Penyediaan Sijil SSL dengan Keytool
Pakej JAVA
Buat skrip
bash
seperti di bawah: /etc/hadoop/keystore/keytool_gen.sh
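#!/usr/bin/env bash
#
# keytool_gen.sh - build a small PKI for Hadoop TLS with keytool:
#   root CA (self-signed) -> intermediate CA -> server certificate,
# plus a truststore and PEM exports of the CA certificates.
#
# Everything is written to the current working directory.
#
# Environment (all optional):
#   KEYTOOL            path to the keytool binary
#                      (default: the Oracle JDK 17 path below)
#   KEYSTORE_PASSWORD  password for every keystore created here
#                      (default: change-it, a placeholder; override it)
#
# Generated files:
#   root.jks, root.pem, ca.jks, ca.csr, ca.pem, server.jks, server.csr,
#   server.pem, fullchain.pem, truststore.jks, root-trust.pem, ca-trust.pem,
#   ca-bundle.pem
set -euo pipefail

die() { printf 'error: %s\n' "$*" >&2; exit 1; }

# bash does not expand aliases in non-interactive scripts, so the JDK keytool
# is wrapped in a function instead of an alias (an alias would silently fall
# back to whatever keytool is first on PATH).
KEYTOOL="${KEYTOOL:-/usr/lib/jvm/jdk-17.0.16-oracle-x64/bin/keytool}"
keytool() { "${KEYTOOL}" "$@"; }

# The password is handed to keytool with -storepass:env so it never appears
# on a command line (visible to other users via ps and in set -x traces).
export KEYSTORE_PASSWORD="${KEYSTORE_PASSWORD:-change-it}"

# Configuration
readonly ROOT_KEYSTORE="root.jks"
readonly CA_KEYSTORE="ca.jks"
readonly SERVER_KEYSTORE="server.jks"
readonly TRUSTSTORE="truststore.jks"

# DNS and IP configuration
readonly PRIMARY_DNS="single.cluster.vm"
#SECONDARY_DNS=""
readonly PRIMARY_IP="192.168.122.74"
#SECONDARY_IP=""

# SAN extension with both DNS names and IP addresses
#SAN_EXTENSION="dns:${PRIMARY_DNS},ip:${PRIMARY_IP},dns:${SECONDARY_DNS},ip:${SECONDARY_IP}"
readonly SAN_EXTENSION="dns:${PRIMARY_DNS},ip:${PRIMARY_IP}"

# Key usage for the server certificate. The key is EC; RFC 5480 section 3
# allows only digitalSignature, nonRepudiation and keyAgreement for EC public
# keys, so keyEncipherment (an RSA key-transport usage) is not asserted.
# digitalSignature is all that (EC)DHE TLS cipher suites need.
readonly SERVER_KEY_USAGE="ku:c=digitalSignature"

# Every file this script writes; used by the cleanup step.
readonly -a GENERATED_FILES=(
  "${ROOT_KEYSTORE}" "${CA_KEYSTORE}" "${SERVER_KEYSTORE}" "${TRUSTSTORE}"
  root.pem ca.csr ca.pem server.csr server.pem fullchain.pem
  root-trust.pem ca-trust.pem ca-bundle.pem
)

#######################################
# Import a PEM certificate into a keystore (created if missing). For an alias
# that already holds a key pair this is a certificate-reply import.
# Arguments: $1 keystore, $2 alias, $3 PEM file
#######################################
import_cert() {
  local keystore=$1 alias=$2 pem=$3
  keytool -keystore "${keystore}" -importcert -alias "${alias}" -file "${pem}" \
    -storepass:env KEYSTORE_PASSWORD -noprompt
}

#######################################
# Remove the output of a previous run. Only files this script itself writes
# are removed: 'rm *.csr *.jks *.pem' also deleted unrelated files in the
# working directory and errored on a first run when nothing matched.
#######################################
cleanup_previous_run() {
  rm -f -- "${GENERATED_FILES[@]}"
}

#######################################
# 1. Root CA: self-signed EC key pair with critical basicConstraints CA:true.
# Writes ROOT_KEYSTORE and root.pem.
#######################################
generate_root_ca() {
  echo "Generating Root CA..."
  keytool -genkeypair -keystore "${ROOT_KEYSTORE}" -alias root \
    -dname "C=MY, ST=xx, L=xx, O=Hadoop-Root, OU=Root, CN=${PRIMARY_DNS}" \
    -keyalg EC -groupname secp256r1 -sigalg SHA256withECDSA \
    -storepass:env KEYSTORE_PASSWORD \
    -ext bc:c -validity 3650

  # PEM copy for the truststore and for clients that cannot read JKS.
  echo "Exporting Root CA certificate..."
  keytool -keystore "${ROOT_KEYSTORE}" -alias root -exportcert -rfc \
    -storepass:env KEYSTORE_PASSWORD > root.pem
}

#######################################
# 2. Intermediate CA: key pair in CA_KEYSTORE, CSR signed by the root,
# then root + signed certificate imported back. Writes ca.csr and ca.pem.
#######################################
generate_intermediate_ca() {
  echo "Generating Intermediate CA..."
  keytool -genkeypair -keystore "${CA_KEYSTORE}" -alias ca \
    -dname "C=MY, ST=xx, L=xx, O=Hadoop-CA, OU=CA, CN=${PRIMARY_DNS}" \
    -keyalg EC -groupname secp256r1 -sigalg SHA256withECDSA \
    -storepass:env KEYSTORE_PASSWORD \
    -ext bc:c -validity 1825

  echo "Creating Intermediate CA CSR..."
  keytool -keystore "${CA_KEYSTORE}" -alias ca -certreq -rfc \
    -storepass:env KEYSTORE_PASSWORD > ca.csr

  # BC=0: CA:true with pathlen 0, so the intermediate may sign end-entity
  # certificates but not further CAs. -validity is given explicitly: the
  # -validity passed to -genkeypair only covers the self-signed placeholder,
  # and without it -gencert falls back to keytool's default of 90 days.
  echo "Signing Intermediate CA certificate with Root CA..."
  keytool -keystore "${ROOT_KEYSTORE}" -alias root -gencert \
    -ext BC=0 -infile ca.csr -rfc -validity 1825 \
    -storepass:env KEYSTORE_PASSWORD > ca.pem

  # The root must be a trusted entry before the signed reply for 'ca' can be
  # anchored.
  echo "Importing certificates to Intermediate CA keystore..."
  import_cert "${CA_KEYSTORE}" root root.pem
  import_cert "${CA_KEYSTORE}" ca ca.pem
}

#######################################
# Truststore for servers/clients: root and intermediate as trusted entries.
#######################################
create_truststore() {
  echo "Creating truststore..."
  import_cert "${TRUSTSTORE}" root root.pem
  import_cert "${TRUSTSTORE}" ca ca.pem
}

#######################################
# 3. Server certificate (alias 'jetty'): key pair in SERVER_KEYSTORE, CSR
# signed by the intermediate, chain imported back. Writes server.csr,
# server.pem and fullchain.pem.
#######################################
generate_server_cert() {
  echo "Generating Server Certificate..."
  keytool -genkeypair -keystore "${SERVER_KEYSTORE}" -alias jetty \
    -dname "C=MY, ST=xx, L=xx, O=Hadoop-Server, OU=Server, CN=${PRIMARY_DNS}" \
    -keyalg EC -groupname secp256r1 -sigalg SHA256withECDSA \
    -storepass:env KEYSTORE_PASSWORD \
    -ext "${SERVER_KEY_USAGE}" -ext "san=${SAN_EXTENSION}" \
    -validity 730

  echo "Creating Server CSR..."
  keytool -keystore "${SERVER_KEYSTORE}" -alias jetty -certreq -rfc \
    -storepass:env KEYSTORE_PASSWORD > server.csr

  # -gencert is not told to honor the CSR's extensions (no -ext honored=...),
  # so key usage and SAN are restated here. -validity is required as well;
  # otherwise the issued certificate is valid for keytool's default 90 days.
  echo "Signing Server certificate with Intermediate CA..."
  keytool -keystore "${CA_KEYSTORE}" -alias ca -gencert \
    -ext "${SERVER_KEY_USAGE}" -ext "san=${SAN_EXTENSION}" \
    -infile server.csr -rfc -validity 730 \
    -storepass:env KEYSTORE_PASSWORD > server.pem

  # Build the leaf+intermediate chain file (fullchain.pem, named in the
  # summary below) and import it as the reply for the 'jetty' key entry.
  # Root and intermediate go in as trusted entries first so keytool can
  # anchor the reply chain. The previous 'cat server.pem ca.pem | keytool
  # ... -file server.pem' piped the chain to stdin, which -importcert
  # ignores when -file is given, so only the bare leaf was imported.
  echo "Creating certificate chain and importing to server keystore..."
  cat server.pem ca.pem > fullchain.pem
  import_cert "${SERVER_KEYSTORE}" root root.pem
  import_cert "${SERVER_KEYSTORE}" ca ca.pem
  import_cert "${SERVER_KEYSTORE}" jetty fullchain.pem
}

#######################################
# Export the truststore's certificates to PEM and concatenate them into
# ca-bundle.pem for non-Java clients.
#######################################
export_truststore_pems() {
  echo "Exporting truststore certificates to PEM format..."
  keytool -keystore "${TRUSTSTORE}" -exportcert -alias root -rfc \
    -storepass:env KEYSTORE_PASSWORD > root-trust.pem
  keytool -keystore "${TRUSTSTORE}" -exportcert -alias ca -rfc \
    -storepass:env KEYSTORE_PASSWORD > ca-trust.pem
  cat root-trust.pem ca-trust.pem > ca-bundle.pem
}

print_summary() {
  echo "Certificate generation completed successfully!"
  echo ""
  echo "Generated files:"
  echo "- Root CA: ${ROOT_KEYSTORE}, root.pem"
  echo "- Intermediate CA: ${CA_KEYSTORE}, ca.pem"
  echo "- Server Certificate: ${SERVER_KEYSTORE}, server.pem, fullchain.pem"
  echo "- Truststore: ${TRUSTSTORE}, ca-bundle.pem"
  echo ""
  echo "SAN values included: ${SAN_EXTENSION}"
}

main() {
  command -v "${KEYTOOL}" >/dev/null 2>&1 \
    || die "keytool not found: ${KEYTOOL} (set KEYTOOL to the JDK's bin/keytool)"
  if [[ "${KEYSTORE_PASSWORD}" == "change-it" ]]; then
    printf 'warning: using placeholder keystore password; set KEYSTORE_PASSWORD\n' >&2
  fi

  echo "Starting certificate generation process..."
  echo "SAN values: ${SAN_EXTENSION}"

  cleanup_previous_run
  generate_root_ca
  generate_intermediate_ca
  create_truststore
  generate_server_cert
  export_truststore_pems
  print_summary
}

main "$@"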
Jadikan dia executable dan jalankannya.
Semakan boleh dibuat dengan menjalankan skrip berikut:
/etc/hadoop/keystore/verification.sh
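#!/usr/bin/env bash
#
# verification.sh - check the PEM files produced by keytool_gen.sh with
# openssl: chain validity of the root, intermediate and server certificates,
# then the server certificate's SAN, validity period and key usage.
#
# Run from the directory holding root.pem, ca.pem and server.pem.
# Exit status: 0 when every 'openssl verify' step passed, 1 otherwise,
# 2 when an input file is missing.
#
# No 'set -e': every check should run and be reported; failures are counted.
set -uo pipefail

failures=0

#######################################
# Run one 'openssl verify' and record its result.
# Arguments: $1 label printed before the openssl output; the remaining
#            arguments are passed to 'openssl verify' unchanged
# Globals:   failures (incremented when verification fails)
#######################################
check() {
  local label=$1
  shift
  printf '%s: ' "${label}"
  if ! openssl verify "$@"; then
    failures=$((failures + 1))
  fi
}

main() {
  local f
  for f in root.pem ca.pem server.pem; do
    if [[ ! -r "${f}" ]]; then
      printf 'missing %s (run keytool_gen.sh first)\n' "${f}" >&2
      exit 2
    fi
  done

  echo "=== VERIFYING CERTIFICATE CHAIN ==="
  # 1. Root CA against itself
  check "Root CA" -CAfile root.pem root.pem
  # 2. Intermediate CA against the root
  check "Intermediate CA" -CAfile root.pem ca.pem
  # 3. Server certificate with the intermediate supplied as untrusted
  check "Server Certificate" -CAfile root.pem -untrusted ca.pem server.pem
  # 4. Server certificate against the combined CA bundle
  check "With combined CA bundle" -CAfile <(cat root.pem ca.pem) server.pem

  # 5. Optional live check of the running service (uncomment to enable;
  #    the original line sent "\Q", which should be a plain "Q" to quit):
  #printf 'Q\n' | openssl s_client -connect single.cluster.vm:9871 \
  #  -CAfile <(cat root.pem ca.pem) \
  #  -brief | grep -A0 "Verification"

  # printf is used for the blank lines: zsh's echo interprets "\n", bash's
  # does not, so 'echo "\n..."' printed a literal backslash-n under bash.
  printf '\n=== CHECKING CERTIFICATE DETAILS ===\n'
  # 6. SAN: must list the hostname/IP clients will connect to
  printf '\n1. Subject Alternative Names:\n'
  openssl x509 -in server.pem -noout -ext subjectAltName
  # 7. Validity period (-dates prints notBefore/notAfter directly)
  printf '\n2. Validity periods:\n'
  openssl x509 -in server.pem -noout -dates
  # 8. Key usage of the leaf certificate
  printf '\n3. Key usage:\n'
  openssl x509 -in server.pem -noout -ext keyUsage

  if (( failures > 0 )); then
    printf '\n%d verification step(s) FAILED\n' "${failures}" >&2
    exit 1
  fi
  printf '\nAll verification steps passed\n'
}

main "$@"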
Rujukan:
Kali terakhir dikemaskini: