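# Local test PKI: a self-signed CA, a truststore containing it, and per-node
# keystores holding a CA-signed RSA key pair (the layout Cassandra expects).
#
# Everything here uses one fixed, well-known password and leaves unencrypted
# private keys in the working directory.  It is a development fixture only;
# never reuse its output in a real deployment.

# Single password for every keystore and every key.  Cassandra requires the
# key and store passwords to be identical (and keytool itself falls back to
# -storepass when -keypass is omitted), so only one knob is exposed.
# NOTE: keytool and openssl receive it on the command line, so it is visible
# in `ps` and shell history -- override only for local tests (make PASSWORD=x).
PASSWORD ?= password
# Certificate lifetime (days) and RSA modulus size, for CA and node keys alike.
DAYS     ?= 365
KEYSIZE  ?= 2048
# Subject DN components shared by the CA and node certificates.
DN_OU    ?= Services
DN_ORG   ?= WMF
DN_C     ?= US

.PHONY: help clean
.DEFAULT_GOAL := truststore
# Remove a half-written keystore/cert when a recipe fails; otherwise a stale
# but newer file looks up to date and later keytool imports fail on the alias.
.DELETE_ON_ERROR:

# Truststore containing (only) the CA certificate.  The old copy is removed
# first: re-importing under an existing alias fails.
truststore: ca.crt
	$(RM) $@
	keytool -importcert -v -trustcacerts -alias root -file $< \
	    -storepass "$(PASSWORD)" -keystore $@ -noprompt

# Self-signed CA certificate.  -sha256 pins the signature digest so older
# OpenSSL builds do not default to SHA-1.
ca.crt: ca.key
	openssl req -subj "/CN=rootCa/OU=$(DN_OU)/O=$(DN_ORG)/C=$(DN_C)/" -x509 \
	    -new -nodes -sha256 -days $(DAYS) -key $< -out $@

# Unencrypted CA private key; the umask keeps it from being world-readable.
ca.key:
	umask 077 && openssl genrsa -out $@ $(KEYSIZE)

help:
	@echo "make           generate a CA-containing truststore"
	@echo "make <name>    generate a key pair for <name> in <name>.kst, plus a CA-signed <name>.crt"

# Keep make from trying the match-anything rule below on the Makefile itself
# when it checks whether its makefiles need remaking.
Makefile: ;

# `make <name>`: keystore <name>.kst holding a key pair for <name> and the CA
# trust entry, plus the CA-signed certificate <name>.crt.  The target name is
# not itself a file, so the recipe is made re-runnable by clearing the
# previous output first (a second keytool -genkeypair on an existing alias
# would otherwise fail).
%: ca.crt ca.key
	$(RM) $@.kst $@.crt $@.csr
	# Node key pair.  keytool prompts on STDIN when -keypass is omitted, and
	# Cassandra needs key and store passwords to match, so both are passed.
	# -keysize is explicit: older JDKs default RSA to 1024 bits.
	umask 077 && keytool -genkeypair \
	    -dname "cn=$@, ou=$(DN_OU), o=$(DN_ORG), c=$(DN_C)" \
	    -keyalg RSA -keysize $(KEYSIZE) -alias $@ -validity $(DAYS) \
	    -storepass "$(PASSWORD)" -keypass "$(PASSWORD)" -keystore $@.kst
	# Certificate signing request for the node key.
	keytool -certreq -dname "cn=$@, ou=$(DN_OU), o=$(DN_ORG), c=$(DN_C)" \
	    -alias $@ -file $@.csr \
	    -keypass "$(PASSWORD)" -storepass "$(PASSWORD)" -keystore $@.kst
	# Sign with the CA (creating ca.srl on first use) and verify the result
	# chains to it before touching the keystore.
	openssl x509 -req -in $@.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
	    -sha256 -days $(DAYS) -out $@.crt
	openssl verify -CAfile ca.crt $@.crt
	# The signer must be trusted before the reply can be imported: either via
	# a trust entry in this keystore (done here) or via the system 'cacerts'
	# when -trustcacerts is passed.
	keytool -importcert -noprompt -alias root -file ca.crt \
	    -storepass "$(PASSWORD)" -keystore $@.kst
	# Replace the self-signed node certificate with the CA-signed one.
	keytool -importcert -noprompt -file $@.crt -alias $@ \
	    -storepass "$(PASSWORD)" -keystore $@.kst
	$(RM) $@.csr

# Remove everything this Makefile can generate.
clean:
	$(RM) *.key *.crt *.csr *.srl *.kst *.p12 truststore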