Update PQC demo scripts to take --keystore argument and update cert/key paths

ShreyTandel · ShreyTandel · commit d0e8790795f2 · 2025-10-16T11:30:32.000-07:00
diff --git a/examples/pqc-demo/README.md b/examples/pqc-demo/README.md
@@ -86,20 +86,20 @@ This tutorial showcases the integration of Post-Quantum Cryptography (PQC) in Io
 2. Generate root CA keypair and certificate:
 
     ```
-    trustedge certificate -a QS -g MLDSA_44 -o CA.key -x CA.crt -i ca_csr.cnf -da 3651
+    trustedge certificate -a QS -g MLDSA_44 -o CA.pem -x CA.pem -i ca_csr.cnf -da 3651
     ```
 
 3. Generate Mosquitto MQTT broker server keypair and certificate, signed by the root CA:
 
     ```
-    trustedge certificate -a QS -g MLDSA_44 -o server.key -x server.crt -i server_csr.cnf -da 3651 -sk CA.key -sc CA.crt
+    trustedge certificate -a QS -g MLDSA_44 -o server.pem -x server.pem -i server_csr.cnf -da 3651 -sk CA.pem -sc CA.pem
     ```
 
 4. Verify the Mosquitto MQTT broker server certificate and the root CA certificate:
 
     ```
-    trustedge certificate -pc /etc/digicert/keystore/certs/server.crt
-    trustedge certificate -pc /etc/digicert/keystore/certs/CA.crt
+    trustedge certificate -pc /etc/digicert/keystore/certs/server.pem
+    trustedge certificate -pc /etc/digicert/keystore/certs/CA.pem
     ```
 
 ### Option 2: EST server key generation and certificate issuance
@@ -116,13 +116,14 @@ This tutorial showcases the integration of Post-Quantum Cryptography (PQC) in Io
 2. Generate server key and certificate signed by the root CA:
 
     ```
-    ./est_server_keygen_mldsa --estc-server-dn <server-name> --estc-server-url <url> --estc-user <user> --estc-password <password>
+    ./est_server_keygen_mldsa.sh --estc-server-dn <server-name> --estc-server-url <url> --estc-user <user> --estc-password <password>
     ```
 
 3. Verify server certificate:
 
     ```
-    trustedge certificate -pc /etc/digicert/keystore/certs/mldsa_server_keygen.pem
+    trustedge certificate -pc /etc/digicert/keystore/certs/server.pem
+    trustedge certificate -pc /etc/digicert/keystore/certs/CA.pem
     ```
 
 ## Step 4: Configure and start the MQTT broker
@@ -141,11 +142,8 @@ This tutorial showcases the integration of Post-Quantum Cryptography (PQC) in Io
 
 3. Launch the MQTT broker with TLS 1.3 and ML-DSA credentials:
 
-    > [!NOTE]
-    > If the key and certificate was issued using the EST backend, use mldsa_server_keygen.pem for the key and certificate
-
    ```
-   ./start_broker.sh --cert /etc/digicert/keystore/certs/server.crt --key /etc/digicert/keystore/keys/server.key
+   ./start_broker.sh --keystore /etc/digicert/keystore
    ```
 
     To start the MQTT broker using a locally built Mosquitto (build instructions provided in Appendix), use the following steps:
@@ -165,9 +163,9 @@ This tutorial showcases the integration of Post-Quantum Cryptography (PQC) in Io
     listener 8883 0.0.0.0
     allow_anonymous true
     protocol mqtt
-    cafile /etc/digicert/keystore/certs/server.crt
-    certfile /etc/digicert/keystore/certs/server.crt
-    keyfile /etc/digicert/keystore/keys/server.key
+    cafile /etc/digicert/keystore/certs/server.pem
+    certfile /etc/digicert/keystore/certs/server.pem
+    keyfile /etc/digicert/keystore/keys/server.pem
     ```
 
     Start the broker
@@ -192,12 +190,8 @@ This tutorial showcases the integration of Post-Quantum Cryptography (PQC) in Io
 
 2. Subscribe to topic ```pqc/secure/channel```:
 
-    > [!NOTE]
-    > If the key and certificate was issued using the EST backend, use
-    the EST CA certificate stored in /etc/digicert/keystore/ca - {digest}.pem
-
     ```
-    ./consumer.sh --broker mqtt-pqc-broker --port 8883 --ca-cert /etc/digicert/keystore/certs/CA.crt
+    ./consumer.sh --broker mqtt-pqc-broker --port 8883 --keystore /etc/digicert/keystore
     ```
 
 3. You should see a “Connected” message followed by readiness to receive.
@@ -212,12 +206,8 @@ This tutorial showcases the integration of Post-Quantum Cryptography (PQC) in Io
 
 2. Publish a test message to ```pqc/secure/channel```:
 
-    > [!NOTE]
-    > If the key and certificate was issued using the EST backend, use
-    the EST CA certificate stored in /etc/digicert/keystore/ca - {digest}.pem
-
     ```
-    ./publisher.sh --broker mqtt-pqc-broker --port 8883 --ca-cert /etc/digicert/keystore/certs/CA.crt
+    ./publisher.sh --broker mqtt-pqc-broker --port 8883 --keystore /etc/digicert/keystore
     ```
 
 ## Step 7: Capture and decrypt handshake in Wireshark
diff --git a/examples/pqc-demo/certGeneration.sh b/examples/pqc-demo/certGeneration.sh
@@ -3,12 +3,12 @@ rm -rf /etc/digicert/keystore/keys/*.*
 rm -rf /etc/digicert/keystore/certs/*.*
 
 
-trustedge certificate -a QS -g MLDSA_44 -o CA.key -x CA.crt -i ca_csr.cnf -da 3651 
-trustedge certificate -a QS -g MLDSA_44 -o server.key -x server.crt -i server_csr.cnf -da 3651 -sk CA.key -sc CA.crt
+trustedge certificate -a QS -g MLDSA_44 -o CA.pem -x CA.pem -i ca_csr.cnf -da 3651 
+trustedge certificate -a QS -g MLDSA_44 -o server.pem -x server.pem -i server_csr.cnf -da 3651 -sk CA.pem -sc CA.pem
 
 echo "All TrustEdge Key and Certificates Generated Successfully."
 
 
-trustedge certificate -pc /etc/digicert/keystore/certs/server.crt
+trustedge certificate -pc /etc/digicert/keystore/certs/server.pem
 
-trustedge certificate -pc /etc/digicert/keystore/certs/CA.crt
+trustedge certificate -pc /etc/digicert/keystore/certs/CA.pem
diff --git a/examples/pqc-demo/client_keys.txt b/examples/pqc-demo/client_keys.txt
diff --git a/examples/pqc-demo/consumer.sh b/examples/pqc-demo/consumer.sh
@@ -5,6 +5,8 @@ set -e
 # Set script directory
 SCRIPT_DIR=$( cd $(dirname $0) ; pwd -P )
 
+DEFAULT_CA_FILE="certs/CA.pem"
+
 # Show usage
 function show_usage
 {
@@ -13,7 +15,7 @@ function show_usage
     echo "  --help                 - Show help options"
     echo "  --broker <hostname>    - Broker to connect to"
     echo "  --port <port>          - Broker port"
-    echo "  --ca-cert <path>       - Path to trusted certificate"
+    echo "  --keystore <path>      - Path to keystore (picks up $DEFAULT_CA_FILE by default)"
     echo ""
     if [ -n "$1" ]; then
         echo "$1"
@@ -26,7 +28,7 @@ function show_usage
 
 BROKER=
 BROKER_PORT=
-CA_CERT_FILE=
+KEYSTORE_PATH=
 
 # Parse command line arguments
 while test $# -gt 0
@@ -49,11 +51,11 @@ do
             BROKER_PORT=$2
             shift
             ;;
-        --ca-cert)
+        --keystore)
             if [ -z "$2" ]; then
-                show_usage "Missing --ca-cert argument"
+                show_usage "Missing --keystore argument"
             fi
-            CA_CERT_FILE=$2
+            KEYSTORE_PATH=$2
             shift
             ;;
         *)
@@ -71,14 +73,16 @@ if [ -z "$BROKER_PORT" ]; then
     show_usage "Missing --port argument"
 fi
 
-if [ -z "$CA_CERT_FILE" ]; then
-    show_usage "Missing --ca-cert argument"
+if [ -z "$KEYSTORE_PATH" ]; then
+    show_usage "Missing --keystore argument"
 fi
 
+export ENABLE_SSL_KEYLOG=1
+
 trustedge mqtt \
     --mqtt_servername $BROKER \
     --mqtt_port $BROKER_PORT \
     --mqtt_client_id trustedge_sub_client \
     --mqtt_sub_topic pqc/secure/channel \
-    --ssl_ca_file $CA_CERT_FILE \
+    --ssl_ca_file $KEYSTORE_PATH/$DEFAULT_CA_FILE \
     --mqtt_transport SSL
diff --git a/examples/pqc-demo/est_server_keygen_mldsa.sh b/examples/pqc-demo/est_server_keygen_mldsa.sh
@@ -79,8 +79,8 @@ if [ -n "$ESTC_PASSWORD" ]; then
 fi
 
 # Clean up any existing keys/certs
-rm -f /etc/digicert/keystore/keys/mldsa_server_keygen.*
-rm -f /etc/digicert/keystore/certs/mldsa_server_keygen.*
+rm -f /etc/digicert/keystore/keys/server.*
+rm -f /etc/digicert/keystore/certs/server.*
 
 wget -P /etc/digicert/keystore/ca http://cacerts.digicert.com/DigiCertGlobalRootG2.crt > /dev/null 2>&1
 wget -P /etc/digicert/keystore/ca http://cacerts.digicert.com/DigiCertGlobalRootCA.crt > /dev/null 2>&1
@@ -97,7 +97,18 @@ trustedge certificate est \
     --estc-authentication-mode BASIC \
     --algorithm QS \
     --pq-alg MLDSA_44 \
-    --key-alias mldsa_server_keygen \
+    --key-alias server \
     --csr-conf server_csr.cnf \
     --log-level INFO \
     $ESTC_CRED_ARG
+
+# Loop through CA directory and find parent CA cert
+for file in /etc/digicert/keystore/ca/*; do
+    if ./openssl.sh verify -partial_chain -CAfile "$file" /etc/digicert/keystore/certs/server.pem > /dev/null 2>&1; then
+        cp "$file" /etc/digicert/keystore/certs/CA.pem
+        echo "Parent CA cert: /etc/digicert/keystore/certs/CA.pem"
+        break
+    fi
+done
+
+echo "Generated server certificate: /etc/digicert/keystore/certs/server.pem"
diff --git a/examples/pqc-demo/mosquitto/mosq.conf b/examples/pqc-demo/mosquitto/mosq.conf
@@ -6,6 +6,6 @@ allow_anonymous true
 listener 8883 0.0.0.0
 allow_anonymous true
 protocol mqtt
-cafile /etc/digicert/keystore/certs/server.crt
-certfile /etc/digicert/keystore/certs/server.crt
-keyfile /etc/digicert/keystore/keys/server.key
+cafile /etc/digicert/keystore/certs/server.pem
+certfile /etc/digicert/keystore/certs/server.pem
+keyfile /etc/digicert/keystore/keys/server.pem
diff --git a/examples/pqc-demo/publisher.sh b/examples/pqc-demo/publisher.sh
@@ -5,6 +5,8 @@ set -e
 # Set script directory
 SCRIPT_DIR=$( cd $(dirname $0) ; pwd -P )
 
+DEFAULT_CA_FILE="certs/CA.pem"
+
 # Show usage
 function show_usage
 {
@@ -13,7 +15,7 @@ function show_usage
     echo "  --help                 - Show help options"
     echo "  --broker <hostname>    - Broker to connect to"
     echo "  --port <port>          - Broker port"
-    echo "  --ca-cert <path>       - Path to trusted certificate"
+    echo "  --keystore <path>      - Path to keystore (picks up $DEFAULT_CA_FILE by default)"
     echo ""
     if [ -n "$1" ]; then
         echo "$1"
@@ -26,7 +28,7 @@ function show_usage
 
 BROKER=
 BROKER_PORT=
-CA_CERT_FILE=
+KEYSTORE_PATH=
 
 # Parse command line arguments
 while test $# -gt 0
@@ -49,11 +51,11 @@ do
             BROKER_PORT=$2
             shift
             ;;
-        --ca-cert)
+        --keystore)
             if [ -z "$2" ]; then
-                show_usage "Missing --ca-cert argument"
+                show_usage "Missing --keystore argument"
             fi
-            CA_CERT_FILE=$2
+            KEYSTORE_PATH=$2
             shift
             ;;
         *)
@@ -71,18 +73,20 @@ if [ -z "$BROKER_PORT" ]; then
     show_usage "Missing --port argument"
 fi
 
-if [ -z "$CA_CERT_FILE" ]; then
-    show_usage "Missing --ca-cert argument"
+if [ -z "$KEYSTORE_PATH" ]; then
+    show_usage "Missing --keystore argument"
 fi
 
+export ENABLE_SSL_KEYLOG=1
+
 trustedge mqtt \
     --mqtt_servername $BROKER \
     --mqtt_port $BROKER_PORT \
     --mqtt_client_id trustedge_pub_client \
     --mqtt_pub_topic pqc/secure/channel \
     --mqtt_pub_message "Signature Algorithm > MLDSA" \
     --mqtt_pub_message "Key Exchange > X25519MLKEM768" \
-    --ssl_ca_file $CA_CERT_FILE \
+    --ssl_ca_file $KEYSTORE_PATH/$DEFAULT_CA_FILE \
     --mqtt_transport SSL
 
 sleep 2
@@ -93,5 +97,5 @@ trustedge mqtt \
     --mqtt_client_id trustedge_pub_client \
     --mqtt_pub_topic pqc/secure/channel \
     --mqtt_pub_message "Hello from DigiCert TrustEdge PQC over TLS1.3!!" \
-    --ssl_ca_file $CA_CERT_FILE \
+    --ssl_ca_file $KEYSTORE_PATH/$DEFAULT_CA_FILE \
     --mqtt_transport SSL
diff --git a/examples/pqc-demo/start_broker.sh b/examples/pqc-demo/start_broker.sh
@@ -5,14 +5,16 @@ set -e
 # Set script directory
 SCRIPT_DIR=$( cd $(dirname $0) ; pwd -P )
 
+DEFAULT_KEY_FILE="keys/server.pem"
+DEFAULT_CERT_FILE="certs/server.pem"
+
 # Show usage
 function show_usage
 {
     echo "Usage: $0 [options]"
     echo "Options:"
     echo "  --help                 - Show help options"
-    echo "  --cert <path>          - Path to server certificate"
-    echo "  --key <path>           - Path to server key"
+    echo "  --keystore <path>      - Path to keystore (picks up $DEFAULT_CERT_FILE and $DEFAULT_KEY_FILE by default)"
     echo ""
     if [ -n "$1" ]; then
         echo "$1"
@@ -23,8 +25,7 @@ function show_usage
     fi
 }
 
-CERT_PATH=
-KEY_PATH=
+KEYSTORE_PATH=
 
 # Parse command line arguments
 while test $# -gt 0
@@ -33,18 +34,11 @@ do
         --help)
             show_usage
             ;;
-        --cert)
-            if [ -z "$2" ]; then
-                show_usage "Missing --cert argument"
-            fi
-            CERT_PATH=$2
-            shift
-            ;;
-        --key)
+        --keystore)
             if [ -z "$2" ]; then
-                show_usage "Missing --key argument"
+                show_usage "Missing --keystore argument"
             fi
-            KEY_PATH=$2
+            KEYSTORE_PATH=$2
             shift
             ;;
         *)
@@ -54,12 +48,8 @@ do
     shift
 done
 
-if [ -z "$CERT_PATH" ]; then
-    show_usage "Missing --cert argument"
-fi
-
-if [ -z "$KEY_PATH" ]; then
-    show_usage "Missing --key argument"
+if [ -z "$KEYSTORE_PATH" ]; then
+    show_usage "Missing --keystore argument"
 fi
 
 if [[ "$(uname -m)" == "x86_64" ]]; then
@@ -71,6 +61,9 @@ else
     exit -1
 fi
 
+CERT_PATH=$KEYSTORE_PATH/$DEFAULT_CERT_FILE
+KEY_PATH=$KEYSTORE_PATH/$DEFAULT_KEY_FILE
+
 export OPENSSL_CONF=$SCRIPT_DIR/mosquitto/openssl.cnf
 export OPENSSL_MODULES=$SCRIPT_DIR/mosquitto/$PLATFORM_DIR
 export LD_LIBRARY_PATH=$SCRIPT_DIR/mosquitto/$PLATFORM_DIR:$LD_LIBRARY_PATH
