https://janikvonrotz.ch/tags/keytool/ Recent content in Keytool on Janik von Rotz Hugo en Thu, 07 Mar 2019 10:23:04 +0100 https://janikvonrotz.ch/2019/03/07/generate-pem-key-and-truststores-with-puppet/ Thu, 07 Mar 2019 10:23:04 +0100 https://janikvonrotz.ch/2019/03/07/generate-pem-key-and-truststores-with-puppet/ <p>This post is a follow-up of <a href="https://janikvonrotz.ch/2019/01/30/generate-pkcs12-key-and-truststores-with-puppet/">Generate pkcs12 key- and truststores with Puppet</a>.<br> In this post we are going to create <a href="https://en.wikipedia.org/wiki/Privacy-Enhanced_Mail">PEM</a> key- and truststores with Puppet.</p> <p>PEM files are base64 encoded <a href="https://en.wikipedia.org/wiki/X.509">X.509</a> certificates. Enclosed between <code>-----BEGIN CERTIFICATE-----</code> and <code>-----END CERTIFICATE-----</code> multiple PEM files can be concatinated into key- and truststores. And that is exactly what we are going to do using a Puppet manifest.</p> <p>For the example use case multiple certificate files are required. Using the commands from the <a href="https://janikvonrotz.ch/2019/01/21/create-a-certificate-authority-ca-and-sign-server-certificates-without-prompting-using-openssl/">Create a certificate authority and sign server certificates without prompting using openssl</a> post the following files must be provided:</p> <ul> <li>localhost_cert.pem</li> <li>localhost_key.pem</li> <li>example.com_cert.pem</li> <li>ca_cert.pem</li> </ul> <p>The certificates will be concatinated into the following stores:</p> <ul> <li>webservice-keystore.pem <ul> <li>localhost - private key entry</li> </ul> </li> <li>webservice-truststore.pem <ul> <li>ca - trusted cert entry</li> </ul> </li> <li>custom-truststore.pem <ul> <li>example.com - trusted cert entry</li> <li>ca - trusted cert entry</li> </ul> </li> </ul> <p>All the files are processed in <code>/var/tmp/certificates</code>.</p> <p>The manifest file is defined as followed:</p> <p><strong>modules/certbox/manifests/init.pp</strong></p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-rb" data-lang="rb"><span style="display:flex;"><span><span style="color:#66d9ef">class</span> certbox ( </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> String $host <span style="color:#f92672">=</span> <span style="color:#e6db74">&#39;localhost&#39;</span>, </span></span><span style="display:flex;"><span> String $cert_dir <span style="color:#f92672">=</span> <span style="color:#e6db74">&#39;/var/tmp/certificates&#39;</span>, </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> String $server_ca_cert <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;${cert_dir}/ca_cert.pem&#34;</span>, </span></span><span style="display:flex;"><span> String $server_cn <span style="color:#f92672">=</span> $host, </span></span><span style="display:flex;"><span> String $server_cert <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;${cert_dir}/${host}_cert.pem&#34;</span>, </span></span><span style="display:flex;"><span> String $server_key <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;${cert_dir}/${host}_key.pem&#34;</span>, </span></span><span style="display:flex;"><span> String $server_key_pass <span style="color:#f92672">=</span> <span style="color:#e6db74">&#39;password&#39;</span>, </span></span><span style="display:flex;"><span> String $server_keystore <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;${cert_dir}/webservice-keystore.pem&#34;</span>, </span></span><span style="display:flex;"><span> String $server_truststore <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;${cert_dir}/webservice-truststore.pem&#34;</span>, </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> Array $custom_trust_entries <span style="color:#f92672">=</span> <span style="color:#f92672">[</span> </span></span><span style="display:flex;"><span> { </span></span><span style="display:flex;"><span> cn <span style="color:#f92672">=&gt;</span> <span style="color:#e6db74">&#39;example.com&#39;</span>, </span></span><span style="display:flex;"><span> cert <span style="color:#f92672">=&gt;</span> <span style="color:#e6db74">&#39;example.com_cert.pem&#39;</span> </span></span><span style="display:flex;"><span> }, </span></span><span style="display:flex;"><span> { </span></span><span style="display:flex;"><span> cn <span style="color:#f92672">=&gt;</span> <span style="color:#e6db74">&#39;ca&#39;</span>, </span></span><span style="display:flex;"><span> cert <span style="color:#f92672">=&gt;</span> <span style="color:#e6db74">&#39;ca_cert.pem&#39;</span> </span></span><span style="display:flex;"><span> }, </span></span><span style="display:flex;"><span> <span style="color:#f92672">]</span>, </span></span><span style="display:flex;"><span> String $custom_truststore <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;${cert_dir}/custom-truststore.pem&#34;</span>, </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> String $owner <span style="color:#f92672">=</span> <span style="color:#e6db74">&#39;root&#39;</span>, </span></span><span style="display:flex;"><span> String $group <span style="color:#f92672">=</span> <span style="color:#e6db74">&#39;root&#39;</span>, </span></span><span style="display:flex;"><span> String $file_read_mode <span style="color:#f92672">=</span> <span style="color:#e6db74">&#39;a=,ug+r&#39;</span>, </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>) { </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># component-wide defaulting of the exec path attribute</span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">Exec</span> { </span></span><span style="display:flex;"><span> path <span style="color:#f92672">=&gt;</span> <span style="color:#f92672">[</span><span style="color:#e6db74">&#39;/usr/bin&#39;</span>, <span style="color:#e6db74">&#39;/bin&#39;</span><span style="color:#f92672">]</span> </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># create copy of sever cert, if file state changes notify keystore assemble task</span> </span></span><span style="display:flex;"><span> file { <span style="color:#e6db74">&#34;${server_cert}.tmp&#34;</span>: </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">ensure</span> <span style="color:#f92672">=&gt;</span> file, </span></span><span style="display:flex;"><span> owner <span style="color:#f92672">=&gt;</span> $owner, </span></span><span style="display:flex;"><span> group <span style="color:#f92672">=&gt;</span> $group, </span></span><span style="display:flex;"><span> mode <span style="color:#f92672">=&gt;</span> $file_read_mode, </span></span><span style="display:flex;"><span> source <span style="color:#f92672">=&gt;</span> $server_cert, </span></span><span style="display:flex;"><span> notify <span style="color:#f92672">=&gt;</span> <span style="color:#66d9ef">Exec</span><span style="color:#f92672">[</span><span style="color:#e6db74">&#34;certbox - create server keystore&#34;</span><span style="color:#f92672">]</span>, </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># check if keystore file does not exist and notify creation task</span> </span></span><span style="display:flex;"><span> exec { <span style="color:#e6db74">&#34;certbox - check if server keystore exists&#34;</span>: </span></span><span style="display:flex;"><span> onlyif <span style="color:#f92672">=&gt;</span> <span style="color:#e6db74">&#34;test ! -f $server_keystore&#34;</span>, </span></span><span style="display:flex;"><span> command <span style="color:#f92672">=&gt;</span> <span style="color:#e6db74">&#39;echo &#34;File does not exist.&#34;&#39;</span>, </span></span><span style="display:flex;"><span> notify <span style="color:#f92672">=&gt;</span> <span style="color:#66d9ef">Exec</span><span style="color:#f92672">[</span><span style="color:#e6db74">&#34;certbox - create server keystore&#34;</span><span style="color:#f92672">]</span>, </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># create server keystore if temporary file state changed</span> </span></span><span style="display:flex;"><span> exec { <span style="color:#e6db74">&#34;certbox - create server keystore&#34;</span>: </span></span><span style="display:flex;"><span> refreshonly <span style="color:#f92672">=&gt;</span> <span style="color:#66d9ef">true</span>, </span></span><span style="display:flex;"><span> command <span style="color:#f92672">=&gt;</span> <span style="color:#e6db74">&#34;cat ${server_cert} &gt; ${server_keystore}; cat ${server_key} &gt;&gt; ${server_keystore}&#34;</span>, </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># ensure server keystore file permissions</span> </span></span><span style="display:flex;"><span> file { $server_keystore: </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">ensure</span> <span style="color:#f92672">=&gt;</span> file, </span></span><span style="display:flex;"><span> owner <span style="color:#f92672">=&gt;</span> $owner, </span></span><span style="display:flex;"><span> group <span style="color:#f92672">=&gt;</span> $group, </span></span><span style="display:flex;"><span> mode <span style="color:#f92672">=&gt;</span> $file_read_mode, </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> file { <span style="color:#e6db74">&#34;${server_ca_cert}.tmp&#34;</span>: </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">ensure</span> <span style="color:#f92672">=&gt;</span> file, </span></span><span style="display:flex;"><span> owner <span style="color:#f92672">=&gt;</span> $owner, </span></span><span style="display:flex;"><span> group <span style="color:#f92672">=&gt;</span> $group, </span></span><span style="display:flex;"><span> mode <span style="color:#f92672">=&gt;</span> $file_read_mode, </span></span><span style="display:flex;"><span> source <span style="color:#f92672">=&gt;</span> $server_ca_cert, </span></span><span style="display:flex;"><span> notify <span style="color:#f92672">=&gt;</span> <span style="color:#66d9ef">Exec</span><span style="color:#f92672">[</span><span style="color:#e6db74">&#34;certbox - create server truststore&#34;</span><span style="color:#f92672">]</span>, </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> exec { <span style="color:#e6db74">&#34;certbox - check if server truststore exists&#34;</span>: </span></span><span style="display:flex;"><span> onlyif <span style="color:#f92672">=&gt;</span> <span style="color:#e6db74">&#34;test ! -f $server_truststore&#34;</span>, </span></span><span style="display:flex;"><span> command <span style="color:#f92672">=&gt;</span> <span style="color:#e6db74">&#39;echo &#34;File does not exist.&#34;&#39;</span>, </span></span><span style="display:flex;"><span> notify <span style="color:#f92672">=&gt;</span> <span style="color:#66d9ef">Exec</span><span style="color:#f92672">[</span><span style="color:#e6db74">&#34;certbox - create server truststore&#34;</span><span style="color:#f92672">]</span>, </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> exec { <span style="color:#e6db74">&#34;certbox - create server truststore&#34;</span>: </span></span><span style="display:flex;"><span> refreshonly <span style="color:#f92672">=&gt;</span> <span style="color:#66d9ef">true</span>, </span></span><span style="display:flex;"><span> command <span style="color:#f92672">=&gt;</span> <span style="color:#e6db74">&#34;cat ${server_ca_cert} &gt; ${server_truststore}&#34;</span>, </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> file { $server_truststore: </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">ensure</span> <span style="color:#f92672">=&gt;</span> file, </span></span><span style="display:flex;"><span> owner <span style="color:#f92672">=&gt;</span> $owner, </span></span><span style="display:flex;"><span> group <span style="color:#f92672">=&gt;</span> $group, </span></span><span style="display:flex;"><span> mode <span style="color:#f92672">=&gt;</span> $file_read_mode, </span></span><span style="display:flex;"><span> notify <span style="color:#f92672">=&gt;</span> <span style="color:#66d9ef">Exec</span><span style="color:#f92672">[</span><span style="color:#e6db74">&#34;certbox - create server truststore&#34;</span><span style="color:#f92672">]</span>, </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># create copy for each ca truststore entry</span> </span></span><span style="display:flex;"><span> $custom_trust_entries<span style="color:#f92672">.</span>each <span style="color:#f92672">|</span> Integer $index, <span style="color:#66d9ef">Hash</span> $entry <span style="color:#f92672">|</span> { </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> file { <span style="color:#e6db74">&#34;${cert_dir}/${entry[&#39;cert&#39;]}.ca_trust.icam.tmp&#34;</span>: </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">ensure</span> <span style="color:#f92672">=&gt;</span> file, </span></span><span style="display:flex;"><span> owner <span style="color:#f92672">=&gt;</span> $owner, </span></span><span style="display:flex;"><span> group <span style="color:#f92672">=&gt;</span> $group, </span></span><span style="display:flex;"><span> mode <span style="color:#f92672">=&gt;</span> $file_read_mode, </span></span><span style="display:flex;"><span> source <span style="color:#f92672">=&gt;</span> <span style="color:#e6db74">&#34;${cert_dir}/${entry[&#39;cert&#39;]}&#34;</span>, </span></span><span style="display:flex;"><span> notify <span style="color:#f92672">=&gt;</span> <span style="color:#f92672">[</span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">Exec</span><span style="color:#f92672">[</span><span style="color:#e6db74">&#34;certbox - cleanup ca truststore&#34;</span><span style="color:#f92672">]</span>, </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">Exec</span><span style="color:#f92672">[</span><span style="color:#e6db74">&#34;certbox - add pem ${entry[&#39;cn&#39;]} to ca truststore&#34;</span><span style="color:#f92672">]]</span>, </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> exec { <span style="color:#e6db74">&#34;certbox - check if ca truststore for ${entry[&#39;cn&#39;]} exists&#34;</span>: </span></span><span style="display:flex;"><span> onlyif <span style="color:#f92672">=&gt;</span> <span style="color:#e6db74">&#34;test ! -f $custom_truststore&#34;</span>, </span></span><span style="display:flex;"><span> command <span style="color:#f92672">=&gt;</span> <span style="color:#e6db74">&#39;echo &#34;File does not exist.&#34;&#39;</span>, </span></span><span style="display:flex;"><span> notify <span style="color:#f92672">=&gt;</span> <span style="color:#66d9ef">Exec</span><span style="color:#f92672">[</span><span style="color:#e6db74">&#34;certbox - add pem ${entry[&#39;cn&#39;]} to ca truststore&#34;</span><span style="color:#f92672">]</span>, </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># reset ca truststore if temporary entry file state changed</span> </span></span><span style="display:flex;"><span> exec { <span style="color:#e6db74">&#34;certbox - cleanup ca truststore&#34;</span>: </span></span><span style="display:flex;"><span> refreshonly <span style="color:#f92672">=&gt;</span> <span style="color:#66d9ef">true</span>, </span></span><span style="display:flex;"><span> command <span style="color:#f92672">=&gt;</span> <span style="color:#e6db74">&#34;echo &gt; ${custom_truststore}&#34;</span>, </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># add ca truststore entry if temporary entry file state changed</span> </span></span><span style="display:flex;"><span> $custom_trust_entries<span style="color:#f92672">.</span>each <span style="color:#f92672">|</span> Integer $index, <span style="color:#66d9ef">Hash</span> $entry <span style="color:#f92672">|</span> { </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> exec { <span style="color:#e6db74">&#34;certbox - add pem ${entry[&#39;cn&#39;]} to ca truststore&#34;</span>: </span></span><span style="display:flex;"><span> refreshonly <span style="color:#f92672">=&gt;</span> <span style="color:#66d9ef">true</span>, </span></span><span style="display:flex;"><span> command <span style="color:#f92672">=&gt;</span> <span style="color:#e6db74">&#34;echo &gt;&gt; ${custom_truststore};cat ${cert_dir}/${entry[&#39;cert&#39;]} &gt;&gt; ${custom_truststore}&#34;</span>, </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> file { $custom_truststore: </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">ensure</span> <span style="color:#f92672">=&gt;</span> file, </span></span><span style="display:flex;"><span> owner <span style="color:#f92672">=&gt;</span> $owner, </span></span><span style="display:flex;"><span> group <span style="color:#f92672">=&gt;</span> $group, </span></span><span style="display:flex;"><span> mode <span style="color:#f92672">=&gt;</span> $file_read_mode, </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span>} </span></span></code></pre></div><p>This manifest checks if the source PEM files have changed or the target stores does not exist. If one of these cases apply the manifests creates the key- or truststore. Finally, it sets the file mode and ownership.</p> <p>To apply the manifest with Puppet run the following command:</p> <p><code>sudo puppet apply --modulepath=modules/ -e &quot;include certbox&quot;</code></p> <p>To verify if the files have been assembled correctly use this keytool commands:</p> <p><code>sudo keytool -printcert -file /var/tmp/certificates/custom-truststore.pem</code></p> <p>Let me know if this post helped you to resolve a particular use case.</p> https://janikvonrotz.ch/2019/01/30/generate-pkcs12-key-and-truststores-with-puppet/ Wed, 30 Jan 2019 11:16:52 +0100 https://janikvonrotz.ch/2019/01/30/generate-pkcs12-key-and-truststores-with-puppet/ <p>In <a href="https://janikvonrotz.ch/2019/01/22/create-pkcs12-key-and-truststore-with-keytool-and-openssl/">my last post</a> I have showed how to generate pkcs12 key- and truststores using openssl and keytool.</p> <p>For this post we assume that we want to automate the store assembling with Puppet. <a href="https://puppet.com/">Puppet</a> is a configuration management tool that shares many ideas with <a href="https://www.ansible.com/">Ansible</a>. In the world of Puppet you define a <a href="https://puppet.com/docs/puppet/5.5/lang_summary.html#files">manifest file</a> that describes a state of how a file, service or any type of resource should look like. Puppet applies these manifests and makes sure that the targeted system reaches the defined state.</p> <p>Using Puppets <a href="https://puppet.com/docs/puppet/5.3/types/exec.html">exec resource</a> we are going to define key- and truststores using openssl and keytool.</p> <p>Our manifest assure that the stores are assembled as defined. Puppet will be able to detect deltas and act accordingly.</p> <p>For our use-case we assume we have generate multiple certificates under <code>/var/tmp/certificates</code>:</p> <ul> <li>localhost_cert.pem</li> <li>localhost_key.pem</li> <li>example.com_cert.pem</li> <li>example.com_key.pem</li> <li>ca_cert.pem</li> </ul> <p>Our fictive webservice requires a key- and truststore containing the provided certificates and keys:</p> <ul> <li>webservice-keystore.pkcs12 <ul> <li>ca - trusted cert entry</li> <li>localhost - private key entry</li> <li>example.com - private key entry</li> </ul> </li> <li>webservice-truststore.pkcs12 <ul> <li>ca - trusted cert entry</li> </ul> </li> </ul> <p>Puppet is installed on our system and we are ready to declare and apply our manifest file.</p> <p>Our Puppet module will be called <em>certbox</em>. Modules must follow a strict naming and folder structure.</p> <p>Below is a copy-and-paste definition for our Puppet module. Create the manifest file and folders as showed.</p> <p><strong>modules/certbox/manifests/init.pp</strong></p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-rb" data-lang="rb"><span style="display:flex;"><span><span style="color:#66d9ef">class</span> certbox ( </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> String $certDir <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;/var/tmp/certificates&#34;</span>, </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> String $caCert <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;$certDir/ca_cert.pem&#34;</span>, </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> String $cn1 <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;localhost&#34;</span>, </span></span><span style="display:flex;"><span> String $cert1 <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;$certDir/${cn1}_cert.pem&#34;</span>, </span></span><span style="display:flex;"><span> String $key1 <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;$certDir/${cn1}_key.pem&#34;</span>, </span></span><span style="display:flex;"><span> String $keyPassword1 <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;password&#34;</span>, </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> String $cn2 <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;example.com&#34;</span>, </span></span><span style="display:flex;"><span> String $tmpKeystore2 <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;$certDir/$cn2.pkcs12&#34;</span>, </span></span><span style="display:flex;"><span> String $cert2 <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;$certDir/${cn2}_cert.pem&#34;</span>, </span></span><span style="display:flex;"><span> String $key2 <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;$certDir/${cn2}_key.pem&#34;</span>, </span></span><span style="display:flex;"><span> String $keyPassword2 <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;password&#34;</span>, </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> String $keystore <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;$certDir/webservice-keystore.pkcs12&#34;</span>, </span></span><span style="display:flex;"><span> String $truststore <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;$certDir/webservice-truststore.pkcs12&#34;</span>, </span></span><span style="display:flex;"><span> String $keystorePassword <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;password&#34;</span>, </span></span><span style="display:flex;"><span> String $truststorePassword <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;password&#34;</span>, </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> String $owner <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;root&#34;</span>, </span></span><span style="display:flex;"><span> String $group <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;root&#34;</span>, </span></span><span style="display:flex;"><span> String $fileReadMode <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;a=,ug+r&#34;</span>, </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>) { </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> exec { <span style="color:#e6db74">&#34;remove keystore for $cn1 if password changed or is empty&#34;</span>: </span></span><span style="display:flex;"><span> onlyif <span style="color:#f92672">=&gt;</span> <span style="color:#e6db74">&#34;/bin/keytool -list -storetype PKCS12 -keystore $keystore -storepass $keystorePass | grep &#39;password was incorrect</span><span style="color:#ae81ff">\\</span><span style="color:#e6db74">|file exists, but is empty&#39;&#34;</span>, </span></span><span style="display:flex;"><span> command <span style="color:#f92672">=&gt;</span> <span style="color:#e6db74">&#34;/bin/rm $keystore1&#34;</span>, </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> exec { <span style="color:#e6db74">&#34;create pkcs12 keystore for $cn1&#34;</span>: </span></span><span style="display:flex;"><span> onlyif <span style="color:#f92672">=&gt;</span> <span style="color:#e6db74">&#34;/bin/keytool -list -keystore $keystore -storepass $keystorePassword | grep $(openssl x509 -noout -fingerprint -sha1 -in $cert1 | cut -f2 -d </span><span style="color:#ae81ff">\&#34;</span><span style="color:#e6db74">=</span><span style="color:#ae81ff">\&#34;</span><span style="color:#e6db74">);test $? -eq 1&#34;</span>, </span></span><span style="display:flex;"><span> command <span style="color:#f92672">=&gt;</span> <span style="color:#e6db74">&#34;/bin/openssl pkcs12 -export -in $cert1 -inkey $key1 -passin pass:$keyPassword1 -certfile $caCert -out $keystore -passout pass:$keystorePassword -name $cn1&#34;</span>, </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> exec { <span style="color:#e6db74">&#34;remove keystore for $cn2 if password changed or is empty&#34;</span>: </span></span><span style="display:flex;"><span> onlyif <span style="color:#f92672">=&gt;</span> <span style="color:#e6db74">&#34;/bin/keytool -list -storetype PKCS12 -keystore $tmpKeystore2 -storepass $keystorePass | grep &#39;password was incorrect</span><span style="color:#ae81ff">\\</span><span style="color:#e6db74">|file exists, but is empty&#39;&#34;</span>, </span></span><span style="display:flex;"><span> command <span style="color:#f92672">=&gt;</span> <span style="color:#e6db74">&#34;/bin/rm $tmpKeystore2&#34;</span>, </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> exec { <span style="color:#e6db74">&#34;create pkcs12 keystore for $cn2&#34;</span>: </span></span><span style="display:flex;"><span> onlyif <span style="color:#f92672">=&gt;</span> <span style="color:#e6db74">&#34;/bin/keytool -list -keystore $tmpKeystore2 -storepass $keystorePassword | grep $(openssl x509 -noout -fingerprint -sha1 -in $cert2 | cut -f2 -d </span><span style="color:#ae81ff">\&#34;</span><span style="color:#e6db74">=</span><span style="color:#ae81ff">\&#34;</span><span style="color:#e6db74">);test $? -eq 1&#34;</span>, </span></span><span style="display:flex;"><span> command <span style="color:#f92672">=&gt;</span> <span style="color:#e6db74">&#34;/bin/openssl pkcs12 -in $cert2 -inkey $key2 -passin pass:$keyPassword2 -export -out $tmpKeystore2 -passout pass:$keystorePassword -name $cn2&#34;</span>, </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> exec { <span style="color:#e6db74">&#34;merge $cn2 into $cn1 keystore&#34;</span>: </span></span><span style="display:flex;"><span> onlyif <span style="color:#f92672">=&gt;</span> <span style="color:#e6db74">&#34;/bin/keytool -list -keystore $keystore -storepass $keystorePassword | grep $(openssl x509 -noout -fingerprint -sha1 -in $cert2 | cut -f2 -d </span><span style="color:#ae81ff">\&#34;</span><span style="color:#e6db74">=</span><span style="color:#ae81ff">\&#34;</span><span style="color:#e6db74">);test $? -eq 1&#34;</span>, </span></span><span style="display:flex;"><span> command <span style="color:#f92672">=&gt;</span> <span style="color:#e6db74">&#34;/bin/keytool -importkeystore -storetype PKCS12 -destkeystore $keystore -deststorepass $keystorePassword -destkeypass $keystorePassword \ </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> -srckeystore $tmpKeystore2 -srcstoretype PKCS12 -srcstorepass $keystorePassword -alias $cn2 -noprompt&#34;</span>, </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> file { $keystore: </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">ensure</span> <span style="color:#f92672">=&gt;</span> file, </span></span><span style="display:flex;"><span> owner <span style="color:#f92672">=&gt;</span> $owner, </span></span><span style="display:flex;"><span> group <span style="color:#f92672">=&gt;</span> $group, </span></span><span style="display:flex;"><span> mode <span style="color:#f92672">=&gt;</span> $fileReadMode, </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> exec { <span style="color:#e6db74">&#34;remove truststore for $cn1 if password changed&#34;</span>: </span></span><span style="display:flex;"><span> onlyif <span style="color:#f92672">=&gt;</span> <span style="color:#e6db74">&#34;/bin/keytool -list -storetype PKCS12 -keystore $truststore -storepass $truststorePass | grep &#39;password was incorrect&#39;&#34;</span>, </span></span><span style="display:flex;"><span> command <span style="color:#f92672">=&gt;</span> <span style="color:#e6db74">&#34;/bin/rm $truststore&#34;</span>, </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> exec { <span style="color:#e6db74">&#34;create pkcs12 truststore&#34;</span>: </span></span><span style="display:flex;"><span> onlyif <span style="color:#f92672">=&gt;</span> <span style="color:#e6db74">&#34;/bin/keytool -list -keystore $truststore -storepass $truststorePassword | grep $(openssl x509 -noout -fingerprint -sha1 -in $caCert | cut -f2 -d </span><span style="color:#ae81ff">\&#34;</span><span style="color:#e6db74">=</span><span style="color:#ae81ff">\&#34;</span><span style="color:#e6db74">);test $? -eq 1&#34;</span>, </span></span><span style="display:flex;"><span> command <span style="color:#f92672">=&gt;</span> <span style="color:#e6db74">&#34;/bin/keytool -importcert -storetype PKCS12 -keystore $truststore -storepass $truststorePassword -alias ca -file $caCert -noprompt&#34;</span>, </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> file { $truststore: </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">ensure</span> <span style="color:#f92672">=&gt;</span> file, </span></span><span style="display:flex;"><span> owner <span style="color:#f92672">=&gt;</span> $owner, </span></span><span style="display:flex;"><span> group <span style="color:#f92672">=&gt;</span> $group, </span></span><span style="display:flex;"><span> mode <span style="color:#f92672">=&gt;</span> $fileReadMode, </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span>} </span></span></code></pre></div><p><strong>Edit 1:</strong> Compare sha1 of cert to assert if import should be executed.<br> <strong>Edit 2:</strong> On create keystore check not if store file already exist, but check if cert in keystore matches the sha1. The check should also act as expected if file does not exist.<br> <strong>Edit 3:</strong> Remove the create empty truststore task. If the truststore file does not exist, the keytool import command will create the file.<br> <strong>Edit 4:</strong> Added exec task that remove the store file if the password has changed.</p> <p>The manifest is kept fairly simple. However, you might ask why we have to merge our second certificate from a pkcs12 store. The answer is a bit more complicated. The openssl and keytool utilities help generating and managing key material. They provide similar tasks, but differ heavy in specific features. Here are the most important differences:</p> <ul> <li>Openssl cannot manipulate existing pkcs12 stores.</li> <li>Openssl cannot create pkcs12 with multiple certificates and keys.</li> <li>Keytool cannot import certificates and keys into an existing pkcs12 store, however, it can import a pkcs12 store into an existing one.</li> <li>Keytool cannot create pkcs12 stores from a certificate and key.</li> </ul> <p>Hope this helps to understand the design decisions made here much better.</p> <p>To apply the manifest with Puppet run the following command:</p> <p><code>sudo puppet apply --modulepath=modules/ -e &quot;include certbox&quot;</code></p> <p>At this point Puppet should create the key- and truststores.</p> <p>If you ended up with an error or faced some other issues let me know!</p> https://janikvonrotz.ch/2019/01/22/create-pkcs12-key-and-truststore-with-keytool-and-openssl/ Tue, 22 Jan 2019 14:05:15 +0100 https://janikvonrotz.ch/2019/01/22/create-pkcs12-key-and-truststore-with-keytool-and-openssl/ <p>In my <a href="https://janikvonrotz.ch/2019/01/21/create-a-certificate-authority-ca-and-sign-server-certificates-without-prompting-using-openssl/">last post</a> I&rsquo;ve showed you how to create a custom certificate authority and sign a server cert using openssl without user interaction.</p> <p>For this post I assume that we want to set up a webservice that requires a <a href="https://en.wikipedia.org/wiki/PKCS_12">pkcs12</a> keystore. Using openssl and the java keytool we are going to create a pkcs12 store and add our ca cert, server cert and server key. Further, we assume that the application also requires a truststore containing the ca cert only.</p> <p>Make sure to walk through the last post before getting started.</p> <p>Configure new environment variables.</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>APPLICATION_NAME<span style="color:#f92672">=</span>webservice </span></span><span style="display:flex;"><span>KEYSTORE_PASSWORD<span style="color:#f92672">=</span>password </span></span><span style="display:flex;"><span>TRUSTSTORE_PASSWORD<span style="color:#f92672">=</span>password </span></span><span style="display:flex;"><span>SERVER_CERT_PASSWORD<span style="color:#f92672">=</span>password </span></span><span style="display:flex;"><span>SERVER_CERT_CN<span style="color:#f92672">=</span>localhost </span></span></code></pre></div><p>Create the pkcs12 store containing the server cert and the ca trust.</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>openssl pkcs12 -in <span style="color:#e6db74">${</span>SERVER_CERT_CN<span style="color:#e6db74">}</span>_cert.pem -inkey <span style="color:#e6db74">${</span>SERVER_CERT_CN<span style="color:#e6db74">}</span>_key.pem -passin pass:$SERVER_CERT_PASSWORD -certfile ca_cert.pem <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -export -out <span style="color:#e6db74">${</span>APPLICATION_NAME<span style="color:#e6db74">}</span>_<span style="color:#e6db74">${</span>SERVER_CERT_CN<span style="color:#e6db74">}</span>-keystore.pkcs12 -passout pass:$KEYSTORE_PASSWORD -name $SERVER_CERT_CN </span></span></code></pre></div><p>Show the content of keystore.</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>keytool -list -storetype PKCS12 -keystore $APPLICATION_NAME-keystore.pkcs12 <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -storepass $KEYSTORE_PASSWORD </span></span></code></pre></div><p>Openssl cannot create a pkcs12 store from cert without key. This is why we create the truststore with the keytool.</p> <p>Create a pkcs12 truststore containing the ca cert.</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>keytool -importcert -storetype PKCS12 -keystore $APPLICATION_NAME-truststore.pkcs12 <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -storepass $TRUSTSTORE_PASSWORD -alias ca -file ca_cert.pem -noprompt </span></span></code></pre></div><p>Show the content of the truststore.</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>keytool -list -storetype PKCS12 -keystore $APPLICATION_NAME-truststore.pkcs12 <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -storepass $TRUSTSTORE_PASSWORD </span></span></code></pre></div><p><strong>Edit 1</strong>: Removed keystore ca import step. The openssl <em>certfile</em> parameter accepts a bundled .pem containing trusted certs.<br> <strong>Edit 2</strong>: Removed the create empty truststore step. Keytool will create the truststore file if it does not exist.</p> <p>Not sure if it is a bug that openssl cannot create pkcs12 stores from certs without keys. Nonetheless, the two step workflow is a convenient solution. Openssl creates the initial pkcs12 store and the keytool manipulates the store as required.</p> <p><strong>Note</strong>: It seems you cannot import a certificate and its key with keytool. So you need to create the store with openssl in order to import the key.</p> <p>Source: <a href="https://stackoverflow.com/questions/906402/how-to-import-an-existing-x509-certificate-and-private-key-in-java-keystore-to-u">Stackoverflow - How to import an existing x509 certificate and private key in Java keystore to use in SSL?</a></p> https://janikvonrotz.ch/2019/01/21/create-a-certificate-authority-ca-and-sign-server-certificates-without-prompting-using-openssl/ Mon, 21 Jan 2019 16:20:35 +0100 https://janikvonrotz.ch/2019/01/21/create-a-certificate-authority-ca-and-sign-server-certificates-without-prompting-using-openssl/ <p>Most of the times people want to get a certificate for the hostname <em>localhost</em>, <a href="https://letsencrypt.org/docs/certificates-for-localhost/">let&rsquo;s encrypt wrote a nice post</a> about this, but sometimes people want a certificate for any hostname. And further, signed by a custom CA and if possible should the key material be generated without user interaction. In this post I have covered the less likely case.</p> <p>Below you&rsquo;ll find a list of bash commands. You can copy and paste all of them into a bash script or run each command at a time in the shell.</p> <p>Set environment variables for key material configuration.</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>CA_CERT_PASSWORD<span style="color:#f92672">=</span>password </span></span><span style="display:flex;"><span>SERVER_CERT_PASSWORD<span style="color:#f92672">=</span>password </span></span><span style="display:flex;"><span>SERVER_CERT_CN<span style="color:#f92672">=</span>localhost </span></span><span style="display:flex;"><span>SERVER_ALT_NAME<span style="color:#f92672">=</span>localhost </span></span></code></pre></div><p>Create the CA key.</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>openssl genrsa -des3 -passout pass:$CA_CERT_PASSWORD -out ca_key.pem <span style="color:#ae81ff">4096</span> </span></span></code></pre></div><p>Create the CA certificate.</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>openssl req -x509 -new -nodes -key ca_key.pem -passin pass:$CA_CERT_PASSWORD -sha256 -days <span style="color:#ae81ff">1825</span> -out ca_cert.pem <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -subj <span style="color:#e6db74">&#34;/C=CH/ST=Bern/L=Bern/O=AdNovum AG/CN=ca&#34;</span> </span></span></code></pre></div><p>Create the server key.</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>openssl genrsa -des3 -passout pass:$SERVER_CERT_PASSWORD -out <span style="color:#e6db74">${</span>SERVER_CERT_CN<span style="color:#e6db74">}</span>_key.pem <span style="color:#ae81ff">2048</span> </span></span></code></pre></div><p>Create the server certificate signing request.</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>openssl req -new -key <span style="color:#e6db74">${</span>SERVER_CERT_CN<span style="color:#e6db74">}</span>_key.pem -passin pass:$SERVER_CERT_PASSWORD -out <span style="color:#e6db74">${</span>SERVER_CERT_CN<span style="color:#e6db74">}</span>.csr <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -subj <span style="color:#e6db74">&#34;/CN=</span>$SERVER_CERT_CN<span style="color:#e6db74">&#34;</span> </span></span></code></pre></div><p>Create server certificate extension configuration.</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>cat &gt; ./<span style="color:#e6db74">${</span>SERVER_CERT_CN<span style="color:#e6db74">}</span>.cnf <span style="color:#e6db74">&lt;&lt;EOT </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">authorityKeyIdentifier=keyid,issuer </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">keyUsage=digitalSignature </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">extendedKeyUsage=serverAuth </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">subjectAltName = @alt_names </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">[alt_names] </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">DNS.1 = $SERVER_ALT_NAME </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">EOT</span> </span></span></code></pre></div><p>Sign the server certificate signing request.</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>openssl x509 -req -in <span style="color:#e6db74">${</span>SERVER_CERT_CN<span style="color:#e6db74">}</span>.csr -CA ca_cert.pem -CAkey ca_key.pem -passin pass:$CA_CERT_PASSWORD -CAcreateserial <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -out <span style="color:#e6db74">${</span>SERVER_CERT_CN<span style="color:#e6db74">}</span>_cert.pem -days <span style="color:#ae81ff">1825</span> -sha256 -extfile <span style="color:#e6db74">${</span>SERVER_CERT_CN<span style="color:#e6db74">}</span>.cnf </span></span></code></pre></div><p>To create additional server certificates use the snippet below.</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>CA_CERT_PASSWORD<span style="color:#f92672">=</span>password </span></span><span style="display:flex;"><span>SERVER_CERT_PASSWORD<span style="color:#f92672">=</span>password </span></span><span style="display:flex;"><span>SERVER_CERT_CN<span style="color:#f92672">=</span>hostname </span></span><span style="display:flex;"><span>SERVER_ALT_NAME<span style="color:#f92672">=</span>hostname </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>openssl genrsa -des3 -passout pass:$SERVER_CERT_PASSWORD -out <span style="color:#e6db74">${</span>SERVER_CERT_CN<span style="color:#e6db74">}</span>_key.pem <span style="color:#ae81ff">2048</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>openssl req -new -key <span style="color:#e6db74">${</span>SERVER_CERT_CN<span style="color:#e6db74">}</span>_key.pem -passin pass:$SERVER_CERT_PASSWORD -out <span style="color:#e6db74">${</span>SERVER_CERT_CN<span style="color:#e6db74">}</span>.csr <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -subj <span style="color:#e6db74">&#34;/CN=</span>$SERVER_CERT_CN<span style="color:#e6db74">&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>cat &gt; ./<span style="color:#e6db74">${</span>SERVER_CERT_CN<span style="color:#e6db74">}</span>.cnf <span style="color:#e6db74">&lt;&lt;EOT </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">authorityKeyIdentifier=keyid,issuer </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">keyUsage=digitalSignature </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">extendedKeyUsage=serverAuth </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">subjectAltName = @alt_names </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">[alt_names] </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">DNS.1 = $SERVER_ALT_NAME </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">EOT</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>openssl x509 -req -in <span style="color:#e6db74">${</span>SERVER_CERT_CN<span style="color:#e6db74">}</span>.csr -CA ca_cert.pem -CAkey ca_key.pem -passin pass:$CA_CERT_PASSWORD -CAcreateserial <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> -out <span style="color:#e6db74">${</span>SERVER_CERT_CN<span style="color:#e6db74">}</span>_cert.pem -days <span style="color:#ae81ff">1825</span> -sha256 -extfile <span style="color:#e6db74">${</span>SERVER_CERT_CN<span style="color:#e6db74">}</span>.cnf </span></span></code></pre></div>