Penyediaan Sijil SSL dengan Keytool
Pakej JAVA
Buat skrip bash seperti di bawah: /etc/hadoop/keystore/keytool_gen.sh
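#!/usr/bin/env zsh
#
# keytool_gen.sh - build a small PKI for Hadoop with keytool:
#   root CA -> intermediate CA -> server (jetty) certificate,
#   plus a truststore and PEM exports of the CA certificates.
#
# Runs under zsh (shebang) or bash: no aliases or arrays are used, because
# bash does not expand aliases in scripts. Run it from the directory that
# should hold the keystores (e.g. /etc/hadoop/keystore); all paths below
# are relative to the current directory.
#
# Environment:
#   KEYSTORE_PASS  keystore password (default: change-it). It is handed to
#                  keytool with -storepass:env so it never appears on the
#                  command line (argv is readable by every local user via ps).

# Stop at the first failing keytool step instead of continuing with a
# half-built keystore chain.
set -euo pipefail

KEYTOOL_BIN="/usr/lib/jvm/jdk-17.0.16-oracle-x64/bin/keytool"

# Function wrapper instead of an alias so the same script works in bash.
keytool() {
  "$KEYTOOL_BIN" "$@"
}

# Configuration
ROOT_KEYSTORE="root.jks"
CA_KEYSTORE="ca.jks"
SERVER_KEYSTORE="server.jks"
TRUSTSTORE="truststore.jks"
: "${KEYSTORE_PASS:=change-it}"
export KEYSTORE_PASS
CITY="change-it"
STATE="change-it"
COUNTRY="MY"

# DNS and IP configurations
DNS1="single.cluster.vm"
IP1="192.168.122.74"
#DNS2=""
#IP2=""

# SAN extension with both DNS names and IP addresses
#SAN_EXTENSION="dns:$DNS1,ip:$IP1,dns:$DNS2,ip:$IP2"
SAN_EXTENSION="dns:$DNS1,ip:$IP1"

# Key usage requested for the end-entity (server) certificate; the same
# value is applied when the intermediate CA signs it.
SERVER_KU="ku:c=digitalSignature,keyEncipherment"

if [[ ! -x "$KEYTOOL_BIN" ]]; then
  printf 'keytool not found or not executable: %s\n' "$KEYTOOL_BIN" >&2
  exit 1
fi

printf 'Starting certificate generation process...\n'
printf 'SAN values: %s\n' "$SAN_EXTENSION"

# Clean up any existing files. Only this script's own outputs are removed:
# a glob such as "rm *.jks" would also delete unrelated keystores kept in
# the same directory, and in zsh an unmatched glob aborts the command.
rm -f -- "$ROOT_KEYSTORE" "$CA_KEYSTORE" "$SERVER_KEYSTORE" "$TRUSTSTORE" \
  root.pem ca.pem server.pem ca.csr server.csr \
  root-trust.pem ca-trust.pem ca-bundle.pem

# 1. Generate Root CA (self-signed)
printf 'Generating Root CA...\n'
keytool -genkeypair -keystore "$ROOT_KEYSTORE" -alias root \
  -dname "L=$CITY, ST=$STATE, C=$COUNTRY, O=Hadoop-Root, OU=Root, CN=$DNS1" \
  -keyalg EC -groupname secp256r1 -sigalg SHA256withECDSA \
  -storepass:env KEYSTORE_PASS \
  -ext bc:c -validity 3650

# Export Root CA certificate for client truststore
printf 'Exporting Root CA certificate...\n'
keytool -keystore "$ROOT_KEYSTORE" -alias root -exportcert -rfc \
  -storepass:env KEYSTORE_PASS > root.pem

# 2. Generate Intermediate CA
printf 'Generating Intermediate CA...\n'
keytool -genkeypair -keystore "$CA_KEYSTORE" -alias ca \
  -dname "L=$CITY, ST=$STATE, C=$COUNTRY, O=Hadoop-CA, OU=CA, CN=$DNS1" \
  -keyalg EC -groupname secp256r1 -sigalg SHA256withECDSA \
  -storepass:env KEYSTORE_PASS \
  -ext bc:c -validity 1825

# Send CSR to Root for signing
printf 'Creating Intermediate CA CSR...\n'
keytool -keystore "$CA_KEYSTORE" -alias ca -certreq -rfc \
  -storepass:env KEYSTORE_PASS > ca.csr

printf 'Signing Intermediate CA certificate with Root CA...\n'
# BC=0: the intermediate may sign end-entity certificates only (pathlen 0).
keytool -keystore "$ROOT_KEYSTORE" -alias root -gencert \
  -ext BC=0 -infile ca.csr -rfc \
  -storepass:env KEYSTORE_PASS > ca.pem

# Import root + signed certificate back to intermediate keystore
printf 'Importing certificates to Intermediate CA keystore...\n'
keytool -keystore "$CA_KEYSTORE" -importcert -alias root -file root.pem \
  -storepass:env KEYSTORE_PASS -noprompt
keytool -keystore "$CA_KEYSTORE" -importcert -alias ca -file ca.pem \
  -storepass:env KEYSTORE_PASS -noprompt

# Create truststore for server/client
printf 'Creating truststore...\n'
keytool -keystore "$TRUSTSTORE" -importcert -alias root -file root.pem \
  -storepass:env KEYSTORE_PASS -noprompt
keytool -keystore "$TRUSTSTORE" -importcert -alias ca -file ca.pem \
  -storepass:env KEYSTORE_PASS -noprompt

# 3. Generate Server Certificate
printf 'Generating Server Certificate...\n'
keytool -genkeypair -keystore "$SERVER_KEYSTORE" -alias jetty \
  -dname "L=$CITY, ST=$STATE, C=$COUNTRY, O=Hadoop-Server, OU=Server, CN=$DNS1" \
  -keyalg EC -groupname secp256r1 -sigalg SHA256withECDSA \
  -storepass:env KEYSTORE_PASS \
  -ext "$SERVER_KU" -ext "san=$SAN_EXTENSION" \
  -validity 730

# Send CSR to Intermediate for signing
printf 'Creating Server CSR...\n'
keytool -keystore "$SERVER_KEYSTORE" -alias jetty -certreq -rfc \
  -storepass:env KEYSTORE_PASS > server.csr

printf 'Signing Server certificate with Intermediate CA...\n'
keytool -keystore "$CA_KEYSTORE" -alias ca -gencert \
  -ext "$SERVER_KU" -ext "san=$SAN_EXTENSION" \
  -infile server.csr -rfc \
  -storepass:env KEYSTORE_PASS > server.pem

# Import the chain back into the server keystore.
# keytool reads the reply from -file and ignores stdin when -file is given,
# so piping "cat server.pem ca.pem" into it never delivered the chain. The
# reply can only be linked to its issuers if they are already present in the
# keystore, so import root and intermediate first, then the signed reply.
printf 'Importing certificate chain to server keystore...\n'
keytool -keystore "$SERVER_KEYSTORE" -importcert -alias root -file root.pem \
  -storepass:env KEYSTORE_PASS -noprompt
keytool -keystore "$SERVER_KEYSTORE" -importcert -alias ca -file ca.pem \
  -storepass:env KEYSTORE_PASS -noprompt
keytool -keystore "$SERVER_KEYSTORE" -importcert -alias jetty -file server.pem \
  -storepass:env KEYSTORE_PASS -noprompt

# Export certificates from truststore to PEM format
printf 'Exporting truststore certificates to PEM format...\n'
keytool -keystore "$TRUSTSTORE" -exportcert -alias root -rfc \
  -storepass:env KEYSTORE_PASS > root-trust.pem
keytool -keystore "$TRUSTSTORE" -exportcert -alias ca -rfc \
  -storepass:env KEYSTORE_PASS > ca-trust.pem
cat root-trust.pem ca-trust.pem > ca-bundle.pem

printf 'Certificate generation completed successfully!\n'
printf '\n'
printf 'Generated files:\n'
printf -- '- Root CA: %s, root.pem\n' "$ROOT_KEYSTORE"
printf -- '- Intermediate CA: %s, ca.pem\n' "$CA_KEYSTORE"
printf -- '- Server Certificate: %s, server.pem\n' "$SERVER_KEYSTORE"
printf -- '- Truststore: %s, ca-bundle.pem\n' "$TRUSTSTORE"
printf '\n'
printf 'SAN values included: %s\n' "$SAN_EXTENSION"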
cd ke dalam direktori, i.e. /etc/hadoop/keystore, jadikannya executable dan jalankan skrip. Semakan boleh dibuat dengan menjalankan skrip berikut:
/etc/hadoop/keystore/verification.sh
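#!/usr/bin/env zsh
#
# verification.sh - check the chain produced by keytool_gen.sh.
# Run it in the directory holding root.pem, ca.pem, server.pem and
# ca-bundle.pem. Works under zsh or bash: messages use printf because
# bash's echo does not interpret "\n" the way zsh's echo does.
# Every check runs even if an earlier one fails; the exit status is
# non-zero if any check failed, so it can be used from automation.

set -u

status=0

# check LABEL CMD...: print LABEL, run CMD, remember a failure.
check() {
  local label=$1
  shift
  printf '%s: ' "$label"
  "$@" || status=1
}

printf '=== VERIFYING CERTIFICATE CHAIN ===\n'

# 1. Verify Root CA (self-signed, so it is its own trust anchor)
check "Root CA" openssl verify -CAfile root.pem root.pem

# 2. Verify Intermediate CA against the root
check "Intermediate CA" openssl verify -CAfile root.pem ca.pem

# 3. Verify Server Certificate with the intermediate supplied as untrusted
check "Server Certificate" openssl verify -CAfile root.pem -untrusted ca.pem server.pem

# 4. Verify using the combined CA bundle (a plain file, so pass it directly)
check "With combined CA bundle" openssl verify -CAfile ca-bundle.pem server.pem

#printf '\n=== TESTING SSL CONNECTION ===\n'
# 5. Test connection (timeout after 10 seconds if fails)
#printf 'Q\n' | openssl s_client -connect single.cluster.vm:9871 \
#  -CAfile ca-bundle.pem \
#  -brief | grep -A0 "Verification"

printf '\n=== CHECKING CERTIFICATE DETAILS ===\n'

# 6. Check SAN
printf '\n1. Subject Alternative Names:\n'
openssl x509 -in server.pem -noout -ext subjectAltName || status=1

# 7. Check validity periods (-dates prints notBefore/notAfter directly)
printf '\n2. Validity periods:\n'
openssl x509 -in server.pem -noout -dates || status=1

exit "$status"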