X-Git-Url: https://gerrit.o-ran-sc.org/r/gitweb?a=blobdiff_plain;f=service-exposure%2Fcerts%2Fserver_certs.sh;h=15cccb7465b8a6017a49861f20a6e9995e2f6059;hb=d03286355ba8f11aacabbee178fe5cb084be7b51;hp=c399033f7e6c802108f7e53b922da5a85fb50459;hpb=28fa9fbfee514da8c85171facbabe6747f499988;p=nonrtric.git diff --git a/service-exposure/certs/server_certs.sh b/service-exposure/certs/server_certs.sh old mode 100644 new mode 100755 index c399033f..15cccb74 --- a/service-exposure/certs/server_certs.sh +++ b/service-exposure/certs/server_certs.sh @@ -1,7 +1,7 @@ #!/bin/sh # # ============LICENSE_START======================================================= -# Copyright (C) 2022 Nordix Foundation. +# Copyright (C) 2022-2023 Nordix Foundation. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -20,22 +20,51 @@ # -CA_SUBJECT="/C=IE/ST=/L=/O=/OU=Keycloak/CN=localhost/emailAddress=ca@mail.com" -SERVER_SUBJECT="/C=IE/ST=/L=/O=/OU=Keycloak/CN=localhost/emailAddress=server@mail.com" +CA_SUBJECT="/C=IE/ST=Dublin/L=Dublin/O=Keycloak/OU=Keycloak/CN=localhost/emailAddress=ca@mail.com" +SERVER_SUBJECT="/C=IE/ST=Dublin/L=Dublin/O=Keycloak/OU=Keycloak/CN=localhost/emailAddress=server@mail.com" PW=changeit +CERTNAME=tls +CANAME=rootCA +IP=$(minikube ip) +DAYS=3650 +TRUSTSTORE=server.truststore +KEYSTORE=server.keystore +STORETYPE=PKCS12 +rm $TRUSTSTORE $KEYSTORE ${CANAME}.key ${CANAME}.crt ${CERTNAME}.key ${CERTNAME}.csr ${CERTNAME}.crt ${CERTNAME}.p12 2>/dev/null echo $PW > secretfile.txt -openssl req -x509 -sha256 -days 3650 -newkey rsa:4096 -keyout rootCA.key -subj "$CA_SUBJECT" -passout file:secretfile.txt -out rootCA.crt +openssl req -x509 -sha256 -days $DAYS -newkey rsa:4096 -keyout ${CANAME}.key -subj "$CA_SUBJECT" -passout file:secretfile.txt -out ${CANAME}.crt -openssl req -new -newkey rsa:4096 -keyout tls.key -subj "$SERVER_SUBJECT" -out tls.csr -nodes +openssl req -new -newkey rsa:4096 -keyout ${CERTNAME}.key -subj "$SERVER_SUBJECT" -out ${CERTNAME}.csr -nodes -echo "authorityKeyIdentifier=keyid,issuer" > openssl.ext -echo "basicConstraints=CA:FALSE" >> openssl.ext -echo "subjectAltName = @alt_names" >> openssl.ext -echo "[alt_names]" >> openssl.ext -echo "DNS.1 = localhost" >> openssl.ext +echo "subjectKeyIdentifier = hash" > x509.ext +echo "authorityKeyIdentifier = keyid:always,issuer:always" >> x509.ext +echo "basicConstraints = CA:TRUE" >> x509.ext +echo "keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement, keyCertSign" >> x509.ext +echo "subjectAltName = DNS.1:localhost, IP.1:127.0.0.1, DNS.2:minikube, IP.2:${IP}, DNS.3:keycloak.default, DNS.4:keycloak.est.tech, DNS.5:keycloak" >> x509.ext +echo "issuerAltName = issuer:copy" >> x509.ext +echo "[ ca ]" >> x509.ext +echo "# X509 extensions for a ca" >> x509.ext 
+echo "keyUsage = critical, cRLSign, keyCertSign" >> x509.ext +echo "basicConstraints = CA:TRUE, pathlen:0" >> x509.ext +echo "subjectKeyIdentifier = hash" >> x509.ext +echo "authorityKeyIdentifier = keyid:always,issuer:always" >> x509.ext +echo "" >> x509.ext +echo "[ server ]" >> x509.ext +echo "# X509 extensions for a server" >> x509.ext +echo "keyUsage = critical,digitalSignature,keyEncipherment" >> x509.ext +echo "extendedKeyUsage = serverAuth,clientAuth" >> x509.ext +echo "basicConstraints = critical,CA:FALSE" >> x509.ext +echo "subjectKeyIdentifier = hash" >> x509.ext +echo "authorityKeyIdentifier = keyid,issuer:always" >> x509.ext -openssl x509 -req -CA rootCA.crt -CAkey rootCA.key -in tls.csr -passin file:secretfile.txt -out tls.crt -days 365 -CAcreateserial -ext openssl.ext +openssl x509 -req -CA ${CANAME}.crt -CAkey ${CANAME}.key -in ${CERTNAME}.csr -passin file:secretfile.txt -out ${CERTNAME}.crt -days $DAYS -CAcreateserial -extfile x509.ext -rm secretfile.txt openssl.ext 2>/dev/null +keytool -import -trustcacerts -file ${CANAME}.crt -keystore $TRUSTSTORE -storepass $PW -storetype $STORETYPE -noprompt + +openssl pkcs12 -export -clcerts -in ${CERTNAME}.crt -inkey ${CERTNAME}.key -passout file:secretfile.txt -out ${CERTNAME}.p12 + +keytool -importkeystore -srckeystore ${CERTNAME}.p12 -srcstorepass $PW -srcstoretype $STORETYPE -destkeystore $KEYSTORE -deststorepass $PW -deststoretype $STORETYPE + +rm secretfile.txt x509.ext 2>/dev/null
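Review bot: The server certificate is signed with `-extfile x509.ext` but no `-extensions server`, so `openssl x509` takes the unnamed top section of x509.ext — which carries `basicConstraints = CA:TRUE` and `keyUsage = ... keyCertSign` — and the `[ server ]` section (with `critical,CA:FALSE`) is never applied; the issued tls.crt is therefore a CA certificate able to sign further leaves that chain to rootCA, which anything importing server.truststore will accept. The fix is to select the section on the signing line, `openssl x509 -req -CA ${CANAME}.crt -CAkey ${CANAME}.key -in ${CERTNAME}.csr -passin file:secretfile.txt -out ${CERTNAME}.crt -days $DAYS -CAcreateserial -extfile x509.ext -extensions server`, after which the unused top-section entries can be dropped. Separately, the keytool calls pass the password on argv via `-storepass $PW` (visible in `ps`), while secretfile.txt already exists for the openssl steps; keytool accepts `-storepass:file secretfile.txt`, so the same file can serve both tools, and writing it under `umask 077` keeps the default-umask copy from being world-readable. The script runs without `set -e`, so a failed `openssl x509 -req` (for instance an empty `IP` if `minikube ip` fails, which would leave `IP.2:` in the SAN) still proceeds into the keytool and pkcs12 steps with a missing or stale tls.crt, and the final `rm secretfile.txt` is only reached on the success path; `set -e` plus `trap 'rm -f secretfile.txt x509.ext' EXIT` would cover both. Note also that the leaf lifetime changed from 365 to `$DAYS` (3650); that is fine for a minikube test fixture but worth a comment so it is not copied into a deployment script.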