Add config params for server and client key algs
This change adds new parameters to keygen.properties to allow the configuration of the server and client TLS key algorithms: SERVER_KEY_ALG, SERVER_KEY_SIZE, CLIENT_KEY_ALG, CLIENT_KEY_SIZE Default values for these have been set at RSA and 2048 to preserve previous operation. I have also tested SERVER_KEY_ALG=EC and SERVER_KEY_SIZE=256, along with CLIENT_KEY_ALG=EC and CLIENT_KEY_SIZE=256. Other algorithms and sizes may be supported, YMMV.
This commit is contained in:
Chris Elston
parent
4aa55bccf8
commit
d3f018b0ef
@ -16,7 +16,7 @@
|
||||
#
|
||||
|
||||
usage() {
|
||||
echo "This script generates client public/private rey pair, extracts them to a no-password RSA pem file,"
|
||||
echo "This script generates client public/private key pair, extracts them to a no-password pem file,"
|
||||
echo "and imports server public key to client keystore"
|
||||
echo "usage: ./client.keygen.sh [-p file]"
|
||||
echo " -p | --props | --properties file Properties file. default value is ./keygen.properties"
|
||||
@ -70,6 +70,20 @@ while :
|
||||
done
|
||||
fi
|
||||
|
||||
OPENSSL_CMD=""
|
||||
case $CLIENT_KEY_ALG in
|
||||
RSA)
|
||||
OPENSSL_CMD="rsa"
|
||||
;;
|
||||
EC)
|
||||
OPENSSL_CMD="ec"
|
||||
;;
|
||||
esac
|
||||
if [ -z "$OPENSSL_CMD" ]; then
|
||||
echo "Unexpected CLIENT_KEY_ALG. Exiting."
|
||||
exit 0
|
||||
fi
|
||||
|
||||
echo "Generating SSL Key Pair..."
|
||||
|
||||
keytool -genkeypair -v \
|
||||
@ -77,8 +91,8 @@ keytool -genkeypair -v \
|
||||
-keystore $CLIENT_FILE_PREFIX.jks \
|
||||
-keypass $CLIENT_KEY_PASSWORD \
|
||||
-storepass $CLIENT_KEYSTORE_PASSWORD \
|
||||
-keyalg RSA \
|
||||
-keysize 2048 \
|
||||
-keyalg $CLIENT_KEY_ALG \
|
||||
-keysize $CLIENT_KEY_SIZE\
|
||||
-validity 9999 \
|
||||
-dname "CN=$DOMAIN_SUFFIX, OU=$ORGANIZATIONAL_UNIT, O=$ORGANIZATION, L=$CITY, ST=$STATE_OR_PROVINCE, C=$TWO_LETTER_COUNTRY_CODE"
|
||||
|
||||
@ -110,7 +124,7 @@ keytool --importcert \
|
||||
-noprompt
|
||||
|
||||
echo "Exporting no-password pem certificate"
|
||||
openssl rsa -in $CLIENT_FILE_PREFIX.pem -out $CLIENT_FILE_PREFIX.nopass.pem -passin pass:$CLIENT_KEY_PASSWORD
|
||||
openssl $OPENSSL_CMD -in $CLIENT_FILE_PREFIX.pem -out $CLIENT_FILE_PREFIX.nopass.pem -passin pass:$CLIENT_KEY_PASSWORD
|
||||
tail -n +$(($(grep -m1 -n -e '-----BEGIN CERTIFICATE' $CLIENT_FILE_PREFIX.pem | cut -d: -f1) )) \
|
||||
$CLIENT_FILE_PREFIX.pem >> $CLIENT_FILE_PREFIX.nopass.pem
|
||||
|
||||
|
||||
@ -26,6 +26,8 @@ SERVER_KEY_PASSWORD=server_key_password
|
||||
|
||||
SERVER_KEY_ALIAS="serveralias"
|
||||
SERVER_FILE_PREFIX="mqttserver"
|
||||
SERVER_KEY_ALG="RSA"
|
||||
SERVER_KEY_SIZE="2048"
|
||||
SERVER_KEYSTORE_DIR="/etc/thingsboard/conf"
|
||||
|
||||
CLIENT_KEYSTORE_PASSWORD=password
|
||||
@ -33,4 +35,5 @@ CLIENT_KEY_PASSWORD=password
|
||||
|
||||
CLIENT_KEY_ALIAS="clientalias"
|
||||
CLIENT_FILE_PREFIX="mqttclient"
|
||||
|
||||
CLIENT_KEY_ALG="RSA"
|
||||
CLIENT_KEY_SIZE="2048"
|
||||
|
||||
@ -92,8 +92,8 @@ keytool -genkeypair -v \
|
||||
-keystore $SERVER_FILE_PREFIX.jks \
|
||||
-keypass $SERVER_KEY_PASSWORD \
|
||||
-storepass $SERVER_KEYSTORE_PASSWORD \
|
||||
-keyalg RSA \
|
||||
-keysize 2048 \
|
||||
-keyalg $SERVER_KEY_ALG \
|
||||
-keysize $SERVER_KEY_SIZE \
|
||||
-validity 9999
|
||||
|
||||
status=$?
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user