When deploying OpenIDM to production or another secured environment, it is of course recommended to use your own keys, certificates and passwords rather than the default ones. The script below does all of that using self-signed certificates. You can then easily adapt it to use your own keys and certificates if, for example, you don't want to use self-signed certificates.

The script below is inspired by the OpenIDM Shell Client and has the same requirements. It makes use of jq, which you can download from here:

You'll also need a settings.json and a boot.properties file such as these:

settings.json:

{
        "BootPropertiesFile": "/..../boot.properties",
        "CertValidity": "365",
        "KeyAlias": "openidm-keyalias",
        "Keystore": "openidm-keystore.jceks",
        "P12File": "/...../openidm.p12",
        "Password": "MyOpenIdmAdminPassword",
        "PEMFile": "/.../openidm.pem",
        "Port": 8080,
        "ServerFQDN": "openidm.testbed.org", 
        "StorePass": "MyOpenIDMStorePass",
        "ConnectorsTrustedACKeystore": "ConnectorsTrustedACStore.jceks",
        "ConnectorsTrustedACStorePass": "MyTrustedACPass",
        "Truststore": "openidm-truststore.jceks",
        "Username": "MyOpenidmAdmin"
}



boot.properties:

openidm.keystore.type=JCEKS
openidm.keystore.provider=
openidm.keystore.location=security/keystore.jceks
openidm.truststore.location=security/truststore

# Keystore password, adjust to match your keystore and protect this file
openidm.keystore.password=changeit
# optionally use the CLI encrypt command to obfuscate the password and set one of the lines below instead
#openidm.keystore.password=OBF: 
#openidm.keystore.password=CRYPT:

# key in keystore to handle config encryption
openidm.config.crypto.alias=openidm-sym-default
#openidm.script.javascript.debug=transport=socket,suspend=y,address=9888,trace=true
#openidm.script.javascript.sources=/Eclipse/workspace/External JavaScript Source/

# policy enforcement enable/disable
openidm.policy.enforcement.enabled=true

Prod.InstallPath=
Dev.InstallPath=/opt/openidm

setkeys.sh:

#!/bin/sh
#OpenIDM Shell Client
#Generate OpenIDM keys

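#######################################
# Print a diagnostic to stderr and exit the script with the given status.
# Arguments: $1 - exit status, remaining arguments - message
#######################################
abort()
{
  _rc=$1
  shift
  printf '%s\n' "$*" >&2
  exit "$_rc"
}

#######################################
# Read one value from settings.json in the current directory.
# jq -r prints the raw string, so no sed quote-stripping is needed.
# Note that settings.json holds the store password in clear text: keep its
# permissions as tight as those of boot.properties.
# Arguments: $1 - jq path, e.g. '.Keystore'
# Outputs:   the value on stdout
# Returns:   1 when jq fails, the key is absent (jq prints "null") or the
#            value is empty
#######################################
read_setting()
{
  _val=$(jq -r "$1" settings.json) || return 1
  if [ -z "$_val" ] || [ "$_val" = "null" ]; then
    return 1
  fi
  printf '%s\n' "$_val"
}

#######################################
# Check tools, environment and settings, then remove stale output files.
# Globals (written): JQ_LOC, KEYTOOL, OPENIDM_ENV, OPENIDM_PROPERTIES,
#   OPENIDM_INSTALL_PATH, OPENIDM_SERVER, OPENIDM_SERVER_CERT_PEM,
#   OPENIDM_SERVER_CERT_P12, OPENIDM_SERVER_CERT_VALIDITY, OPENIDM_KEY_ALIAS,
#   OPENIDM_KEYSTORE, OPENIDM_STOREPASS, OPENIDM_TRUSTSTORE,
#   TRUSTED_AC_KEYSTORE, TRUSTED_AC_STOREPASS
# Globals (read): OPENIDM_OPTS
# Returns: only on success; exits 1-5 as before, 6 for a missing or empty
#   setting/InstallPath, 7 when a stale file cannot be removed
#######################################
PreRequisites()
{
  # Check that jq util is present (command -v is the portable test)
  JQ_LOC="$(command -v jq)" || abort 1 "JSON parser jq not found.  Download from http://stedolan.github.com/jq/download/"

  # Check that keytool is available
  KEYTOOL="$(command -v keytool)" || abort 2 "keytool not found, exiting ..."

  # Check that OPENIDM_OPTS is defined
  [ -n "${OPENIDM_OPTS:-}" ] || abort 3 "OPENIDM_OPTS environment variable not defined, exiting ..."

  # Check that OpenIDM environment is defined: take the first
  # whitespace-delimited token after "environment=" (no awk needed).
  case "$OPENIDM_OPTS" in
    *environment=*)
      OPENIDM_ENV=${OPENIDM_OPTS#*environment=}
      OPENIDM_ENV=${OPENIDM_ENV%%[[:space:]]*}
      ;;
    *)
      OPENIDM_ENV=
      ;;
  esac
  [ -n "$OPENIDM_ENV" ] || abort 4 "OPENIDM_OPTS must contain a \"-Denvironment=value\" statement exiting ..."

  # Check that OpenIDM boot.properties file exists
  OPENIDM_PROPERTIES=$(read_setting '.BootPropertiesFile') || abort 6 "BootPropertiesFile missing from settings.json, exiting ..."
  [ -f "$OPENIDM_PROPERTIES" ] || abort 5 "$OPENIDM_PROPERTIES file not found, exiting ..."

  # <env>.InstallPath=<path>: keep everything after the first '=' so a path
  # containing '=' survives. OPENIDM_ENV is operator-supplied and is used
  # as a grep pattern, so it must not contain regex metacharacters.
  OPENIDM_INSTALL_PATH=$(grep -- "^${OPENIDM_ENV}\.InstallPath=" "$OPENIDM_PROPERTIES" | head -n 1 | cut -d= -f2-)
  # An empty path would later make "chown $OPENIDM_INSTALL_PATH/security/*"
  # act on /security/*, so refuse to continue without it.
  [ -n "$OPENIDM_INSTALL_PATH" ] || abort 6 "${OPENIDM_ENV}.InstallPath is not set in $OPENIDM_PROPERTIES, exiting ..."

  OPENIDM_SERVER=$(read_setting '.ServerFQDN') || abort 6 "ServerFQDN missing from settings.json, exiting ..."
  OPENIDM_SERVER_CERT_PEM=$(read_setting '.PEMFile') || abort 6 "PEMFile missing from settings.json, exiting ..."
  OPENIDM_SERVER_CERT_P12=$(read_setting '.P12File') || abort 6 "P12File missing from settings.json, exiting ..."
  OPENIDM_SERVER_CERT_VALIDITY=$(read_setting '.CertValidity') || abort 6 "CertValidity missing from settings.json, exiting ..."
  OPENIDM_KEY_ALIAS=$(read_setting '.KeyAlias') || abort 6 "KeyAlias missing from settings.json, exiting ..."
  OPENIDM_KEYSTORE=$(read_setting '.Keystore') || abort 6 "Keystore missing from settings.json, exiting ..."
  OPENIDM_STOREPASS=$(read_setting '.StorePass') || abort 6 "StorePass missing from settings.json, exiting ..."
  OPENIDM_TRUSTSTORE=$(read_setting '.Truststore') || abort 6 "Truststore missing from settings.json, exiting ..."
  TRUSTED_AC_KEYSTORE=$(read_setting '.ConnectorsTrustedACKeystore') || abort 6 "ConnectorsTrustedACKeystore missing from settings.json, exiting ..."
  TRUSTED_AC_STOREPASS=$(read_setting '.ConnectorsTrustedACStorePass') || abort 6 "ConnectorsTrustedACStorePass missing from settings.json, exiting ..."

  # Remove existing output files so the keytool steps start from scratch.
  # Every path was validated non-empty above, so rm never sees a bare "".
  for _old in "$OPENIDM_SERVER_CERT_P12" "$OPENIDM_SERVER_CERT_PEM" "$OPENIDM_KEYSTORE" "$OPENIDM_TRUSTSTORE"; do
    if [ -f "$_old" ]; then
      sudo /bin/rm -- "$_old" || abort 7 "could not remove $_old, exiting ..."
    fi
  done
}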


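############### Main program #########################

# Check prerequisites: sets the OPENIDM_* / TRUSTED_AC_* globals used below
# and exits with a diagnostic when anything is missing.
PreRequisites

# Stop at the first failing step so the later export/import steps never
# run against a half-built keystore.
set -e

# NOTE(review): the store/key password is passed on keytool's command line,
# where it is visible in `ps` output and in sudo logging while keytool runs.
# keytool also accepts -storepass:file / -keypass:file; use those with a
# root-readable, mode-600 file if that exposure matters in your environment.

# Create a symmetric key
# NOTE(review): the sample boot.properties sets
# openidm.config.crypto.alias=openidm-sym-default while this key is stored
# under openidm-SymKey -- confirm which alias your deployment expects.
sudo keytool -genseckey -keystore "$OPENIDM_KEYSTORE" -storetype JCEKS -storepass "$OPENIDM_STOREPASS" -keypass "$OPENIDM_STOREPASS" -alias openidm-SymKey -keyalg AES -keysize 128

# Create an asymmetric 2048 bits keypair
sudo keytool -genkeypair -keystore "$OPENIDM_KEYSTORE" -storetype JCEKS -storepass "$OPENIDM_STOREPASS" -keypass "$OPENIDM_STOREPASS" -alias "$OPENIDM_KEY_ALIAS" -keyalg rsa -keysize 2048 -dname "CN=$OPENIDM_SERVER, O=OpenIDM Self-Signed Certificate"

# Generate the self-signed certificate (valid for $OPENIDM_SERVER_CERT_VALIDITY days)
sudo keytool -selfcert -keystore "$OPENIDM_KEYSTORE" -storetype JCEKS -storepass "$OPENIDM_STOREPASS" -keypass "$OPENIDM_STOREPASS" -alias "$OPENIDM_KEY_ALIAS" -validity "$OPENIDM_SERVER_CERT_VALIDITY"

# Display the keystore
keytool -list -keystore "$OPENIDM_KEYSTORE" -storetype JCEKS -storepass "$OPENIDM_STOREPASS"

# Create a new JKS truststore from the default one
# NOTE(review): the destination is written as JKS although the sample
# settings name it openidm-truststore.jceks and the commented -list below
# reads it as JCEKS -- verify the type OpenIDM is configured to load.
sudo keytool -importkeystore -srckeystore "$OPENIDM_INSTALL_PATH/security/truststore" -srcstoretype jceks -destkeystore "$OPENIDM_TRUSTSTORE" -deststoretype jks -deststorepass "$OPENIDM_STOREPASS" -srcstorepass changeit

# List the truststore content
#keytool -list -keystore $OPENIDM_TRUSTSTORE -storetype JCEKS -storepass $OPENIDM_STOREPASS

# Generate a PKCS#12 file from the keystore
sudo keytool -importkeystore -srckeystore "$OPENIDM_KEYSTORE" -srcstoretype jceks -destkeystore "$OPENIDM_SERVER_CERT_P12" -deststoretype pkcs12 -deststorepass "$OPENIDM_STOREPASS" -srcalias "$OPENIDM_KEY_ALIAS" -destalias "$OPENIDM_KEY_ALIAS" -srcstorepass "$OPENIDM_STOREPASS"

# Hand the security directory to the service account. ${var:?} aborts if the
# install path is empty instead of chowning /security/*.
# NOTE(review): the files above are written to the paths from settings.json;
# presumably those point into this directory -- verify against your settings.
sudo chown openidm:openidm "${OPENIDM_INSTALL_PATH:?InstallPath is empty}"/security/*

# Export the certificate from the keystore to PEM format
sudo keytool -exportcert -keystore "$OPENIDM_KEYSTORE" -storetype JCEKS -storepass "$OPENIDM_STOREPASS" -keypass "$OPENIDM_STOREPASS" -alias "$OPENIDM_KEY_ALIAS" -file "$OPENIDM_SERVER_CERT_PEM" -rfc

# Display the certificate
openssl x509 -text -in "$OPENIDM_SERVER_CERT_PEM"

# Import Google and .Net connectors certificates in the connectors truststore
#sudo keytool -importcert -keystore $TRUSTED_AC_KEYSTORE -storetype jks -storepass changeit -file /home5/depot/pki/tptakdcwina01-cert.pem -alias tptakdcwina01 -trustcacerts
#sudo keytool -importcert -keystore $TRUSTED_AC_KEYSTORE -storetype jks -storepass changeit -file /home5/depot/pki/tptlmdcwina01-cert.pem -alias tptlmdcwina01 -trustcacerts
#sudo keytool -importcert -keystore $TRUSTED_AC_KEYSTORE -storetype jks -storepass changeit -file /home5/depot/pki/google-cert.pem -alias google-apis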

The .pem and PKCS#12 (which Microsoft calls .pfx) files are only needed if you deploy the .Net and AD connectors and want HTTPS connections from these components to OpenIDM.