summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorEndi S. Dewata <edewata@redhat.com>2017-10-20 21:30:52 +0200
committerEndi S. Dewata <edewata@redhat.com>2017-10-20 21:31:27 +0200
commit1cbf6fc8c9381f0835530dc0753f7c7af7502d88 (patch)
tree7c874c3cb422f8719fe49ffbdb67fa0273964bb0
parenta2412da7c00eceb51aa946fcd120ae9441e94e33 (diff)
downloadpki-dev-1cbf6fc8c9381f0835530dc0753f7c7af7502d88.zip
pki-dev-1cbf6fc8c9381f0835530dc0753f7c7af7502d88.tar.gz
pki-dev-1cbf6fc8c9381f0835530dc0753f7c7af7502d88.tar.xz
Added NSSDB scripts.
-rwxr-xr-xscripts/nssdb-admin-cert-del.sh3
-rwxr-xr-xscripts/nssdb-admin-cert-show.sh3
-rwxr-xr-xscripts/nssdb-admin-request.sh15
-rwxr-xr-xscripts/nssdb-admin-sign.sh25
-rwxr-xr-xscripts/nssdb-audit_signing-cert-del.sh3
-rwxr-xr-xscripts/nssdb-audit_signing-cert-show.sh3
-rwxr-xr-xscripts/nssdb-audit_signing-request.sh14
-rwxr-xr-xscripts/nssdb-audit_signing-sign.sh24
-rwxr-xr-xscripts/nssdb-ca_signing-cert-del.sh3
-rwxr-xr-xscripts/nssdb-ca_signing-cert-show.sh3
-rwxr-xr-xscripts/nssdb-ca_signing-create.sh26
-rwxr-xr-xscripts/nssdb-ca_signing-csr-restore.sh16
-rwxr-xr-xscripts/nssdb-ca_signing-request.sh16
-rwxr-xr-xscripts/nssdb-ca_signing-sign.sh26
-rwxr-xr-xscripts/nssdb-create.sh1
-rwxr-xr-xscripts/nssdb-generate-audit_signing-csr.sh21
-rwxr-xr-xscripts/nssdb-generate-random-chain.sh129
-rwxr-xr-xscripts/nssdb-generate-sslserver-csr.sh21
-rwxr-xr-xscripts/nssdb-generate-subsystem-csr.sh21
-rwxr-xr-xscripts/nssdb-kra_storage-cert-del.sh3
-rwxr-xr-xscripts/nssdb-kra_storage-cert-show.sh3
-rwxr-xr-xscripts/nssdb-kra_storage-request.sh15
-rwxr-xr-xscripts/nssdb-kra_storage-sign.sh25
-rwxr-xr-xscripts/nssdb-kra_transport-cert-del.sh3
-rwxr-xr-xscripts/nssdb-kra_transport-cert-show.sh3
-rwxr-xr-xscripts/nssdb-kra_transport-request.sh15
-rwxr-xr-xscripts/nssdb-kra_transport-sign.sh25
-rwxr-xr-xscripts/nssdb-ocsp_signing-cert-del.sh3
-rwxr-xr-xscripts/nssdb-ocsp_signing-cert-show.sh3
-rwxr-xr-xscripts/nssdb-ocsp_signing-request.sh17
-rwxr-xr-xscripts/nssdb-ocsp_signing-sign.sh25
-rwxr-xr-xscripts/nssdb-sslserver-cert-del.sh3
-rwxr-xr-xscripts/nssdb-sslserver-cert-show.sh3
-rwxr-xr-xscripts/nssdb-sslserver-request.sh15
-rwxr-xr-xscripts/nssdb-sslserver-sign.sh25
-rwxr-xr-xscripts/nssdb-subsystem-cert-del.sh3
-rwxr-xr-xscripts/nssdb-subsystem-cert-show.sh3
-rwxr-xr-xscripts/nssdb-subsystem-request.sh15
-rwxr-xr-xscripts/nssdb-subsystem-sign.sh25
39 files changed, 541 insertions, 64 deletions
diff --git a/scripts/nssdb-admin-cert-del.sh b/scripts/nssdb-admin-cert-del.sh
new file mode 100755
index 0000000..7782956
--- /dev/null
+++ b/scripts/nssdb-admin-cert-del.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+certutil -D -d nssdb -n "admin"
diff --git a/scripts/nssdb-admin-cert-show.sh b/scripts/nssdb-admin-cert-show.sh
new file mode 100755
index 0000000..7c2f4af
--- /dev/null
+++ b/scripts/nssdb-admin-cert-show.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+certutil -L -d nssdb -n "admin"
diff --git a/scripts/nssdb-admin-request.sh b/scripts/nssdb-admin-request.sh
new file mode 100755
index 0000000..849f48f
--- /dev/null
+++ b/scripts/nssdb-admin-request.sh
@@ -0,0 +1,15 @@
+#!/bin/sh
+
+certutil -R \
+ -d nssdb \
+ -f nssdb/password.txt \
+ -z nssdb/noise.bin \
+ -s "CN=PKI Adminstrator,E=admin@example.com,OU=pki-tomcat,O=EXAMPLE" \
+ -o nssdb/admin.csr.der \
+ -k rsa \
+ -g 2048 \
+ -Z SHA256 \
+ --keyUsage critical,dataEncipherment,keyEncipherment,digitalSignature,nonRepudiation \
+ --extKeyUsage clientAuth,emailProtection
+
+openssl req -inform der -in nssdb/admin.csr.der -out nssdb/admin.csr
diff --git a/scripts/nssdb-admin-sign.sh b/scripts/nssdb-admin-sign.sh
new file mode 100755
index 0000000..ff85f2e
--- /dev/null
+++ b/scripts/nssdb-admin-sign.sh
@@ -0,0 +1,25 @@
+#!/bin/sh
+
+AKID="`cat nssdb/ca_signing.skid`"
+echo "AKID: ${AKID}"
+
+OCSP="`cat nssdb/ocsp_url`"
+echo "OCSP: ${OCSP}"
+
+echo -e "y\n${AKID}\n\n\n\n2\n7\n${OCSP}\n\n\n\n" | \
+ certutil -C \
+ -d nssdb \
+ -f nssdb/password.txt \
+ -m $RANDOM \
+ -a \
+ -i nssdb/admin.csr \
+ -o nssdb/admin.crt \
+ -c "ca_signing" \
+ -3 \
+ --extAIA \
+ --keyUsage critical,dataEncipherment,keyEncipherment,digitalSignature,nonRepudiation \
+ --extKeyUsage clientAuth,emailProtection
+
+certutil -A -d nssdb -n "admin" -i nssdb/admin.crt -t ",,"
+
+openssl x509 -text -noout -in nssdb/admin.crt
diff --git a/scripts/nssdb-audit_signing-cert-del.sh b/scripts/nssdb-audit_signing-cert-del.sh
new file mode 100755
index 0000000..843dc29
--- /dev/null
+++ b/scripts/nssdb-audit_signing-cert-del.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+certutil -D -d nssdb -n "audit_signing"
diff --git a/scripts/nssdb-audit_signing-cert-show.sh b/scripts/nssdb-audit_signing-cert-show.sh
new file mode 100755
index 0000000..96e8bb6
--- /dev/null
+++ b/scripts/nssdb-audit_signing-cert-show.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+certutil -L -d nssdb -n "audit_signing"
diff --git a/scripts/nssdb-audit_signing-request.sh b/scripts/nssdb-audit_signing-request.sh
new file mode 100755
index 0000000..006d298
--- /dev/null
+++ b/scripts/nssdb-audit_signing-request.sh
@@ -0,0 +1,14 @@
+#!/bin/sh
+
+certutil -R \
+ -d nssdb \
+ -f nssdb/password.txt \
+ -z nssdb/noise.bin \
+ -s "CN=Audit Signing Certificate,OU=pki-tomcat,O=EXAMPLE" \
+ -o nssdb/audit_signing.csr.der \
+ -k rsa \
+ -g 2048 \
+ -Z SHA256 \
+ --keyUsage critical,digitalSignature,nonRepudiation
+
+openssl req -inform der -in nssdb/audit_signing.csr.der -out nssdb/audit_signing.csr
diff --git a/scripts/nssdb-audit_signing-sign.sh b/scripts/nssdb-audit_signing-sign.sh
new file mode 100755
index 0000000..a5f830e
--- /dev/null
+++ b/scripts/nssdb-audit_signing-sign.sh
@@ -0,0 +1,24 @@
+#!/bin/sh
+
+AKID="`cat nssdb/ca_signing.skid`"
+echo "AKID: ${AKID}"
+
+OCSP="`cat nssdb/ocsp_url`"
+echo "OCSP: ${OCSP}"
+
+echo -e "y\n${AKID}\n\n\n\n2\n7\n${OCSP}\n\n\n\n" | \
+ certutil -C \
+ -d nssdb \
+ -f nssdb/password.txt \
+ -m $RANDOM \
+ -a \
+ -i nssdb/audit_signing.csr \
+ -o nssdb/audit_signing.crt \
+ -c "ca_signing" \
+ -3 \
+ --extAIA \
+ --keyUsage critical,digitalSignature,nonRepudiation
+
+certutil -A -d nssdb -n "audit_signing" -i nssdb/audit_signing.crt -t ",,P"
+
+openssl x509 -text -noout -in nssdb/audit_signing.crt
diff --git a/scripts/nssdb-ca_signing-cert-del.sh b/scripts/nssdb-ca_signing-cert-del.sh
new file mode 100755
index 0000000..a400145
--- /dev/null
+++ b/scripts/nssdb-ca_signing-cert-del.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+certutil -D -d nssdb -n "ca_signing"
diff --git a/scripts/nssdb-ca_signing-cert-show.sh b/scripts/nssdb-ca_signing-cert-show.sh
new file mode 100755
index 0000000..6aadf48
--- /dev/null
+++ b/scripts/nssdb-ca_signing-cert-show.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+certutil -L -d nssdb -n "ca_signing"
diff --git a/scripts/nssdb-ca_signing-create.sh b/scripts/nssdb-ca_signing-create.sh
new file mode 100755
index 0000000..b387aca
--- /dev/null
+++ b/scripts/nssdb-ca_signing-create.sh
@@ -0,0 +1,26 @@
+#!/bin/sh
+
+SKID="0x`openssl rand -hex 20`"
+echo $SKID > nssdb/ca_signing.skid
+
+OCSP="http://$HOSTNAME:8080/ca/ocsp"
+echo $OCSP > nssdb/ocsp_url
+
+echo -e "y\n\ny\ny\n${SKID}\n\n\n\n${SKID}\n\n2\n7\n${OCSP}\n\n\n\n" | \
+ certutil -S \
+ -x \
+ -d nssdb \
+ -f nssdb/password.txt \
+ -z nssdb/noise.bin \
+ -n "ca_signing" \
+ -s "CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE" \
+ -t "CT,C,C" \
+ -m $RANDOM \
+ -k rsa \
+ -g 2048 \
+ -Z SHA256 \
+ -2 \
+ -3 \
+ --extAIA \
+ --extSKID \
+ --keyUsage critical,certSigning,crlSigning,digitalSignature,nonRepudiation
diff --git a/scripts/nssdb-ca_signing-csr-restore.sh b/scripts/nssdb-ca_signing-csr-restore.sh
new file mode 100755
index 0000000..d1a7603
--- /dev/null
+++ b/scripts/nssdb-ca_signing-csr-restore.sh
@@ -0,0 +1,16 @@
+#!/bin/sh
+
+echo -e "y\n\ny\n" | \
+ certutil -R \
+ -d nssdb \
+ -f nssdb/password.txt \
+ -z nssdb/noise.bin \
+ -s "CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE" \
+ -o nssdb/ca_signing.csr.der \
+ -k ca_signing \
+ -g 2048 \
+ -Z SHA256 \
+ -2 \
+ --keyUsage critical,certSigning,crlSigning,digitalSignature,nonRepudiation
+
+openssl req -inform der -in nssdb/ca_signing.csr.der -out nssdb/ca_signing.csr
diff --git a/scripts/nssdb-ca_signing-request.sh b/scripts/nssdb-ca_signing-request.sh
new file mode 100755
index 0000000..ad28cd8
--- /dev/null
+++ b/scripts/nssdb-ca_signing-request.sh
@@ -0,0 +1,16 @@
+#!/bin/sh
+
+echo -e "y\n\ny\n" | \
+ certutil -R \
+ -d nssdb \
+ -f nssdb/password.txt \
+ -z nssdb/noise.bin \
+ -s "CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE" \
+ -o nssdb/ca_signing.csr.der \
+ -k rsa \
+ -g 2048 \
+ -Z SHA256 \
+ -2 \
+ --keyUsage critical,certSigning,crlSigning,digitalSignature,nonRepudiation
+
+openssl req -inform der -in nssdb/ca_signing.csr.der -out nssdb/ca_signing.csr
diff --git a/scripts/nssdb-ca_signing-sign.sh b/scripts/nssdb-ca_signing-sign.sh
new file mode 100755
index 0000000..6e5eeae
--- /dev/null
+++ b/scripts/nssdb-ca_signing-sign.sh
@@ -0,0 +1,26 @@
+#!/bin/sh
+
+SKID="0x`openssl rand -hex 20`"
+echo $SKID > nssdb/ca_signing.skid
+
+OCSP="http://$HOSTNAME:8080/ca/ocsp"
+echo $OCSP > nssdb/ocsp_url
+
+echo -e "y\n\ny\ny\n${SKID}\n\n\n\n${SKID}\n\n2\n7\n${OCSP}\n\n\n\n" | \
+ certutil -C \
+ -x \
+ -d nssdb \
+ -f nssdb/password.txt \
+ -m $RANDOM \
+ -a \
+ -i nssdb/ca_signing.csr \
+ -o nssdb/ca_signing.crt \
+ -2 \
+ -3 \
+ --extAIA \
+ --extSKID \
+ --keyUsage critical,certSigning,crlSigning,digitalSignature,nonRepudiation
+
+certutil -A -d nssdb -n "ca_signing" -i nssdb/ca_signing.crt -t "CT,C,C"
+
+openssl x509 -text -noout -in nssdb/ca_signing.crt
diff --git a/scripts/nssdb-create.sh b/scripts/nssdb-create.sh
index 3c02ade..15ea47b 100755
--- a/scripts/nssdb-create.sh
+++ b/scripts/nssdb-create.sh
@@ -3,6 +3,5 @@
rm -rf nssdb
mkdir nssdb
echo Secret.123 > nssdb/password.txt
-#certutil -N -d nssdb
certutil -N -d nssdb -f nssdb/password.txt
openssl rand -out nssdb/noise.bin 2048
diff --git a/scripts/nssdb-generate-audit_signing-csr.sh b/scripts/nssdb-generate-audit_signing-csr.sh
deleted file mode 100755
index d04d0be..0000000
--- a/scripts/nssdb-generate-audit_signing-csr.sh
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/sh
-
-certutil -R \
- -d nssdb \
- -h internal \
- -f nssdb/password.txt \
- -z nssdb/noise.bin \
- -s "CN=Audit Signing Certificate,OU=pki-tomcat,O=EXAMPLE" \
- -o audit_signing.csr.der
-
-openssl req -inform der -in audit_signing.csr.der -out audit_signing.csr
-
-#BtoA audit_signing.csr.der audit_signing.csr.pem
-#echo "-----BEGIN NEW CERTIFICATE REQUEST-----" > audit_signing.csr
-#cat audit_signing.csr.pem >> audit_signing.csr
-#echo "-----END NEW CERTIFICATE REQUEST-----" >> audit_signing.csr
-
-rm audit_signing.csr.der
-#rm audit_signing.csr.pem
-
-openssl req -text -noout -in audit_signing.csr
diff --git a/scripts/nssdb-generate-random-chain.sh b/scripts/nssdb-generate-random-chain.sh
new file mode 100755
index 0000000..2ea0466
--- /dev/null
+++ b/scripts/nssdb-generate-random-chain.sh
@@ -0,0 +1,129 @@
+#!/bin/sh
+
+################################################################################
+# CA Level 1
+################################################################################
+
+LEVEL1_SKID="0x`openssl rand -hex 20`"
+OCSP="http://$HOSTNAME:8080/ca/ocsp"
+
+echo -e "y\n\ny\ny\n${LEVEL1_SKID}\n\n\n\n${LEVEL1_SKID}\n\n2\n7\n${OCSP}\n\n\n\n" | \
+ certutil -S \
+ -x \
+ -d nssdb \
+ -f nssdb/password.txt \
+ -z nssdb/noise.bin \
+ -n "level1" \
+ -s "CN=Level 1 CA Signing Certificate,O=EXAMPLE" \
+ -t "CT,C,C" \
+ -m $RANDOM \
+ -k rsa \
+ -g 2048 \
+ -Z SHA256 \
+ -2 \
+ -3 \
+ --extAIA \
+ --extSKID \
+ --keyUsage critical,certSigning,crlSigning,digitalSignature,nonRepudiation
+
+certutil -L -d nssdb -n "level1" -a > nssdb/level1.crt
+
+################################################################################
+# CA Level 2
+################################################################################
+
+echo -e "y\n\ny\n" | \
+ certutil -R \
+ -d nssdb \
+ -f nssdb/password.txt \
+ -z nssdb/noise.bin \
+ -s "CN=Level 2 CA Signing Certificate,O=EXAMPLE" \
+ -o nssdb/level2.csr.der \
+ -k rsa \
+ -g 2048 \
+ -Z SHA256 \
+ -2 \
+ --keyUsage critical,certSigning,crlSigning,digitalSignature,nonRepudiation
+
+openssl req -inform der -in nssdb/level2.csr.der -out nssdb/level2.csr
+
+LEVEL2_SKID="0x`openssl rand -hex 20`"
+
+echo -e "y\n\ny\ny\n${LEVEL1_SKID}\n\n\n\n${LEVEL2_SKID}\n\n2\n7\n${OCSP}\n\n\n\n" | \
+ certutil -C \
+ -d nssdb \
+ -f nssdb/password.txt \
+ -m $RANDOM \
+ -a \
+ -i nssdb/level2.csr \
+ -o nssdb/level2.crt \
+ -c "level1" \
+ -2 \
+ -3 \
+ --extAIA \
+ --extSKID \
+ --keyUsage critical,certSigning,crlSigning,digitalSignature,nonRepudiation
+
+certutil -A -d nssdb -n "level2" -i nssdb/level2.crt -t "CT,C,C"
+
+################################################################################
+# CA Level 3
+################################################################################
+
+echo -e "y\n\ny\n" | \
+ certutil -R \
+ -d nssdb \
+ -f nssdb/password.txt \
+ -z nssdb/noise.bin \
+ -s "CN=Level 3 CA Signing Certificate,O=EXAMPLE" \
+ -o nssdb/level3.csr.der \
+ -k rsa \
+ -g 2048 \
+ -Z SHA256 \
+ -2 \
+ --keyUsage critical,certSigning,crlSigning,digitalSignature,nonRepudiation
+
+openssl req -inform der -in nssdb/level3.csr.der -out nssdb/level3.csr
+
+LEVEL3_SKID="0x`openssl rand -hex 20`"
+
+echo -e "y\n\ny\ny\n${LEVEL2_SKID}\n\n\n\n${LEVEL3_SKID}\n\n2\n7\n${OCSP}\n\n\n\n" | \
+ certutil -C \
+ -d nssdb \
+ -f nssdb/password.txt \
+ -m $RANDOM \
+ -a \
+ -i nssdb/level3.csr \
+ -o nssdb/level3.crt \
+ -c "level2" \
+ -2 \
+ -3 \
+ --extAIA \
+ --extSKID \
+ --keyUsage critical,certSigning,crlSigning,digitalSignature,nonRepudiation
+
+certutil -A -d nssdb -n "level3" -i nssdb/level3.crt -t "CT,C,C"
+
+################################################################################
+# Cert Chain
+################################################################################
+
+# complete chain
+openssl crl2pkcs7 -nocrl -certfile nssdb/level1.crt -certfile nssdb/level2.crt -certfile nssdb/level3.crt -out nssdb/cert_chain.p7b
+
+# out of order chain
+#openssl crl2pkcs7 -nocrl -certfile nssdb/level2.crt -certfile nssdb/level3.crt -certfile nssdb/level1.crt -out nssdb/cert_chain.p7b
+
+# root cert only
+#openssl crl2pkcs7 -nocrl -certfile nssdb/level1.crt -out nssdb/cert_chain.p7b
+
+# leaf cert only
+#openssl crl2pkcs7 -nocrl -certfile nssdb/level3.crt -out nssdb/cert_chain.p7b
+
+# broken chain
+#openssl crl2pkcs7 -nocrl -certfile nssdb/level3.crt -certfile nssdb/level1.crt -out nssdb/cert_chain.p7b
+
+# duplicate cert
+#openssl crl2pkcs7 -nocrl -certfile nssdb/level1.crt -certfile nssdb/level2.crt -certfile nssdb/level2.crt -out nssdb/cert_chain.p7b
+
+openssl pkcs7 -print_certs -in nssdb/cert_chain.p7b
diff --git a/scripts/nssdb-generate-sslserver-csr.sh b/scripts/nssdb-generate-sslserver-csr.sh
deleted file mode 100755
index f9d6ab1..0000000
--- a/scripts/nssdb-generate-sslserver-csr.sh
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/sh
-
-certutil -R \
- -d nssdb \
- -h internal \
- -f nssdb/password.txt \
- -z nssdb/noise.bin \
- -s "CN=$HOSTNAME,OU=pki-tomcat,O=EXAMPLE" \
- -o sslserver.csr.der
-
-openssl req -inform der -in sslserver.csr.der -out sslserver.csr
-
-#BtoA sslserver.csr.der sslserver.csr.pem
-#echo "-----BEGIN NEW CERTIFICATE REQUEST-----" > sslserver.csr
-#cat sslserver.csr.pem >> sslserver.csr
-#echo "-----END NEW CERTIFICATE REQUEST-----" >> sslserver.csr
-
-rm sslserver.csr.der
-#rm sslserver.csr.pem
-
-openssl req -text -noout -in sslserver.csr
diff --git a/scripts/nssdb-generate-subsystem-csr.sh b/scripts/nssdb-generate-subsystem-csr.sh
deleted file mode 100755
index 73f2cdb..0000000
--- a/scripts/nssdb-generate-subsystem-csr.sh
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/sh
-
-certutil -R \
- -d nssdb \
- -h internal \
- -f nssdb/password.txt \
- -z nssdb/noise.bin \
- -s "CN=Subsystem Certificate,OU=pki-tomcat,O=EXAMPLE" \
- -o subsystem.csr.der
-
-openssl req -inform der -in subsystem.csr.der -out subsystem.csr
-
-#BtoA subsystem.csr.der subsystem.csr.pem
-#echo "-----BEGIN NEW CERTIFICATE REQUEST-----" > subsystem.csr
-#cat subsystem.csr.pem >> subsystem.csr
-#echo "-----END NEW CERTIFICATE REQUEST-----" >> subsystem.csr
-
-rm subsystem.csr.der
-#rm subsystem.csr.pem
-
-openssl req -text -noout -in subsystem.csr
diff --git a/scripts/nssdb-kra_storage-cert-del.sh b/scripts/nssdb-kra_storage-cert-del.sh
new file mode 100755
index 0000000..f0284c6
--- /dev/null
+++ b/scripts/nssdb-kra_storage-cert-del.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+certutil -D -d nssdb -n "kra_storage"
diff --git a/scripts/nssdb-kra_storage-cert-show.sh b/scripts/nssdb-kra_storage-cert-show.sh
new file mode 100755
index 0000000..113f377
--- /dev/null
+++ b/scripts/nssdb-kra_storage-cert-show.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+certutil -L -d nssdb -n "kra_storage"
diff --git a/scripts/nssdb-kra_storage-request.sh b/scripts/nssdb-kra_storage-request.sh
new file mode 100755
index 0000000..c4f3c2b
--- /dev/null
+++ b/scripts/nssdb-kra_storage-request.sh
@@ -0,0 +1,15 @@
+#!/bin/sh
+
+certutil -R \
+ -d nssdb \
+ -f nssdb/password.txt \
+ -z nssdb/noise.bin \
+ -s "CN=DRM Storage Certificate,OU=pki-tomcat,O=EXAMPLE" \
+ -o nssdb/kra_storage.csr.der \
+ -k rsa \
+ -g 2048 \
+ -Z SHA256 \
+ --keyUsage critical,dataEncipherment,keyEncipherment,digitalSignature,nonRepudiation \
+ --extKeyUsage clientAuth
+
+openssl req -inform der -in nssdb/kra_storage.csr.der -out nssdb/kra_storage.csr
diff --git a/scripts/nssdb-kra_storage-sign.sh b/scripts/nssdb-kra_storage-sign.sh
new file mode 100755
index 0000000..0ce337d
--- /dev/null
+++ b/scripts/nssdb-kra_storage-sign.sh
@@ -0,0 +1,25 @@
+#!/bin/sh
+
+AKID="`cat nssdb/ca_signing.skid`"
+echo "AKID: ${AKID}"
+
+OCSP="`cat nssdb/ocsp_url`"
+echo "OCSP: ${OCSP}"
+
+echo -e "y\n${AKID}\n\n\n\n2\n7\n${OCSP}\n\n\n\n" | \
+ certutil -C \
+ -d nssdb \
+ -f nssdb/password.txt \
+ -m $RANDOM \
+ -a \
+ -i nssdb/kra_storage.csr \
+ -o nssdb/kra_storage.crt \
+ -c "ca_signing" \
+ -3 \
+ --extAIA \
+ --keyUsage critical,dataEncipherment,keyEncipherment,digitalSignature,nonRepudiation \
+ --extKeyUsage clientAuth
+
+certutil -A -d nssdb -n "kra_storage" -i nssdb/kra_storage.crt -t ",,"
+
+openssl x509 -text -noout -in nssdb/kra_storage.crt
diff --git a/scripts/nssdb-kra_transport-cert-del.sh b/scripts/nssdb-kra_transport-cert-del.sh
new file mode 100755
index 0000000..0c866b1
--- /dev/null
+++ b/scripts/nssdb-kra_transport-cert-del.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+certutil -D -d nssdb -n "kra_transport"
diff --git a/scripts/nssdb-kra_transport-cert-show.sh b/scripts/nssdb-kra_transport-cert-show.sh
new file mode 100755
index 0000000..7981e0b
--- /dev/null
+++ b/scripts/nssdb-kra_transport-cert-show.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+certutil -L -d nssdb -n "kra_transport"
diff --git a/scripts/nssdb-kra_transport-request.sh b/scripts/nssdb-kra_transport-request.sh
new file mode 100755
index 0000000..24e8932
--- /dev/null
+++ b/scripts/nssdb-kra_transport-request.sh
@@ -0,0 +1,15 @@
+#!/bin/sh
+
+certutil -R \
+ -d nssdb \
+ -f nssdb/password.txt \
+ -z nssdb/noise.bin \
+ -s "CN=DRM Transport Certificate,OU=pki-tomcat,O=EXAMPLE" \
+ -o nssdb/kra_transport.csr.der \
+ -k rsa \
+ -g 2048 \
+ -Z SHA256 \
+ --keyUsage critical,dataEncipherment,keyEncipherment,digitalSignature,nonRepudiation \
+ --extKeyUsage clientAuth
+
+openssl req -inform der -in nssdb/kra_transport.csr.der -out nssdb/kra_transport.csr
diff --git a/scripts/nssdb-kra_transport-sign.sh b/scripts/nssdb-kra_transport-sign.sh
new file mode 100755
index 0000000..30855df
--- /dev/null
+++ b/scripts/nssdb-kra_transport-sign.sh
@@ -0,0 +1,25 @@
+#!/bin/sh
+
+AKID="`cat nssdb/ca_signing.skid`"
+echo "AKID: ${AKID}"
+
+OCSP="`cat nssdb/ocsp_url`"
+echo "OCSP: ${OCSP}"
+
+echo -e "y\n${AKID}\n\n\n\n2\n7\n${OCSP}\n\n\n\n" | \
+ certutil -C \
+ -d nssdb \
+ -f nssdb/password.txt \
+ -m $RANDOM \
+ -a \
+ -i nssdb/kra_transport.csr \
+ -o nssdb/kra_transport.crt \
+ -c "ca_signing" \
+ -3 \
+ --extAIA \
+ --keyUsage critical,dataEncipherment,keyEncipherment,digitalSignature,nonRepudiation \
+ --extKeyUsage clientAuth
+
+certutil -A -d nssdb -n "kra_transport" -i nssdb/kra_transport.crt -t ",,"
+
+openssl x509 -text -noout -in nssdb/kra_transport.crt
diff --git a/scripts/nssdb-ocsp_signing-cert-del.sh b/scripts/nssdb-ocsp_signing-cert-del.sh
new file mode 100755
index 0000000..4f0ef06
--- /dev/null
+++ b/scripts/nssdb-ocsp_signing-cert-del.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+certutil -D -d nssdb -n "ocsp_signing"
diff --git a/scripts/nssdb-ocsp_signing-cert-show.sh b/scripts/nssdb-ocsp_signing-cert-show.sh
new file mode 100755
index 0000000..f1760d8
--- /dev/null
+++ b/scripts/nssdb-ocsp_signing-cert-show.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+certutil -L -d nssdb -n "ocsp_signing"
diff --git a/scripts/nssdb-ocsp_signing-request.sh b/scripts/nssdb-ocsp_signing-request.sh
new file mode 100755
index 0000000..d6af7fe
--- /dev/null
+++ b/scripts/nssdb-ocsp_signing-request.sh
@@ -0,0 +1,17 @@
+#!/bin/sh
+
+certutil -R \
+ -d nssdb \
+ -f nssdb/password.txt \
+ -z nssdb/noise.bin \
+ -s "CN=OCSP Signing Certificate,OU=pki-tomcat,O=EXAMPLE" \
+ -o nssdb/ocsp_signing.csr.der \
+ -k rsa \
+ -g 2048 \
+ -Z SHA256 \
+ --extKeyUsage ocspResponder \
+ --extGeneric 1.3.6.1.5.5.7.48.1.5:not-critical:/dev/null
+
+openssl req -inform der -in nssdb/ocsp_signing.csr.der -out nssdb/ocsp_signing.csr
+
+openssl req -text -noout -in nssdb/ocsp_signing.csr
diff --git a/scripts/nssdb-ocsp_signing-sign.sh b/scripts/nssdb-ocsp_signing-sign.sh
new file mode 100755
index 0000000..4478c40
--- /dev/null
+++ b/scripts/nssdb-ocsp_signing-sign.sh
@@ -0,0 +1,25 @@
+#!/bin/sh
+
+AKID="`cat nssdb/ca_signing.skid`"
+echo "AKID: ${AKID}"
+
+OCSP="`cat nssdb/ocsp_url`"
+echo "OCSP: ${OCSP}"
+
+echo -e "y\n${AKID}\n\n\n\n2\n7\n${OCSP}\n\n\n\n" | \
+ certutil -C \
+ -d nssdb \
+ -f nssdb/password.txt \
+ -m $RANDOM \
+ -a \
+ -i nssdb/ocsp_signing.csr \
+ -o nssdb/ocsp_signing.crt \
+ -c "ca_signing" \
+ -3 \
+ --extAIA \
+ --extKeyUsage ocspResponder \
+ --extGeneric 1.3.6.1.5.5.7.48.1.5:not-critical:/dev/null
+
+certutil -A -d nssdb -n "ocsp_signing" -i nssdb/ocsp_signing.crt -t ",,"
+
+openssl x509 -text -noout -in nssdb/ocsp_signing.crt
diff --git a/scripts/nssdb-sslserver-cert-del.sh b/scripts/nssdb-sslserver-cert-del.sh
new file mode 100755
index 0000000..4ace26f
--- /dev/null
+++ b/scripts/nssdb-sslserver-cert-del.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+certutil -D -d nssdb -n "sslserver"
diff --git a/scripts/nssdb-sslserver-cert-show.sh b/scripts/nssdb-sslserver-cert-show.sh
new file mode 100755
index 0000000..7fa8b8e
--- /dev/null
+++ b/scripts/nssdb-sslserver-cert-show.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+certutil -L -d nssdb -n "sslserver"
diff --git a/scripts/nssdb-sslserver-request.sh b/scripts/nssdb-sslserver-request.sh
new file mode 100755
index 0000000..5f3657c
--- /dev/null
+++ b/scripts/nssdb-sslserver-request.sh
@@ -0,0 +1,15 @@
+#!/bin/sh
+
+certutil -R \
+ -d nssdb \
+ -f nssdb/password.txt \
+ -z nssdb/noise.bin \
+ -s "CN=$HOSTNAME,OU=pki-tomcat,O=EXAMPLE" \
+ -o nssdb/sslserver.csr.der \
+ -k rsa \
+ -g 2048 \
+ -Z SHA256 \
+ --keyUsage critical,dataEncipherment,keyEncipherment,digitalSignature,nonRepudiation \
+ --extKeyUsage serverAuth
+
+openssl req -inform der -in nssdb/sslserver.csr.der -out nssdb/sslserver.csr
diff --git a/scripts/nssdb-sslserver-sign.sh b/scripts/nssdb-sslserver-sign.sh
new file mode 100755
index 0000000..7eff977
--- /dev/null
+++ b/scripts/nssdb-sslserver-sign.sh
@@ -0,0 +1,25 @@
+#!/bin/sh
+
+AKID="`cat nssdb/ca_signing.skid`"
+echo "AKID: ${AKID}"
+
+OCSP="`cat nssdb/ocsp_url`"
+echo "OCSP: ${OCSP}"
+
+echo -e "y\n${AKID}\n\n\n\n2\n7\n${OCSP}\n\n\n\n" | \
+ certutil -C \
+ -d nssdb \
+ -f nssdb/password.txt \
+ -m $RANDOM \
+ -a \
+ -i nssdb/sslserver.csr \
+ -o nssdb/sslserver.crt \
+ -c "ca_signing" \
+ -3 \
+ --extAIA \
+ --keyUsage critical,dataEncipherment,keyEncipherment,digitalSignature,nonRepudiation \
+ --extKeyUsage serverAuth
+
+certutil -A -d nssdb -n "sslserver" -i nssdb/sslserver.crt -t ",,"
+
+openssl x509 -text -noout -in nssdb/sslserver.crt
diff --git a/scripts/nssdb-subsystem-cert-del.sh b/scripts/nssdb-subsystem-cert-del.sh
new file mode 100755
index 0000000..0b238bf
--- /dev/null
+++ b/scripts/nssdb-subsystem-cert-del.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+certutil -D -d nssdb -n "subsystem"
diff --git a/scripts/nssdb-subsystem-cert-show.sh b/scripts/nssdb-subsystem-cert-show.sh
new file mode 100755
index 0000000..bfe9e1b
--- /dev/null
+++ b/scripts/nssdb-subsystem-cert-show.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+certutil -L -d nssdb -n "subsystem"
diff --git a/scripts/nssdb-subsystem-request.sh b/scripts/nssdb-subsystem-request.sh
new file mode 100755
index 0000000..ed37cfc
--- /dev/null
+++ b/scripts/nssdb-subsystem-request.sh
@@ -0,0 +1,15 @@
+#!/bin/sh
+
+certutil -R \
+ -d nssdb \
+ -f nssdb/password.txt \
+ -z nssdb/noise.bin \
+ -s "CN=Subsystem Certificate,OU=pki-tomcat,O=EXAMPLE" \
+ -o nssdb/subsystem.csr.der \
+ -k rsa \
+ -g 2048 \
+ -Z SHA256 \
+ --keyUsage critical,dataEncipherment,keyEncipherment,digitalSignature,nonRepudiation \
+ --extKeyUsage clientAuth,serverAuth
+
+openssl req -inform der -in nssdb/subsystem.csr.der -out nssdb/subsystem.csr
diff --git a/scripts/nssdb-subsystem-sign.sh b/scripts/nssdb-subsystem-sign.sh
new file mode 100755
index 0000000..9edf060
--- /dev/null
+++ b/scripts/nssdb-subsystem-sign.sh
@@ -0,0 +1,25 @@
+#!/bin/sh
+
+AKID="`cat nssdb/ca_signing.skid`"
+echo "AKID: ${AKID}"
+
+OCSP="`cat nssdb/ocsp_url`"
+echo "OCSP: ${OCSP}"
+
+echo -e "y\n${AKID}\n\n\n\n2\n7\n${OCSP}\n\n\n\n" | \
+ certutil -C \
+ -d nssdb \
+ -f nssdb/password.txt \
+ -m $RANDOM \
+ -a \
+ -i nssdb/subsystem.csr \
+ -o nssdb/subsystem.crt \
+ -c "ca_signing" \
+ -3 \
+ --extAIA \
+ --keyUsage critical,dataEncipherment,keyEncipherment,digitalSignature,nonRepudiation \
+ --extKeyUsage clientAuth,serverAuth
+
+certutil -A -d nssdb -n "subsystem" -i nssdb/subsystem.crt -t ",,"
+
+openssl x509 -text -noout -in nssdb/subsystem.crt