authorEndi S. Dewata <edewata@redhat.com>2017-07-21 18:08:26 +0200
committerEndi S. Dewata <edewata@redhat.com>2017-07-21 18:08:38 +0200
commit28c1241fbcc36cf3fdddd50d6978a1885145f713 (patch)
treea296afdbbac9864b50a451dbc6b285d66930f947
parentd62ea0eca2a05a7059f071296250c63e9ea9b347 (diff)
Added standalone KRA scripts.
-rwxr-xr-xscripts/ca_signing-cmc-sign.sh (renamed from scripts/ca-external-cmc-sign.sh)20
-rwxr-xr-xscripts/ca_signing-export.sh3
-rwxr-xr-xscripts/kra-create.sh6
-rwxr-xr-xscripts/kra-standalone-ca-sign.sh12
-rwxr-xr-xscripts/kra-standalone-cmc-sign.sh12
-rwxr-xr-xscripts/kra-standalone-sign.sh75
-rwxr-xr-xscripts/kra-standalone-step1.sh51
-rwxr-xr-xscripts/kra-standalone-step2.sh53
-rw-r--r--scripts/kra.cfg39
-rwxr-xr-xscripts/kra_admin-ca-sign.sh13
-rwxr-xr-xscripts/kra_admin-cmc-sign.sh80
-rwxr-xr-xscripts/kra_audit_signing-ca-sign.sh14
-rwxr-xr-xscripts/kra_audit_signing-cmc-sign.sh80
-rwxr-xr-xscripts/kra_storage-ca-sign.sh13
-rwxr-xr-xscripts/kra_storage-cmc-sign.sh80
-rwxr-xr-xscripts/kra_transport-ca-sign.sh13
-rwxr-xr-xscripts/kra_transport-cmc-sign.sh80
-rwxr-xr-xscripts/sslserver-ca-sign.sh13
-rwxr-xr-xscripts/sslserver-cmc-sign.sh80
-rwxr-xr-xscripts/subsystem-ca-sign.sh13
-rwxr-xr-xscripts/subsystem-cmc-sign.sh80
21 files changed, 687 insertions, 143 deletions
diff --git a/scripts/ca-external-cmc-sign.sh b/scripts/ca_signing-cmc-sign.sh
index da20953..b25c6d9 100755
--- a/scripts/ca-external-cmc-sign.sh
+++ b/scripts/ca_signing-cmc-sign.sh
@@ -2,7 +2,7 @@
mkdir -p tmp
-cat > tmp/cmc-request.cfg << EOF
+cat > tmp/ca_signing-cmc-request.cfg << EOF
# NSS database directory.
dbdir=$HOME/.dogtag/nssdb
@@ -27,12 +27,12 @@ numRequests=1
input=$PWD/tmp/ca_signing.csr
# Path for the CMC request in binary format
-output=$PWD/tmp/cmc-request.bin
+output=$PWD/tmp/ca_signing-cmc-request.bin
EOF
-CMCRequest tmp/cmc-request.cfg
+CMCRequest tmp/ca_signing-cmc-request.cfg
-cat > tmp/cmc-submit.cfg << EOF
+cat > tmp/ca_signing-cmc-submit.cfg << EOF
# PKI server host name.
host=$HOSTNAME
@@ -62,19 +62,19 @@ nickname=caadmin
servlet=/ca/ee/ca/profileSubmitCMCFullCACert
# Path for the CMC request.
-input=tmp/cmc-request.bin
+input=tmp/ca_signing-cmc-request.bin
# Path for the CMC response.
-output=tmp/cmc-response.bin
+output=tmp/ca_signing-cmc-response.bin
EOF
-HttpClient tmp/cmc-submit.cfg
+HttpClient tmp/ca_signing-cmc-submit.cfg
-CMCResponse -d ~/.dogtag/nssdb -i tmp/cmc-response.bin
+CMCResponse -d ~/.dogtag/nssdb -i tmp/ca_signing-cmc-response.bin
-BtoA tmp/cmc-response.bin tmp/cmc-response.b64
+BtoA tmp/ca_signing-cmc-response.bin tmp/ca_signing-cmc-response.b64
echo "-----BEGIN PKCS7-----" > tmp/ca_signing.crt
-cat tmp/cmc-response.b64 >> tmp/ca_signing.crt
+cat tmp/ca_signing-cmc-response.b64 >> tmp/ca_signing.crt
echo "-----END PKCS7-----" >> tmp/ca_signing.crt
pki cert-show --output tmp/external.crt 0x1
diff --git a/scripts/ca_signing-export.sh b/scripts/ca_signing-export.sh
new file mode 100755
index 0000000..9e9a70a
--- /dev/null
+++ b/scripts/ca_signing-export.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+pki cert-show 0x1 --output tmp/ca_signing.crt
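Review bot: The new script writes to `tmp/ca_signing.crt` without creating the directory, while every other new script in this commit starts with `mkdir -p tmp`; run on a fresh checkout (kra-standalone-ca-sign.sh calls this script first) the export fails before anything else has created `tmp/`. Add `mkdir -p tmp` before the `pki` call. As a point of style, the sibling scripts place the certificate id after `--output <file>` (`pki cert-show --output tmp/external.crt 0x1`); matching that ordering here keeps the scripts grep-able for the same pattern.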
diff --git a/scripts/kra-create.sh b/scripts/kra-create.sh
index 488c4b8..d2990dd 100755
--- a/scripts/kra-create.sh
+++ b/scripts/kra-create.sh
@@ -1,6 +1,8 @@
#!/bin/sh -x
-cat > kra.cfg << EOF
+mkdir -p tmp
+
+cat > tmp/kra.cfg << EOF
[KRA]
pki_admin_cert_file=/root/.dogtag/pki-tomcat/ca_admin.cert
#pki_import_admin_cert=False
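Review bot: The configuration written to `tmp/kra.cfg` is created with the caller's default umask, and the lines of the cfg past this hunk carry installer secrets (the deleted `scripts/kra.cfg` shows `pki_admin_password`, `pki_ds_password` and `pki_token_password` in the same file), so it lands readable to other users on a shared box and is never removed. Setting `umask 077` right after `mkdir -p tmp` keeps both the directory and the cfg private to the invoking user. The same applies to the cfg files written by kra-standalone-step1.sh and kra-standalone-step2.sh and to the `*-cmc-request.cfg`/`*-cmc-submit.cfg` files, which embed the NSS database password.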
@@ -49,6 +51,6 @@ pki_ssl_server_nickname=sslserver
pki_subsystem_nickname=subsystem
EOF
-pkispawn -vvv -f kra.cfg -s KRA
+pkispawn -vvv -f tmp/kra.cfg -s KRA
#/bin/cp /var/lib/pki/pki-tomcat/alias/kra_backup_keys.p12 .
diff --git a/scripts/kra-standalone-ca-sign.sh b/scripts/kra-standalone-ca-sign.sh
new file mode 100755
index 0000000..1b53902
--- /dev/null
+++ b/scripts/kra-standalone-ca-sign.sh
@@ -0,0 +1,12 @@
+#!/bin/sh
+
+./ca_signing-export.sh
+
+./kra_admin-ca-sign.sh
+
+./kra_transport-ca-sign.sh
+./kra_storage-ca-sign.sh
+./kra_audit_signing-ca-sign.sh
+
+./sslserver-ca-sign.sh
+./subsystem-ca-sign.sh
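Review bot: The orchestrator ignores the exit status of every child script, so a failed signing step (for example an unreachable CA) leaves one of the `tmp/*.crt` files missing while the remaining steps still run and the script itself exits 0, which kra-standalone-step2.sh then feeds to pkispawn. Add `set -e` after the shebang so the chain stops at the first failing child; this only helps if the children themselves return non-zero, which the `*-ca-sign.sh` scripts currently do not guarantee. kra-standalone-cmc-sign.sh has the same shape and would benefit from the same line.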
diff --git a/scripts/kra-standalone-cmc-sign.sh b/scripts/kra-standalone-cmc-sign.sh
new file mode 100755
index 0000000..7bf7ddb
--- /dev/null
+++ b/scripts/kra-standalone-cmc-sign.sh
@@ -0,0 +1,12 @@
+#!/bin/sh
+
+./ca_signing-export.sh
+
+./kra_admin-ca-sign.sh
+
+./kra_transport-cmc-sign.sh
+./kra_storage-cmc-sign.sh
+./kra_audit_signing-cmc-sign.sh
+
+./sslserver-cmc-sign.sh
+./subsystem-cmc-sign.sh
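Review bot: This CMC variant calls `./kra_admin-ca-sign.sh` for the admin certificate while every other subsystem goes through its `*-cmc-sign.sh` script, even though `scripts/kra_admin-cmc-sign.sh` is added in this same commit. If the admin certificate deliberately stays on the CA-profile path (the CMC script posts to `profileSubmitUserSignedCMCFull`, which may need a different signing setup), a one-line comment above the call, such as `# admin cert is approved through the CA profile; CMC user-signed enrollment is not wired up yet`, would stop the next reader from "fixing" it; otherwise the call should be `./kra_admin-cmc-sign.sh`.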
diff --git a/scripts/kra-standalone-sign.sh b/scripts/kra-standalone-sign.sh
deleted file mode 100755
index 0c6a569..0000000
--- a/scripts/kra-standalone-sign.sh
+++ /dev/null
@@ -1,75 +0,0 @@
-#!/bin/sh
-
-rm -f external_ca.cert
-rm -f kra_admin.cert
-rm -f kra_transport.cert
-rm -f kra_storage.cert
-rm -f kra_sslserver.cert
-rm -f kra_subsystem.cert
-rm -f kra_audit_signing.cert
-
-#### CA Cert ####
-
-pki cert-show --output external_ca.cert 0x1
-#pki cert-show --output external_ca_chain.cert 0x1
-
-#### Admin Cert ####
-
-REQUEST_ID=`pki ca-cert-request-submit --profile caUserCert --csr-file kra_admin.csr --subject uid=kraadmin | grep "Request ID:" | awk -F ': ' '{print $2;}'`
-echo Request ID: $REQUEST_ID
-
-CERT_ID=`pki -d ~/.dogtag/pki-tomcat/ca/alias -c Secret.123 -n caadmin ca-cert-request-review --action approve $REQUEST_ID | grep "Certificate ID:" | awk -F ': ' '{print $2;}'`
-echo Certificate ID: $CERT_ID
-
-pki cert-show --output kra_admin.cert $CERT_ID
-
-#### Transport Cert ####
-
-REQUEST_ID=`pki ca-cert-request-submit --profile caTransportCert --csr-file kra_transport.csr | grep "Request ID:" | awk -F ': ' '{print $2;}'`
-echo Request ID: $REQUEST_ID
-
-CERT_ID=`pki -d ~/.dogtag/pki-tomcat/ca/alias -c Secret.123 -n caadmin ca-cert-request-review --action approve $REQUEST_ID | grep "Certificate ID:" | awk -F ': ' '{print $2;}'`
-echo Certificate ID: $CERT_ID
-
-pki cert-show --output kra_transport.cert $CERT_ID
-
-#### Storage Cert ####
-
-REQUEST_ID=`pki ca-cert-request-submit --profile caStorageCert --csr-file kra_storage.csr | grep "Request ID:" | awk -F ': ' '{print $2;}'`
-echo Request ID: $REQUEST_ID
-
-CERT_ID=`pki -d ~/.dogtag/pki-tomcat/ca/alias -c Secret.123 -n caadmin ca-cert-request-review --action approve $REQUEST_ID | grep "Certificate ID:" | awk -F ': ' '{print $2;}'`
-echo Certificate ID: $CERT_ID
-
-pki cert-show --output kra_storage.cert $CERT_ID
-
-#### Server Cert ####
-
-REQUEST_ID=`pki ca-cert-request-submit --profile caServerCert --csr-file kra_sslserver.csr | grep "Request ID:" | awk -F ': ' '{print $2;}'`
-echo Request ID: $REQUEST_ID
-
-CERT_ID=`pki -d ~/.dogtag/pki-tomcat/ca/alias -c Secret.123 -n caadmin ca-cert-request-review --action approve $REQUEST_ID | grep "Certificate ID:" | awk -F ': ' '{print $2;}'`
-echo Certificate ID: $CERT_ID
-
-pki cert-show --output kra_sslserver.cert $CERT_ID
-
-#### Subsystem Cert ####
-
-REQUEST_ID=`pki ca-cert-request-submit --profile caSubsystemCert --csr-file kra_subsystem.csr | grep "Request ID:" | awk -F ': ' '{print $2;}'`
-echo Request ID: $REQUEST_ID
-
-CERT_ID=`pki -d ~/.dogtag/pki-tomcat/ca/alias -c Secret.123 -n caadmin ca-cert-request-review --action approve $REQUEST_ID | grep "Certificate ID:" | awk -F ': ' '{print $2;}'`
-echo Certificate ID: $CERT_ID
-
-pki cert-show --output kra_subsystem.cert $CERT_ID
-
-#### Audit Signing Cert ####
-
-REQUEST_ID=`pki ca-cert-request-submit --profile caSignedLogCert --csr-file kra_audit_signing.csr | grep "Request ID:" | awk -F ': ' '{print $2;}'`
-echo Request ID: $REQUEST_ID
-
-CERT_ID=`pki -d ~/.dogtag/pki-tomcat/ca/alias -c Secret.123 -n caadmin ca-cert-request-review --action approve $REQUEST_ID | grep "Certificate ID:" | awk -F ': ' '{print $2;}'`
-echo Certificate ID: $CERT_ID
-
-pki cert-show --output kra_audit_signing.cert $CERT_ID
-
diff --git a/scripts/kra-standalone-step1.sh b/scripts/kra-standalone-step1.sh
index 073f9d4..87a649d 100755
--- a/scripts/kra-standalone-step1.sh
+++ b/scripts/kra-standalone-step1.sh
@@ -1,10 +1,45 @@
#!/bin/sh -x
-pkispawn -v -f kra-standalone-step1.cfg -s KRA
-
-cp /etc/pki/pki-tomcat/kra_admin.csr .
-cp /etc/pki/pki-tomcat/kra_transport.csr .
-cp /etc/pki/pki-tomcat/kra_storage.csr .
-cp /etc/pki/pki-tomcat/kra_sslserver.csr .
-cp /etc/pki/pki-tomcat/kra_subsystem.csr .
-cp /etc/pki/pki-tomcat/kra_audit_signing.csr .
+mkdir -p tmp
+
+cat > tmp/kra-standalone-step1.cfg << EOF
+[KRA]
+pki_admin_email=kraadmin@example.com
+pki_admin_name=kraadmin
+pki_admin_nickname=kraadmin
+pki_admin_password=Secret.123
+pki_admin_uid=kraadmin
+
+#pki_backup_keys=True
+#pki_backup_password=Secret.123
+
+pki_client_database_password=Secret.123
+pki_client_database_purge=False
+pki_client_pkcs12_password=Secret.123
+
+pki_ds_base_dn=dc=kra,dc=pki,dc=example,dc=com
+pki_ds_password=Secret.123
+pki_ds_database=kra
+
+pki_security_domain_name=EXAMPLE
+pki_token_password=Secret.123
+
+pki_standalone=True
+pki_external_step_two=False
+
+pki_storage_nickname=storage
+pki_transport_nickname=transport
+pki_audit_signing_nickname=kra_audit_signing
+pki_ssl_server_nickname=sslserver
+pki_subsystem_nickname=subsystem
+pki_cert_chain_nickname=external
+
+pki_external_admin_csr_path=$PWD/tmp/kra_admin.csr
+pki_external_audit_signing_csr_path=$PWD/tmp/kra_audit_signing.csr
+pki_external_sslserver_csr_path=$PWD/tmp/sslserver.csr
+pki_external_storage_csr_path=$PWD/tmp/kra_storage.csr
+pki_external_subsystem_csr_path=$PWD/tmp/subsystem.csr
+pki_external_transport_csr_path=$PWD/tmp/kra_transport.csr
+EOF
+
+pkispawn -v -f tmp/kra-standalone-step1.cfg -s KRA
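Review bot: The `[KRA]` block written here is duplicated almost verbatim in kra-standalone-step2.sh; the two differ only in `pki_external_step_two` and in the `pki_external_*_csr_path` versus `pki_external_*_cert_path` lines, so any change to the DS base DN, nicknames or passwords now has to be made twice and the two files can silently drift. Factoring the shared lines into one file that both scripts `cat` before appending their step-specific lines would keep the steps in sync. The unquoted `EOF` delimiter is required here so `$PWD` expands; a comment saying so, `# unquoted EOF: $PWD must expand into the cfg`, would keep someone from "hardening" it to `<< 'EOF'`.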
diff --git a/scripts/kra-standalone-step2.sh b/scripts/kra-standalone-step2.sh
index e58bbfe..e8fd709 100755
--- a/scripts/kra-standalone-step2.sh
+++ b/scripts/kra-standalone-step2.sh
@@ -1,15 +1,50 @@
#!/bin/sh -x
-cp external_ca.cert /etc/pki/pki-tomcat
+mkdir -p tmp
# TODO: should not be required
-cp external_ca_chain.cert /etc/pki/pki-tomcat
+# cp tmp/ca_signing.crt tmp/cert_chain.p7b
-cp kra_admin.cert /etc/pki/pki-tomcat
-cp kra_transport.cert /etc/pki/pki-tomcat
-cp kra_storage.cert /etc/pki/pki-tomcat
-cp kra_sslserver.cert /etc/pki/pki-tomcat
-cp kra_subsystem.cert /etc/pki/pki-tomcat
-cp kra_audit_signing.cert /etc/pki/pki-tomcat
+cat > tmp/kra-standalone-step2.cfg << EOF
+[KRA]
+pki_admin_email=kraadmin@example.com
+pki_admin_name=kraadmin
+pki_admin_nickname=kraadmin
+pki_admin_password=Secret.123
+pki_admin_uid=kraadmin
-pkispawn -v -f kra-standalone-step2.cfg -s KRA
+#pki_backup_keys=True
+#pki_backup_password=Secret.123
+
+pki_client_database_password=Secret.123
+pki_client_database_purge=False
+pki_client_pkcs12_password=Secret.123
+
+pki_ds_base_dn=dc=kra,dc=pki,dc=example,dc=com
+pki_ds_password=Secret.123
+pki_ds_database=kra
+
+pki_security_domain_name=EXAMPLE
+pki_token_password=Secret.123
+
+pki_standalone=True
+pki_external_step_two=True
+
+pki_storage_nickname=storage
+pki_transport_nickname=transport
+pki_audit_signing_nickname=kra_audit_signing
+pki_ssl_server_nickname=sslserver
+pki_subsystem_nickname=subsystem
+pki_cert_chain_nickname=external
+
+pki_external_ca_cert_chain_path=$PWD/tmp/cert_chain.p7b
+pki_external_ca_cert_path=$PWD/tmp/ca_signing.crt
+pki_external_admin_cert_path=$PWD/tmp/kra_admin.crt
+pki_external_storage_cert_path=$PWD/tmp/kra_storage.crt
+pki_external_transport_cert_path=$PWD/tmp/kra_transport.crt
+pki_external_audit_signing_cert_path=$PWD/tmp/kra_audit_signing.crt
+pki_external_sslserver_cert_path=$PWD/tmp/sslserver.crt
+pki_external_subsystem_cert_path=$PWD/tmp/subsystem.crt
+EOF
+
+pkispawn -v -f tmp/kra-standalone-step2.cfg -s KRA
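Review bot: `pki_external_ca_cert_chain_path=$PWD/tmp/cert_chain.p7b` points at a file that nothing in this commit produces: the only line that would create it, `# cp tmp/ca_signing.crt tmp/cert_chain.p7b`, is commented out, and the `# TODO: should not be required` note above it now reads as attached to that disabled copy rather than to the cfg key. Either enable the copy or drop the `pki_external_ca_cert_chain_path` line, and reword the TODO to say which one is meant, e.g. `# TODO: pkispawn should not need a separate chain file; cert_chain.p7b is a copy of ca_signing.crt`. Whether pkispawn tolerates the missing file is not visible from this hunk.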
diff --git a/scripts/kra.cfg b/scripts/kra.cfg
deleted file mode 100644
index ca1df6d..0000000
--- a/scripts/kra.cfg
+++ /dev/null
@@ -1,39 +0,0 @@
-[KRA]
-pki_admin_cert_file=/root/.dogtag/pki-tomcat/ca_admin.cert
-#pki_import_admin_cert=False
-#pki_import_admin_pkcs12_file=/root/.dogtag/pki-tomcat/ca_admin_cert.p12
-#pki_import_admin_pkcs12_password=Secret123
-#pki_import_admin_pkcs12_nickname=caadmin
-
-pki_admin_email=kraadmin@example.com
-pki_admin_name=kraadmin
-pki_admin_nickname=kraadmin
-pki_admin_password=Secret123
-pki_admin_uid=kraadmin
-
-#pki_backup_keys=True
-#pki_backup_password=Secret123
-
-pki_client_database_password=Secret123
-pki_client_pkcs12_password=Secret123
-#pki_client_database_purge=False
-
-#pki_clone_pkcs12_password=Secret123
-
-#pki_ds_ldaps_port=636
-#pki_ds_secure_connection=True
-#pki_ds_secure_connection_ca_nickname=Directory Server CA certificate
-#pki_ds_secure_connection_ca_pem_file=dsca.pem
-pki_ds_base_dn=dc=kra,dc=example,dc=com
-pki_ds_password=Secret123
-pki_ds_database=kra
-#pki_ds_database=userRoot
-#pki_ds_create_new_db=False
-#pki_ds_remove_data=True
-
-
-pki_security_domain_name=EXAMPLE
-pki_security_domain_user=caadmin
-pki_security_domain_password=Secret123
-pki_token_password=Secret123
-#pki_share_db=False
diff --git a/scripts/kra_admin-ca-sign.sh b/scripts/kra_admin-ca-sign.sh
new file mode 100755
index 0000000..731a1bb
--- /dev/null
+++ b/scripts/kra_admin-ca-sign.sh
@@ -0,0 +1,13 @@
+#!/bin/sh
+
+CMD="pki ca-cert-request-submit --profile caUserCert --csr-file tmp/kra_admin.csr --subject uid=kraadmin"
+echo $CMD
+REQUEST_ID=`$CMD | grep "Request ID:" | awk -F ': ' '{print $2;}'`
+echo Request ID: $REQUEST_ID
+
+CMD="pki -c Secret.123 -n caadmin ca-cert-request-review --action approve $REQUEST_ID"
+echo $CMD
+CERT_ID=`$CMD | grep "Certificate ID:" | awk -F ': ' '{print $2;}'`
+echo Certificate ID: $CERT_ID
+
+pki cert-show --output tmp/kra_admin.crt $CERT_ID
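Review bot: Neither `REQUEST_ID` nor `CERT_ID` is checked before use, so when the submit or the review fails the grep yields an empty string and the script goes on to run `ca-cert-request-review --action approve` with no request id and then `pki cert-show --output tmp/kra_admin.crt` with no certificate id, exiting 0 with no usable certificate; add `[ -n "$REQUEST_ID" ] || exit 1` after line 397 and `[ -n "$CERT_ID" ] || exit 1` after line 402. The agent password is also passed as `-c Secret.123` on the command line and then printed by `echo $CMD`, so it shows up in the process listing and in the script output; the `pki` client's `-C <password file>` option (if the installed version provides it) keeps it out of both. The same pattern is repeated in kra_audit_signing-ca-sign.sh, kra_storage-ca-sign.sh, kra_transport-ca-sign.sh, sslserver-ca-sign.sh and subsystem-ca-sign.sh.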
diff --git a/scripts/kra_admin-cmc-sign.sh b/scripts/kra_admin-cmc-sign.sh
new file mode 100755
index 0000000..9f6730b
--- /dev/null
+++ b/scripts/kra_admin-cmc-sign.sh
@@ -0,0 +1,80 @@
+#!/bin/sh
+
+mkdir -p tmp
+
+cat > tmp/kra_admin-cmc-request.cfg << EOF
+# NSS database directory.
+dbdir=$HOME/.dogtag/nssdb
+
+# NSS database password.
+password=Secret.123
+
+# Token name (default is internal).
+tokenname=internal
+
+# Nickname for agent certificate.
+nickname=caadmin
+
+# Request format: pkcs10 or crmf.
+format=pkcs10
+
+# Total number of PKCS10/CRMF requests.
+numRequests=1
+
+# Path to the PKCS10/CRMF request.
+# The content must be in Base-64 encoded format.
+# Multiple files are supported. They must be separated by space.
+input=$PWD/tmp/kra_admin.csr
+
+# Path for the CMC request in binary format
+output=$PWD/tmp/kra_admin-cmc-request.bin
+EOF
+
+CMCRequest tmp/kra_admin-cmc-request.cfg
+
+cat > tmp/kra_admin-cmc-submit.cfg << EOF
+# PKI server host name.
+host=$HOSTNAME
+
+# PKI server port number.
+port=8443
+
+# Use secure connection.
+# For secure connection with ECC, set environment variable 'export NSS_USE_DECODED_CKA_EC_POINT=1'.
+secure=true
+
+# Use client authentication.
+clientmode=true
+
+# NSS database directory.
+dbdir=$HOME/.dogtag/nssdb
+
+# NSS database password.
+password=Secret.123
+
+# Token name (default: internal).
+tokenname=internal
+
+# Nickname of agent certificate.
+nickname=caadmin
+
+# CMC servlet path
+servlet=/ca/ee/ca/profileSubmitUserSignedCMCFull
+
+# Path for the CMC request.
+input=tmp/kra_admin-cmc-request.bin
+
+# Path for the CMC response.
+output=tmp/kra_admin-cmc-response.bin
+EOF
+
+HttpClient tmp/kra_admin-cmc-submit.cfg
+
+CMCResponse -d ~/.dogtag/nssdb -i tmp/kra_admin-cmc-response.bin
+
+BtoA tmp/kra_admin-cmc-response.bin tmp/kra_admin-cmc-response.b64
+echo "-----BEGIN PKCS7-----" > tmp/kra_admin.crt
+cat tmp/kra_admin-cmc-response.b64 >> tmp/kra_admin.crt
+echo "-----END PKCS7-----" >> tmp/kra_admin.crt
+
+pki cert-show --output tmp/external.crt 0x1
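Review bot: The response file is wrapped into `tmp/kra_admin.crt` unconditionally: if `HttpClient` or `CMCResponse` fails, or the CMC status in the response is an error, the `BtoA`/`echo`/`cat` sequence still produces a PKCS7-looking file that kra-standalone-step2.sh later hands to pkispawn, where the failure surfaces far from its cause. Guarding the wrap with `CMCResponse -d ~/.dogtag/nssdb -i tmp/kra_admin-cmc-response.bin || exit 1` (and the same for `HttpClient`) would stop at the real failure. The final `pki cert-show --output tmp/external.crt 0x1` duplicates what ca_signing-export.sh already does at the start of the orchestrator, under a different file name. The same applies to kra_audit_signing-cmc-sign.sh, kra_storage-cmc-sign.sh, kra_transport-cmc-sign.sh, sslserver-cmc-sign.sh and subsystem-cmc-sign.sh.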
diff --git a/scripts/kra_audit_signing-ca-sign.sh b/scripts/kra_audit_signing-ca-sign.sh
new file mode 100755
index 0000000..185ecc4
--- /dev/null
+++ b/scripts/kra_audit_signing-ca-sign.sh
@@ -0,0 +1,14 @@
+#!/bin/sh
+
+CMD="pki ca-cert-request-submit --profile caSignedLogCert --csr-file tmp/kra_audit_signing.csr"
+echo $CMD
+REQUEST_ID=`$CMD | grep "Request ID:" | awk -F ': ' '{print $2;}'`
+echo Request ID: $REQUEST_ID
+
+CMD="pki -c Secret.123 -n caadmin ca-cert-request-review --action approve $REQUEST_ID"
+echo $CMD
+CERT_ID=`$CMD | grep "Certificate ID:" | awk -F ': ' '{print $2;}'`
+echo Certificate ID: $CERT_ID
+
+pki cert-show --output tmp/kra_audit_signing.crt $CERT_ID
+
diff --git a/scripts/kra_audit_signing-cmc-sign.sh b/scripts/kra_audit_signing-cmc-sign.sh
new file mode 100755
index 0000000..9f7aa34
--- /dev/null
+++ b/scripts/kra_audit_signing-cmc-sign.sh
@@ -0,0 +1,80 @@
+#!/bin/sh
+
+mkdir -p tmp
+
+cat > tmp/kra_audit_signing-cmc-request.cfg << EOF
+# NSS database directory.
+dbdir=$HOME/.dogtag/nssdb
+
+# NSS database password.
+password=Secret.123
+
+# Token name (default is internal).
+tokenname=internal
+
+# Nickname for agent certificate.
+nickname=caadmin
+
+# Request format: pkcs10 or crmf.
+format=pkcs10
+
+# Total number of PKCS10/CRMF requests.
+numRequests=1
+
+# Path to the PKCS10/CRMF request.
+# The content must be in Base-64 encoded format.
+# Multiple files are supported. They must be separated by space.
+input=$PWD/tmp/kra_audit_signing.csr
+
+# Path for the CMC request in binary format
+output=$PWD/tmp/kra_audit_signing-cmc-request.bin
+EOF
+
+CMCRequest tmp/kra_audit_signing-cmc-request.cfg
+
+cat > tmp/kra_audit_signing-cmc-submit.cfg << EOF
+# PKI server host name.
+host=$HOSTNAME
+
+# PKI server port number.
+port=8443
+
+# Use secure connection.
+# For secure connection with ECC, set environment variable 'export NSS_USE_DECODED_CKA_EC_POINT=1'.
+secure=true
+
+# Use client authentication.
+clientmode=true
+
+# NSS database directory.
+dbdir=$HOME/.dogtag/nssdb
+
+# NSS database password.
+password=Secret.123
+
+# Token name (default: internal).
+tokenname=internal
+
+# Nickname of agent certificate.
+nickname=caadmin
+
+# CMC servlet path
+servlet=/ca/ee/ca/profileSubmitCMCFullAuditSigningCert
+
+# Path for the CMC request.
+input=tmp/kra_audit_signing-cmc-request.bin
+
+# Path for the CMC response.
+output=tmp/kra_audit_signing-cmc-response.bin
+EOF
+
+HttpClient tmp/kra_audit_signing-cmc-submit.cfg
+
+CMCResponse -d ~/.dogtag/nssdb -i tmp/kra_audit_signing-cmc-response.bin
+
+BtoA tmp/kra_audit_signing-cmc-response.bin tmp/kra_audit_signing-cmc-response.b64
+echo "-----BEGIN PKCS7-----" > tmp/kra_audit_signing.crt
+cat tmp/kra_audit_signing-cmc-response.b64 >> tmp/kra_audit_signing.crt
+echo "-----END PKCS7-----" >> tmp/kra_audit_signing.crt
+
+pki cert-show --output tmp/external.crt 0x1
diff --git a/scripts/kra_storage-ca-sign.sh b/scripts/kra_storage-ca-sign.sh
new file mode 100755
index 0000000..861cfbf
--- /dev/null
+++ b/scripts/kra_storage-ca-sign.sh
@@ -0,0 +1,13 @@
+#!/bin/sh
+
+CMD="pki ca-cert-request-submit --profile caStorageCert --csr-file tmp/kra_storage.csr"
+echo $CMD
+REQUEST_ID=`$CMD | grep "Request ID:" | awk -F ': ' '{print $2;}'`
+echo Request ID: $REQUEST_ID
+
+CMD="pki -c Secret.123 -n caadmin ca-cert-request-review --action approve $REQUEST_ID"
+echo $CMD
+CERT_ID=`$CMD | grep "Certificate ID:" | awk -F ': ' '{print $2;}'`
+echo Certificate ID: $CERT_ID
+
+pki cert-show --output tmp/kra_storage.crt $CERT_ID
diff --git a/scripts/kra_storage-cmc-sign.sh b/scripts/kra_storage-cmc-sign.sh
new file mode 100755
index 0000000..c8af179
--- /dev/null
+++ b/scripts/kra_storage-cmc-sign.sh
@@ -0,0 +1,80 @@
+#!/bin/sh
+
+mkdir -p tmp
+
+cat > tmp/kra_storage-cmc-request.cfg << EOF
+# NSS database directory.
+dbdir=$HOME/.dogtag/nssdb
+
+# NSS database password.
+password=Secret.123
+
+# Token name (default is internal).
+tokenname=internal
+
+# Nickname for agent certificate.
+nickname=caadmin
+
+# Request format: pkcs10 or crmf.
+format=pkcs10
+
+# Total number of PKCS10/CRMF requests.
+numRequests=1
+
+# Path to the PKCS10/CRMF request.
+# The content must be in Base-64 encoded format.
+# Multiple files are supported. They must be separated by space.
+input=$PWD/tmp/kra_storage.csr
+
+# Path for the CMC request in binary format
+output=$PWD/tmp/kra_storage-cmc-request.bin
+EOF
+
+CMCRequest tmp/kra_storage-cmc-request.cfg
+
+cat > tmp/kra_storage-cmc-submit.cfg << EOF
+# PKI server host name.
+host=$HOSTNAME
+
+# PKI server port number.
+port=8443
+
+# Use secure connection.
+# For secure connection with ECC, set environment variable 'export NSS_USE_DECODED_CKA_EC_POINT=1'.
+secure=true
+
+# Use client authentication.
+clientmode=true
+
+# NSS database directory.
+dbdir=$HOME/.dogtag/nssdb
+
+# NSS database password.
+password=Secret.123
+
+# Token name (default: internal).
+tokenname=internal
+
+# Nickname of agent certificate.
+nickname=caadmin
+
+# CMC servlet path
+servlet=/ca/ee/ca/profileSubmitCMCFullKRAstorageCert
+
+# Path for the CMC request.
+input=tmp/kra_storage-cmc-request.bin
+
+# Path for the CMC response.
+output=tmp/kra_storage-cmc-response.bin
+EOF
+
+HttpClient tmp/kra_storage-cmc-submit.cfg
+
+CMCResponse -d ~/.dogtag/nssdb -i tmp/kra_storage-cmc-response.bin
+
+BtoA tmp/kra_storage-cmc-response.bin tmp/kra_storage-cmc-response.b64
+echo "-----BEGIN PKCS7-----" > tmp/kra_storage.crt
+cat tmp/kra_storage-cmc-response.b64 >> tmp/kra_storage.crt
+echo "-----END PKCS7-----" >> tmp/kra_storage.crt
+
+pki cert-show --output tmp/external.crt 0x1
diff --git a/scripts/kra_transport-ca-sign.sh b/scripts/kra_transport-ca-sign.sh
new file mode 100755
index 0000000..90e9917
--- /dev/null
+++ b/scripts/kra_transport-ca-sign.sh
@@ -0,0 +1,13 @@
+#!/bin/sh
+
+CMD="pki ca-cert-request-submit --profile caTransportCert --csr-file tmp/kra_transport.csr"
+echo $CMD
+REQUEST_ID=`$CMD | grep "Request ID:" | awk -F ': ' '{print $2;}'`
+echo Request ID: $REQUEST_ID
+
+CMD="pki -c Secret.123 -n caadmin ca-cert-request-review --action approve $REQUEST_ID"
+echo $CMD
+CERT_ID=`$CMD | grep "Certificate ID:" | awk -F ': ' '{print $2;}'`
+echo Certificate ID: $CERT_ID
+
+pki cert-show --output tmp/kra_transport.crt $CERT_ID
diff --git a/scripts/kra_transport-cmc-sign.sh b/scripts/kra_transport-cmc-sign.sh
new file mode 100755
index 0000000..3341efd
--- /dev/null
+++ b/scripts/kra_transport-cmc-sign.sh
@@ -0,0 +1,80 @@
+#!/bin/sh
+
+mkdir -p tmp
+
+cat > tmp/kra_transport-cmc-request.cfg << EOF
+# NSS database directory.
+dbdir=$HOME/.dogtag/nssdb
+
+# NSS database password.
+password=Secret.123
+
+# Token name (default is internal).
+tokenname=internal
+
+# Nickname for agent certificate.
+nickname=caadmin
+
+# Request format: pkcs10 or crmf.
+format=pkcs10
+
+# Total number of PKCS10/CRMF requests.
+numRequests=1
+
+# Path to the PKCS10/CRMF request.
+# The content must be in Base-64 encoded format.
+# Multiple files are supported. They must be separated by space.
+input=$PWD/tmp/kra_transport.csr
+
+# Path for the CMC request in binary format
+output=$PWD/tmp/kra_transport-cmc-request.bin
+EOF
+
+CMCRequest tmp/kra_transport-cmc-request.cfg
+
+cat > tmp/kra_transport-cmc-submit.cfg << EOF
+# PKI server host name.
+host=$HOSTNAME
+
+# PKI server port number.
+port=8443
+
+# Use secure connection.
+# For secure connection with ECC, set environment variable 'export NSS_USE_DECODED_CKA_EC_POINT=1'.
+secure=true
+
+# Use client authentication.
+clientmode=true
+
+# NSS database directory.
+dbdir=$HOME/.dogtag/nssdb
+
+# NSS database password.
+password=Secret.123
+
+# Token name (default: internal).
+tokenname=internal
+
+# Nickname of agent certificate.
+nickname=caadmin
+
+# CMC servlet path
+servlet=/ca/ee/ca/profileSubmitCMCFullKRAtransportCert
+
+# Path for the CMC request.
+input=tmp/kra_transport-cmc-request.bin
+
+# Path for the CMC response.
+output=tmp/kra_transport-cmc-response.bin
+EOF
+
+HttpClient tmp/kra_transport-cmc-submit.cfg
+
+CMCResponse -d ~/.dogtag/nssdb -i tmp/kra_transport-cmc-response.bin
+
+BtoA tmp/kra_transport-cmc-response.bin tmp/kra_transport-cmc-response.b64
+echo "-----BEGIN PKCS7-----" > tmp/kra_transport.crt
+cat tmp/kra_transport-cmc-response.b64 >> tmp/kra_transport.crt
+echo "-----END PKCS7-----" >> tmp/kra_transport.crt
+
+pki cert-show --output tmp/external.crt 0x1
diff --git a/scripts/sslserver-ca-sign.sh b/scripts/sslserver-ca-sign.sh
new file mode 100755
index 0000000..8dd728c
--- /dev/null
+++ b/scripts/sslserver-ca-sign.sh
@@ -0,0 +1,13 @@
+#!/bin/sh
+
+CMD="pki ca-cert-request-submit --profile caServerCert --csr-file tmp/sslserver.csr"
+echo $CMD
+REQUEST_ID=`$CMD | grep "Request ID:" | awk -F ': ' '{print $2;}'`
+echo Request ID: $REQUEST_ID
+
+CMD="pki -c Secret.123 -n caadmin ca-cert-request-review --action approve $REQUEST_ID"
+echo $CMD
+CERT_ID=`$CMD | grep "Certificate ID:" | awk -F ': ' '{print $2;}'`
+echo Certificate ID: $CERT_ID
+
+pki cert-show --output tmp/sslserver.crt $CERT_ID
diff --git a/scripts/sslserver-cmc-sign.sh b/scripts/sslserver-cmc-sign.sh
new file mode 100755
index 0000000..bb288ea
--- /dev/null
+++ b/scripts/sslserver-cmc-sign.sh
@@ -0,0 +1,80 @@
+#!/bin/sh
+
+mkdir -p tmp
+
+cat > tmp/sslserver-cmc-request.cfg << EOF
+# NSS database directory.
+dbdir=$HOME/.dogtag/nssdb
+
+# NSS database password.
+password=Secret.123
+
+# Token name (default is internal).
+tokenname=internal
+
+# Nickname for agent certificate.
+nickname=caadmin
+
+# Request format: pkcs10 or crmf.
+format=pkcs10
+
+# Total number of PKCS10/CRMF requests.
+numRequests=1
+
+# Path to the PKCS10/CRMF request.
+# The content must be in Base-64 encoded format.
+# Multiple files are supported. They must be separated by space.
+input=$PWD/tmp/sslserver.csr
+
+# Path for the CMC request in binary format
+output=$PWD/tmp/sslserver-cmc-request.bin
+EOF
+
+CMCRequest tmp/sslserver-cmc-request.cfg
+
+cat > tmp/sslserver-cmc-submit.cfg << EOF
+# PKI server host name.
+host=$HOSTNAME
+
+# PKI server port number.
+port=8443
+
+# Use secure connection.
+# For secure connection with ECC, set environment variable 'export NSS_USE_DECODED_CKA_EC_POINT=1'.
+secure=true
+
+# Use client authentication.
+clientmode=true
+
+# NSS database directory.
+dbdir=$HOME/.dogtag/nssdb
+
+# NSS database password.
+password=Secret.123
+
+# Token name (default: internal).
+tokenname=internal
+
+# Nickname of agent certificate.
+nickname=caadmin
+
+# CMC servlet path
+servlet=/ca/ee/ca/profileSubmitCMCFullServerCert
+
+# Path for the CMC request.
+input=tmp/sslserver-cmc-request.bin
+
+# Path for the CMC response.
+output=tmp/sslserver-cmc-response.bin
+EOF
+
+HttpClient tmp/sslserver-cmc-submit.cfg
+
+CMCResponse -d ~/.dogtag/nssdb -i tmp/sslserver-cmc-response.bin
+
+BtoA tmp/sslserver-cmc-response.bin tmp/sslserver-cmc-response.b64
+echo "-----BEGIN PKCS7-----" > tmp/sslserver.crt
+cat tmp/sslserver-cmc-response.b64 >> tmp/sslserver.crt
+echo "-----END PKCS7-----" >> tmp/sslserver.crt
+
+pki cert-show --output tmp/external.crt 0x1
diff --git a/scripts/subsystem-ca-sign.sh b/scripts/subsystem-ca-sign.sh
new file mode 100755
index 0000000..14cc32a
--- /dev/null
+++ b/scripts/subsystem-ca-sign.sh
@@ -0,0 +1,13 @@
+#!/bin/sh
+
+CMD="pki ca-cert-request-submit --profile caSubsystemCert --csr-file tmp/subsystem.csr"
+echo $CMD
+REQUEST_ID=`$CMD | grep "Request ID:" | awk -F ': ' '{print $2;}'`
+echo Request ID: $REQUEST_ID
+
+CMD="pki -c Secret.123 -n caadmin ca-cert-request-review --action approve $REQUEST_ID"
+echo $CMD
+CERT_ID=`$CMD | grep "Certificate ID:" | awk -F ': ' '{print $2;}'`
+echo Certificate ID: $CERT_ID
+
+pki cert-show --output tmp/subsystem.crt $CERT_ID
diff --git a/scripts/subsystem-cmc-sign.sh b/scripts/subsystem-cmc-sign.sh
new file mode 100755
index 0000000..eb74b7c
--- /dev/null
+++ b/scripts/subsystem-cmc-sign.sh
@@ -0,0 +1,80 @@
+#!/bin/sh
+
+mkdir -p tmp
+
+cat > tmp/subsystem-cmc-request.cfg << EOF
+# NSS database directory.
+dbdir=$HOME/.dogtag/nssdb
+
+# NSS database password.
+password=Secret.123
+
+# Token name (default is internal).
+tokenname=internal
+
+# Nickname for agent certificate.
+nickname=caadmin
+
+# Request format: pkcs10 or crmf.
+format=pkcs10
+
+# Total number of PKCS10/CRMF requests.
+numRequests=1
+
+# Path to the PKCS10/CRMF request.
+# The content must be in Base-64 encoded format.
+# Multiple files are supported. They must be separated by space.
+input=$PWD/tmp/subsystem.csr
+
+# Path for the CMC request in binary format
+output=$PWD/tmp/subsystem-cmc-request.bin
+EOF
+
+CMCRequest tmp/subsystem-cmc-request.cfg
+
+cat > tmp/subsystem-cmc-submit.cfg << EOF
+# PKI server host name.
+host=$HOSTNAME
+
+# PKI server port number.
+port=8443
+
+# Use secure connection.
+# For secure connection with ECC, set environment variable 'export NSS_USE_DECODED_CKA_EC_POINT=1'.
+secure=true
+
+# Use client authentication.
+clientmode=true
+
+# NSS database directory.
+dbdir=$HOME/.dogtag/nssdb
+
+# NSS database password.
+password=Secret.123
+
+# Token name (default: internal).
+tokenname=internal
+
+# Nickname of agent certificate.
+nickname=caadmin
+
+# CMC servlet path
+servlet=/ca/ee/ca/profileSubmitCMCFullSubsystemCert
+
+# Path for the CMC request.
+input=tmp/subsystem-cmc-request.bin
+
+# Path for the CMC response.
+output=tmp/subsystem-cmc-response.bin
+EOF
+
+HttpClient tmp/subsystem-cmc-submit.cfg
+
+CMCResponse -d ~/.dogtag/nssdb -i tmp/subsystem-cmc-response.bin
+
+BtoA tmp/subsystem-cmc-response.bin tmp/subsystem-cmc-response.b64
+echo "-----BEGIN PKCS7-----" > tmp/subsystem.crt
+cat tmp/subsystem-cmc-response.b64 >> tmp/subsystem.crt
+echo "-----END PKCS7-----" >> tmp/subsystem.crt
+
+pki cert-show --output tmp/external.crt 0x1