencrypted private key into the Jenkins console log
printf -- '-------server key--------\n'
cat "$domain.key"

# creating the csr to ask the snake oil authority for a certificate signed by it
# (the key has no passphrase any more, so no -passin is needed here)
printf 'creating csr..\n'
openssl req -new \
    -key "$domain.key" \
    -out "$domain.csr" \
    -subj "/C=$country/ST=$state/L=$locality/O=$organization/OU=$organizationalunit/CN=$commonname/emailAddress=$email"

printf -- '-------server csr--------\n'
cat "$domain.csr"

# creating the server certificate for the CSR, valid for 1 year
# -CAcreateserial creates the sequence file on first use; afterwards -CAserial reads and increments it
openssl x509 -req -days 365 -in "$domain.csr" \
    -CA "$ca_cert" \
    -CAkey "$ca_key" \
    -CAcreateserial \
    -CAserial "$ca_seq_file" \
    -out "$domain.crt" \
    -passin "pass:$ca_password"

printf -- '---server certificate----\n'
cat "$domain.crt"

# importing the server certificate into a keystore; java based services need this, httpd can take the crt & key files directly.
# -certfile adds the CA certificate so the keystore carries the full chain, not a second copy of the server certificate
openssl pkcs12 -export \
    -in "$domain.crt" \
    -inkey "$domain.key" \
    -certfile "$ca_cert" \
    -name "$domain" \
    -out "$domain.p12" \
    -password "pass:$key_password"

keytool -importkeystore \
    -srckeystore "$domain.p12" \
    -srcstoretype pkcs12 \
    -srcstorepass "$key_password" \
    -destkeystore "$domain.jks" \
    -deststoretype JKS \
    -deststorepass "$store_password" \
    -destkeypass "$key_password" -noprompt

printf -- '---server jks ready----\n'
keytool -list -v \
    -keystore "$domain.jks" \
    -alias "$domain" \
    -storepass "$store_password"

# package it
# put $domain.jks, $domain.crt and $domain.key on the server side
# give $ca_client (snake-oil-client.jks) to your service clients
# (must be $ca_client, not $ca-client.jks: bash expands the unset $ca to nothing and the file name becomes "-client.jks")

tar -cf "$domain.tar" "$domain.jks" "$domain.crt" "$domain.key" "$ca_client"
printf 'archived for consumer = %s\n' "$domain.tar"
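The script above assumes the snake oil CA, its sequence file and the client truststore already exist, and it ships the package without checking what it built. The following is an added example, not part of the post and not the author's script: it bootstraps that CA with openssl (passphrase-protected key, 10 year self-signed certificate with CA:TRUE from an explicit config so the result does not depend on the system openssl.cnf, and the serial file), builds the client truststore with keytool, issues a throwaway server certificate in condensed form, and then runs the checks a Jenkins job should perform before handing the tar out: the certificate chains to the snake oil root, the private key matches the certificate, the CN is the requested domain, and the serial file advanced. The directory layout, function names and passwords are assumptions; the CA subject reuses the post's company details.

```shell
#!/bin/bash
# Added example: bootstrap a snake oil CA and verify what it issues.
# Function names, paths and passwords are assumptions, not the post's script.

# CA key (passphrase protected), 10 year self-signed CA certificate with
# CA:TRUE, and the serial file the post's script passes as -CAserial.
make_snake_oil_ca() {
  dir=$1; ca_password=$2
  mkdir -p "$dir"
  # explicit config so the CA extensions do not depend on the system openssl.cnf
  cat > "$dir/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
prompt             = no
[ dn ]
C  = US
ST = GA
L  = Atlanta
O  = VectorClocks
OU = Software Engineering
CN = Snake Oil CA
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl genrsa -des3 -passout "pass:$ca_password" -out "$dir/snake-oil-ca.key" 2048 2>/dev/null
  openssl req -new -x509 -days 3650 -config "$dir/ca.cnf" \
    -key "$dir/snake-oil-ca.key" -passin "pass:$ca_password" \
    -out "$dir/snake-oil-ca.crt"
  printf '01\n' > "$dir/snake-oil.seq"    # first serial the CA will hand out
}

# Client truststore: only the CA certificate, no private keys (needs a JDK for keytool).
make_client_truststore() {
  dir=$1; store_password=$2
  keytool -importcert -noprompt -trustcacerts -alias snake-oil-ca \
    -file "$dir/snake-oil-ca.crt" -keystore "$dir/snake-oil-client.jks" \
    -storepass "$store_password"
}

# Condensed issuance (unencrypted key, no keystore), used only to exercise the checks.
issue_server_cert() {
  dir=$1; ca_password=$2; domain=$3
  openssl genrsa -out "$dir/$domain.key" 2048 2>/dev/null
  openssl req -new -key "$dir/$domain.key" -out "$dir/$domain.csr" \
    -subj "/C=US/ST=GA/L=Atlanta/O=VectorClocks/OU=Software Engineering/CN=$domain"
  openssl x509 -req -days 365 -in "$dir/$domain.csr" \
    -CA "$dir/snake-oil-ca.crt" -CAkey "$dir/snake-oil-ca.key" \
    -CAserial "$dir/snake-oil.seq" -passin "pass:$ca_password" \
    -out "$dir/$domain.crt" 2>/dev/null
}

# Checks worth running in the Jenkins job before the tar is handed out.
# Returns 0 when all pass, else 1 (does not chain to the root), 2 (key does not
# match the certificate), 3 (CN is not the requested domain).
check_issued_cert() {
  ca_cert=$1; dir=$2; domain=$3
  openssl verify -CAfile "$ca_cert" "$dir/$domain.crt" >/dev/null 2>&1 || return 1
  cert_pub=$(openssl x509 -in "$dir/$domain.crt" -noout -pubkey)
  key_pub=$(openssl pkey -in "$dir/$domain.key" -pubout)
  [ "$cert_pub" = "$key_pub" ] || return 2
  # subject formatting differs between openssl versions ("/CN=x" vs "CN = x"), so match loosely
  openssl x509 -in "$dir/$domain.crt" -noout -subject | grep -q "CN *= *$domain" || return 3
  return 0
}

# Serial the CA will use next; it must advance after every issuance.
next_serial() { cat "$1/snake-oil.seq"; }

# Stand-alone use: ./snake-oil-ca.sh <dir> <domain>
if [ "$#" -eq 2 ]; then
  make_snake_oil_ca "$1" snake-oil-key-password
  issue_server_cert "$1" snake-oil-key-password "$2"
  check_issued_cert "$1/snake-oil-ca.crt" "$1" "$2" && echo "package for $2 checks out"
fi
```

The chain check deliberately uses a second CA with the same subject name but a different key as its negative case: openssl picks the trust anchor by name, then the signature check fails, which is exactly the situation a stale or copied snake-oil-ca.crt on a client produces. The key/certificate comparison is done on the SubjectPublicKeyInfo PEM from both files, so it works for any key type openssl understands.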


All content except noted photos and videos copyright © Vijayaraj Chakravarthy. All rights reserved. *Any images or videos not listed as mine are copyright to their respective owners and were used under creative common license or fair use standards. If a photo or video is your material and you do not wish it to be on the site, please email me vijayrc@outlook.com and I will remove it immediately.