
Commit 69e0b17

author
Derrek Young
committed
Big refactor. Added unit tests for quicker development. Moved common logic to a separate script. More thorough error checking.
1 parent 97eb01d commit 69e0b17

21 files changed

+937
-428
lines changed

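--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,3 @@
 
 dist/
+test/tmp/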

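--- a/README.md
+++ b/README.md
@@ -1,10 +1,7 @@
 # AppD-SSL-Cert-Utils
 
-ATTENTION:
-* These are **unofficial** utilities so consider them to be Beta--not GA
-* Your mileage may vary
-* Thar be dragons
-* Etcetera, etcetera
+ATTENTION:
+* These are **unofficial** utilities so consider them to be Beta--not GA. If unsure, bring in your AppDynamics representative.
 
 ## Description
 Totally unofficial SSL utils to ease working with SSL certificates in AppD.
@@ -22,6 +19,13 @@ Download the latest release from the Releases page:
 https://github.com/derrekyoung/AppD-SSL-Cert-Utils/releases/latest
 
 ## Usage
-Run either `./controller-ssl-certs-util.sh` or `./eum-ssl-certs-util.sh` and then use the interactive command line.
+Always follow the official AppDynamics documentation at https://docs.appdynamics.com
 
-No parameters are passed in. Always follow the official AppDynamics documentation. In general, you'll need to create a CSR and then import the cert. If you have an internal CA, you'll need to import the root and/or intermediate certs.
+The basic flow is to
+- Create a Certificate Signing Request (CSR)
+- Send that CSR to your CA
+- They'll send back to you a signed certificate
+- You'll then need to import your signed certificate
+- IF you have an internal CA, then you'll first need to import your root cert, cert chain and/or intermediate cert. The exact steps depend on your organization and environment.
+
+Run either `./controller-ssl-certs-util.sh` or `./eum-ssl-certs-util.sh` and then use the interactive command line. No parameters are passed in.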

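--- a/build.sh
+++ b/build.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 
-VERSION="0.8-BETA"
+VERSION="1.0-BETA"
 
 
 ################################################
@@ -26,6 +26,8 @@ dist()
 
 cp controller-ssl-certs-util.sh $DIST_DIR/$DIST_TOP_FOLDER/controller-ssl-certs-util-$VERSION.sh
 cp eum-ssl-certs-util.sh $DIST_DIR/$DIST_TOP_FOLDER/eum-ssl-certs-util-$VERSION.sh
+cp ssl-certs-util-common.sh $DIST_DIR/$DIST_TOP_FOLDER/ssl-certs-util-common.sh
+cp README.md $DIST_DIR/$DIST_TOP_FOLDER/README.md
 
 echo "Creating the Zip file..."
 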
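Review bot: The two new `cp` lines in the second hunk leave `$DIST_DIR/$DIST_TOP_FOLDER` unquoted and their exit status unchecked, so a path containing whitespace would word-split and a failed copy would still let `dist()` go on to build the zip (unless `set -e` is enabled earlier in the file, which is outside this hunk). Quote the expansions and stop on failure, e.g. `cp ssl-certs-util-common.sh "$DIST_DIR/$DIST_TOP_FOLDER/ssl-certs-util-common.sh" || exit 1` and the same form for the `README.md` line. The existing two `cp` lines above them have the same shape, so fixing all four together keeps the function consistent. `dist()` begins before this hunk.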

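--- a/controller-ssl-certs-util.sh
+++ b/controller-ssl-certs-util.sh
@@ -1,21 +1,31 @@
 #!/bin/bash
 #--------------------------------------------------------------------------------------------------
-# A Linux script to help working with SSL certificates. It's not a total replacement for keytool.
-# Think of this as the Basic interface to keystores and keytool is the Advanced one.
+# A Linux script to help working with SSL certificates in the CONTROLLER. (If you want EUM certs,
+# then use the other script.)
+# This is not a total replacement for keytool. Think of this as the Basic interface to keystores
+# and keytool is the Advanced one.
 #
-# Generate new certs, import them, list keystore contents and disable the HTTP port.
-#
-# Version: 0.8
+# Generate new certs, import them, and list keystore contents.
 #
 #--------------------------------------------------------------------------------------------------
 
 # Edit the following parameter to suit your environment
 CONTROLLER_HOME=/opt/AppDynamics/Controller
 
 
-################################################
+
+###################################################################################################
 # Do not edit below this line
-DATETIME=`date +%Y%m%d%H%M`
+###################################################################################################
+
+source ./ssl-certs-util-common.sh
+if [ ! -f "./ssl-certs-util-common.sh" ]; then
+echo "ERROR: File not found, ssl-certs-util-common.sh. This file must be in the same directory as this script."
+exit 1
+fi
+
+
+DATETIME=$(date +%Y%m%d%H%M)
 CSR="./$HOSTNAME-$DATETIME.csr"
 
 SIGNED_CERT_ALIAS_NAME="s1as"
@@ -27,197 +37,67 @@ KEYTOOL_HOME=$CONTROLLER_HOME/jre/bin
 KEYTOOL=$KEYTOOL_HOME/keytool
 KEYSTORE_BACKUP="./$KEYSTORE_NAME-$DATETIME.bak"
 
-#1
-generate-csr()
+controller-generate-csr()
 {
 echo "Generating a new Certificate Signing Request..."
 
-#########################################
-# Backup the keystore
-if [ -f $KEYSTORE_PATH ]; then
-echo "Creating backup keystore $KEYSTORE_BACKUP"
-cp $KEYSTORE_PATH $KEYSTORE_BACKUP
-
-if [ $? -gt 0 ] ; then
-echo "ERROR: unable to create the backup keystore"
-exit 1
-fi
-fi
-
-#########################################
-# Delete the existing $SIGNED_CERT_ALIAS_NAME
-echo "Deleting $SIGNED_CERT_ALIAS_NAME in $KEYSTORE_PATH "
-$KEYTOOL -delete -alias $SIGNED_CERT_ALIAS_NAME -keystore $KEYSTORE_PATH -storepass $KEYSTORE_PASSWORD
-
-if [ $? -gt 0 ] ; then
-echo "ERROR: unable to delete the alias"
-exit 1
-fi
-
-#########################################
-# Generate the keypair
-echo "Generating the new keypair in $KEYSTORE_PATH "
-$KEYTOOL -genkeypair -alias $SIGNED_CERT_ALIAS_NAME -keyalg RSA -keystore $KEYSTORE_PATH -keysize 2048 -validity 1825 -storepass $KEYSTORE_PASSWORD
-
-if [ $? -gt 0 ] ; then
-echo "ERROR: unable to generate the keypair"
-exit 1
-fi
-
-
-#########################################
-# Generate the CSR
-echo "Generating the Certificate Signing Request at $CSR "
-$KEYTOOL -certreq -alias $SIGNED_CERT_ALIAS_NAME -keystore $KEYSTORE_PATH -storepass $KEYSTORE_PASSWORD -file $CSR
-
-if [ $? -gt 0 ] ; then
-echo "ERROR: unable to generate the CSR"
-exit 1
-fi
-
-#########################################
-echo " "
-echo "Finished. CSR generated at $CSR"
-echo "Send this CSR to your Certificate Authority for signing, then import the signed cert. You may need to first import the CA's chain or root cert, depending on your setup. Contact your company's PKI team for guidance. "
-}
-
-#2
-import-signed-cert()
-{
-echo "Importing a signed certificate..."
-read -rp $'Certificate filename: ' cert
-
-validate-certificate $cert
-
-echo "Importing $cert into $KEYSTORE_PATH for alias $SIGNED_CERT_ALIAS_NAME"
-$KEYTOOL -import -trustcacerts -keystore $KEYSTORE_PATH -file $cert -alias $SIGNED_CERT_ALIAS_NAME -storepass $KEYSTORE_PASSWORD
-
-if [ $? -gt 0 ] ; then
-echo "ERROR: unable to import the certificate"
-exit 1
-fi
-
-echo "Finished"
-}
-
-#3
-import-cert-chain()
-{
-echo "Importing a root or intermediate certificate..."
-read -rp $'Certificate filename: ' cert
+keystore-backup-existing-keystore "$KEYSTORE_PATH" "$KEYSTORE_BACKUP"
 
-validate-certificate $cert
+keystore-delete-alias "$KEYSTORE_PATH" "$KEYSTORE_PASSWORD" "$KEYTOOL" "$SIGNED_CERT_ALIAS_NAME"
 
-local alias=$(get-alias $cert)
+keystore-create-keypair "$KEYSTORE_PATH" "$KEYSTORE_PASSWORD" "$KEYTOOL" "$SIGNED_CERT_ALIAS_NAME"
 
-echo "Importing $cert into $KEYSTORE_PATH for alias $alias"
-$KEYTOOL -import -trustcacerts -keystore $KEYSTORE_PATH -file $cert -alias $alias -storepass $KEYSTORE_PASSWORD
+keystore-create-csr "$KEYSTORE_PATH" "$KEYSTORE_PASSWORD" "$KEYTOOL" "$SIGNED_CERT_ALIAS_NAME" "$CSR"
 
-if [ $? -gt 0 ] ; then
-echo "ERROR: unable to import the certificate"
-exit 1
-fi
-
-echo "Finished"
-}
-
-#4
-list()
-{
-$KEYTOOL -list -keystore $KEYSTORE_PATH -storepass $KEYSTORE_PASSWORD | more
-}
-
-get-alias()
-{
-local fullfile=$1
-local filename="${fullfile##*/}"
-local alias=$(echo $filename | cut -f 1 -d '.') #File name without the extension
-
-echo "$alias"
-}
-
-validate-certificate()
-{
-local cert=$1
-
-if [ -z "$cert" ]; then
-echo "Required: certificate file name"
-exit 1
-fi
-
-if [[ $cert == *.p12 || $cert == *.P12 ]]; then
-echo "ERROR: This script does not support p12 certificates. Please refer to the official docs."
-echo " "
-echo "https://docs.appdynamics.com/display/latest/Controller+SSL+and+Certificates"
-exit 1
-fi
-
-if [ ! -f $cert ]; then
-echo "ERROR: File not found, $1"
-exit 1
-fi
-}
-
-validate-install()
-{
-if [ ! -d "$CONTROLLER_HOME" ]; then
-echo "ERROR: Unable to find $CONTROLLER_HOME. Set the variable in this script."
-exit 1
-fi
-if [ ! -d "$KEYTOOL_HOME" ]; then
-echo "ERROR: Unable to find $KEYTOOL_HOME. Set the variable in this script."
-exit 1
-fi
-if [ ! -d "$CONFIG_HOME" ]; then
-echo "ERROR: Unable to find $CONFIG_HOME. Set the variable in this script."
-exit 1
-fi
+echo " "
+echo "Finished. CSR generated at $CSR"
+echo "Send this CSR to your Certificate Authority for signing, then import the signed cert that they return. You may need to first import the CA's chain or root cert, depending on your setup. Contact your company's PKI team for guidance."
 }
 
-disclaimer-controller()
+controller-disclaimer()
 {
 echo " "
 echo "This script helps working with SSL certificates, but it's not a total replacement for keytool."
 echo "Think of this as the Basic interface to keystores and keytool is the Advanced one."
 echo "Read the full Controller+SSL docs at "
 echo " "
-echo "https://docs.appdynamics.com/display/latest/Controller+SSL+and+Certificates "
+echo "https://docs.appdynamics.com/display/latest/Controller+SSL+and+Certificates"
 echo " "
 echo "ATTENTION: This is an *unofficial* script; it is not GA. Read the docs above."
 echo " "
 read -p "Press [Enter] to continue..."
 echo " "
 }
 
-main-controller()
+controller-main()
 {
 while true; do
 echo "[1] Generate a certificate signing request"
 echo "[2] Import a root or intermediate certificate"
 echo "[3] Import a signed certificate"
 echo "[4] List the contents of the keystore"
 echo "[x] Exit"
-read -p "Choose an option: " option
+read -p "Choose an option: " option
 
 case "$option" in
 1)
-generate-csr
-exit
+controller-generate-csr
+exit 0
 ;;
 2)
-import-cert-chain
-exit
+keystore-import-cert-chain "$KEYSTORE_PATH" "$KEYSTORE_PASSWORD" "$KEYTOOL"
+exit 0
 ;;
 3)
-import-signed-cert
-exit
+keystore-import-signed-cert "$KEYSTORE_PATH" "$KEYSTORE_PASSWORD" "$KEYTOOL" "$SIGNED_CERT_ALIAS_NAME"
+exit 0
 ;;
 4)
-list
-exit
+keystore-list "$KEYSTORE_PATH" "$KEYSTORE_PASSWORD" "$KEYTOOL"
+exit 0
 ;;
 q|quit|x|exit)
-exit
+exit 0
 ;;
 *)
 echo " "
@@ -228,6 +108,6 @@ main-controller()
 done
 }
 
-disclaimer-controller
-validate-install
-main-controller
+controller-disclaimer
+validate-dirs $CONTROLLER_HOME $CONFIG_HOME $KEYTOOL_HOME
+controller-main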
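Review bot: In the first hunk `source ./ssl-certs-util-common.sh` runs before the `[ ! -f "./ssl-certs-util-common.sh" ]` check that is meant to guard it, so when the file is missing bash has already printed its own `No such file` error (and, with no `set -e` visible in the hunk, carried on) before the friendly message appears; the check needs to come first. The `./` prefix also resolves against the caller's working directory rather than the script's own, so the message "must be in the same directory as this script" only holds when the script is launched from that directory; resolving the path from `${BASH_SOURCE[0]}` makes it true from anywhere. In the last hunk `validate-dirs $CONTROLLER_HOME $CONFIG_HOME $KEYTOOL_HOME` leaves all three expansions unquoted while every other new call site quotes its arguments, so quote these too: `validate-dirs "$CONTROLLER_HOME" "$CONFIG_HOME" "$KEYTOOL_HOME"`. `validate-dirs` itself appears to live in the sourced common script, which is not on this page.
```shell
# … unchanged: header comments and CONTROLLER_HOME …
COMMON_SCRIPT="$(dirname "${BASH_SOURCE[0]}")/ssl-certs-util-common.sh"
if [ ! -f "$COMMON_SCRIPT" ]; then
  echo "ERROR: File not found, ssl-certs-util-common.sh. This file must be in the same directory as this script."
  exit 1
fi
source "$COMMON_SCRIPT"
# … unchanged: DATETIME, CSR and keystore variables …
```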
