Penyediaan Sijil SSL dengan Keytool

Wed, 27 Aug 2025 12:37:07 +0800

Buat skrip bash seperti di bawah:

/etc/hadoop/keystore/keytool_gen.sh

#!/bin/sh

alias keytool="/usr/lib/jvm/jdk-17.x.xx-oracle-x64/bin/keytool"

# Configuration
ROOT_KEYSTORE="root.jks"
CA_KEYSTORE="ca.jks"
SERVER_KEYSTORE="server.jks"
TRUSTSTORE="truststore.jks"
PASSWORD="change-it"
CITY="change-it"
STATE="change-it"
COUNTRY="MY"

# DNS and IP configurations
DNS1="single.cluster.vm"
IP1="192.168.122.74"
#DNS2=""
#IP2=""

# SAN extension with both DNS names and IP addresses
#SAN_EXTENSION="dns:$DNS1,ip:$IP1,dns:$DNS2,ip:$IP2"
SAN_EXTENSION="dns:$DNS1,ip:$IP1"

echo "Starting certificate generation process..."
echo "SAN values: $SAN_EXTENSION"

# Clean up any existing files
rm *.csr *.jks *.pem

# 1. Generate Root CA (self-signed)
echo "Generating Root CA..."
keytool -genkeypair -keystore $ROOT_KEYSTORE -alias root \
 -dname "L=$CITY, ST=$STATE, C=$COUNTRY, O=Hadoop-Root, OU=Root, CN=$DNS1" \
 -keyalg EC -groupname secp256r1 -sigalg SHA256withECDSA \
 -storepass $PASSWORD \
 -ext bc:c -validity 3650

# Export Root CA certificate for client truststore
echo "Exporting Root CA certificate..."
keytool -keystore $ROOT_KEYSTORE -alias root -exportcert -rfc \
 -storepass $PASSWORD > root.pem

# 2. Generate Intermediate CA
echo "Generating Intermediate CA..."
keytool -genkeypair -keystore $CA_KEYSTORE -alias ca \
 -dname "L=$CITY, ST=$STATE, C=$COUNTRY, O=Hadoop-CA, OU=CA, CN=$DNS1" \
 -keyalg EC -groupname secp256r1 -sigalg SHA256withECDSA \
 -storepass $PASSWORD \
 -ext bc:c -validity 1825

# Send CSR to Root for signing
echo "Creating Intermediate CA CSR..."
keytool -keystore $CA_KEYSTORE -alias ca -certreq -rfc \
 -storepass $PASSWORD > ca.csr

echo "Signing Intermediate CA certificate with Root CA..."
keytool -keystore $ROOT_KEYSTORE -alias root -gencert \
 -ext BC=0 -infile ca.csr -rfc \
 -storepass $PASSWORD > ca.pem

# Import root + signed certificate back to intermediate keystore
echo "Importing certificates to Intermediate CA keystore..."
keytool -keystore $CA_KEYSTORE -importcert -alias root -file root.pem \
 -storepass $PASSWORD -noprompt
keytool -keystore $CA_KEYSTORE -importcert -alias ca -file ca.pem \
 -storepass $PASSWORD -noprompt

# Create truststore for server/client
echo "Creating truststore..."
keytool -keystore $TRUSTSTORE -importcert -alias root -file root.pem \
 -storepass $PASSWORD -noprompt
keytool -keystore $TRUSTSTORE -importcert -alias ca -file ca.pem \
 -storepass $PASSWORD -noprompt

# 3. Generate Server Certificate
echo "Generating Server Certificate..."
keytool -genkeypair -keystore $SERVER_KEYSTORE -alias jetty \
 -dname "L=$CITY, ST=$STATE, C=$COUNTRY, O=Hadoop-Server, OU=Server, CN=$DNS1" \
 -keyalg EC -groupname secp256r1 -sigalg SHA256withECDSA \
 -storepass $PASSWORD \
 -ext ku:c=digitalSignature,keyEncipherment -ext san=$SAN_EXTENSION \
 -validity 730

# Send CSR to Intermediate for signing
echo "Creating Server CSR..."
keytool -keystore $SERVER_KEYSTORE -alias jetty -certreq -rfc \
 -storepass $PASSWORD > server.csr

echo "Signing Server certificate with Intermediate CA..."
keytool -keystore $CA_KEYSTORE -alias ca -gencert \
 -ext ku:c=digitalSignature,keyEncipherment -ext san=$SAN_EXTENSION \
 -infile server.csr -rfc \
 -storepass $PASSWORD > server.pem

# Create full certificate chain and import back to server keystore
echo "Creating certificate chain and importing to server keystore..."
cat server.pem ca.pem | keytool -keystore $SERVER_KEYSTORE \
 -importcert -alias jetty -file server.pem \
 -storepass $PASSWORD -noprompt

# Export certificates from truststore to PEM format
echo "Exporting truststore certificates to PEM format..."
keytool -keystore $TRUSTSTORE -exportcert -alias root -rfc \
 -storepass $PASSWORD > root-trust.pem
keytool -keystore $TRUSTSTORE -exportcert -alias ca -rfc \
 -storepass $PASSWORD > ca-trust.pem
cat root-trust.pem ca-trust.pem > ca-bundle.pem

echo "Certificate generation completed successfully!"
echo ""
echo "Generated files:"
echo "- Root CA: $ROOT_KEYSTORE, root.pem"
echo "- Intermediate CA: $CA_KEYSTORE, ca.pem"
echo "- Server Certificate: $SERVER_KEYSTORE, server.pem"
echo "- Truststore: $TRUSTSTORE, ca-bundle.pem"
echo ""
echo "SAN values included: $SAN_EXTENSION"

cd ke dalam direktori i.e. /etc/hadoop/keystore, jadikannya executable dan jalankan skrip.

Jana Sijil HTTPS untuk Domain yang Berasaskan 'localhost'

Mon, 28 Jul 2025 12:40:49 +0800

Panduan ini diadaptasi daripada “How to create an HTTPS certificate for localhost domains”, bertujuan mengaktifkan sokongan HTTPS pada domain yang menghala ke alamat IP 127.0.0.1, iaitu localhost, audio.loc dan laravel.loc.

Semua fail berkaitan pensijilan ini disimpan dalam satu direktori khas: /etc/nginx/ssl.

Sila ubah nilai negara, negeri, bandar dan nama entiti dalam parameter pensijilan mengikut keperluan anda.

Persediaan Direktori

Cipta direktori dan tukar ke dalamnya:

bash

mkdir -p /etc/nginx/ssl && cd /etc/nginx/ssl

Sijil Akar (Root CA)

Cipta fail konfigurasi dengan entri berikut:

SSL/TLS on weblog_Raihan

Penyediaan Sijil SSL dengan Keytool

Jana Sijil HTTPS untuk Domain yang Berasaskan 'localhost'

Persediaan Direktori

Sijil Akar (Root CA)