- In `helm-values/ef-cx-custom-values.yaml`, update these variables as below:

```yaml
efConnectionVars:
  ACTIVEMQ_SSL_VERIFY_HOST: "true"
  ACTIVEMQ_SSL_TRUST_ALL: "false"
```
- Configure TLS/SSL.

- Re-generate the TLS/SSL certs.

Requirements: make sure you have `keytool` and `openssl` installed on the machine where you want to generate the certificates.

```bash
### create script to generate certs
vi generate-ssl.sh
```

Please replace `<your_ip_address>` with the IP address where Artemis is running.
```bash
#!/bin/bash
set -e

# Keystore/truststore password and certificate parameters.
# "password" is the default used on this page; the same value is baked into
# broker.ks and broker.ts, so change it before the files leave this machine.
PASSWORD=password
DAYS=36500      # ~100 years
KEYSIZE=2048

# 1) Create a root CA
# -------------------
echo ">> Generating root CA (ca.key + ca.crt)..."
openssl req -new -x509 -days $DAYS -nodes \
  -keyout ca.key -out ca.crt \
  -subj "/CN=MyCA" \
  -sha256

# 2) Broker: Keystore + Truststore with serverAuth EKU
# -----------------------------------------------------
# a) Create OpenSSL config for SAN and serverAuth
#    The SAN IP is what clients check when ACTIVEMQ_SSL_VERIFY_HOST is "true".
cat > broker-openssl.cnf <<EOF
[ v3_req ]
subjectAltName = IP:<your_ip_address>
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF

echo ">> Generating broker keystore (broker.ks)..."
keytool -genkeypair \
  -alias broker -keyalg RSA -keysize $KEYSIZE \
  -dname "CN=broker" \
  -keypass $PASSWORD -storepass $PASSWORD \
  -keystore broker.ks -validity $DAYS

echo ">> Generating broker CSR (broker.csr)..."
keytool -certreq \
  -alias broker -keystore broker.ks \
  -file broker.csr -storepass $PASSWORD

echo ">> Signing broker CSR with SAN & EKU (broker.crt)..."
openssl x509 -req -in broker.csr \
  -CA ca.crt -CAkey ca.key -CAcreateserial \
  -out broker.crt -days $DAYS -sha256 \
  -extfile broker-openssl.cnf -extensions v3_req

# The CA must be in the keystore before the signed broker cert, so keytool
# can build the chain when it replaces the self-signed cert under alias "broker".
echo ">> Importing CA into broker keystore..."
keytool -import -trustcacerts -alias ca \
  -file ca.crt -keystore broker.ks -storepass $PASSWORD -noprompt

echo ">> Importing broker cert into broker keystore..."
keytool -import -alias broker \
  -file broker.crt -keystore broker.ks -storepass $PASSWORD -noprompt

echo ">> Generating broker truststore (broker.ts)..."
keytool -import -trustcacerts -alias ca \
  -file ca.crt -keystore broker.ts -storepass $PASSWORD -noprompt

# 3) Client: PEM cert + key with clientAuth EKU
# ----------------------------------------------
# a) Create OpenSSL config for clientAuth
cat > client-openssl.cnf <<EOF
[ v3_req ]
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
subjectAltName = DNS:client
EOF

echo ">> Generating client private key (client.key)..."
openssl genrsa -out client.key $KEYSIZE

echo ">> Generating client CSR (client.csr)..."
openssl req -new -key client.key \
  -out client.csr -subj "/CN=client" \
  -sha256

echo ">> Signing client CSR with EKU clientAuth (client.crt)..."
openssl x509 -req -in client.csr \
  -CA ca.crt -CAkey ca.key -CAcreateserial \
  -out client.crt -days $DAYS -sha256 \
  -extfile client-openssl.cnf -extensions v3_req

# b) Combine key + cert + CA into single client.pem
#    client.pem (like client.key) contains the private key; keep it owner-readable only.
echo ">> Combining client.key + client.crt + CA into client.pem..."
cat client.key client.crt ca.crt > client.pem

# 4) Cleanup intermediate files
# ------------------------------
echo ">> Cleaning up temporary files..."
rm -f broker.csr client.csr broker-openssl.cnf client-openssl.cnf *.srl

# 5) Summary
# ----------
# printf is used here because plain echo prints "\n" literally.
printf '\n>> Done. Artifacts generated:\n'
echo "  - broker.ks  (JKS keystore with broker key & cert)"
echo "  - broker.ts  (JKS truststore with CA cert)"
echo "  - client.key (PEM private key for client)"
echo "  - client.crt (PEM client certificate)"
echo "  - client.pem (PEM full chain: key+cert+CA)"
echo "  - ca.crt     (PEM CA certificate)"
```
- Run these commands:

```bash
chmod +x generate-ssl.sh
./generate-ssl.sh
```

After that you will have files named `broker.ks`, `broker.ts`, `client.key`, `client.crt`, `client.pem` and `ca.crt`.
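Before copying the artifacts anywhere, it is worth confirming that the generated certificates actually carry the properties the script intends: the broker certificate chains to `ca.crt` for the `serverAuth` purpose and lists the Artemis IP in its SAN (with `ACTIVEMQ_SSL_VERIFY_HOST: "true"` a wrong SAN makes every client reject the broker), the client certificate chains for `clientAuth`, and `client.key` is the key for `client.crt`. The check script below is an added example, not part of the original page or the Expertflow/Artemis project; it assumes the file names produced by `generate-ssl.sh` above (including `broker.crt`, which the cleanup step leaves in place) and needs only `openssl`.

```shell
#!/bin/sh
# verify-ssl.sh (added example): sanity-check the artifacts produced by generate-ssl.sh.
# Usage: ./verify-ssl.sh <dir-with-certs> <artemis_ip>

# Chain check with an explicit purpose. openssl rejects a certificate whose
# EKU/keyUsage does not permit that purpose, so a missing serverAuth or
# clientAuth EKU is caught here, not at the first TLS handshake.
check_chain() {  # $1 = cert, $2 = CA cert, $3 = sslserver | sslclient
  openssl verify -CAfile "$2" -purpose "$3" "$1" >/dev/null 2>&1
}

# The broker SAN must contain exactly the IP that clients connect to.
# The trailing (,|$| ) stops 10.0.0.5 from matching 10.0.0.50.
check_san_ip() {  # $1 = cert, $2 = expected IP
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    | grep -q -E "IP Address:$2(,|\$| )"
}

# EKU as printed by openssl, e.g. "TLS Web Client Authentication".
check_eku() {  # $1 = cert, $2 = expected EKU text
  openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q "$2"
}

# The private key and the certificate must carry the same public key.
check_key_matches() {  # $1 = cert, $2 = private key (PEM)
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Run one labelled check; records a failure in the global rc.
run() {  # $1 = label, rest = command and arguments
  label=$1; shift
  if "$@"; then echo "PASS  $label"; else echo "FAIL  $label"; rc=1; fi
}

# Run every check for the artifacts in $1 against Artemis IP $2.
# Returns 0 only if all checks pass.
verify_all() {
  dir=$1; ip=$2; rc=0
  run "broker.crt chains to ca.crt for serverAuth" check_chain "$dir/broker.crt" "$dir/ca.crt" sslserver
  run "broker.crt SAN contains IP $ip"              check_san_ip "$dir/broker.crt" "$ip"
  run "broker.crt EKU is serverAuth"                check_eku "$dir/broker.crt" "TLS Web Server Authentication"
  run "client.crt chains to ca.crt for clientAuth" check_chain "$dir/client.crt" "$dir/ca.crt" sslclient
  run "client.crt EKU is clientAuth"                check_eku "$dir/client.crt" "TLS Web Client Authentication"
  run "client.key matches client.crt"               check_key_matches "$dir/client.crt" "$dir/client.key"
  return $rc
}

# Run only when invoked with both arguments, so the functions can also be sourced.
if [ "$#" -eq 2 ]; then
  verify_all "$1" "$2"
fi
```

Run it as `./verify-ssl.sh . <your_ip_address>` from the directory where `generate-ssl.sh` was executed; a non-zero exit means at least one line printed `FAIL`, and that artifact should be regenerated before it is copied to the broker or into the Kubernetes secret. The broker keystore itself can be inspected with `keytool -list -v -keystore broker.ks`, which should show the `broker` entry with a two-certificate chain.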
- Copy `broker.ks` and `broker.ts` to the Artemis config directory:

```bash
sudo cp broker.ks broker.ts /var/lib/artemis-instance/etc/
```
- Restart the Artemis service:

```bash
sudo systemctl restart artemis
```
- Apply the Kubernetes secret containing the certificates.

Convert the certificate files `broker.ks`, `broker.ts`, `client.key`, `client.crt` and `ca.crt` into base64 strings:

```bash
cat <filename> | base64 -w0; echo
```
- In the active directory, update the certificate entries in `/pre-deployment/static-tls/activemq-tls.yaml` with the base64 strings (from step 7), i.e. `broker.ks`, `broker.ts`, `client.key`, `client.crt` and `ca.crt`, in the secret as shown below.

```bash
vi ./activemq-tls.yaml
```

```yaml
apiVersion: v1
data:
  broker.ts: <broker.ts_base64_string>
  broker.ks: <broker.ks_base64_string>
  ca.crt: <ca.crt_base64_string>
  tls.crt: <client.crt_base64_string>
  tls.key: <client.key_base64_string>
kind: Secret
metadata:
  name: activemq-tls
  namespace: expertflow
type: kubernetes.io/tls
```
- Run these commands to create the secret:

```bash
### Delete AMQ TLS Secret
kubectl delete secret activemq-tls -n ef-external
### Create Secret
kubectl apply -f pre-deployment/static-tls/activemq-tls.yaml
```
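Hand-pasting five base64 strings into the manifest is where this procedure most often goes wrong: a wrapped base64 line, an empty value, or `client.crt` landing under `ca.crt` all produce a Secret that applies cleanly but fails at the first TLS handshake. The script below is an added example, not part of the original page or the Expertflow project; it generates the same `activemq-tls` manifest as the steps above from the files produced by `generate-ssl.sh`, using the page's key mapping (`client.crt` under `tls.crt`, `client.key` under `tls.key`, which the `kubernetes.io/tls` type requires), and refuses to encode a missing or empty file. The namespace is a parameter because the page's manifest sets `namespace: expertflow` while the `kubectl delete` command targets `ef-external`; whichever is correct for your deployment, both must agree.

```shell
#!/bin/sh
# make-activemq-tls-secret.sh (added example): build the activemq-tls Secret manifest
# from the files produced by generate-ssl.sh instead of pasting base64 strings by hand.
# Usage: ./make-activemq-tls-secret.sh <cert-dir> <namespace> > activemq-tls.yaml

# Single-line base64 that works with both GNU (-w0) and BSD/macOS base64.
b64() {
  base64 < "$1" | tr -d '\n'
}

# Refuse a missing or empty input: an empty data field still applies, but the
# broker or client then fails TLS at runtime with a much less obvious error.
require_file() {
  [ -s "$1" ] || { echo "error: $1 is missing or empty" >&2; return 1; }
}

# Print the manifest for the files in $1 into namespace $2.
# Data keys follow the page's activemq-tls.yaml; kubernetes.io/tls Secrets must
# contain tls.crt and tls.key, which here hold the client certificate and key.
make_secret_manifest() {  # $1 = dir with cert files, $2 = namespace
  dir=$1; ns=$2
  for f in broker.ts broker.ks ca.crt client.crt client.key; do
    require_file "$dir/$f" || return 1
  done
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: activemq-tls
  namespace: $ns
type: kubernetes.io/tls
data:
  broker.ts: $(b64 "$dir/broker.ts")
  broker.ks: $(b64 "$dir/broker.ks")
  ca.crt: $(b64 "$dir/ca.crt")
  tls.crt: $(b64 "$dir/client.crt")
  tls.key: $(b64 "$dir/client.key")
EOF
}

# Decode one data field back out of a generated manifest, to confirm the
# round trip before applying it (e.g. pipe tls.crt into "openssl x509 -noout -subject").
manifest_field() {  # $1 = manifest file, $2 = data key such as tls.crt
  sed -n "s/^  $2: //p" "$1" | base64 -d
}

if [ "$#" -eq 2 ]; then
  make_secret_manifest "$1" "$2"
fi
```

Run it from the directory where `generate-ssl.sh` was executed, e.g. `./make-activemq-tls-secret.sh . ef-external > pre-deployment/static-tls/activemq-tls.yaml`, then apply the file as in the step above. The kubectl-native equivalent, which avoids base64 entirely, is `kubectl create secret generic activemq-tls --type=kubernetes.io/tls --from-file=tls.crt=client.crt --from-file=tls.key=client.key --from-file=ca.crt --from-file=broker.ks --from-file=broker.ts -n <namespace> --dry-run=client -o yaml`; either way, `broker.ks` carries the broker's private key protected only by the keystore password from the script, so the resulting Secret deserves the same access controls as the key itself.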