authorEndi S. Dewata <edewata@redhat.com>2017-10-20 21:16:52 +0200
committerEndi S. Dewata <edewata@redhat.com>2017-10-20 21:18:08 +0200
commit1adf9a0cac7ff5ddebe30db4c380133ff3718b8a (patch)
treebc82a43cea675b4c76291ba72a903625d0e8f0a3
parent4a2fdc8bd0acb29c650a103f90fb6a2ba0235659 (diff)
Updated CA scripts.
-rwxr-xr-xscripts/ca-admin-init.sh15
-rwxr-xr-xscripts/ca-clone-admin-init.sh13
-rwxr-xr-xscripts/ca-clone-prep.sh6
-rwxr-xr-xscripts/ca-create.sh8
-rwxr-xr-xscripts/ca-existing-certs-create.sh (renamed from scripts/ca-all-existing-create.sh)22
-rwxr-xr-xscripts/ca-existing-export-certs.sh37
-rwxr-xr-xscripts/ca-existing-export-pkcs12.sh (renamed from scripts/ca-all-existing-export.sh)0
-rwxr-xr-xscripts/ca-existing-pkcs12-create.sh (renamed from scripts/ca-existing-create.sh)16
-rwxr-xr-xscripts/ca-external-step1.sh21
-rwxr-xr-xscripts/ca-external-step2.sh27
-rwxr-xr-xscripts/ca-step1.sh37
-rwxr-xr-xscripts/ca-step2.sh42
-rwxr-xr-xscripts/ca-sub-create.sh42
-rwxr-xr-xscripts/ca_signing-cmc-sign.sh3
-rwxr-xr-xscripts/ca_signing-export.sh3
15 files changed, 235 insertions, 57 deletions
diff --git a/scripts/ca-admin-init.sh b/scripts/ca-admin-init.sh
new file mode 100755
index 0000000..814c14b
--- /dev/null
+++ b/scripts/ca-admin-init.sh
@@ -0,0 +1,15 @@
+#!/bin/sh
+
+pki -c Secret.123 client-init --force
+
+pki -c Secret.123 client-cert-import "Root CA Signing Certificate" --ca-cert tmp/external.crt
+
+pki -c Secret.123 client-cert-import "CA Signing Certificate" --ca-server
+
+pki -c Secret.123 client-cert-import \
+ --pkcs12 ~/.dogtag/pki-tomcat/ca_admin_cert.p12 \
+ --pkcs12-password Secret.123
+
+#pki -c Secret.123 pkcs12-import \
+# --pkcs12-file ~/.dogtag/pki-tomcat/ca_admin_cert.p12 \
+# --pkcs12-password Secret.123
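Review bot: Every `pki` call in this new script passes the NSS database password as `-c Secret.123` and the PKCS #12 password as `--pkcs12-password Secret.123`, so both are visible in the process list and in any `sh -x` trace while the command runs. The `pki` CLI also accepts a password file (`-C <file>`), and the `--pkcs12-password-file password.txt` form already used in ca-clone-prep.sh may be available on `client-cert-import` as well; that should be confirmed against the installed version. The script also has no error handling, so a failed `client-init --force` is followed by imports into whatever database is left; adding `set -e` after the shebang would stop at the first failure. The same applies to scripts/ca-clone-admin-init.sh.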
diff --git a/scripts/ca-clone-admin-init.sh b/scripts/ca-clone-admin-init.sh
new file mode 100755
index 0000000..eefe7cc
--- /dev/null
+++ b/scripts/ca-clone-admin-init.sh
@@ -0,0 +1,13 @@
+#!/bin/sh
+
+pki -c Secret.123 client-init --force
+
+pki -c Secret.123 client-cert-import "CA Signing Certificate" --ca-server
+
+pki -c Secret.123 client-cert-import \
+ --pkcs12 tmp/ca_admin_cert.p12 \
+ --pkcs12-password Secret.123
+
+#pki -c Secret.123 pkcs12-import \
+# --pkcs12-file tmp/ca_admin_cert.p12 \
+# --pkcs12-password Secret.123
diff --git a/scripts/ca-clone-prep.sh b/scripts/ca-clone-prep.sh
index 378b70e..7808d33 100755
--- a/scripts/ca-clone-prep.sh
+++ b/scripts/ca-clone-prep.sh
@@ -6,11 +6,11 @@ echo $HOSTNAME > tmp/master.txt
grep "internal=" /var/lib/pki/pki-tomcat/conf/password.conf | awk -F= '{print $2}' > tmp/internal.txt
-PKCS12Export -debug -d /var/lib/pki/pki-tomcat/alias -p tmp/internal.txt -w password.txt -o tmp/ca_backup_keys.p12
-pki pkcs12-cert-find --pkcs12-file tmp/ca_backup_keys.p12 --pkcs12-password-file password.txt
+#PKCS12Export -debug -d /var/lib/pki/pki-tomcat/alias -p tmp/internal.txt -w password.txt -o tmp/ca_backup_keys.p12
+#pki pkcs12-cert-find --pkcs12-file tmp/ca_backup_keys.p12 --pkcs12-password-file password.txt
pki-server ca-clone-prepare --pkcs12-file tmp/ca-certs.p12 --pkcs12-password-file password.txt
pki pkcs12-cert-find --pkcs12-file tmp/ca-certs.p12 --pkcs12-password-file password.txt
#cp ~/.dogtag/pki-tomcat/ca_admin.cert tmp
-#cp ~/.dogtag/pki-tomcat/ca_admin_cert.p12 tmp
+cp ~/.dogtag/pki-tomcat/ca_admin_cert.p12 tmp
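Review bot: The newly enabled `cp ~/.dogtag/pki-tomcat/ca_admin_cert.p12 tmp` puts the CA administrator's key store into the working directory with whatever mode the current umask gives it, next to `tmp/internal.txt`, which holds the internal token password. Setting `umask 077` near the top of the script, or using `install -m 600 ~/.dogtag/pki-tomcat/ca_admin_cert.p12 tmp/`, would keep both files readable by the invoking user only. The top of the script is outside this hunk, so an existing umask setting there cannot be ruled out.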
diff --git a/scripts/ca-create.sh b/scripts/ca-create.sh
index 009d330..1095700 100755
--- a/scripts/ca-create.sh
+++ b/scripts/ca-create.sh
@@ -13,9 +13,6 @@ pki_admin_nickname=caadmin
pki_admin_password=Secret.123
pki_admin_uid=caadmin
-#pki_backup_keys=True
-#pki_backup_password=Secret.123
-
pki_client_database_password=Secret.123
pki_client_database_purge=False
pki_client_pkcs12_password=Secret.123
@@ -26,9 +23,6 @@ pki_ds_database=ca
pki_security_domain_name=EXAMPLE
-#pki_server_pkcs12_path=pki-server.p12
-#pki_server_pkcs12_password=Secret.123
-
pki_ca_signing_nickname=ca_signing
pki_ocsp_signing_nickname=ca_ocsp_signing
pki_audit_signing_nickname=ca_audit_signing
@@ -41,4 +35,4 @@ pkispawn -f tmp/ca.cfg -s CA
#/bin/cp /root/.dogtag/pki-tomcat/ca_admin.cert .
#/bin/cp /root/.dogtag/pki-tomcat/ca_admin_cert.p12 .
#/bin/cp /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf ca_admin_cert.txt
-#echo $HOSTNAME > tmp/master.txt
+echo $HOSTNAME > tmp/ca.hostname
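Review bot: `echo $HOSTNAME > tmp/ca.hostname` depends on a variable that bash sets but POSIX sh does not guarantee, so under a `/bin/sh` that is not bash the file can end up containing only a newline, and the unquoted expansion is word-split as well. `hostname > tmp/ca.hostname` avoids both problems. The shebang of this script is outside the hunk, but ca-step2.sh (`#!/bin/sh -x`) and ca-external-step2.sh add the same line in this commit.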
diff --git a/scripts/ca-all-existing-create.sh b/scripts/ca-existing-certs-create.sh
index 98c05d8..646e4dc 100755
--- a/scripts/ca-all-existing-create.sh
+++ b/scripts/ca-existing-certs-create.sh
@@ -2,7 +2,7 @@
mkdir -p tmp
-cat > tmp/ca-all-existing.cfg << EOF
+cat > tmp/ca-existing-certs.cfg << EOF
[DEFAULT]
pki_pin=Secret.123
@@ -28,25 +28,27 @@ pki_token_password=Secret.123
pki_existing=True
pki_ca_signing_nickname=ca_signing
-pki_ca_signing_csr_path=$PWD/tmp/ca_signing.csr
+pki_ca_signing_csr_path=tmp/ca_signing.csr
+pki_ca_signing_cert_path=tmp/ca_signing.crt
pki_ocsp_signing_nickname=ca_ocsp_signing
-pki_ocsp_signing_csr_path=$PWD/tmp/ca_ocsp_signing.csr
+pki_ocsp_signing_csr_path=tmp/ca_ocsp_signing.csr
+pki_ocsp_signing_cert_path=tmp/ca_ocsp_signing.crt
pki_sslserver_nickname=sslserver
-pki_sslserver_csr_path=$PWD/tmp/sslserver.csr
+pki_sslserver_csr_path=tmp/sslserver.csr
+pki_sslserver_cert_path=tmp/sslserver.crt
pki_subsystem_nickname=subsystem
-pki_subsystem_csr_path=$PWD/tmp/subsystem.csr
+pki_subsystem_csr_path=tmp/subsystem.csr
+pki_subsystem_cert_path=tmp/subsystem.crt
pki_audit_signing_nickname=ca_audit_signing
-pki_audit_signing_csr_path=$PWD/tmp/ca_audit_signing.csr
-
-pki_pkcs12_path=$PWD/tmp/ca-certs.p12
-pki_pkcs12_password=Secret.123
+pki_audit_signing_csr_path=tmp/ca_audit_signing.csr
+pki_audit_signing_cert_path=tmp/ca_audit_signing.crt
#pki_serial_number_range_start=6
#pki_request_number_range_start=1
EOF
-pkispawn -f tmp/ca-all-existing.cfg -s CA
+pkispawn -v -f tmp/ca-existing-certs.cfg -s CA
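Review bot: The new `pki_*_cert_path` and `pki_*_csr_path` values are now relative (`tmp/ca_signing.crt` rather than `$PWD/tmp/...`), so they resolve against whatever directory `pkispawn` runs in and point at files that only exist if ca-existing-export-certs.sh was run from the same place first. A short guard before the `pkispawn` line would turn a missing or empty input into a clear error, for example `for f in tmp/ca_signing.crt tmp/ca_signing.csr; do [ -s "$f" ] || { echo "missing $f" >&2; exit 1; }; done`, extended to the other four certificate/CSR pairs. The heredoc starts in the previous hunk and the top of the script is not visible here.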
diff --git a/scripts/ca-existing-export-certs.sh b/scripts/ca-existing-export-certs.sh
new file mode 100755
index 0000000..3645488
--- /dev/null
+++ b/scripts/ca-existing-export-certs.sh
@@ -0,0 +1,37 @@
+#!/bin/sh -x
+
+#grep "internal=" /var/lib/pki/pki-tomcat/conf/password.conf | awk -F= '{print $2}' > tmp/internal.txt
+#PKCS12Export -debug -d /var/lib/pki/pki-tomcat/alias -p tmp/internal.txt -w password.txt -o tmp/ca-certs.p12
+#PKCS12Export -d /var/lib/pki/pki-tomcat/alias -p tmp/internal.txt -w password.txt -o tmp/ca-certs.p12
+
+#pki pkcs12-cert-find --pkcs12-file tmp/ca-certs.p12 --pkcs12-password-file password.txt
+#pki pkcs12-key-find --pkcs12-file tmp/ca-certs.p12 --pkcs12-password-file password.txt
+
+certutil -L -d /var/lib/pki/pki-tomcat/alias -n "ca_signing" -a > tmp/ca_signing.crt
+certutil -L -d /var/lib/pki/pki-tomcat/alias -n "ca_ocsp_signing" -a > tmp/ca_ocsp_signing.crt
+certutil -L -d /var/lib/pki/pki-tomcat/alias -n "ca_audit_signing" -a > tmp/ca_audit_signing.crt
+certutil -L -d /var/lib/pki/pki-tomcat/alias -n "subsystem" -a > tmp/subsystem.crt
+certutil -L -d /var/lib/pki/pki-tomcat/alias -n "sslserver" -a > tmp/sslserver.crt
+
+echo "-----BEGIN NEW CERTIFICATE REQUEST-----" > tmp/ca_signing.csr
+sed -n "/^ca.signing.certreq=/ s/^[^=]*=// p" < /var/lib/pki/pki-tomcat/ca/conf/CS.cfg >> tmp/ca_signing.csr
+echo "-----END NEW CERTIFICATE REQUEST-----" >> tmp/ca_signing.csr
+
+echo "-----BEGIN NEW CERTIFICATE REQUEST-----" > tmp/ca_ocsp_signing.csr
+sed -n "/^ca.ocsp_signing.certreq=/ s/^[^=]*=// p" < /var/lib/pki/pki-tomcat/ca/conf/CS.cfg >> tmp/ca_ocsp_signing.csr
+echo "-----END NEW CERTIFICATE REQUEST-----" >> tmp/ca_ocsp_signing.csr
+
+echo "-----BEGIN NEW CERTIFICATE REQUEST-----" > tmp/sslserver.csr
+sed -n "/^ca.sslserver.certreq=/ s/^[^=]*=// p" < /var/lib/pki/pki-tomcat/ca/conf/CS.cfg >> tmp/sslserver.csr
+echo "-----END NEW CERTIFICATE REQUEST-----" >> tmp/sslserver.csr
+
+echo "-----BEGIN NEW CERTIFICATE REQUEST-----" > tmp/subsystem.csr
+sed -n "/^ca.subsystem.certreq=/ s/^[^=]*=// p" < /var/lib/pki/pki-tomcat/ca/conf/CS.cfg >> tmp/subsystem.csr
+echo "-----END NEW CERTIFICATE REQUEST-----" >> tmp/subsystem.csr
+
+echo "-----BEGIN NEW CERTIFICATE REQUEST-----" > tmp/ca_audit_signing.csr
+sed -n "/^ca.audit_signing.certreq=/ s/^[^=]*=// p" < /var/lib/pki/pki-tomcat/ca/conf/CS.cfg >> tmp/ca_audit_signing.csr
+echo "-----END NEW CERTIFICATE REQUEST-----" >> tmp/ca_audit_signing.csr
+
+#cp ~/.dogtag/pki-tomcat/ca_admin.cert tmp
+#cp ~/.dogtag/pki-tomcat/ca_admin_cert.p12 tmp
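Review bot: None of the ten exports checks its result, so a missing nickname or a missing `ca.*.certreq` key in CS.cfg still leaves an empty `.crt` or a `.csr` holding only the BEGIN/END lines. The `pkispawn` run in ca-existing-certs-create.sh then reads those files. The script also writes into `tmp/` without the `mkdir -p tmp` that the other scripts have. The five stanzas differ only in nickname and CS.cfg tag, so a loop with `set -e` and an emptiness check would cover all of them; the sketch below also escapes the dots in the sed address.

```shell
set -e
mkdir -p tmp

alias_dir=/var/lib/pki/pki-tomcat/alias
cs_cfg=/var/lib/pki/pki-tomcat/ca/conf/CS.cfg

# ... unchanged: commented-out PKCS12Export / pkcs12-*-find lines ...

# nickname:CS.cfg tag
for pair in ca_signing:signing ca_ocsp_signing:ocsp_signing \
            ca_audit_signing:audit_signing subsystem:subsystem sslserver:sslserver; do
  nick=${pair%%:*}
  tag=${pair#*:}

  certutil -L -d "$alias_dir" -n "$nick" -a > "tmp/$nick.crt"

  req=$(sed -n "/^ca\.$tag\.certreq=/ s/^[^=]*=// p" < "$cs_cfg")
  [ -n "$req" ] || { echo "no ca.$tag.certreq in $cs_cfg" >&2; exit 1; }

  {
    echo "-----BEGIN NEW CERTIFICATE REQUEST-----"
    echo "$req"
    echo "-----END NEW CERTIFICATE REQUEST-----"
  } > "tmp/$nick.csr"
done
```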
diff --git a/scripts/ca-all-existing-export.sh b/scripts/ca-existing-export-pkcs12.sh
index da2ce2d..da2ce2d 100755
--- a/scripts/ca-all-existing-export.sh
+++ b/scripts/ca-existing-export-pkcs12.sh
diff --git a/scripts/ca-existing-create.sh b/scripts/ca-existing-pkcs12-create.sh
index 823b98e..c7519e8 100755
--- a/scripts/ca-existing-create.sh
+++ b/scripts/ca-existing-pkcs12-create.sh
@@ -27,23 +27,23 @@ pki_token_password=Secret.123
pki_existing=True
+pki_pkcs12_path=tmp/ca-certs.p12
+pki_pkcs12_password=Secret.123
+
pki_ca_signing_nickname=ca_signing
-pki_ca_signing_csr_path=$PWD/tmp/ca_signing.csr
+pki_ca_signing_csr_path=tmp/ca_signing.csr
pki_ocsp_signing_nickname=ca_ocsp_signing
-#pki_ocsp_signing_csr_path=$PWD/tmp/ca_ocsp_signing.csr
+pki_ocsp_signing_csr_path=tmp/ca_ocsp_signing.csr
pki_sslserver_nickname=sslserver
-#pki_sslserver_csr_path=$PWD/tmp/sslserver.csr
+pki_sslserver_csr_path=tmp/sslserver.csr
pki_subsystem_nickname=subsystem
-#pki_subsystem_csr_path=$PWD/tmp/subsystem.csr
+pki_subsystem_csr_path=tmp/subsystem.csr
pki_audit_signing_nickname=ca_audit_signing
-#pki_audit_signing_csr_path=$PWD/tmp/ca_audit_signing.csr
-
-pki_pkcs12_path=$PWD/tmp/ca-certs.p12
-pki_pkcs12_password=Secret.123
+pki_audit_signing_csr_path=tmp/ca_audit_signing.csr
#pki_serial_number_range_start=6
#pki_request_number_range_start=1
diff --git a/scripts/ca-external-step1.sh b/scripts/ca-external-step1.sh
index 85ccfc7..96365de 100755
--- a/scripts/ca-external-step1.sh
+++ b/scripts/ca-external-step1.sh
@@ -4,7 +4,6 @@ mkdir -p tmp
cat > tmp/ca-external-step1.cfg << EOF
[DEFAULT]
-#pki_instance_name=pki-child
pki_pin=Secret.123
[CA]
@@ -31,19 +30,21 @@ pki_token_password=Secret.123
pki_external=True
pki_external_step_two=False
-pki_external_csr_path=$PWD/tmp/ca_signing.csr
-#pki_ca_signing_csr_path=$PWD/tmp/ca_signing.csr
-#pki_ocsp_signing_csr_path=$PWD/tmp/ca_ocsp_signing.csr
-#pki_audit_signing_csr_path=$PWD/tmp/ca_audit_signing.csr
-#pki_sslserver_csr_path=$PWD/tmp/sslserver.csr
-#pki_subsystem_csr_path=$PWD/tmp/subsystem.csr
+#pki_external_csr_path=tmp/ca_signing.csr
+pki_ca_signing_csr_path=tmp/ca_signing.csr
+
+#pki_ca_signing_csr_path=tmp/ca_signing.csr
+#pki_ocsp_signing_csr_path=tmp/ca_ocsp_signing.csr
+#pki_subsystem_csr_path=tmp/subsystem.csr
+#pki_sslserver_csr_path=tmp/sslserver.csr
+#pki_audit_signing_csr_path=tmp/ca_audit_signing.csr
pki_ca_signing_nickname=ca_signing
pki_ocsp_signing_nickname=ca_ocsp_signing
-pki_audit_signing_nickname=ca_audit_signing
-pki_sslserver_nickname=sslserver
pki_subsystem_nickname=subsystem
+pki_sslserver_nickname=sslserver
+pki_audit_signing_nickname=ca_audit_signing
EOF
-pkispawn -f tmp/ca-external-step1.cfg -s CA -v
+pkispawn -f tmp/ca-external-step1.cfg -s CA
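Review bot: The added comment block repeats `#pki_ca_signing_csr_path=tmp/ca_signing.csr` directly below the active `pki_ca_signing_csr_path=tmp/ca_signing.csr`, so the same key appears both enabled and disabled. Dropping the commented copy and heading the remaining four lines with something like `# optional: also export the other CSRs` would make clear which settings are in effect. The heredoc opens outside this hunk.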
diff --git a/scripts/ca-external-step2.sh b/scripts/ca-external-step2.sh
index c94ce19..9e16c46 100755
--- a/scripts/ca-external-step2.sh
+++ b/scripts/ca-external-step2.sh
@@ -4,7 +4,6 @@ mkdir -p tmp
cat > tmp/ca-external-step2.cfg << EOF
[DEFAULT]
-#pki_instance_name=pki-child
pki_pin=Secret.123
[CA]
@@ -30,20 +29,28 @@ pki_token_password=Secret.123
pki_external=True
pki_external_step_two=True
-pki_external_csr_path=$PWD/tmp/ca_signing.csr
-pki_external_ca_cert_path=$PWD/tmp/ca_signing.crt
+
+#pki_external_csr_path=tmp/ca_signing.csr
+pki_ca_signing_csr_path=tmp/ca_signing.csr
+
+#pki_external_ca_cert_path=tmp/ca_signing.crt
+pki_ca_signing_cert_path=tmp/ca_signing.crt
#pki_external_ca_cert_chain_nickname=external
-pki_external_ca_cert_chain_nickname=Root CA Signing Certificate - ROOT
-#pki_external_ca_cert_chain_nickname=External CA - EXTERNAL
-#pki_external_ca_cert_chain_path=$PWD/tmp/cert_chain.p7b
-pki_external_ca_cert_chain_path=$PWD/tmp/external.crt
+#pki_external_ca_cert_chain_nickname=Root CA Signing Certificate - ROOT
+#pki_cert_chain_nickname=Root CA Signing Certificate - ROOT
+
+#pki_external_ca_cert_chain_path=tmp/cert_chain.p7b
+#pki_external_ca_cert_chain_path=tmp/external.crt
+#pki_cert_chain_path=tmp/external.crt
pki_ca_signing_nickname=ca_signing
pki_ocsp_signing_nickname=ca_ocsp_signing
-pki_audit_signing_nickname=ca_audit_signing
-pki_sslserver_nickname=sslserver
pki_subsystem_nickname=subsystem
+pki_sslserver_nickname=sslserver
+pki_audit_signing_nickname=ca_audit_signing
EOF
-pkispawn -f tmp/ca-external-step2.cfg -s CA -v
+pkispawn -f tmp/ca-external-step2.cfg -s CA
+
+echo $HOSTNAME > tmp/ca.hostname
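Review bot: After this hunk every certificate-chain setting is commented out (`pki_external_ca_cert_chain_*` and the new `pki_cert_chain_*`), so step two no longer points at `tmp/external.crt` at all. The same commit's ca-admin-init.sh still imports that file as the root certificate. If the issuer is now expected to be trusted in the NSS database before step two runs, a one-line comment saying so should replace the three commented alternatives, for example `# external CA chain must already be imported; pki_cert_chain_path is only needed otherwise`. The heredoc begins outside this hunk, so an active chain setting earlier in the file cannot be ruled out.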
diff --git a/scripts/ca-step1.sh b/scripts/ca-step1.sh
index 77487cf..2c419ae 100755
--- a/scripts/ca-step1.sh
+++ b/scripts/ca-step1.sh
@@ -1,5 +1,36 @@
#!/bin/sh -x
-#pkispawn -v -f ca-step1.cfg -s CA
-pkispawn -v -f ca.cfg -s CA --skip-configuration
-#pkispawn -v -f ca.cfg -s CA --stop-at configuration
+mkdir -p tmp
+
+cat > tmp/ca-step1.cfg << EOF
+[DEFAULT]
+pki_pin=Secret.123
+
+[CA]
+pki_admin_email=caadmin@example.com
+pki_admin_name=caadmin
+pki_admin_nickname=caadmin
+pki_admin_password=Secret.123
+pki_admin_uid=caadmin
+
+pki_client_database_password=Secret.123
+pki_client_database_purge=False
+pki_client_pkcs12_password=Secret.123
+
+pki_ds_base_dn=dc=ca,dc=pki,dc=example,dc=com
+pki_ds_password=Secret.123
+pki_ds_database=ca
+
+pki_security_domain_name=EXAMPLE
+
+pki_ca_signing_nickname=ca_signing
+pki_ocsp_signing_nickname=ca_ocsp_signing
+pki_audit_signing_nickname=ca_audit_signing
+pki_sslserver_nickname=sslserver
+pki_subsystem_nickname=subsystem
+
+pki_skip_configuration=True
+EOF
+
+pkispawn -f tmp/ca-step1.cfg -s CA
+#pkispawn -f tmp/ca.cfg -s CA --skip-configuration
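Review bot: `tmp/ca-step1.cfg` is created with the default umask although it contains the NSS pin and the admin, client database, client PKCS #12 and directory server passwords. Adding `umask 077` before `mkdir -p tmp` keeps the directory and the file private to the invoking user. Because the heredoc body contains no expansions, `<< 'EOF'` would also guard against a later `$` in a password being expanded by the shell. The same applies to the heredocs added in ca-step2.sh and ca-sub-create.sh; the latter needs the unquoted form for `$ISSUING_CA`.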
diff --git a/scripts/ca-step2.sh b/scripts/ca-step2.sh
index 2112391..574f6ba 100755
--- a/scripts/ca-step2.sh
+++ b/scripts/ca-step2.sh
@@ -1,5 +1,41 @@
#!/bin/sh -x
-#pkispawn -v -f ca-step2.cfg -s CA
-pkispawn -v -f ca.cfg -s CA --skip-installation
-#pkispawn -v -f ca.cfg -s CA --start-from configuration
+mkdir -p tmp
+
+cat > tmp/ca-step2.cfg << EOF
+[DEFAULT]
+pki_pin=Secret.123
+
+[CA]
+pki_admin_email=caadmin@example.com
+pki_admin_name=caadmin
+pki_admin_nickname=caadmin
+pki_admin_password=Secret.123
+pki_admin_uid=caadmin
+
+pki_client_database_password=Secret.123
+pki_client_database_purge=False
+pki_client_pkcs12_password=Secret.123
+
+pki_ds_base_dn=dc=ca,dc=pki,dc=example,dc=com
+pki_ds_password=Secret.123
+pki_ds_database=ca
+
+pki_security_domain_name=EXAMPLE
+
+pki_ca_signing_nickname=ca_signing
+pki_ocsp_signing_nickname=ca_ocsp_signing
+pki_audit_signing_nickname=ca_audit_signing
+pki_sslserver_nickname=sslserver
+pki_subsystem_nickname=subsystem
+
+pki_skip_installation=True
+EOF
+
+pkispawn -f tmp/ca-step2.cfg -s CA
+#pkispawn -f tmp/ca.cfg -s CA --skip-installation
+
+#/bin/cp /root/.dogtag/pki-tomcat/ca_admin.cert .
+#/bin/cp /root/.dogtag/pki-tomcat/ca_admin_cert.p12 .
+#/bin/cp /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf ca_admin_cert.txt
+echo $HOSTNAME > tmp/ca.hostname
diff --git a/scripts/ca-sub-create.sh b/scripts/ca-sub-create.sh
index 049fce8..aa65c1e 100755
--- a/scripts/ca-sub-create.sh
+++ b/scripts/ca-sub-create.sh
@@ -1,3 +1,43 @@
#!/bin/sh -x
-pkispawn -v -f ca-sub.cfg -s CA
+mkdir -p tmp
+
+ISSUING_CA=`cat tmp/root.txt`
+
+cat > tmp/ca-sub.cfg << EOF
+[DEFAULT]
+pki_pin=Secret.123
+
+[CA]
+pki_admin_email=caadmin@example.com
+pki_admin_name=caadmin
+pki_admin_nickname=caadmin
+pki_admin_password=Secret.123
+pki_admin_uid=caadmin
+
+pki_subordinate=True
+pki_issuing_ca_hostname=$ISSUING_CA
+pki_issuing_ca_https_port=8443
+pki_ca_signing_subject_dn=cn=CA Signing Certificate,o=EXAMPLE
+
+pki_client_database_password=Secret.123
+pki_client_database_purge=False
+pki_client_pkcs12_password=Secret.123
+
+pki_ds_base_dn=dc=ca,dc=pki,dc=example,dc=com
+pki_ds_database=ca
+pki_ds_password=Secret.123
+
+pki_security_domain_hostname=$ISSUING_CA
+pki_security_domain_https_port=8443
+pki_security_domain_user=caadmin
+pki_security_domain_password=Secret.123
+
+pki_ca_signing_nickname=ca_signing
+pki_ocsp_signing_nickname=ca_ocsp_signing
+pki_audit_signing_nickname=ca_audit_signing
+pki_sslserver_nickname=sslserver
+pki_subsystem_nickname=subsystem
+EOF
+
+pkispawn -v -f tmp/ca-sub.cfg -s CA
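Review bot: ``ISSUING_CA=`cat tmp/root.txt` `` is not checked, so a missing or empty file produces a config with `pki_issuing_ca_hostname=` and `pki_security_domain_hostname=` left blank, and `pkispawn` is still started with the security domain password. No script in this commit writes `tmp/root.txt` (the others write `tmp/ca.hostname` and `tmp/master.txt`), so the expected producer should be named in a comment. A guard such as `[ -s tmp/root.txt ] || { echo "tmp/root.txt missing" >&2; exit 1; }` followed by `ISSUING_CA=$(cat tmp/root.txt)` fails early. The value is pasted into the heredoc as is, so a multi-line file would add extra config lines.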
diff --git a/scripts/ca_signing-cmc-sign.sh b/scripts/ca_signing-cmc-sign.sh
index c6b0eb8..5bab7ec 100755
--- a/scripts/ca_signing-cmc-sign.sh
+++ b/scripts/ca_signing-cmc-sign.sh
@@ -59,7 +59,8 @@ tokenname=internal
nickname=caadmin
# CMC servlet path
-servlet=/ca/ee/ca/profileSubmitCMCFullCACert
+#servlet=/ca/ee/ca/profileSubmitCMCFull
+servlet=/ca/ee/ca/profileSubmitCMCFull?profileId=caCMCcaCert
# Path for the CMC request.
input=tmp/ca_signing-cmc-request.bin
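Review bot: `servlet=` now carries a query string (`?profileId=caCMCcaCert`), but the comment above it still reads `# CMC servlet path`. It should say that the profile is chosen by the query parameter, for example `# CMC servlet path; profileId selects the CA signing cert profile`. How the value is consumed lies outside this hunk; if it is ever expanded unquoted in the shell, the `?` is a glob character, so the consumer should quote it.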
diff --git a/scripts/ca_signing-export.sh b/scripts/ca_signing-export.sh
index 9e9a70a..d9ad743 100755
--- a/scripts/ca_signing-export.sh
+++ b/scripts/ca_signing-export.sh
@@ -1,3 +1,4 @@
#!/bin/sh
-pki cert-show 0x1 --output tmp/ca_signing.crt
+#pki cert-show 0x1 --output tmp/ca_signing.crt
+pki -d /etc/pki/pki-tomcat/alias -c Secret.123 client-cert-show ca_signing --cert tmp/ca_signing.crt
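Review bot: The replacement command puts the server NSS database password on the command line (`-c Secret.123`) just to read a public certificate. ca-existing-export-certs.sh, added in this commit, does the same export without a password: `certutil -L -d /var/lib/pki/pki-tomcat/alias -n "ca_signing" -a > tmp/ca_signing.crt`. Using that form here would keep the two scripts consistent and keep the password out of the process list. The two scripts name the database by different paths (`/etc/pki/pki-tomcat/alias` here); these presumably refer to the same directory, but that should be confirmed.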