#!/bin/bash
#
# genKeystorePKI.sh
#-------------------------------------------------------------------------------
# execute commands verbosely
# ------------------------------------------------------------------------------
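#######################################
# Run a command, echoing it first; exit the whole script if it fails.
# The callers in this script pass the entire command line as ONE string, so a
# single argument is split on whitespace into words. Callers may instead pass
# the command and its arguments separately, in which case they are used
# verbatim (safe for arguments that contain spaces).
# Arguments: $1 - command line as a single string, or "$@" - command + args
# Outputs:   "Running: <command line>" on stdout, then the command's own output;
#            "Error: <status>" and "Exiting..." on stderr when it fails
# Returns:   the command's status (0); on failure does not return — exits the
#            script with that status
#######################################
function executioner() {
  local -a cmd=()
  local rc
  if (( $# == 1 )); then
    # Legacy single-string form: split on IFS (first line only); unlike the
    # original unquoted $1, no glob expansion is applied to the words.
    read -r -a cmd <<<"$1"
  else
    cmd=("$@")
  fi
  # NOTE: this echo (and `ps`) exposes every argument, including any
  # -storepass/-keypass values the caller embeds in the command line.
  printf 'Running: %s\n' "$*"
  "${cmd[@]}" || {
    rc=$?
    printf 'Error: %s\n' "$rc" >&2
    echo "Exiting..." >&2
    exit "$rc"
  }
}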
# ------------------------------------------------------------------------------
# remove existing keystore ?
# ------------------------------------------------------------------------------
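#######################################
# Ask (on stdin) whether one existing keystore file should be deleted.
# Arguments: $1 - keystore path; $2 - label shown in the prompt (JKS / JCEKS)
# Inputs:    reads lines from stdin until 'y' or 'n' is entered; on EOF the
#            file is left in place
# Outputs:   prompts on stdout
# Returns:   0
#######################################
function _confirm_remove_keystore() {
  local path=$1 label=$2
  local answer
  [[ -f "$path" ]] || return 0
  echo; echo "Previous ${label} Keystore exists. Remove it ??? (y/n)"
  # quoted selector + case: an empty or odd answer just re-prompts instead of
  # tripping a "[: ==: unary operator expected" error
  while read -r answer; do
    case "$answer" in
      y)
        echo
        echo "removing ${label} keystore..."
        rm -f -- "$path"
        break
        ;;
      n)
        break
        ;;
    esac
    echo "Previous ${label} Keystore exists. Remove it ??? (y/n)"
  done
}

#######################################
# Offer to remove previously generated keystores (JKS and JCEKS) in the
# current directory.
# Globals:   none (touches ./keytoolKeystore.jks and ./keytoolKeystore.jceks)
# Inputs:    y/n answers on stdin
# Outputs:   prompts on stdout
# Returns:   0
#######################################
function whackKeyStore() {
  echo
  echo "Check Existing Keystores"
  echo "------------------------"
  _confirm_remove_keystore keytoolKeystore.jks JKS
  _confirm_remove_keystore keytoolKeystore.jceks JCEKS
}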
# ------------------------------------------------------------------------------
# gen public/private keys
# ------------------------------------------------------------------------------
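#######################################
# Ask for the keystore type, then generate an RSA keypair and an X.509
# self-signed certificate under alias 'mykey' with keytool.
# Globals:   KEYSTORETYPE  (written: JCEKS or JKS; read by the other functions)
#            KEYSTORE_PASS (read, optional; defaults to the script's original
#            value 123456. It is passed on keytool's command line and echoed by
#            executioner(), so it is visible in `ps` and in the output. It must
#            not contain whitespace, because executioner() splits the command
#            string on whitespace.)
# Inputs:    c/k answer on stdin
# Outputs:   prompts and keytool output on stdout
# Returns:   1 if no keystore type was chosen (stdin closed); nothing generated
#######################################
function genKeys() {
  local answer
  local storepass=${KEYSTORE_PASS:-123456}
  echo
  echo "Create public/private keypairs (and keystore if it does not exist)"
  echo "------------------------------------------------------------------"
  echo
  echo "Also generates an X.509 v1 self-signed certificate, using keystore"
  echo "information including the private key and public key associated with"
  echo "alias. The generated certificate is stored as a single-element"
  echo "certificate chain in the keystore entry identified by alias."
  echo
  echo; echo "Keystore type: JCEKS (c) or JKS (k) ??? (c/k)"
  while read -r answer; do
    case "$answer" in
      c)
        echo
        echo "Using JCEKS type..."
        KEYSTORETYPE=JCEKS
        break
        ;;
      k)
        echo
        echo "Using JKS type..."
        KEYSTORETYPE=JKS
        break
        ;;
    esac
    echo "Keystore type: JCEKS or JKS ??? (c/k)"
  done
  if [[ -z "${KEYSTORETYPE:-}" ]]; then
    echo "No keystore type chosen; not generating keys." >&2
    return 1
  fi
  echo "Generating Keys into ${KEYSTORETYPE} keystore..."
  sleep 1
  # 2048-bit RSA: the 1024-bit size originally used here is below current
  # minimum key-length recommendations. The -dname must stay free of spaces
  # because executioner() word-splits this single string.
  executioner "keytool -genkey -alias mykey -keyalg RSA -keysize 2048 -dname CN=Brett,OU=Dev,O=ET_Penguin,L=City,S=Colorado,C=US -keystore keytoolKeystore.${KEYSTORETYPE} -storepass ${storepass} -keypass ${storepass}"
}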
# ------------------------------------------------------------------------------
# listKeys()
# -----------------------------
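#######################################
# List the keystore contents (verbose and RFC/PEM formats) and export the
# 'mykey' certificate to ./mykey.crt.
# Globals:   KEYSTORETYPE  (read: JCEKS or JKS, set by genKeys)
#            KEYSTORE_PASS (read, optional; defaults to 123456. Passed on
#            keytool's command line, so visible in `ps` and in executioner()'s
#            "Running:" echo; must not contain whitespace.)
# Outputs:   keystore listings and the exported certificate on stdout
# Returns:   1 if KEYSTORETYPE is unset (the keystore name would otherwise
#            degrade to 'keytoolKeystore.')
#######################################
function listKeys() {
  local storepass=${KEYSTORE_PASS:-123456}
  local keystore
  if [[ -z "${KEYSTORETYPE:-}" ]]; then
    echo "listKeys: KEYSTORETYPE is not set; run genKeys first." >&2
    return 1
  fi
  keystore="keytoolKeystore.${KEYSTORETYPE}"
  echo
  echo "Listing the keystore elements"
  echo "-----------------------------"
  echo
  echo "Verbose format:"
  echo
  sleep 1
  executioner "keytool -list -v -keystore ${keystore} -storepass ${storepass}"
  echo
  echo "RFC format:"
  echo
  sleep 1
  executioner "keytool -list -rfc -keystore ${keystore} -storepass ${storepass}"
  echo
  echo "Exporting the identity cert to 'mykey.crt':"
  echo "-----------------------------------------------"
  sleep 1
  executioner "keytool -export -rfc -file mykey.crt -alias mykey -keystore ${keystore} -storepass ${storepass}"
  echo "Listing the exported certificate"
  echo
  sleep 1
  ls -l -- mykey.crt
  echo
  echo
  cat -- mykey.crt
  echo
  echo
  echo
  echo "Your certificate is now in 'mykey.crt' and your public/private keys"
  echo "are in the the keystore under the alias 'mykey'"
  echo
  sleep 1
}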
# ------------------------------------------------------------------------------
# gen a CSR
# ------------------------------------------------------------------------------
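#######################################
# Either generate a Certificate Signing Request for 'mykey' (and explain how
# to import the CA's reply) or hand off to doSelfSigned.
# Globals:   KEYSTORETYPE  (read: JCEKS or JKS, set by genKeys)
#            KEYSTORE_PASS (read, optional; defaults to 123456; passed on
#            keytool's command line, so visible in `ps`; no whitespace allowed)
# Inputs:    c/s answer on stdin
# Outputs:   the CSR (./mykey-csr.pem) and import instructions on stdout
# Returns:   1 if stdin closes before an answer is given; otherwise the status
#            of doSelfSigned (s) or of the last display command (c)
#######################################
function genCSR() {
  local answer choice=
  local storepass=${KEYSTORE_PASS:-123456}
  local keystore="keytoolKeystore.${KEYSTORETYPE}"
  echo
  echo "Certificate Signing Request (CSR)"
  echo "---------------------------------"
  echo "Generate a CSR (c) or do you want to self sign (s) your certificate??? (c/s)"
  while read -r answer; do
    case "$answer" in
      c) choice=csr; break ;;
      s) choice=self; break ;;
    esac
    echo "Generate a CSR or do you want to self sign your certificate??? (c/s)"
  done
  case "$choice" in
    self)
      doSelfSigned
      return
      ;;
    '')
      # EOF without an answer: do not silently fall through to CSR generation
      echo "genCSR: no answer given; nothing done." >&2
      return 1
      ;;
  esac
  # Gen the CSR
  # --------------------------
  echo "generating the CSR..."
  echo
  sleep 1
  executioner "keytool -certreq -v -alias mykey -file mykey-csr.pem -storepass ${storepass} -keystore ${keystore}"
  # Display the CSR
  # --------------------------
  echo "here is your CSR"
  echo
  sleep 1
  ls -l -- mykey-csr.pem
  echo
  echo
  cat -- mykey-csr.pem
  echo
  echo
  sleep 1
  echo
  # Background on certificate chains and the import steps (unquoted heredoc:
  # ${KEYSTORETYPE} and ${storepass} are expanded in the examples).
  cat <<EOF
After sending in the CSR to a CA, you'll receive a C.
C = certificate = identity certificate = public-key certificate
CSR -> CA -> C (makes CenCe?)

The C contains your public key (identifying you) and is signed
with the Digital Signature of a CA.

In some cases, there may be a chain of certificates, with
the last being the one that signs your C, and each
previous one verifying the authenticity of the subsequent CA

The first one in the chain is the Root CA, and it needs to be trusted
by you.

Interestingly, the Root identity certificate is self-signed, so
you'll need to manually verify that it in fact is a valid signature.
This can be done by obtaining that CA's C from a trusted source
(its web site, a printed page, etc.)

Once verified, its time to import the cert(s):


First you should import the identity cert of the CA:
(note - it already may be in the 'cacerts' file)
===========================================================
Example:
keytool -import -v -trustcacerts -alias trusted_ca_1 -file versign_ca.pem -keystore keytoolKeystore.${KEYSTORETYPE} -storepass ${storepass}


Next you'll need to import your newly issued identity cert:
(the one that was signed by the newly trusted CA)
===========================================================
Example:
keytool -import -v -alias mykey -file my-signed-cert.pem -keystore keytoolKeystore.${KEYSTORETYPE} -storepass ${storepass}


EOF
}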
# ------------------------------------------------------------------------------
# gen a self-signed cert
# ------------------------------------------------------------------------------
#######################################
# Explain that genKeys already produced a self-signed X.509 v1 certificate and
# print a `keytool -selfcert` template for regenerating it with other values.
# Globals:   KEYSTORETYPE (read; substituted into the template)
# Outputs:   explanatory text on stdout
# Returns:   0
#######################################
function doSelfSigned() {
  # unquoted heredoc so ${KEYSTORETYPE} expands; leading/trailing blank lines
  # are part of the intended output
  cat <<EOF




When the keys were initially generated, the public key was wrapped
into an X.509 v1 self-signed certificate and stored as a single-element
certificate chain.

If you want to run it again to change some values, here is a template
for what you would use:
keytool -selfcert -alias mykey -dname CN=Brett,OU=Dev,O=ET_Penguin,L=City,S=Colorado,C=US -storepass 123456 -keystore keytoolKeystore.${KEYSTORETYPE}



EOF
}
# ------------------------------------------------------------------------------
# main()
# -----------------------------
#######################################
# Script driver: offer keystore cleanup, generate keys (listing them only when
# generation succeeded), then walk through the CSR / self-sign step.
# Returns:   the status of genCSR
#######################################
function main() {
  whackKeyStore
  if genKeys; then
    listKeys
  fi
  genCSR
}
# Run the walkthrough. On failure exit immediately with main's status; on
# success fall off the end of the script, which also exits 0.
main "$@" || exit $?
# ------------------------------------------------------------------------------
In an effort to provide a service of value to the open source community, I've put together this website, which contains many of my notes and references.
This website is not authoritative and it is certainly not without errors; it is a work in progress.
In addition to my contributions you will also find the work of others. Where the work is not mine, I have tried to indicate that, and to reference the source of the work: by citing the original author, retaining the authors' name and license wherever present, or by placing the work in a suitably named URL containing /external/ in the path. If you find any work here that should not be publicly available, please send me a note and it will be removed.
As for my contributions, you are free to use any of *MY* notes or code from this website unless specifically instructed otherwise.
Brett Lee, Ph.D., President & CEO
Everything Penguin, Inc.