Commit 3f72bc4b54cf7713f87bde3dcf1fa36b40ef3ce8
Committed by
Andrew Shvayka
Andrew Shvayka
1 parent
c5c8fbd3
SSL (RSA) *.keygen.sh tool upgraded. Added PKCS8 pem format. Tested and fixed ke…
…ygen.properties to run with no warning. Removed 'mqtt' prefix from output files to fix confusion when applying keys for other protocols.
Showing
3 changed files
with
53 additions
and
9 deletions
| @@ -44,7 +44,8 @@ done | @@ -44,7 +44,8 @@ done | ||
| 44 | 44 | ||
| 45 | . $PROPERTIES_FILE | 45 | . $PROPERTIES_FILE |
| 46 | 46 | ||
| 47 | -if [ -f $CLIENT_FILE_PREFIX.jks ] || [ -f $CLIENT_FILE_PREFIX.pub.pem ] || [ -f $CLIENT_FILE_PREFIX.nopass.pem ] || [ -f $CLIENT_FILE_PREFIX.pem ] || [ -f $CLIENT_FILE_PREFIX.p12 ]; | 47 | +if [ -f $CLIENT_FILE_PREFIX.jks ] || [ -f $CLIENT_FILE_PREFIX.pub.pem ] || [ -f $CLIENT_FILE_PREFIX.nopass.pem ] || \ |
| 48 | + [ -f $CLIENT_FILE_PREFIX.pem ] || [ -f $CLIENT_FILE_PREFIX.p12 ] || [ -f $CLIENT_FILE_PREFIX.pk8.pem ]; | ||
| 48 | then | 49 | then |
| 49 | while : | 50 | while : |
| 50 | do | 51 | do |
| @@ -62,6 +63,7 @@ while : | @@ -62,6 +63,7 @@ while : | ||
| 62 | rm -rf $CLIENT_FILE_PREFIX.nopass.pem | 63 | rm -rf $CLIENT_FILE_PREFIX.nopass.pem |
| 63 | rm -rf $CLIENT_FILE_PREFIX.pem | 64 | rm -rf $CLIENT_FILE_PREFIX.pem |
| 64 | rm -rf $CLIENT_FILE_PREFIX.p12 | 65 | rm -rf $CLIENT_FILE_PREFIX.p12 |
| 66 | + rm -rf $CLIENT_FILE_PREFIX.pk8.pem | ||
| 65 | break; | 67 | break; |
| 66 | ;; | 68 | ;; |
| 67 | *) echo "Please reply 'yes' or 'no'" | 69 | *) echo "Please reply 'yes' or 'no'" |
| @@ -84,6 +86,8 @@ if [ -z "$OPENSSL_CMD" ]; then | @@ -84,6 +86,8 @@ if [ -z "$OPENSSL_CMD" ]; then | ||
| 84 | exit 0 | 86 | exit 0 |
| 85 | fi | 87 | fi |
| 86 | 88 | ||
| 89 | +echo "INFO: your hostname is $(hostname)" | ||
| 90 | +echo "INFO: your CN (domain suffix) for key is $DOMAIN_SUFFIX" | ||
| 87 | echo "Generating SSL Key Pair..." | 91 | echo "Generating SSL Key Pair..." |
| 88 | 92 | ||
| 89 | keytool -genkeypair -v \ | 93 | keytool -genkeypair -v \ |
| @@ -112,7 +116,15 @@ echo "Converting pkcs12 to pem" | @@ -112,7 +116,15 @@ echo "Converting pkcs12 to pem" | ||
| 112 | openssl pkcs12 -in $CLIENT_FILE_PREFIX.p12 \ | 116 | openssl pkcs12 -in $CLIENT_FILE_PREFIX.p12 \ |
| 113 | -out $CLIENT_FILE_PREFIX.pem \ | 117 | -out $CLIENT_FILE_PREFIX.pem \ |
| 114 | -passin pass:$CLIENT_KEY_PASSWORD \ | 118 | -passin pass:$CLIENT_KEY_PASSWORD \ |
| 115 | - -passout pass:$CLIENT_KEY_PASSWORD \ | 119 | + -passout pass:$CLIENT_KEY_PASSWORD |
| 120 | + | ||
| 121 | +echo "Converting pem to pkcs8" | ||
| 122 | +openssl pkcs8 \ | ||
| 123 | + -topk8 \ | ||
| 124 | + -nocrypt \ | ||
| 125 | + -in $CLIENT_FILE_PREFIX.pem \ | ||
| 126 | + -out $CLIENT_FILE_PREFIX.pk8.pem \ | ||
| 127 | + -passin pass:$CLIENT_KEY_PASSWORD | ||
| 116 | 128 | ||
| 117 | echo "Importing server public key to $CLIENT_FILE_PREFIX.jks" | 129 | echo "Importing server public key to $CLIENT_FILE_PREFIX.jks" |
| 118 | keytool --importcert \ | 130 | keytool --importcert \ |
| 1 | # | 1 | # |
| 2 | -# Copyright © 2016-2017 The Thingsboard Authors | 2 | +# Copyright © 2016-2021 The Thingsboard Authors |
| 3 | # | 3 | # |
| 4 | # Licensed under the Apache License, Version 2.0 (the "License"); | 4 | # Licensed under the Apache License, Version 2.0 (the "License"); |
| 5 | # you may not use this file except in compliance with the License. | 5 | # you may not use this file except in compliance with the License. |
| @@ -18,15 +18,15 @@ DOMAIN_SUFFIX="$(hostname)" | @@ -18,15 +18,15 @@ DOMAIN_SUFFIX="$(hostname)" | ||
| 18 | SUBJECT_ALTERNATIVE_NAMES="ip:127.0.0.1" | 18 | SUBJECT_ALTERNATIVE_NAMES="ip:127.0.0.1" |
| 19 | ORGANIZATIONAL_UNIT=Thingsboard | 19 | ORGANIZATIONAL_UNIT=Thingsboard |
| 20 | ORGANIZATION=Thingsboard | 20 | ORGANIZATION=Thingsboard |
| 21 | -CITY=SF | 21 | +CITY="San Francisco" |
| 22 | STATE_OR_PROVINCE=CA | 22 | STATE_OR_PROVINCE=CA |
| 23 | TWO_LETTER_COUNTRY_CODE=US | 23 | TWO_LETTER_COUNTRY_CODE=US |
| 24 | 24 | ||
| 25 | -SERVER_KEYSTORE_PASSWORD=server_ks_password | ||
| 26 | -SERVER_KEY_PASSWORD=server_key_password | 25 | +SERVER_KEYSTORE_PASSWORD=password |
| 26 | +SERVER_KEY_PASSWORD=password | ||
| 27 | 27 | ||
| 28 | SERVER_KEY_ALIAS="serveralias" | 28 | SERVER_KEY_ALIAS="serveralias" |
| 29 | -SERVER_FILE_PREFIX="mqttserver" | 29 | +SERVER_FILE_PREFIX="server" |
| 30 | SERVER_KEY_ALG="RSA" | 30 | SERVER_KEY_ALG="RSA" |
| 31 | SERVER_KEY_SIZE="2048" | 31 | SERVER_KEY_SIZE="2048" |
| 32 | SERVER_KEYSTORE_DIR="/etc/thingsboard/conf" | 32 | SERVER_KEYSTORE_DIR="/etc/thingsboard/conf" |
| @@ -35,6 +35,6 @@ CLIENT_KEYSTORE_PASSWORD=password | @@ -35,6 +35,6 @@ CLIENT_KEYSTORE_PASSWORD=password | ||
| 35 | CLIENT_KEY_PASSWORD=password | 35 | CLIENT_KEY_PASSWORD=password |
| 36 | 36 | ||
| 37 | CLIENT_KEY_ALIAS="clientalias" | 37 | CLIENT_KEY_ALIAS="clientalias" |
| 38 | -CLIENT_FILE_PREFIX="mqttclient" | 38 | +CLIENT_FILE_PREFIX="client" |
| 39 | CLIENT_KEY_ALG="RSA" | 39 | CLIENT_KEY_ALG="RSA" |
| 40 | CLIENT_KEY_SIZE="2048" | 40 | CLIENT_KEY_SIZE="2048" |
| @@ -60,7 +60,8 @@ fi | @@ -60,7 +60,8 @@ fi | ||
| 60 | 60 | ||
| 61 | . $PROPERTIES_FILE | 61 | . $PROPERTIES_FILE |
| 62 | 62 | ||
| 63 | -if [ -f $SERVER_FILE_PREFIX.jks ] || [ -f $SERVER_FILE_PREFIX.cer ] || [ -f $SERVER_FILE_PREFIX.pub.pem ] || [ -f $SERVER_FILE_PREFIX.pub.der ]; | 63 | +if [ -f $SERVER_FILE_PREFIX.jks ] || [ -f $SERVER_FILE_PREFIX.cer ] || [ -f $SERVER_FILE_PREFIX.pub.pem ] || \ |
| 64 | + [ -f $SERVER_FILE_PREFIX.p12 ] || [ -f $SERVER_FILE_PREFIX.pem ] || [ -f $SERVER_FILE_PREFIX.pk8.pem ] ; | ||
| 64 | then | 65 | then |
| 65 | while : | 66 | while : |
| 66 | do | 67 | do |
| @@ -76,6 +77,9 @@ while : | @@ -76,6 +77,9 @@ while : | ||
| 76 | rm -rf $SERVER_FILE_PREFIX.jks | 77 | rm -rf $SERVER_FILE_PREFIX.jks |
| 77 | rm -rf $SERVER_FILE_PREFIX.pub.pem | 78 | rm -rf $SERVER_FILE_PREFIX.pub.pem |
| 78 | rm -rf $SERVER_FILE_PREFIX.cer | 79 | rm -rf $SERVER_FILE_PREFIX.cer |
| 80 | + rm -rf $SERVER_FILE_PREFIX.p12 | ||
| 81 | + rm -rf $SERVER_FILE_PREFIX.pem | ||
| 82 | + rm -rf $SERVER_FILE_PREFIX.pk8.pem | ||
| 79 | break; | 83 | break; |
| 80 | ;; | 84 | ;; |
| 81 | *) echo "Please reply 'yes' or 'no'" | 85 | *) echo "Please reply 'yes' or 'no'" |
| @@ -84,6 +88,8 @@ while : | @@ -84,6 +88,8 @@ while : | ||
| 84 | done | 88 | done |
| 85 | fi | 89 | fi |
| 86 | 90 | ||
| 91 | +echo "INFO: your hostname is $(hostname)" | ||
| 92 | +echo "INFO: your CN (domain suffix) for key is $DOMAIN_SUFFIX" | ||
| 87 | echo "Generating SSL Key Pair..." | 93 | echo "Generating SSL Key Pair..." |
| 88 | 94 | ||
| 89 | EXT="" | 95 | EXT="" |
| @@ -121,6 +127,32 @@ keytool -export \ | @@ -121,6 +127,32 @@ keytool -export \ | ||
| 121 | -storepass $SERVER_KEYSTORE_PASSWORD \ | 127 | -storepass $SERVER_KEYSTORE_PASSWORD \ |
| 122 | -keypass $SERVER_KEY_PASSWORD | 128 | -keypass $SERVER_KEY_PASSWORD |
| 123 | 129 | ||
| 130 | +echo "Converting keystore to pkcs12" | ||
| 131 | +keytool -importkeystore \ | ||
| 132 | + -srckeystore $SERVER_FILE_PREFIX.jks \ | ||
| 133 | + -destkeystore $SERVER_FILE_PREFIX.p12 \ | ||
| 134 | + -srcalias $SERVER_KEY_ALIAS \ | ||
| 135 | + -srcstoretype jks \ | ||
| 136 | + -deststoretype pkcs12 \ | ||
| 137 | + -srcstorepass $SERVER_KEYSTORE_PASSWORD \ | ||
| 138 | + -deststorepass $SERVER_KEY_PASSWORD \ | ||
| 139 | + -srckeypass $SERVER_KEY_PASSWORD \ | ||
| 140 | + -destkeypass $SERVER_KEY_PASSWORD | ||
| 141 | + | ||
| 142 | +echo "Converting pkcs12 to pem" | ||
| 143 | +openssl pkcs12 -in $SERVER_FILE_PREFIX.p12 \ | ||
| 144 | + -out $SERVER_FILE_PREFIX.pem \ | ||
| 145 | + -passin pass:$SERVER_KEY_PASSWORD \ | ||
| 146 | + -passout pass:$SERVER_KEY_PASSWORD | ||
| 147 | + | ||
| 148 | +echo "Converting pem to pkcs8" | ||
| 149 | +openssl pkcs8 \ | ||
| 150 | + -topk8 \ | ||
| 151 | + -nocrypt \ | ||
| 152 | + -in $SERVER_FILE_PREFIX.pem \ | ||
| 153 | + -out $SERVER_FILE_PREFIX.pk8.pem \ | ||
| 154 | + -passin pass:$SERVER_KEY_PASSWORD | ||
| 155 | + | ||
| 124 | status=$? | 156 | status=$? |
| 125 | if [[ $status != 0 ]]; then | 157 | if [[ $status != 0 ]]; then |
| 126 | exit $status; | 158 | exit $status; |