SSL (RSA) *.keygen.sh tool upgraded. Added PKCS8 pem format. Tested and fixed keygen.properties to run with no warning. Removed 'mqtt' prefix from output files to fix confusion when applying keys for other protocols.

5 years ago · 3f72bc4b54
3 changed files with 53 additions and 9 deletions
--- a/tools/src/main/shell/client.keygen.sh
+++ b/tools/src/main/shell/client.keygen.sh
@ -44,7 +44,8 @@ done

 . $PROPERTIES_FILE

-if [ -f $CLIENT_FILE_PREFIX.jks ] || [ -f $CLIENT_FILE_PREFIX.pub.pem ] || [ -f $CLIENT_FILE_PREFIX.nopass.pem ] || [ -f $CLIENT_FILE_PREFIX.pem ] || [ -f $CLIENT_FILE_PREFIX.p12 ];
+if [ -f $CLIENT_FILE_PREFIX.jks ] || [ -f $CLIENT_FILE_PREFIX.pub.pem ] || [ -f $CLIENT_FILE_PREFIX.nopass.pem ] || \
+   [ -f $CLIENT_FILE_PREFIX.pem ] || [ -f $CLIENT_FILE_PREFIX.p12 ] || [ -f $CLIENT_FILE_PREFIX.pk8.pem ];
 then
 while :
   do
@ -62,6 +63,7 @@ while :
            rm -rf $CLIENT_FILE_PREFIX.nopass.pem
            rm -rf $CLIENT_FILE_PREFIX.pem
            rm -rf $CLIENT_FILE_PREFIX.p12
+            rm -rf $CLIENT_FILE_PREFIX.pk8.pem
            break;
            ;;
        *)  echo "Please reply 'yes' or 'no'"
@ -84,6 +86,8 @@ if [ -z "$OPENSSL_CMD" ]; then
 	exit 0
 fi

+echo "INFO: your hostname is $(hostname)"
+echo "INFO: your CN (domain suffix) for key is $DOMAIN_SUFFIX"
 echo "Generating SSL Key Pair..."

 keytool -genkeypair -v \
@ -112,7 +116,15 @@ echo "Converting pkcs12 to pem"
 openssl pkcs12 -in $CLIENT_FILE_PREFIX.p12 \
  -out $CLIENT_FILE_PREFIX.pem \
  -passin pass:$CLIENT_KEY_PASSWORD \
-  -passout pass:$CLIENT_KEY_PASSWORD \
+  -passout pass:$CLIENT_KEY_PASSWORD
+
+echo "Converting pem to pkcs8"
+openssl pkcs8 \
+  -topk8 \
+  -nocrypt \
+  -in $CLIENT_FILE_PREFIX.pem \
+  -out $CLIENT_FILE_PREFIX.pk8.pem \
+  -passin pass:$CLIENT_KEY_PASSWORD

 echo "Importing server public key to $CLIENT_FILE_PREFIX.jks"
 keytool --importcert \
--- a/tools/src/main/shell/keygen.properties
+++ b/tools/src/main/shell/keygen.properties
@ -1,5 +1,5 @@
 #
-# Copyright © 2016-2017 The Thingsboard Authors
+# Copyright © 2016-2021 The Thingsboard Authors
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@ -18,15 +18,15 @@ DOMAIN_SUFFIX="$(hostname)"
 SUBJECT_ALTERNATIVE_NAMES="ip:127.0.0.1"
 ORGANIZATIONAL_UNIT=Thingsboard
 ORGANIZATION=Thingsboard
-CITY=SF
+CITY="San Francisco"
 STATE_OR_PROVINCE=CA
 TWO_LETTER_COUNTRY_CODE=US

-SERVER_KEYSTORE_PASSWORD=server_ks_password
-SERVER_KEY_PASSWORD=server_key_password
+SERVER_KEYSTORE_PASSWORD=password
+SERVER_KEY_PASSWORD=password

 SERVER_KEY_ALIAS="serveralias"
-SERVER_FILE_PREFIX="mqttserver"
+SERVER_FILE_PREFIX="server"
 SERVER_KEY_ALG="RSA"
 SERVER_KEY_SIZE="2048"
 SERVER_KEYSTORE_DIR="/etc/thingsboard/conf"
@ -35,6 +35,6 @@ CLIENT_KEYSTORE_PASSWORD=password
 CLIENT_KEY_PASSWORD=password

 CLIENT_KEY_ALIAS="clientalias"
-CLIENT_FILE_PREFIX="mqttclient"
+CLIENT_FILE_PREFIX="client"
 CLIENT_KEY_ALG="RSA"
 CLIENT_KEY_SIZE="2048"
--- a/tools/src/main/shell/server.keygen.sh
+++ b/tools/src/main/shell/server.keygen.sh
@ -60,7 +60,8 @@ fi

 . $PROPERTIES_FILE

-if [ -f $SERVER_FILE_PREFIX.jks ] || [ -f $SERVER_FILE_PREFIX.cer ] || [ -f $SERVER_FILE_PREFIX.pub.pem ] || [ -f $SERVER_FILE_PREFIX.pub.der ];
+if [ -f $SERVER_FILE_PREFIX.jks ] || [ -f $SERVER_FILE_PREFIX.cer ] || [ -f $SERVER_FILE_PREFIX.pub.pem ] || \
+   [ -f $SERVER_FILE_PREFIX.p12 ] || [ -f $SERVER_FILE_PREFIX.pem ] || [ -f $SERVER_FILE_PREFIX.pk8.pem ] ;
 then
 while :
   do
@ -76,6 +77,9 @@ while :
            rm -rf $SERVER_FILE_PREFIX.jks
            rm -rf $SERVER_FILE_PREFIX.pub.pem
            rm -rf $SERVER_FILE_PREFIX.cer
+            rm -rf $SERVER_FILE_PREFIX.p12
+            rm -rf $SERVER_FILE_PREFIX.pem
+            rm -rf $SERVER_FILE_PREFIX.pk8.pem
            break;
            ;;
        *)  echo "Please reply 'yes' or 'no'"
@ -84,6 +88,8 @@ while :
    done
 fi

+echo "INFO: your hostname is $(hostname)"
+echo "INFO: your CN (domain suffix) for key is $DOMAIN_SUFFIX"
 echo "Generating SSL Key Pair..."

 EXT=""
@ -121,6 +127,32 @@ keytool -export \
  -storepass $SERVER_KEYSTORE_PASSWORD \
  -keypass $SERVER_KEY_PASSWORD

+echo "Converting keystore to pkcs12"
+keytool -importkeystore  \
+  -srckeystore $SERVER_FILE_PREFIX.jks \
+  -destkeystore $SERVER_FILE_PREFIX.p12 \
+  -srcalias $SERVER_KEY_ALIAS \
+  -srcstoretype jks \
+  -deststoretype pkcs12 \
+  -srcstorepass $SERVER_KEYSTORE_PASSWORD \
+  -deststorepass $SERVER_KEY_PASSWORD \
+  -srckeypass $SERVER_KEY_PASSWORD \
+  -destkeypass $SERVER_KEY_PASSWORD
+
+echo "Converting pkcs12 to pem"
+openssl pkcs12 -in $SERVER_FILE_PREFIX.p12 \
+  -out $SERVER_FILE_PREFIX.pem \
+  -passin pass:$SERVER_KEY_PASSWORD \
+  -passout pass:$SERVER_KEY_PASSWORD
+
+echo "Converting pem to pkcs8"
+openssl pkcs8 \
+  -topk8 \
+  -nocrypt \
+  -in $SERVER_FILE_PREFIX.pem \
+  -out $SERVER_FILE_PREFIX.pk8.pem \
+  -passin pass:$SERVER_KEY_PASSWORD
+
 status=$?
 if [[ $status != 0 ]]; then
    exit $status;