Commit e6056ec8a069112af006d2ad1070ee4bc93eb57c
Committed by
GitHub
Merge pull request #3951 from cdelston0/master
Add support for generating server and client keys with alternative TLS algorithms
Showing
3 changed files
with
24 additions
and
7 deletions
... | ... | @@ -16,7 +16,7 @@ |
16 | 16 | # |
17 | 17 | |
18 | 18 | usage() { |
19 | - echo "This script generates client public/private rey pair, extracts them to a no-password RSA pem file," | |
19 | + echo "This script generates client public/private key pair, extracts them to a no-password pem file," | |
20 | 20 | echo "and imports server public key to client keystore" |
21 | 21 | echo "usage: ./client.keygen.sh [-p file]" |
22 | 22 | echo " -p | --props | --properties file Properties file. default value is ./keygen.properties" |
... | ... | @@ -70,6 +70,20 @@ while : |
70 | 70 | done |
71 | 71 | fi |
72 | 72 | |
73 | +OPENSSL_CMD="" | |
74 | +case $CLIENT_KEY_ALG in | |
75 | +RSA) | |
76 | + OPENSSL_CMD="rsa" | |
77 | + ;; | |
78 | +EC) | |
79 | + OPENSSL_CMD="ec" | |
80 | + ;; | |
81 | +esac | |
82 | +if [ -z "$OPENSSL_CMD" ]; then | |
83 | + echo "Unexpected CLIENT_KEY_ALG. Exiting." | |
84 | + exit 0 | |
85 | +fi | |
86 | + | |
73 | 87 | echo "Generating SSL Key Pair..." |
74 | 88 | |
75 | 89 | keytool -genkeypair -v \ |
... | ... | @@ -77,8 +91,8 @@ keytool -genkeypair -v \ |
77 | 91 | -keystore $CLIENT_FILE_PREFIX.jks \ |
78 | 92 | -keypass $CLIENT_KEY_PASSWORD \ |
79 | 93 | -storepass $CLIENT_KEYSTORE_PASSWORD \ |
80 | - -keyalg RSA \ | |
81 | - -keysize 2048 \ | |
94 | + -keyalg $CLIENT_KEY_ALG \ | |
95 | + -keysize $CLIENT_KEY_SIZE\ | |
82 | 96 | -validity 9999 \ |
83 | 97 | -dname "CN=$DOMAIN_SUFFIX, OU=$ORGANIZATIONAL_UNIT, O=$ORGANIZATION, L=$CITY, ST=$STATE_OR_PROVINCE, C=$TWO_LETTER_COUNTRY_CODE" |
84 | 98 | |
... | ... | @@ -110,7 +124,7 @@ keytool --importcert \ |
110 | 124 | -noprompt |
111 | 125 | |
112 | 126 | echo "Exporting no-password pem certificate" |
113 | -openssl rsa -in $CLIENT_FILE_PREFIX.pem -out $CLIENT_FILE_PREFIX.nopass.pem -passin pass:$CLIENT_KEY_PASSWORD | |
127 | +openssl $OPENSSL_CMD -in $CLIENT_FILE_PREFIX.pem -out $CLIENT_FILE_PREFIX.nopass.pem -passin pass:$CLIENT_KEY_PASSWORD | |
114 | 128 | tail -n +$(($(grep -m1 -n -e '-----BEGIN CERTIFICATE' $CLIENT_FILE_PREFIX.pem | cut -d: -f1) )) \ |
115 | 129 | $CLIENT_FILE_PREFIX.pem >> $CLIENT_FILE_PREFIX.nopass.pem |
116 | 130 | ... | ... |
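Review bot: The new guard at lines 82-85 of client.keygen.sh exits with status 0 when CLIENT_KEY_ALG is not RSA or EC, so a caller or CI job that checks the script's return code will see success and no key material will have been produced. Fold the check into the `case` as a default arm and fail loudly on stderr: `*) echo "Unexpected CLIENT_KEY_ALG '$CLIENT_KEY_ALG'. Exiting." >&2` / `exit 1 ;;`, which also removes the separate `-z` test. Separately, line 95 `-keysize $CLIENT_KEY_SIZE\` dropped the space before the continuation backslash; it presumably only works because the following `-validity` line is indented, so restore it as `-keysize $CLIENT_KEY_SIZE \` to match the server script. Note also that the properties default of 2048 is only meaningful for RSA; with EC, keytool treats `-keysize` as the curve length (256/384/521), so a comment at the top of the case block warning that CLIENT_KEY_SIZE must be changed together with CLIENT_KEY_ALG would save a confusing keytool failure.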
... | ... | @@ -26,6 +26,8 @@ SERVER_KEY_PASSWORD=server_key_password |
26 | 26 | |
27 | 27 | SERVER_KEY_ALIAS="serveralias" |
28 | 28 | SERVER_FILE_PREFIX="mqttserver" |
29 | +SERVER_KEY_ALG="RSA" | |
30 | +SERVER_KEY_SIZE="2048" | |
29 | 31 | SERVER_KEYSTORE_DIR="/etc/thingsboard/conf" |
30 | 32 | |
31 | 33 | CLIENT_KEYSTORE_PASSWORD=password |
... | ... | @@ -33,4 +35,5 @@ CLIENT_KEY_PASSWORD=password |
33 | 35 | |
34 | 36 | CLIENT_KEY_ALIAS="clientalias" |
35 | 37 | CLIENT_FILE_PREFIX="mqttclient" |
36 | - | |
38 | +CLIENT_KEY_ALG="RSA" | |
39 | +CLIENT_KEY_SIZE="2048" | ... | ... |
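Review bot: The new SERVER_KEY_ALG/SERVER_KEY_SIZE and CLIENT_KEY_ALG/CLIENT_KEY_SIZE entries carry no hint of their accepted values, and the 2048 default is an RSA modulus size that is not a valid EC curve size for keytool. Add a comment above each pair such as `# RSA or EC (the scripts reject anything else); for EC, *_KEY_SIZE is the curve length (256, 384 or 521), not an RSA modulus size` so an operator who flips the algorithm also adjusts the size. It is worth stating in the same comment that the file is sourced as shell, so the quoted values must remain valid shell assignments.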
... | ... | @@ -92,8 +92,8 @@ keytool -genkeypair -v \ |
92 | 92 | -keystore $SERVER_FILE_PREFIX.jks \ |
93 | 93 | -keypass $SERVER_KEY_PASSWORD \ |
94 | 94 | -storepass $SERVER_KEYSTORE_PASSWORD \ |
95 | - -keyalg RSA \ | |
96 | - -keysize 2048 \ | |
95 | + -keyalg $SERVER_KEY_ALG \ | |
96 | + -keysize $SERVER_KEY_SIZE \ | |
97 | 97 | -validity 9999 |
98 | 98 | |
99 | 99 | status=$? | ... | ... |
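Review bot: Unlike the client script, the server side in this hunk passes `$SERVER_KEY_ALG` and `$SERVER_KEY_SIZE` straight to keytool with no validation, so an empty or misspelled value in keygen.properties is only caught by keytool's own error, and an empty unquoted `$SERVER_KEY_ALG` drops the argument entirely, leaving `-keyalg -keysize ...` on the command line; if a check exists above the hunk it is outside this view. Guard both before the keytool call with `: "${SERVER_KEY_ALG:?SERVER_KEY_ALG must be RSA or EC}"` and `: "${SERVER_KEY_SIZE:?SERVER_KEY_SIZE must be set}"`, or mirror the client's `case` so the two scripts fail the same way. The `status=$?` check that follows does catch keytool's failure, so the remaining gap is the clarity of the message, not a silent success. The enclosing keytool invocation starts above the hunk.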