#!/bin/bash set -euo pipefail BASEDIR=$(dirname "$0") ####################################################### # GENERATE ROOT CA CERTIFICATES for Backend Service 1 # ####################################################### # Generate the root CA private key openssl genrsa -out $BASEDIR/certs/rootCA-service-1.key 2048 # Create and self sign the root CA public key openssl req -x509 -new -nodes \ -key $BASEDIR/certs/rootCA-service-1.key \ -sha256 \ -days 365 \ -subj "/C=US/ST=Washington/L=Seattle/O=Root CA Inc./OU=CA" \ -out $BASEDIR/certs/rootCA-service-1.crt ####################################################### # GENERATE ROOT CA CERTIFICATES for Backend Service 2 # ####################################################### # Generate the root CA private key openssl genrsa -out $BASEDIR/certs/rootCA-service-2.key 2048 # Create and self sign the root CA public key openssl req -x509 -new -nodes \ -key $BASEDIR/certs/rootCA-service-2.key \ -sha256 \ -days 365 \ -subj "/C=US/ST=Ohio/L=Columbus/O=Root CA Inc./OU=CA" \ -out $BASEDIR/certs/rootCA-service-2.crt ########################################### # GENERATE BACKEND SERVICE 1 CERTIFICATES # ########################################### # Create the backend service 1 private key openssl genrsa -out $BASEDIR/certs/backend_service_1.key 2048 # Create the backend service 1 signing request openssl req -new -sha256 \ -key $BASEDIR/certs/backend_service_1.key \ -subj "/C=US/ST=Washington/L=Seattle/O=The Cloud Company/OU=Backend Service 1/CN=backend-service-1.com" \ -out $BASEDIR/certs/backend_service_1.csr # Create the backend service 1 sign public key, by signing the backend service 1 signing request with the root CA private and public key openssl x509 -req \ -in $BASEDIR/certs/backend_service_1.csr \ -days 365 -sha256 \ -CA $BASEDIR/certs/rootCA-service-1.crt \ -CAkey $BASEDIR/certs/rootCA-service-1.key \ -CAserial $BASEDIR/certs/rootCA-service-1.srl \ -CAcreateserial \ -out $BASEDIR/certs/backend_service_1.crt ########################################### # GENERATE BACKEND SERVICE 2 CERTIFICATES # ########################################### # Create the backend service 2 private key openssl genrsa -out $BASEDIR/certs/backend_service_2.key 2048 # Create the backend service 2 signing request openssl req -new -sha256 \ -key $BASEDIR/certs/backend_service_2.key \ -subj "/C=US/ST=Ohio/L=Columbus/O=The Cloud Company/OU=Backend Service 2/CN=backend-service-2.com" \ -out $BASEDIR/certs/backend_service_2.csr # Create the backend service 2 sign public key, by signing the backend service 2 signing request with the root CA private and public key openssl x509 -req \ -in $BASEDIR/certs/backend_service_2.csr \ -days 365 -sha256 \ -CA $BASEDIR/certs/rootCA-service-2.crt \ -CAkey $BASEDIR/certs/rootCA-service-2.key \ -CAserial $BASEDIR/certs/rootCA-service-2.srl \ -CAcreateserial \ -out $BASEDIR/certs/backend_service_2.crt ################################ # GENERATE LAMBDA CERTIFICATES # ################################ # Generate the lambda truststore and import the rootCA-service-1 public key keytool -importcert \ -keystore $BASEDIR/certs/client_truststore.jks \ -storetype JKS \ -file $BASEDIR/certs/rootCA-service-1.crt \ -keypass secret \ -storepass secret \ -alias rootCA-service-1 \ -noprompt keytool -importcert \ -keystore $BASEDIR/certs/client_truststore.jks \ -storetype JKS \ -file $BASEDIR/certs/rootCA-service-2.crt \ -keypass secret \ -storepass secret \ -alias rootCA-service-2 \ -noprompt # Import the signed backend service 1 public key into the lambda truststore keytool -importcert \ -keystore $BASEDIR/certs/client_truststore.jks \ -alias backend_service_1 \ -file $BASEDIR/certs/backend_service_1.crt \ -keypass secret \ -storepass secret \ -noprompt # Import the signed backend service 2 public key into the lambda truststore keytool -importcert \ -keystore $BASEDIR/certs/client_truststore.jks \ -alias backend_service_2 \ -file $BASEDIR/certs/backend_service_2.crt \ -keypass secret \ -storepass secret \ -noprompt # verify the lambda truststore #keytool -list \ # -keystore $BASEDIR/certs/client_truststore.jks \ # -storepass secret \ # -v # Generate the lambda keystore for backend service 1 which contains the rootCA-service-1 certificate keytool -genkeypair \ -keyalg RSA \ -sigalg SHA256withRSA \ -alias lambda \ -keystore $BASEDIR/certs/client_keystore_1.jks \ -storepass secret \ -keypass secret \ -validity 365 \ -keysize 2048 \ -dname "CN=Lambda for Backend Service 1, OU=S-Team, O=The Cloud Company, L=Seattle, S=Washington, C=US" # Create a signing request for the client keystore backend service 1 keytool -certreq \ -keystore $BASEDIR/certs/client_keystore_1.jks \ -sigalg SHA256withRSA \ -alias lambda \ -file $BASEDIR/certs/client_1.csr \ -keypass secret \ -storepass secret # Check the certificate request #openssl req -text -noout \ # -in $BASEDIR/certs/client_1.csr \ # -verify # Sign the signing request with the root CA keys openssl x509 -req \ -CA $BASEDIR/certs/rootCA-service-1.crt \ -CAkey $BASEDIR/certs/rootCA-service-1.key \ -in $BASEDIR/certs/client_1.csr \ -out $BASEDIR/certs/client_1.crt \ -sha256 \ -days 365 \ -CAcreateserial \ -CAserial $BASEDIR/certs/client_1.srl \ # Check the public key #openssl x509 -noout -text \ # -in client_1.crt # Import the rootCA-service-1 public key to the client keystore for backend service 1 keytool -importcert \ -keystore $BASEDIR/certs/client_keystore_1.jks \ -storetype JKS \ -file $BASEDIR/certs/rootCA-service-1.crt \ -keypass secret \ -storepass secret \ -alias rootCA-service-1 \ -noprompt # Import the signed client public key into the lambda keystore for backend service 1 keytool -importcert \ -keystore $BASEDIR/certs/client_keystore_1.jks \ -alias lambda \ -file $BASEDIR/certs/client_1.crt \ -keypass secret \ -storepass secret \ -trustcacerts \ -noprompt # verify the client keystore for backend service 1 #keytool -list \ # -keystore $BASEDIR/certs/client_keystore_1.jks \ # -storepass secret \ # -v # Generate the lambda keystore for backend service 2 which contains the rootCA-service-2 certificate keytool -genkeypair \ -keyalg RSA \ -sigalg SHA256withRSA \ -alias lambda \ -keystore $BASEDIR/certs/client_keystore_2.jks \ -storepass secret \ -keypass secret \ -validity 365 \ -keysize 2048 \ -dname "CN=Lambda for Backend Service 2, OU=S-Team, O=The Cloud Company, L=Columbus, S=Ohio, C=US" # Create s signing request for the client keystore backend service 2 keytool -certreq \ -keystore $BASEDIR/certs/client_keystore_2.jks \ -sigalg SHA256withRSA \ -alias lambda \ -file $BASEDIR/certs/client_2.csr \ -keypass secret \ -storepass secret # Check the certificate request #openssl req -text -noout \ # -in $BASEDIR/certs/client_2.csr \ # -verify # Sign the signing request with the root CA keys openssl x509 -req \ -CA $BASEDIR/certs/rootCA-service-2.crt \ -CAkey $BASEDIR/certs/rootCA-service-2.key \ -in $BASEDIR/certs/client_2.csr \ -out $BASEDIR/certs/client_2.crt \ -sha256 \ -days 365 \ -CAcreateserial \ -CAserial $BASEDIR/certs/client_2.srl \ # Check the public key #openssl x509 -noout -text \ # -in client_2.crt # Import the rootCA-service-2 public key to the client keystore for backend service 2 keytool -importcert \ -keystore $BASEDIR/certs/client_keystore_2.jks \ -storetype JKS \ -file $BASEDIR/certs/rootCA-service-2.crt \ -keypass secret \ -storepass secret \ -alias rootCA-service-2 \ -noprompt # Import the signed client public key into the lambda keystore for backend service 2 keytool -importcert \ -keystore $BASEDIR/certs/client_keystore_2.jks \ -alias lambda \ -file $BASEDIR/certs/client_2.crt \ -keypass secret \ -storepass secret \ -trustcacerts \ -noprompt # verify the client keystore for backend service 2 #keytool -list \ # -keystore $BASEDIR/certs/client_keystore_2.jks \ # -storepass secret \ # -v # Copy the backend_service_1.crt, backend_service_1.key and rootCA-service-1.crt into the backend service 1 module cp $BASEDIR/certs/backend_service_1.crt $BASEDIR/../software/backend-service-1/conf.d/certs/ cp $BASEDIR/certs/backend_service_1.key $BASEDIR/../software/backend-service-1/conf.d/certs/ cp $BASEDIR/certs/rootCA-service-1.crt $BASEDIR/../software/backend-service-1/conf.d/certs/ # Copy the backend_service_2.crt, backend_service_2.key and rootCA-service-2.crt into the backend service 2 module cp $BASEDIR/certs/backend_service_2.crt $BASEDIR/../software/backend-service-2/conf.d/certs/ cp $BASEDIR/certs/backend_service_2.key $BASEDIR/../software/backend-service-2/conf.d/certs/ cp $BASEDIR/certs/rootCA-service-2.crt $BASEDIR/../software/backend-service-2/conf.d/certs/ # Copy the client_keystore_1.jks and client_truststore.jks into the lambda-only module cp $BASEDIR/certs/client_keystore_1.jks $BASEDIR/../software/1-lambda-only/src/main/resources/ cp $BASEDIR/certs/client_truststore.jks $BASEDIR/../software/1-lambda-only/src/main/resources/ # Copy the client_keystore_1.jks and client_truststore.jks into the lambda-layer-service-1-cert module cp $BASEDIR/certs/client_keystore_1.jks $BASEDIR/../software/lambda-layer-service-1-cert/src/main/resources/ cp $BASEDIR/certs/client_truststore.jks $BASEDIR/../software/lambda-layer-service-1-cert/src/main/resources/ # Copy the client_keystore_2.jks and client_truststore.jks into the lambda-layer-service-2-cert module cp $BASEDIR/certs/client_keystore_2.jks $BASEDIR/../software/lambda-layer-service-2-cert/src/main/resources/ cp $BASEDIR/certs/client_truststore.jks $BASEDIR/../software/lambda-layer-service-2-cert/src/main/resources/