authorEndi S. Dewata <edewata@redhat.com>2017-07-12 17:28:37 +0200
committerEndi S. Dewata <edewata@redhat.com>2017-07-12 17:28:37 +0200
commit3190be941ce9bb8b05b1bf9d49aa95480c1ba77b (patch)
tree33b37845f9a405ef9ce4b8396ac8f180e5794154
parentda5d725379fff33a445c0b0a5c510b62e2485c88 (diff)
Updated CA scripts.
-rwxr-xr-xscripts/ca-admin-setup.sh15
-rwxr-xr-xscripts/ca-cert-find.sh3
-rwxr-xr-xscripts/ca-clone-configure.sh66
-rwxr-xr-xscripts/ca-clone-create.sh63
-rwxr-xr-xscripts/ca-clone-import.sh5
-rwxr-xr-xscripts/ca-clone-prep.sh17
-rwxr-xr-xscripts/ca-clone-remove.sh7
-rwxr-xr-xscripts/ca-clone-restart.sh4
-rwxr-xr-xscripts/ca-clone-start.sh3
-rwxr-xr-xscripts/ca-clone-stop.sh3
-rwxr-xr-xscripts/ca-create.sh8
-rwxr-xr-xscripts/ca-csr-dump.sh3
-rwxr-xr-xscripts/ca-customize.sh5
-rwxr-xr-xscripts/ca-existing-create.sh9
-rwxr-xr-xscripts/ca-existing-export.sh12
-rwxr-xr-xscripts/ca-export.sh33
-rwxr-xr-xscripts/ca-external-nss-sign.sh67
-rwxr-xr-xscripts/ca-external-step1.sh28
-rwxr-xr-xscripts/ca-external-step2.sh13
-rwxr-xr-xscripts/ca-hsm-fips-enable.sh3
-rwxr-xr-xscripts/ca-keys.sh7
-rwxr-xr-xscripts/ca-level3-step1.sh19
-rwxr-xr-xscripts/ca-level3-step2.sh7
-rwxr-xr-xscripts/ca-lunasa-clone-create.sh7
-rwxr-xr-xscripts/ca-lunasa-create.sh8
-rwxr-xr-xscripts/ca-lunasa-external-step1.sh19
-rwxr-xr-xscripts/ca-lunasa-external-step2.sh10
-rwxr-xr-xscripts/ca-merged-create.sh2
-rwxr-xr-xscripts/ca-nfast-create-step1.sh9
-rwxr-xr-xscripts/ca-nfast-create-step2.sh9
-rwxr-xr-xscripts/ca-nfast-create.sh3
-rwxr-xr-xscripts/ca-nfast-external-step1.sh19
-rwxr-xr-xscripts/ca-nfast-external-step2.sh10
-rwxr-xr-xscripts/ca-p12-create.sh19
-rwxr-xr-xscripts/ca-p12-export.sh64
-rwxr-xr-xscripts/ca-remove.sh2
-rwxr-xr-xscripts/ca-renew-step1.sh10
-rwxr-xr-xscripts/ca-renew-step2.sh66
-rwxr-xr-xscripts/ca-renew-step3.sh8
-rwxr-xr-xscripts/ca-restore.sh18
-rwxr-xr-xscripts/ca-ssl-create.sh8
-rwxr-xr-xscripts/ca-step1.sh5
-rwxr-xr-xscripts/ca-step2.sh5
-rwxr-xr-xscripts/ca-sub-create.sh3
-rwxr-xr-xscripts/ca-sub-lunasa-create.sh3
-rwxr-xr-xscripts/ca-sub-nfast-step1.sh3
-rwxr-xr-xscripts/ca-sub-nfast-step2.sh3
-rwxr-xr-xscripts/ca-sub-nfast.sh3
-rwxr-xr-xscripts/ca-sub-remove.sh6
-rwxr-xr-xscripts/ca-sub-step1.sh3
-rwxr-xr-xscripts/ca-sub-step2.sh3
-rwxr-xr-xscripts/ca-tomcat7-create.sh39
-rwxr-xr-xscripts/ca-tomcat8-create.sh39
-rwxr-xr-xscripts/ca-tomcat85-create.sh39
-rwxr-xr-xscripts/ca-tps-remove.sh13
-rw-r--r--scripts/ca.cfg36
-rwxr-xr-xscripts/ca_signing-generate-csr.sh24
-rwxr-xr-xscripts/caext-create.sh3
-rwxr-xr-xscripts/caext-remove.sh6
-rwxr-xr-xscripts/cassl-create.sh8
60 files changed, 911 insertions, 24 deletions
diff --git a/scripts/ca-admin-setup.sh b/scripts/ca-admin-setup.sh
new file mode 100755
index 0000000..c7f4953
--- /dev/null
+++ b/scripts/ca-admin-setup.sh
@@ -0,0 +1,15 @@
+#!/bin/sh -x
+
+pki -d ~/.dogtag/pki-tomcat/ca/alias -c Secret123 -n caadmin ca-user-add causer --fullName "CA Admin"
+pki -d ~/.dogtag/pki-tomcat/ca/alias -c Secret123 -n caadmin ca-group-member-add "Administrators" causer
+
+REQUEST_ID=`pki -c Secret123 client-cert-request uid=causer | grep "Request ID:" | awk -F ': ' '{print $2;}'`
+echo Request ID: $REQUEST_ID
+
+CERT_ID=`pki -d ~/.dogtag/pki-tomcat/ca/alias -c Secret123 -n caadmin ca-cert-request-review --action approve $REQUEST_ID | grep "Certificate ID:" | awk -F ': ' '{print $2;}'`
+echo Certificate ID: $CERT_ID
+
+pki -d ~/.dogtag/pki-tomcat/ca/alias -c Secret123 -n caadmin ca-user-cert-add causer --serial $CERT_ID
+pki -c Secret123 client-cert-import causer --serial $CERT_ID
+
+pki -c Secret123 client-cert-show causer --pkcs12 causer.p12 --pkcs12-password Secret123
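Review bot: `REQUEST_ID` on line 87 is never checked before it is passed to `ca-cert-request-review --action approve` on line 90, so an empty extraction (pki failing, a changed output format) runs the approval with a missing argument or against whatever the shell word-splits into place; add `[ -n "$REQUEST_ID" ] || exit 1` after line 87 and the same guard for `CERT_ID` after line 90. Because the file runs under `#!/bin/sh -x`, every `-c Secret123` and `--pkcs12-password Secret123` is traced to stderr; a password file (`--pkcs12-password-file`, as ca-existing-export.sh already uses) or dropping `-x` keeps the secret out of logs. The backticks and the unquoted `$REQUEST_ID`/`$CERT_ID` are mechanical ShellCheck fixes (`$(...)` and double quotes).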
diff --git a/scripts/ca-cert-find.sh b/scripts/ca-cert-find.sh
new file mode 100755
index 0000000..3992d10
--- /dev/null
+++ b/scripts/ca-cert-find.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+curl http://$HOSTNAME:8080/ca/rest/certs | xmllint --format -
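Review bot: `curl http://$HOSTNAME:8080/ca/rest/certs` on line 105 does not fail on an HTTP error, so a 404/500 body is piped into xmllint and the script reports xmllint's status instead of curl's; `curl -fsS "http://$HOSTNAME:8080/ca/rest/certs" | xmllint --format -` fails on the HTTP status and quotes the expansion. The listing is fetched over plain HTTP on 8080, which suits a dev instance but deserves a one-line comment so the script is not reused as a production check.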
diff --git a/scripts/ca-clone-configure.sh b/scripts/ca-clone-configure.sh
new file mode 100755
index 0000000..4c3d55b
--- /dev/null
+++ b/scripts/ca-clone-configure.sh
@@ -0,0 +1,66 @@
+#!/bin/sh -x
+
+PKI_DEV_SRC=`cd .. ; pwd`
+
+INSTANCE_NAME=pki-caclone
+PASSWORD=Secret123
+PIN=`grep preop.pin= /var/lib/$INSTANCE_NAME/conf/CS.cfg | awk -F= '{ print $2; }'`
+
+REALM=EXAMPLE-COM
+CERTS=$PKI_DEV_SRC/certs/caclone
+rm -rf $CERTS
+mkdir -p $CERTS
+
+./ca-clone-certs.sh
+
+pkisilent ConfigureCA \
+ -cs_hostname "$HOSTNAME" \
+ -cs_port "9444" \
+ -preop_pin "$PIN" \
+ -client_certdb_dir "$CERTS" \
+ -client_certdb_pwd "$PASSWORD" \
+ -token_name "internal" \
+ -domain_name "$REALM" \
+ -subsystem_name "Certificate Authority Clone" \
+ -clone "true" \
+ -clone_uri "https://$HOSTNAME:9443" \
+ -clone_p12_file "ca-server-certs.p12" \
+ -clone_p12_password "$PASSWORD" \
+ -sd_hostname "$HOSTNAME" \
+ -sd_admin_port 9443 \
+ -sd_ssl_port 9443 \
+ -sd_agent_port 9443 \
+ -sd_admin_name "caadmin" \
+ -sd_admin_password "$PASSWORD" \
+ -ldap_host "localhost" \
+ -ldap_port "390" \
+ -base_dn "dc=ca,dc=example,dc=com" \
+ -db_name "example.com-$INSTANCE_NAME" \
+ -bind_dn "cn=Directory Manager" \
+ -bind_password "$PASSWORD" \
+ -remove_data "true" \
+ -key_type rsa \
+ -key_size 2048 \
+ -key_algorithm SHA256withRSA \
+ -signing_signingalgorithm SHA256withRSA \
+ -save_p12 true \
+ -backup_fname "$CERTS/caclone-server-certs.p12" \
+ -backup_pwd "$PASSWORD" \
+ -ca_sign_cert_subject_name "CN=Certificate Authority,O=$REALM" \
+ -ca_ocsp_cert_subject_name "CN=OCSP Signing Certificate,O=$REALM" \
+ -ca_server_cert_subject_name "CN=$HOSTNAME,O=$REALM" \
+ -ca_subsystem_cert_subject_name "CN=CA Subsystem Certificate,O=$REALM" \
+ -ca_audit_signing_cert_subject_name "CN=CA Audit Signing Certificate,O=$REALM" \
+ -admin_user "caadmin" \
+ -agent_name "caadmin" \
+ -admin_email "caadmin@example.com" \
+ -admin_password "$PASSWORD" \
+ -agent_key_size 2048 \
+ -agent_key_type rsa \
+ -agent_cert_subject "CN=caadmin,UID=caadmin,E=caadmin@example.com,O=$REALM"
+
+
+echo $PASSWORD > "$CERTS/password.txt"
+PKCS12Export -d "$CERTS" -o "$CERTS/caclone-client-certs.p12" -p "$CERTS/password.txt" -w "$CERTS/password.txt"
+
+systemctl restart pki-cad@$INSTANCE_NAME.service
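Review bot: `rm -rf $CERTS` on line 122 is unquoted and unguarded; `CERTS` is derived from `PKI_DEV_SRC=\`cd .. ; pwd\``, so an unexpected expansion makes the rm unbounded — write it as `rm -rf -- "${CERTS:?}"` so an empty value aborts instead of deleting. `echo $PASSWORD > "$CERTS/password.txt"` on line 174 creates the file under the default umask, so the password is readable by other local accounts; a `umask 077` at the top of the script, or `chmod 600` after the write, keeps it owner-only. With `#!/bin/sh -x`, `-client_certdb_pwd`, `-bind_password` and the other password options on lines 132–168 are also written to the trace output.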
diff --git a/scripts/ca-clone-create.sh b/scripts/ca-clone-create.sh
new file mode 100755
index 0000000..b890789
--- /dev/null
+++ b/scripts/ca-clone-create.sh
@@ -0,0 +1,63 @@
+#!/bin/sh -x
+
+MASTER=`cat master.txt`
+
+/bin/cp ca_backup_keys.p12 /tmp
+/bin/cp ca_admin.cert /tmp
+/bin/cp ca_admin_cert.p12 /tmp
+
+cat > ca-clone.cfg << EOF
+#[DEFAULT]
+#pki_pin=Secret.123
+
+[CA]
+pki_admin_email=caadmin@example.com
+pki_admin_name=caadmin
+pki_admin_nickname=caadmin
+pki_admin_password=Secret.123
+pki_admin_uid=caadmin
+
+pki_client_database_password=Secret.123
+pki_client_pkcs12_password=Secret.123
+
+pki_ds_base_dn=dc=ca,dc=pki,dc=example,dc=com
+pki_ds_database=ca
+pki_ds_password=Secret.123
+
+#pki_ds_secure_connection=True
+#pki_ds_ldaps_port=636
+#pki_ds_secure_connection_ca_nickname=$MASTER
+#pki_ds_secure_connection_ca_pem_file=$MASTER.crt
+
+pki_security_domain_hostname=$MASTER
+pki_security_domain_user=caadmin
+pki_security_domain_password=Secret.123
+
+pki_clone=True
+pki_clone_replicate_schema=True
+pki_clone_uri=https://$MASTER:8443
+
+# PKI 9
+#pki_ca_signing_nickname=caSigningCert cert-pki-ca
+#pki_ocsp_signing_nickname=ocspSigningCert cert-pki-ca
+#pki_audit_signing_nickname=auditSigningCert cert-pki-ca
+#pki_ssl_server_nickname=Server-Cert cert-pki-ca
+#pki_subsystem_nickname=subsystemCert cert-pki-ca
+
+# PKI 10
+pki_ca_signing_nickname=ca_signing
+pki_ocsp_signing_nickname=ca_ocsp_signing
+pki_audit_signing_nickname=ca_audit_signing
+pki_ssl_server_nickname=sslserver
+pki_subsystem_nickname=subsystem
+
+# Dogtag 10.2 only
+pki_clone_pkcs12_password=Secret.123
+pki_clone_pkcs12_path=/tmp/ca_backup_keys.p12
+
+# Dogtag 10.3 only
+#pki_server_pkcs12_path=pki-server.p12
+#pki_server_pkcs12_password=Secret.123
+EOF
+
+pkispawn -vvv -f ca-clone.cfg -s CA
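Review bot: `MASTER=\`cat master.txt\`` on line 186 is unchecked, so a missing master.txt silently produces `pki_clone_uri=https://:8443` and an empty `pki_security_domain_hostname=` in the generated ca-clone.cfg; use `MASTER=$(cat master.txt) && [ -n "$MASTER" ] || exit 1`. ca-clone.cfg embeds the DS, admin and PKCS#12 passwords and is written with the default umask; a `umask 077` before the heredoc keeps it owner-readable. The three `/bin/cp` lines on 188–190 copy the key backup into /tmp without checking the result, so a missing file only surfaces as a later pkispawn error.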
diff --git a/scripts/ca-clone-import.sh b/scripts/ca-clone-import.sh
new file mode 100755
index 0000000..5914b7c
--- /dev/null
+++ b/scripts/ca-clone-import.sh
@@ -0,0 +1,5 @@
+#!/bin/sh -x
+
+cp /home/edewata/ca_backup_keys.p12 /tmp
+cp /home/edewata/ca_admin.cert /tmp
+cp /home/edewata/ca_admin_cert.p12 /tmp
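Review bot: lines 255–257 hard-code `/home/edewata`, so the script only works for one account; `SRC=${1:-$HOME}` followed by `cp "$SRC/ca_backup_keys.p12" /tmp` keeps the author's behaviour while making it usable elsewhere. As in ca-clone-create.sh the copies into /tmp are unchecked, so a missing source file goes unnoticed until the clone install fails.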
diff --git a/scripts/ca-clone-prep.sh b/scripts/ca-clone-prep.sh
new file mode 100755
index 0000000..ffd5538
--- /dev/null
+++ b/scripts/ca-clone-prep.sh
@@ -0,0 +1,17 @@
+#!/bin/sh -x
+
+echo $HOSTNAME > master.txt
+
+grep "internal=" /var/lib/pki/pki-tomcat/conf/password.conf | awk -F= '{print $2}' > internal.txt
+echo Secret.123 > password.txt
+
+PKCS12Export -debug -d /var/lib/pki/pki-tomcat/alias -p internal.txt -w password.txt -o ca_backup_keys.p12
+
+pki pkcs12-cert-find --pkcs12-file ca_backup_keys.p12 --pkcs12-password Secret.123
+
+pki-server ca-clone-prepare --pkcs12-file pki-server.p12 --pkcs12-password Secret.123
+
+pki pkcs12-cert-find --pkcs12-file pki-server.p12 --pkcs12-password Secret.123
+
+cp ~/.dogtag/pki-tomcat/ca_admin.cert .
+cp ~/.dogtag/pki-tomcat/ca_admin_cert.p12 .
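Review bot: the `grep "internal="` on line 268 is an unanchored substring match, so any other key in password.conf ending in `internal=` also lands in internal.txt and PKCS12Export then reads a multi-line password; `grep '^internal=' /var/lib/pki/pki-tomcat/conf/password.conf | cut -d= -f2- > internal.txt` anchors the key and, unlike `awk -F= '{print $2}'`, keeps a password that itself contains `=`. internal.txt and password.txt hold the NSS DB and export passwords in the working directory under the default umask; `umask 077` at the top keeps them private. `echo Secret.123 > password.txt` on line 269 duplicates the literal used on lines 273–277, so one `PASSWORD` variable would stop the two from drifting.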
diff --git a/scripts/ca-clone-remove.sh b/scripts/ca-clone-remove.sh
new file mode 100755
index 0000000..7e98422
--- /dev/null
+++ b/scripts/ca-clone-remove.sh
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+SRC_DIR=`cd ../.. ; pwd`
+#INSTANCE_NAME=pki-clone
+INSTANCE_NAME=pki-tomcat
+
+pkidestroy -v -s CA -i $INSTANCE_NAME
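Review bot: `SRC_DIR` on line 289 is computed in a subshell and never used; drop it. The commented `INSTANCE_NAME=pki-clone` on line 290 next to the live `pki-tomcat` on 291 leaves unclear which instance a "clone remove" script is meant to destroy, and `pkidestroy` on the wrong one is not recoverable; `INSTANCE_NAME=${1:-pki-tomcat}` with a one-line comment naming the default would make the intent explicit.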
diff --git a/scripts/ca-clone-restart.sh b/scripts/ca-clone-restart.sh
new file mode 100755
index 0000000..9c158d7
--- /dev/null
+++ b/scripts/ca-clone-restart.sh
@@ -0,0 +1,4 @@
+#!/bin/sh -x
+
+./ca-clone-stop.sh
+./ca-clone-start.sh
diff --git a/scripts/ca-clone-start.sh b/scripts/ca-clone-start.sh
new file mode 100755
index 0000000..9ebfd59
--- /dev/null
+++ b/scripts/ca-clone-start.sh
@@ -0,0 +1,3 @@
+#!/bin/sh -x
+
+systemctl start pki-tomcatd@ca-clone.service
diff --git a/scripts/ca-clone-stop.sh b/scripts/ca-clone-stop.sh
new file mode 100755
index 0000000..63e7b51
--- /dev/null
+++ b/scripts/ca-clone-stop.sh
@@ -0,0 +1,3 @@
+#!/bin/sh -x
+
+systemctl stop pki-tomcatd@ca-clone.service
diff --git a/scripts/ca-create.sh b/scripts/ca-create.sh
index 42b4105..48c5342 100755
--- a/scripts/ca-create.sh
+++ b/scripts/ca-create.sh
@@ -1,4 +1,8 @@
#!/bin/sh -x
-mkdir -p build
-pkispawn -v -f ca.cfg -s CA 2>&1 | tee build/ca-create.log
+pkispawn -vv -f ca.cfg -s CA
+
+#/bin/cp /root/.dogtag/pki-tomcat/ca_admin.cert .
+#/bin/cp /root/.dogtag/pki-tomcat/ca_admin_cert.p12 .
+#/bin/cp /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf ca_admin_cert.txt
+#echo $HOSTNAME > master.txt
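Review bot: with `echo $HOSTNAME > master.txt` commented out on line 335 this script no longer produces master.txt, yet ca-clone-create.sh in the same commit reads it with `MASTER=\`cat master.txt\`` and embeds the value in the clone configuration; if master.txt is now expected from ca-clone-prep.sh, a comment such as `# master.txt is written by ca-clone-prep.sh` in place of the four dead lines would record that dependency. Leaving the old commands commented out gives no hint which script took over.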
diff --git a/scripts/ca-csr-dump.sh b/scripts/ca-csr-dump.sh
new file mode 100755
index 0000000..177d356
--- /dev/null
+++ b/scripts/ca-csr-dump.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+openssl req -text -noout -in /tmp/ca_signing.csr
diff --git a/scripts/ca-customize.sh b/scripts/ca-customize.sh
new file mode 100755
index 0000000..1bae37e
--- /dev/null
+++ b/scripts/ca-customize.sh
@@ -0,0 +1,5 @@
+#!/bin/sh
+
+sed -i "s/startTime=60/startTime=0/" /var/lib/pki/pki-tomcat/ca/profiles/ca/caSignedLogCert.cfg
+
+./tomcat-restart.sh
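Review bot: `./tomcat-restart.sh` on line 355 runs even when the `sed -i` on line 353 fails (profile file missing, instance not installed), so the restart hides the error; `sed -i ... || exit 1` keeps the failure visible. The in-place edit has no backup and the substitution is unanchored; `sed -i.bak` or a one-line comment that the profile is regenerated on reinstall would help whoever runs it twice.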
diff --git a/scripts/ca-existing-create.sh b/scripts/ca-existing-create.sh
new file mode 100755
index 0000000..a3b5a88
--- /dev/null
+++ b/scripts/ca-existing-create.sh
@@ -0,0 +1,9 @@
+#!/bin/sh -x
+
+rm -rf /tmp/ca_signing.csr
+rm -rf /tmp/ca.p12
+
+/bin/cp ca_signing.csr /tmp
+/bin/cp ca.p12 /tmp
+
+pkispawn -v -f ca-existing.cfg -s CA
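Review bot: the two `/bin/cp` on lines 367–368 are unchecked, so a missing ca_signing.csr or ca.p12 in the working directory surfaces only as a pkispawn failure on line 370, after the previous /tmp copies were already removed on lines 364–365; `/bin/cp ca_signing.csr ca.p12 /tmp || exit 1` makes the precondition explicit. `rm -rf` on regular files can be `rm -f`, which does not recurse if a path is ever a directory.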
diff --git a/scripts/ca-existing-export.sh b/scripts/ca-existing-export.sh
new file mode 100755
index 0000000..fdefc58
--- /dev/null
+++ b/scripts/ca-existing-export.sh
@@ -0,0 +1,12 @@
+#!/bin/sh -x
+
+rm -rf ca_signing.csr
+rm -rf ca.p12
+
+pki-server subsystem-cert-export ca signing \
+ --csr-file ca_signing.csr \
+ --pkcs12-file ca.p12 \
+ --pkcs12-password-file password.txt
+
+pki pkcs12-cert-find --pkcs12-file ca.p12 --pkcs12-password-file password.txt
+pki pkcs12-key-find --pkcs12-file ca.p12 --pkcs12-password-file password.txt
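Review bot: the `pkcs12-cert-find`/`pkcs12-key-find` verification on lines 387–388 runs regardless of whether `pki-server subsystem-cert-export` on line 382 succeeded, so a failed export is reported as a pkcs12 error on a file that may not exist; `set -e` after the shebang, or `|| exit 1` on the export, keeps the real failure first. `rm -rf` on lines 379–380 targets regular files; `rm -f` is sufficient.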
diff --git a/scripts/ca-export.sh b/scripts/ca-export.sh
new file mode 100755
index 0000000..351f68f
--- /dev/null
+++ b/scripts/ca-export.sh
@@ -0,0 +1,33 @@
+#!/bin/sh -x
+
+grep "internal=" /var/lib/pki/pki-tomcat/conf/password.conf | awk -F= '{print $2}' > internal.txt
+#PKCS12Export -debug -d /var/lib/pki/pki-tomcat/alias -p internal.txt -w password.txt -o ca_backup_keys.p12
+PKCS12Export -d /var/lib/pki/pki-tomcat/alias -p internal.txt -w password.txt -o ca_backup_keys.p12
+
+pki pkcs12-cert-find --pkcs12-file ca_backup_keys.p12 --pkcs12-password-file password.txt
+pki pkcs12-key-find --pkcs12-file ca_backup_keys.p12 --pkcs12-password-file password.txt
+
+echo "-----BEGIN NEW CERTIFICATE REQUEST-----" > ca_signing.csr
+sed -n "/^ca.signing.certreq=/ s/^[^=]*=// p" < /var/lib/pki/pki-tomcat/ca/conf/CS.cfg >> ca_signing.csr
+echo "-----END NEW CERTIFICATE REQUEST-----" >> ca_signing.csr
+
+echo "-----BEGIN NEW CERTIFICATE REQUEST-----" > ca_ocsp_signing.csr
+sed -n "/^ca.ocsp_signing.certreq=/ s/^[^=]*=// p" < /var/lib/pki/pki-tomcat/ca/conf/CS.cfg >> ca_ocsp_signing.csr
+echo "-----END NEW CERTIFICATE REQUEST-----" >> ca_ocsp_signing.csr
+
+echo "-----BEGIN NEW CERTIFICATE REQUEST-----" > sslserver.csr
+sed -n "/^ca.sslserver.certreq=/ s/^[^=]*=// p" < /var/lib/pki/pki-tomcat/ca/conf/CS.cfg >> sslserver.csr
+echo "-----END NEW CERTIFICATE REQUEST-----" >> sslserver.csr
+
+echo "-----BEGIN NEW CERTIFICATE REQUEST-----" > subsystem.csr
+sed -n "/^ca.subsystem.certreq=/ s/^[^=]*=// p" < /var/lib/pki/pki-tomcat/ca/conf/CS.cfg >> subsystem.csr
+echo "-----END NEW CERTIFICATE REQUEST-----" >> subsystem.csr
+
+echo "-----BEGIN NEW CERTIFICATE REQUEST-----" > ca_audit_signing.csr
+sed -n "/^ca.audit_signing.certreq=/ s/^[^=]*=// p" < /var/lib/pki/pki-tomcat/ca/conf/CS.cfg >> ca_audit_signing.csr
+echo "-----END NEW CERTIFICATE REQUEST-----" >> ca_audit_signing.csr
+
+#pki-server ca-clone-prepare --pkcs12-file ca_backup_keys.p12 --pkcs12-password-file password.txt
+
+cp ~/.dogtag/pki-tomcat/ca_admin.cert .
+cp ~/.dogtag/pki-tomcat/ca_admin_cert.p12 .
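Review bot: lines 404–422 repeat the same three-line CSR extraction five times with only the CS.cfg key and output file changing, and the dots in `/^ca.signing.certreq=/` are unescaped regex wildcards; a small helper keeps the pattern in one place where it can be escaped once. internal.txt written on line 397 holds the NSS DB password and is created under the default umask; `umask 077` at the top keeps it owner-only, the same issue as in ca-clone-prep.sh. The commented-out `ca-clone-prepare` on line 424 should either go or carry a one-line reason.
```sh
# export_csr <CS.cfg key> <output file>: wrap the base64 request stored in CS.cfg in PEM armor
export_csr() {
  echo "-----BEGIN NEW CERTIFICATE REQUEST-----" > "$2"
  sed -n "/^$1=/ s/^[^=]*=// p" < /var/lib/pki/pki-tomcat/ca/conf/CS.cfg >> "$2"
  echo "-----END NEW CERTIFICATE REQUEST-----" >> "$2"
}

export_csr ca.signing.certreq ca_signing.csr
export_csr ca.ocsp_signing.certreq ca_ocsp_signing.csr
export_csr ca.sslserver.certreq sslserver.csr
export_csr ca.subsystem.certreq subsystem.csr
export_csr ca.audit_signing.certreq ca_audit_signing.csr
# … unchanged: PKCS12Export, pkcs12-*-find and admin cert copies …
```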
diff --git a/scripts/ca-external-nss-sign.sh b/scripts/ca-external-nss-sign.sh
new file mode 100755
index 0000000..f8b4bc9
--- /dev/null
+++ b/scripts/ca-external-nss-sign.sh
@@ -0,0 +1,67 @@
+#!/bin/sh
+
+rm -rf external
+mkdir external
+certutil -N -d external -f password.txt
+openssl rand -out external/noise.bin 2048
+
+echo "## Generating external CA certificate..."
+
+#ROOTCA_SKID="0x847bb8664d7a32f182974ca861fb26867ecb42cd"
+ROOTCA_SKID="0x`openssl rand -hex 20`"
+
+echo -e "y\n\ny\n${ROOTCA_SKID}\n\n" | \
+ certutil -S \
+ -d external \
+ -f password.txt \
+ -z external/noise.bin \
+ -n "External CA" \
+ -s "CN=External CA,O=EXTERNAL" \
+ -x \
+ -t "CTu,Cu,Cu" \
+ -m $RANDOM\
+ -2 \
+ --keyUsage digitalSignature,nonRepudiation,certSigning,crlSigning,critical \
+ --extSKID
+
+# --keyUsage certSigning \
+# --nsCertType sslCA,smimeCA,objectSigningCA
+echo "## Exporting external CA certificate..."
+
+certutil -L -d external -n "External CA" -a > external.crt
+
+echo "## Signing the CA signing certificate..."
+
+#SUBCA_SKID="0x7d34de0374bcb294d5447479060266a52310e9ce"
+SUBCA_SKID="0x`openssl rand -hex 20`"
+SUBCA_OCSP="http://$HOSTNAME:8080/ca/ocsp"
+
+echo -e "y\n\ny\ny\n${ROOTCA_SKID}\n\n\n\n${SUBCA_SKID}\n\n2\n7\n${SUBCA_OCSP}\n\n\n\n" | \
+ certutil -C \
+ -d external \
+ -f password.txt \
+ -m $RANDOM \
+ -a \
+ -i ca_signing.csr \
+ -o ca_signing.crt \
+ -c "External CA" \
+ --extSKID \
+ -2 -3 \
+ --keyUsage digitalSignature,nonRepudiation,certSigning,crlSigning,critical \
+ --extAIA \
+ --extSKID
+
+echo "## Generating certificate chain..."
+
+certutil -A -d external -n "CA Signing Certificate" -t "CT,C,C" -a -i ca_signing.crt
+
+openssl crl2pkcs7 -nocrl -certfile external.crt -out cert_chain.p7b
+#openssl crl2pkcs7 -nocrl -certfile external.crt -certfile ca_signing.crt -out cert_chain.p7b
+
+#certutil -C \
+# -d external \
+# -f password.txt \
+# -m $RANDOM \
+# -a -i ca_signing.csr \
+# -o ca_signing.crt \
+# -c "External CA"
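Review bot: `echo -e` on lines 446 and 472 feeds the interactive answers to certutil, but the file is `#!/bin/sh`: dash's builtin echo has no `-e` and emits it as text, so the answer sequence is shifted and the extension prompts receive the wrong input; `printf 'y\n\ny\n%s\n\n' "$ROOTCA_SKID" | certutil ...` is portable. `$RANDOM` on lines 455 and 476 is likewise a bash/ksh feature and is empty under dash, so `-m $RANDOM` collapses into `-m -2`. `--extSKID` is passed twice in the second certutil call (lines 481 and 485); drop one. Either switch the shebang to `#!/bin/bash` or replace both constructs with `printf` and a serial derived from `openssl rand`.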
diff --git a/scripts/ca-external-step1.sh b/scripts/ca-external-step1.sh
new file mode 100755
index 0000000..19eca2b
--- /dev/null
+++ b/scripts/ca-external-step1.sh
@@ -0,0 +1,28 @@
+#!/bin/sh -x
+
+rm -f /tmp/ca_signing.csr
+rm -f /tmp/ca_ocsp_signing.csr
+rm -f /tmp/ca_audit_signing.csr
+rm -f /tmp/sslserver.csr
+rm -f /tmp/subsystem.csr
+
+rm -r /tmp/external.crt
+rm -r /tmp/cert_chain.p7b
+rm -f /tmp/ca_signing.crt
+
+rm -f /tmp/example.crt
+rm -f /tmp/example2.crt
+rm -f /tmp/example.p7
+rm -f /tmp/example2.p7
+rm -f /tmp/example.p7b
+rm -f /tmp/example2.p7b
+rm -f /tmp/example3.csr
+rm -f /tmp/example3.crt
+
+pkispawn -vv -f ca-external-step1.cfg -s CA
+
+/bin/cp -f /tmp/ca_signing.csr .
+/bin/cp -f /tmp/ca_ocsp_signing.csr .
+/bin/cp -f /tmp/ca_audit_signing.csr .
+/bin/cp -f /tmp/sslserver.csr .
+/bin/cp -f /tmp/subsystem.csr .
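Review bot: lines 515–516 use `rm -r` without `-f` while every neighbouring line uses `rm -f`, so a first run on a clean box prints two errors for files that are not there; make them `rm -f /tmp/external.crt` and `rm -f /tmp/cert_chain.p7b`. The same mixed form appears in ca-level3-step1.sh, ca-lunasa-external-step1.sh and ca-nfast-external-step1.sh. These scripts, together with ca-external-step2.sh, ca-p12-create.sh and ca-restore.sh, hand CSRs, certificates and PKCS#12 files to pkispawn through fixed names in the shared /tmp; on a multi-user host another account can pre-create or replace those files, so a private directory from `mktemp -d` (or a path under the invoking user's home) is the safer hand-off.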
diff --git a/scripts/ca-external-step2.sh b/scripts/ca-external-step2.sh
new file mode 100755
index 0000000..801bd1f
--- /dev/null
+++ b/scripts/ca-external-step2.sh
@@ -0,0 +1,13 @@
+#!/bin/sh -x
+
+cp ca_signing.crt /tmp
+cp external.crt /tmp
+cp cert_chain.p7b /tmp
+
+#cp level1.crt /tmp
+#cp level2.crt /tmp
+
+#cp example.crt /tmp
+#cp example2.p7b /tmp
+
+pkispawn -vv -f ca-external-step2.cfg -s CA
diff --git a/scripts/ca-hsm-fips-enable.sh b/scripts/ca-hsm-fips-enable.sh
new file mode 100755
index 0000000..b767b84
--- /dev/null
+++ b/scripts/ca-hsm-fips-enable.sh
@@ -0,0 +1,3 @@
+#!/bin/sh -x
+
+modutil -dbdir /var/lib/pki/pki-tomcat/alias/ -fips true
diff --git a/scripts/ca-keys.sh b/scripts/ca-keys.sh
new file mode 100755
index 0000000..52b71c4
--- /dev/null
+++ b/scripts/ca-keys.sh
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+NSSDB_PASSWORD=`grep internal= /var/lib/pki/pki-tomcat/conf/password.conf | awk -F = '{ print $2; }'`
+
+echo $NSSDB_PASSWORD > /var/lib/pki/pki-tomcat/alias/password.txt
+
+certutil -K -d /var/lib/pki/pki-tomcat/alias -f /var/lib/pki/pki-tomcat/alias/password.txt
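Review bot: line 573 writes the NSS database password into `/var/lib/pki/pki-tomcat/alias/password.txt` and leaves it there after `certutil -K` on line 575 finishes; add `trap 'rm -f /var/lib/pki/pki-tomcat/alias/password.txt' EXIT` before line 573, or use a file from `mktemp` instead of writing into the alias directory. `echo $NSSDB_PASSWORD` is unquoted and `grep internal=` is an unanchored substring match, the same issue as in ca-clone-prep.sh; `grep '^internal='` and `printf '%s\n' "$NSSDB_PASSWORD"` are the direct fixes.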
diff --git a/scripts/ca-level3-step1.sh b/scripts/ca-level3-step1.sh
new file mode 100755
index 0000000..43b2bcd
--- /dev/null
+++ b/scripts/ca-level3-step1.sh
@@ -0,0 +1,19 @@
+#!/bin/sh -x
+
+rm -f /tmp/ca_signing.csr
+rm -r /tmp/external.crt
+rm -r /tmp/cert_chain.p7b
+rm -f /tmp/ca_signing.crt
+
+rm -f /tmp/example.crt
+rm -f /tmp/example2.crt
+rm -f /tmp/example.p7
+rm -f /tmp/example2.p7
+rm -f /tmp/example.p7b
+rm -f /tmp/example2.p7b
+rm -f /tmp/example3.csr
+rm -f /tmp/example3.crt
+
+pkispawn -vv -f ca-level3-step1.cfg -s CA
+
+/bin/cp -f /tmp/ca_signing.csr .
diff --git a/scripts/ca-level3-step2.sh b/scripts/ca-level3-step2.sh
new file mode 100755
index 0000000..2d7f09a
--- /dev/null
+++ b/scripts/ca-level3-step2.sh
@@ -0,0 +1,7 @@
+#!/bin/sh -x
+
+cp ca_signing.crt /tmp
+cp external.crt /tmp
+cp cert_chain.p7b /tmp
+
+pkispawn -vv -f ca-level3-step2.cfg -s CA
diff --git a/scripts/ca-lunasa-clone-create.sh b/scripts/ca-lunasa-clone-create.sh
new file mode 100755
index 0000000..0f5c76e
--- /dev/null
+++ b/scripts/ca-lunasa-clone-create.sh
@@ -0,0 +1,7 @@
+#!/bin/sh -x
+
+#/bin/cp ca_backup_keys.p12 /tmp
+#/bin/cp ca_admin.cert /tmp
+#/bin/cp ca_admin_cert.p12 /tmp
+
+pkispawn -vvv -f ca-lunasa-clone.cfg -s CA
diff --git a/scripts/ca-lunasa-create.sh b/scripts/ca-lunasa-create.sh
new file mode 100755
index 0000000..d4e50f8
--- /dev/null
+++ b/scripts/ca-lunasa-create.sh
@@ -0,0 +1,8 @@
+#!/bin/sh -x
+
+pkispawn -vv -f ca-lunasa.cfg -s CA
+
+/bin/cp /root/.dogtag/pki-tomcat/ca_admin.cert .
+/bin/cp /root/.dogtag/pki-tomcat/ca_admin_cert.p12 .
+/bin/cp /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf ca_admin_cert.txt
+echo $HOSTNAME > master.txt
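Review bot: lines 637–639 read the admin cert material from `/root/.dogtag`, while ca-export.sh and ca-clone-prep.sh in this commit use `~/.dogtag` for the same files; as written this script only works when run as root from root's home. `"$HOME/.dogtag/pki-tomcat/ca_admin.cert"` resolves to the same path for root and keeps the scripts consistent. ca-restore.sh and ca-ssl-create.sh repeat the same three lines.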
diff --git a/scripts/ca-lunasa-external-step1.sh b/scripts/ca-lunasa-external-step1.sh
new file mode 100755
index 0000000..934b78e
--- /dev/null
+++ b/scripts/ca-lunasa-external-step1.sh
@@ -0,0 +1,19 @@
+#!/bin/sh -x
+
+rm -f /tmp/ca_signing.csr
+rm -r /tmp/external.crt
+rm -r /tmp/cert_chain.p7b
+rm -f /tmp/ca_signing.crt
+
+rm -f /tmp/example.crt
+rm -f /tmp/example2.crt
+rm -f /tmp/example.p7
+rm -f /tmp/example2.p7
+rm -f /tmp/example.p7b
+rm -f /tmp/example2.p7b
+rm -f /tmp/example3.csr
+rm -f /tmp/example3.crt
+
+pkispawn -vv -f ca-lunasa-external-step1.cfg -s CA
+
+/bin/cp -f /tmp/ca_signing.csr .
diff --git a/scripts/ca-lunasa-external-step2.sh b/scripts/ca-lunasa-external-step2.sh
new file mode 100755
index 0000000..c6f3004
--- /dev/null
+++ b/scripts/ca-lunasa-external-step2.sh
@@ -0,0 +1,10 @@
+#!/bin/sh -x
+
+cp ca_signing.crt /tmp
+cp external.crt /tmp
+cp cert_chain.p7b /tmp
+
+#cp example.crt /tmp
+#cp example2.p7b /tmp
+
+pkispawn -vv -f ca-lunasa-external-step2.cfg -s CA
diff --git a/scripts/ca-merged-create.sh b/scripts/ca-merged-create.sh
index 0f6aee7..e2f6435 100755
--- a/scripts/ca-merged-create.sh
+++ b/scripts/ca-merged-create.sh
@@ -1,3 +1,3 @@
#!/bin/sh -x
-pkispawn -v -f ca-merged.cfg -s CA -v 2>&1 | tee build/ca-merged-create.log
+pkispawn -v -f ca-merged.cfg -s CA -v
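Review bot: line 689 passes `-v` twice (`pkispawn -v -f ca-merged.cfg -s CA -v`), which reads as either a leftover or an attempt at `-vv`; ca-create.sh in the same commit uses `pkispawn -vv -f ca.cfg -s CA`, so `pkispawn -vv -f ca-merged.cfg -s CA` keeps the two in step.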
diff --git a/scripts/ca-nfast-create-step1.sh b/scripts/ca-nfast-create-step1.sh
new file mode 100755
index 0000000..483fdbb
--- /dev/null
+++ b/scripts/ca-nfast-create-step1.sh
@@ -0,0 +1,9 @@
+#!/bin/sh -x
+
+#pkispawn -vv -f ca-nfast-step1.cfg -s CA
+pkispawn -vv -f ca-nfast.cfg -s CA --skip-configuration
+
+#/bin/cp /root/.dogtag/pki-tomcat/ca_admin.cert .
+#/bin/cp /root/.dogtag/pki-tomcat/ca_admin_cert.p12 .
+#/bin/cp /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf ca_admin_cert.txt
+#echo $HOSTNAME > master.txt
diff --git a/scripts/ca-nfast-create-step2.sh b/scripts/ca-nfast-create-step2.sh
new file mode 100755
index 0000000..8afa365
--- /dev/null
+++ b/scripts/ca-nfast-create-step2.sh
@@ -0,0 +1,9 @@
+#!/bin/sh -x
+
+#pkispawn -vv -f ca-nfast-step2.cfg -s CA
+pkispawn -vv -f ca-nfast.cfg -s CA --skip-installation
+
+#/bin/cp /root/.dogtag/pki-tomcat/ca_admin.cert .
+#/bin/cp /root/.dogtag/pki-tomcat/ca_admin_cert.p12 .
+#/bin/cp /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf ca_admin_cert.txt
+#echo $HOSTNAME > master.txt
diff --git a/scripts/ca-nfast-create.sh b/scripts/ca-nfast-create.sh
new file mode 100755
index 0000000..b0e914f
--- /dev/null
+++ b/scripts/ca-nfast-create.sh
@@ -0,0 +1,3 @@
+#!/bin/sh -x
+
+pkispawn -vv -f ca-nfast.cfg -s CA
diff --git a/scripts/ca-nfast-external-step1.sh b/scripts/ca-nfast-external-step1.sh
new file mode 100755
index 0000000..8cb4448
--- /dev/null
+++ b/scripts/ca-nfast-external-step1.sh
@@ -0,0 +1,19 @@
+#!/bin/sh -x
+
+rm -f /tmp/ca_signing.csr
+rm -r /tmp/external.crt
+rm -r /tmp/cert_chain.p7b
+rm -f /tmp/ca_signing.crt
+
+rm -f /tmp/example.crt
+rm -f /tmp/example2.crt
+rm -f /tmp/example.p7
+rm -f /tmp/example2.p7
+rm -f /tmp/example.p7b
+rm -f /tmp/example2.p7b
+rm -f /tmp/example3.csr
+rm -f /tmp/example3.crt
+
+pkispawn -vv -f ca-nfast-external-step1.cfg -s CA
+
+/bin/cp -f /tmp/ca_signing.csr .
diff --git a/scripts/ca-nfast-external-step2.sh b/scripts/ca-nfast-external-step2.sh
new file mode 100755
index 0000000..6b877d8
--- /dev/null
+++ b/scripts/ca-nfast-external-step2.sh
@@ -0,0 +1,10 @@
+#!/bin/sh -x
+
+cp ca_signing.crt /tmp
+cp external.crt /tmp
+cp cert_chain.p7b /tmp
+
+#cp example.crt /tmp
+#cp example2.p7b /tmp
+
+pkispawn -vv -f ca-nfast-external-step2.cfg -s CA
diff --git a/scripts/ca-p12-create.sh b/scripts/ca-p12-create.sh
new file mode 100755
index 0000000..2f1d5e6
--- /dev/null
+++ b/scripts/ca-p12-create.sh
@@ -0,0 +1,19 @@
+#!/bin/sh -x
+
+rm -rf /tmp/ca.p12
+rm -rf /tmp/external.crt
+rm -rf /tmp/ca_signing.csr
+rm -rf /tmp/ca_ocsp_signing.csr
+rm -rf /tmp/ca_audit_signing.csr
+rm -rf /tmp/sslserver.csr
+rm -rf /tmp/subsystem.csr
+
+/bin/cp ca.p12 /tmp
+/bin/cp external.crt /tmp
+/bin/cp ca_signing.csr /tmp
+/bin/cp ca_ocsp_signing.csr /tmp
+/bin/cp ca_audit_signing.csr /tmp
+/bin/cp sslserver.csr /tmp
+/bin/cp subsystem.csr /tmp
+
+pkispawn -v -f ca-p12.cfg -s CA
diff --git a/scripts/ca-p12-export.sh b/scripts/ca-p12-export.sh
new file mode 100755
index 0000000..ecbec57
--- /dev/null
+++ b/scripts/ca-p12-export.sh
@@ -0,0 +1,64 @@
+#!/bin/sh -x
+
+rm -rf ca.p12
+rm -rf ca_signing.csr
+rm -rf ca_ocsp_signing.csr
+rm -rf sslserver.csr
+rm -rf subsystem.csr
+rm -rf ca_audit_signing.csr
+
+#grep internal= /var/lib/pki/pki-tomcat/conf/password.conf | awk -F= '{print $2;}' > internal.txt
+#PKCS12Export -d /var/lib/pki/pki-tomcat/alias -p internal.txt -o ca.p12 -w password.txt
+
+#echo "-----BEGIN NEW CERTIFICATE REQUEST-----" > ca_signing.csr
+#grep ca.signing.certreq /var/lib/pki/pki-tomcat/ca/conf/CS.cfg | awk -F= '{print $2;}' >> ca_signing.csr
+#echo "-----END NEW CERTIFICATE REQUEST-----" >> ca_signing.csr
+
+#echo "-----BEGIN NEW CERTIFICATE REQUEST-----" > ca_ocsp_signing.csr
+#sed -n "/^ca.ocsp_signing.certreq=/ s/^[^=]*=// p" < /var/lib/pki/pki-tomcat/ca/conf/CS.cfg >> ca_ocsp_signing.csr
+#echo "-----END NEW CERTIFICATE REQUEST-----" >> ca_ocsp_signing.csr
+
+#echo "-----BEGIN NEW CERTIFICATE REQUEST-----" > sslserver.csr
+#sed -n "/^ca.sslserver.certreq=/ s/^[^=]*=// p" < /var/lib/pki/pki-tomcat/ca/conf/CS.cfg >> sslserver.csr
+#echo "-----END NEW CERTIFICATE REQUEST-----" >> sslserver.csr
+
+#echo "-----BEGIN NEW CERTIFICATE REQUEST-----" > subsystem.csr
+#sed -n "/^ca.subsystem.certreq=/ s/^[^=]*=// p" < /var/lib/pki/pki-tomcat/ca/conf/CS.cfg >> subsystem.csr
+#echo "-----END NEW CERTIFICATE REQUEST-----" >> subsystem.csr
+
+#echo "-----BEGIN NEW CERTIFICATE REQUEST-----" > ca_audit_signing.csr
+#sed -n "/^ca.audit_signing.certreq=/ s/^[^=]*=// p" < /var/lib/pki/pki-tomcat/ca/conf/CS.cfg >> ca_audit_signing.csr
+#echo "-----END NEW CERTIFICATE REQUEST-----" >> ca_audit_signing.csr
+
+pki-server subsystem-cert-export ca signing \
+ --csr-file ca_signing.csr \
+ --pkcs12-file ca.p12 \
+ --pkcs12-password-file password.txt
+
+pki-server subsystem-cert-export ca ocsp_signing \
+ --append \
+ --csr-file ca_ocsp_signing.csr \
+ --pkcs12-file ca.p12 \
+ --pkcs12-password-file password.txt
+
+#pki-server subsystem-cert-export ca sslserver \
+# --append \
+# --csr-file sslserver.csr \
+# --pkcs12-file ca.p12 \
+# --pkcs12-password-file password.txt
+
+pki-server subsystem-cert-export ca subsystem \
+ --append \
+ --csr-file subsystem.csr \
+ --pkcs12-file ca.p12 \
+ --pkcs12-password-file password.txt
+
+pki-server subsystem-cert-export ca audit_signing \
+ --append \
+ --csr-file ca_audit_signing.csr \
+ --pkcs12-file ca.p12 \
+ --pkcs12-password-file password.txt
+
+pki pkcs12-cert-find --pkcs12-file ca.p12 --pkcs12-password-file password.txt
+pki pkcs12-key-find --pkcs12-file ca.p12 --pkcs12-password-file password.txt
+
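Review bot: lines 810–831 carry twenty lines of commented-out CSR extraction into a brand-new file, and the `sslserver` export on lines 844–848 is commented out without a reason; delete the dead block in favour of one comment such as `# CSRs are exported by pki-server subsystem-cert-export; see ca-export.sh for the manual CS.cfg extraction`, and give the skipped sslserver export its own one-line reason. The four live `subsystem-cert-export` calls differ only in the cert id and CSR name and could be a `for` loop over `signing ocsp_signing subsystem audit_signing` that omits `--append` on the first iteration. Without `set -e`, a failed first export still lets the `--append` calls create ca.p12 with a partial set of keys, and the verification on lines 862–863 then reports on an incomplete file.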
diff --git a/scripts/ca-remove.sh b/scripts/ca-remove.sh
index 2f5640b..d60ebb4 100755
--- a/scripts/ca-remove.sh
+++ b/scripts/ca-remove.sh
@@ -3,4 +3,4 @@
SRC_DIR=`cd ../.. ; pwd`
INSTANCE_NAME=pki-tomcat
-pkidestroy -v -s CA -i $INSTANCE_NAME
+pkidestroy -s CA -i $INSTANCE_NAME
diff --git a/scripts/ca-renew-step1.sh b/scripts/ca-renew-step1.sh
new file mode 100755
index 0000000..6c883d8
--- /dev/null
+++ b/scripts/ca-renew-step1.sh
@@ -0,0 +1,10 @@
+#!/bin/sh -x
+
+timedatectl set-ntp true --adjust-system-clock
+
+./pki-nuke.sh pki-tomcat
+
+./ca-create.sh
+
+pki-server subsystem-cert-find ca
+certutil -L -d /var/lib/pki/pki-tomcat/alias
diff --git a/scripts/ca-renew-step2.sh b/scripts/ca-renew-step2.sh
new file mode 100755
index 0000000..d957368
--- /dev/null
+++ b/scripts/ca-renew-step2.sh
@@ -0,0 +1,66 @@
+#!/bin/sh -x
+
+timedatectl set-ntp false
+timedatectl set-time 2018-11-26
+
+./tomcat-restart.sh
+
+sleep 5
+
+pki ca-cert-request-submit --profile caManualRenewal --serial 0x2
+pki ca-cert-request-submit --profile caManualRenewal --serial 0x3
+pki ca-cert-request-submit --profile caManualRenewal --serial 0x4
+pki ca-cert-request-submit --profile caManualRenewal --serial 0x5
+
+pki ca-cert-request-submit --profile caManualRenewal --serial 0x6
+
+#pki -U https://$HOSTNAME:8443 \
+# -d ~/.dogtag/pki-tomcat/ca/alias -c Secret.123 -n caadmin client-cert-request \
+# "CN=PKI Administrator,E=caadmin@example.com,OU=pki-tomcat,O=EXAMPLE" \
+# --profile caManualRenewal
+
+pki -d ~/.dogtag/pki-tomcat/ca/alias -n caadmin -c Secret.123 ca-cert-request-review 0x7 --action approve
+pki -d ~/.dogtag/pki-tomcat/ca/alias -n caadmin -c Secret.123 ca-cert-request-review 0x8 --action approve
+pki -d ~/.dogtag/pki-tomcat/ca/alias -n caadmin -c Secret.123 ca-cert-request-review 0x9 --action approve
+pki -d ~/.dogtag/pki-tomcat/ca/alias -n caadmin -c Secret.123 ca-cert-request-review 0xa --action approve
+pki -d ~/.dogtag/pki-tomcat/ca/alias -n caadmin -c Secret.123 ca-cert-request-review 0xb --action approve
+
+pki ca-cert-show 0x7 --output ca_ocsp_signing.crt
+pki ca-cert-show 0x8 --output sslserver.crt
+pki ca-cert-show 0x9 --output subsystem.crt
+pki ca-cert-show 0xa --output ca_audit_signing.crt
+
+pki -d ~/.dogtag/pki-tomcat/ca/alias -c Secret.123 -n caadmin ca-user-cert-add caadmin --serial 0xb
+
+#pki ca-cert-show 0xb --output caadmin.crt
+certutil -D -d ~/.dogtag/pki-tomcat/ca/alias -n caadmin
+pki -d ~/.dogtag/pki-tomcat/ca/alias -c Secret.123 client-cert-import caadmin --serial 0xb
+
+pki -d ~/.dogtag/pki-tomcat/ca/alias -c Secret.123 -n caadmin ca-user-cert-del caadmin "2;6;CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE;CN=PKI Administrator,E=caadmin@example.com,OU=pki-tomcat,O=EXAMPLE"
+
+./tomcat-stop.sh
+
+pki-server subsystem-cert-update ca ocsp_signing --cert ca_ocsp_signing.crt --replace
+pki-server subsystem-cert-update ca sslserver --cert sslserver.crt --replace
+pki-server subsystem-cert-update ca subsystem --cert subsystem.crt --replace
+pki-server subsystem-cert-update ca audit_signing --cert ca_audit_signing.crt --replace
+
+#pki-server subsystem-cert-update ca audit_signing --cert ca_audit_signing.crt
+#pki-server subsystem-cert-update ca sslserver --cert sslserver.crt
+#pki-server subsystem-cert-update ca subsystem --cert subsystem.crt
+#pki-server subsystem-cert-update ca audit_signing --cert ca_audit_signing.crt
+
+#certutil -D -d /var/lib/pki/pki-tomcat/alias -n ca_ocsp_signing
+#certutil -D -d /var/lib/pki/pki-tomcat/alias -n sslserver
+#certutil -D -d /var/lib/pki/pki-tomcat/alias -n subsystem
+#certutil -D -d /var/lib/pki/pki-tomcat/alias -n ca_audit_signing
+
+#certutil -A -d /var/lib/pki/pki-tomcat/alias -n ca_ocsp_signing -i ca_ocsp_signing.crt -t "u,u,u"
+#certutil -A -d /var/lib/pki/pki-tomcat/alias -n sslserver -i sslserver.crt -t "u,u,u"
+#certutil -A -d /var/lib/pki/pki-tomcat/alias -n subsystem -i subsystem.crt -t "u,u,u"
+#certutil -A -d /var/lib/pki/pki-tomcat/alias -n ca_audit_signing -i ca_audit_signing.crt -t "u,u,Pu"
+
+./tomcat-start.sh
+
+pki-server subsystem-cert-find ca
+certutil -L -d /var/lib/pki/pki-tomcat/alias
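Review bot: lines 905–934 hard-code certificate serials 0x2–0x6, request ids 0x7–0xb and the literal cert id string passed to `ca-user-cert-del`, all of which only hold for a fresh instance created by ca-renew-step1.sh with nothing else issued, and the script does not say so. A header comment such as `# Assumes a fresh instance from ca-renew-step1.sh: system certs are serials 0x2-0x6 and the five renewal requests become 0x7-0xb` would stop it being run against an established CA, where `--action approve` on those ids would approve unrelated requests. Capturing each request id from the `ca-cert-request-submit` output, as ca-admin-setup.sh does, would remove the assumption altogether.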
diff --git a/scripts/ca-renew-step3.sh b/scripts/ca-renew-step3.sh
new file mode 100755
index 0000000..ff79eba
--- /dev/null
+++ b/scripts/ca-renew-step3.sh
@@ -0,0 +1,8 @@
+#!/bin/sh -x
+
+timedatectl set-time 2019-01-01
+
+./tomcat-restart.sh
+
+pki-server subsystem-cert-find ca
+certutil -L -d /var/lib/pki/pki-tomcat/alias
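Review bot: `timedatectl set-time 2019-01-01` on line 970 leaves the clock at a fixed date with NTP still disabled, since ca-renew-step2.sh ran `timedatectl set-ntp false` and nothing in this final step re-enables it; add `timedatectl set-ntp true` after the final listing so the host returns to the state ca-renew-step1.sh established. The restart and certificate listing also run regardless of whether the time change succeeded.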
diff --git a/scripts/ca-restore.sh b/scripts/ca-restore.sh
new file mode 100755
index 0000000..ca86782
--- /dev/null
+++ b/scripts/ca-restore.sh
@@ -0,0 +1,18 @@
+#!/bin/sh -x
+
+rm -rf /tmp/ca.p12
+rm -rf /tmp/ca_signing.csr
+
+/bin/cp ca.p12 /tmp
+/bin/cp ca_signing.csr /tmp
+
+pkispawn -vv -f ca-restore.cfg -s CA --stop-at configuration
+#systemctl start pki-tomcatd@pki-tomcat.service
+#sleep 5
+pkispawn -vv -f ca-restore.cfg -s CA --start-from finalization
+
+/bin/cp /root/.dogtag/pki-tomcat/ca_admin.cert .
+/bin/cp /root/.dogtag/pki-tomcat/ca_admin_cert.p12 .
+/bin/cp /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf ca_admin_cert.txt
+/bin/cp /var/lib/pki/pki-tomcat/alias/ca_backup_keys.p12 .
+echo $HOSTNAME > master.txt
diff --git a/scripts/ca-ssl-create.sh b/scripts/ca-ssl-create.sh
new file mode 100755
index 0000000..eb05421
--- /dev/null
+++ b/scripts/ca-ssl-create.sh
@@ -0,0 +1,8 @@
+#!/bin/sh -x
+
+pkispawn -vv -f ca-ssl.cfg -s CA
+
+/bin/cp /root/.dogtag/pki-tomcat/ca_admin.cert .
+/bin/cp /root/.dogtag/pki-tomcat/ca_admin_cert.p12 .
+/bin/cp /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf ca_admin_cert.txt
+echo $HOSTNAME > master.txt
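Review bot: The `/bin/cp` lines and `echo $HOSTNAME > master.txt` run unconditionally, so when `pkispawn` fails the script still exits 0, overwrites master.txt, and may copy whatever a previous run left under /root/.dogtag. Add `set -e` after the shebang (or `pkispawn -vv -f ca-ssl.cfg -s CA || exit 1`) and quote the expansion, `echo "$HOSTNAME" > master.txt`. cassl-create.sh and ca-restore.sh have the same unconditional copy sequence.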
diff --git a/scripts/ca-step1.sh b/scripts/ca-step1.sh
new file mode 100755
index 0000000..77487cf
--- /dev/null
+++ b/scripts/ca-step1.sh
@@ -0,0 +1,5 @@
+#!/bin/sh -x
+
+#pkispawn -v -f ca-step1.cfg -s CA
+pkispawn -v -f ca.cfg -s CA --skip-configuration
+#pkispawn -v -f ca.cfg -s CA --stop-at configuration
diff --git a/scripts/ca-step2.sh b/scripts/ca-step2.sh
new file mode 100755
index 0000000..2112391
--- /dev/null
+++ b/scripts/ca-step2.sh
@@ -0,0 +1,5 @@
+#!/bin/sh -x
+
+#pkispawn -v -f ca-step2.cfg -s CA
+pkispawn -v -f ca.cfg -s CA --skip-installation
+#pkispawn -v -f ca.cfg -s CA --start-from configuration
diff --git a/scripts/ca-sub-create.sh b/scripts/ca-sub-create.sh
new file mode 100755
index 0000000..049fce8
--- /dev/null
+++ b/scripts/ca-sub-create.sh
@@ -0,0 +1,3 @@
+#!/bin/sh -x
+
+pkispawn -v -f ca-sub.cfg -s CA
diff --git a/scripts/ca-sub-lunasa-create.sh b/scripts/ca-sub-lunasa-create.sh
new file mode 100755
index 0000000..58489c4
--- /dev/null
+++ b/scripts/ca-sub-lunasa-create.sh
@@ -0,0 +1,3 @@
+#!/bin/sh -x
+
+pkispawn -v -f ca-sub-lunasa.cfg -s CA
diff --git a/scripts/ca-sub-nfast-step1.sh b/scripts/ca-sub-nfast-step1.sh
new file mode 100755
index 0000000..022329a
--- /dev/null
+++ b/scripts/ca-sub-nfast-step1.sh
@@ -0,0 +1,3 @@
+#!/bin/sh -x
+
+pkispawn -v -f ca-sub-nfast.cfg -s CA --skip-configuration
diff --git a/scripts/ca-sub-nfast-step2.sh b/scripts/ca-sub-nfast-step2.sh
new file mode 100755
index 0000000..2d90471
--- /dev/null
+++ b/scripts/ca-sub-nfast-step2.sh
@@ -0,0 +1,3 @@
+#!/bin/sh -x
+
+pkispawn -vv -f ca-sub-nfast.cfg -s CA --skip-installation
diff --git a/scripts/ca-sub-nfast.sh b/scripts/ca-sub-nfast.sh
new file mode 100755
index 0000000..341e4e1
--- /dev/null
+++ b/scripts/ca-sub-nfast.sh
@@ -0,0 +1,3 @@
+#!/bin/sh -x
+
+pkispawn -v -f ca-sub-nfast.cfg -s CA
diff --git a/scripts/ca-sub-remove.sh b/scripts/ca-sub-remove.sh
new file mode 100755
index 0000000..d60ebb4
--- /dev/null
+++ b/scripts/ca-sub-remove.sh
@@ -0,0 +1,6 @@
+#!/bin/sh
+
+SRC_DIR=`cd ../.. ; pwd`
+INSTANCE_NAME=pki-tomcat
+
+pkidestroy -s CA -i $INSTANCE_NAME
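Review bot: `SRC_DIR` is assigned (via backticks, with a `cd` in a subshell) but never used in this script, so the line is dead and should be dropped; caext-remove.sh carries the same unused assignment. The instance name should be quoted in the call: `pkidestroy -s CA -i "$INSTANCE_NAME"`.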
diff --git a/scripts/ca-sub-step1.sh b/scripts/ca-sub-step1.sh
new file mode 100755
index 0000000..8f70b90
--- /dev/null
+++ b/scripts/ca-sub-step1.sh
@@ -0,0 +1,3 @@
+#!/bin/sh -x
+
+pkispawn -v -f ca-sub.cfg -s CA --skip-configuration
diff --git a/scripts/ca-sub-step2.sh b/scripts/ca-sub-step2.sh
new file mode 100755
index 0000000..3c8ce44
--- /dev/null
+++ b/scripts/ca-sub-step2.sh
@@ -0,0 +1,3 @@
+#!/bin/sh -x
+
+pkispawn -vv -f ca-sub.cfg -s CA --skip-installation
diff --git a/scripts/ca-tomcat7-create.sh b/scripts/ca-tomcat7-create.sh
new file mode 100755
index 0000000..cfb67c2
--- /dev/null
+++ b/scripts/ca-tomcat7-create.sh
@@ -0,0 +1,39 @@
+#!/bin/sh -x
+
+cat > ca-tomcat7.cfg <<EOF
+[DEFAULT]
+pki_backup_keys=True
+pki_backup_password=Secret.123
+pki_pin=Secret.123
+
+[Tomcat]
+tomcat_home=/usr/share/tomcat70
+
+[CA]
+pki_admin_email=caadmin@example.com
+pki_admin_name=caadmin
+pki_admin_nickname=caadmin
+pki_admin_password=Secret.123
+pki_admin_uid=caadmin
+
+pki_client_database_password=Secret.123
+pki_client_database_purge=False
+pki_client_pkcs12_password=Secret.123
+
+pki_ds_base_dn=dc=ca,dc=pki,dc=example,dc=com
+pki_ds_password=Secret.123
+pki_ds_database=ca
+
+pki_security_domain_name=EXAMPLE
+
+#pki_server_pkcs12_path=pki-server.p12
+#pki_server_pkcs12_password=Secret.123
+
+pki_ca_signing_nickname=ca_signing
+pki_ocsp_signing_nickname=ca_ocsp_signing
+pki_audit_signing_nickname=ca_audit_signing
+pki_ssl_server_nickname=sslserver
+pki_subsystem_nickname=subsystem
+EOF
+
+pkispawn -vv -f ca-tomcat7.cfg -s CA
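Review bot: The generated `ca-tomcat7.cfg` holds the admin, directory, client and key-backup passwords in clear, is created with the caller's default umask (typically readable by every local user), and is left behind after `pkispawn` returns. Set `umask 077` before the `cat > ca-tomcat7.cfg <<EOF` redirection, or remove the file once pkispawn has run, and use a quoted delimiter (`<<'EOF'`) so that a future value containing `$` or backticks is not expanded by the shell. ca-tomcat8-create.sh and ca-tomcat85-create.sh have the same structure and the same issue.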
diff --git a/scripts/ca-tomcat8-create.sh b/scripts/ca-tomcat8-create.sh
new file mode 100755
index 0000000..c4abda6
--- /dev/null
+++ b/scripts/ca-tomcat8-create.sh
@@ -0,0 +1,39 @@
+#!/bin/sh -x
+
+cat > ca-tomcat8.cfg <<EOF
+[DEFAULT]
+pki_backup_keys=True
+pki_backup_password=Secret.123
+pki_pin=Secret.123
+
+[Tomcat]
+tomcat_home=/usr/share/tomcat80
+
+[CA]
+pki_admin_email=caadmin@example.com
+pki_admin_name=caadmin
+pki_admin_nickname=caadmin
+pki_admin_password=Secret.123
+pki_admin_uid=caadmin
+
+pki_client_database_password=Secret.123
+pki_client_database_purge=False
+pki_client_pkcs12_password=Secret.123
+
+pki_ds_base_dn=dc=ca,dc=pki,dc=example,dc=com
+pki_ds_password=Secret.123
+pki_ds_database=ca
+
+pki_security_domain_name=EXAMPLE
+
+#pki_server_pkcs12_path=pki-server.p12
+#pki_server_pkcs12_password=Secret.123
+
+pki_ca_signing_nickname=ca_signing
+pki_ocsp_signing_nickname=ca_ocsp_signing
+pki_audit_signing_nickname=ca_audit_signing
+pki_ssl_server_nickname=sslserver
+pki_subsystem_nickname=subsystem
+EOF
+
+pkispawn -vv -f ca-tomcat8.cfg -s CA
diff --git a/scripts/ca-tomcat85-create.sh b/scripts/ca-tomcat85-create.sh
new file mode 100755
index 0000000..44b27be
--- /dev/null
+++ b/scripts/ca-tomcat85-create.sh
@@ -0,0 +1,39 @@
+#!/bin/sh -x
+
+cat > ca-tomcat85.cfg <<EOF
+[DEFAULT]
+pki_backup_keys=True
+pki_backup_password=Secret.123
+pki_pin=Secret.123
+
+[Tomcat]
+tomcat_home=/usr/share/tomcat85
+
+[CA]
+pki_admin_email=caadmin@example.com
+pki_admin_name=caadmin
+pki_admin_nickname=caadmin
+pki_admin_password=Secret.123
+pki_admin_uid=caadmin
+
+pki_client_database_password=Secret.123
+pki_client_database_purge=False
+pki_client_pkcs12_password=Secret.123
+
+pki_ds_base_dn=dc=ca,dc=pki,dc=example,dc=com
+pki_ds_password=Secret.123
+pki_ds_database=ca
+
+pki_security_domain_name=EXAMPLE
+
+#pki_server_pkcs12_path=pki-server.p12
+#pki_server_pkcs12_password=Secret.123
+
+pki_ca_signing_nickname=ca_signing
+pki_ocsp_signing_nickname=ca_ocsp_signing
+pki_audit_signing_nickname=ca_audit_signing
+pki_ssl_server_nickname=sslserver
+pki_subsystem_nickname=subsystem
+EOF
+
+pkispawn -vv -f ca-tomcat85.cfg -s CA
diff --git a/scripts/ca-tps-remove.sh b/scripts/ca-tps-remove.sh
new file mode 100755
index 0000000..267e3a9
--- /dev/null
+++ b/scripts/ca-tps-remove.sh
@@ -0,0 +1,13 @@
+#!/bin/sh
+
+TPSHOST=`cat tps.host`
+
+ldapmodify -x -D "cn=Directory Manager" -w Secret123 -c << EOF
+dn: cn=Certificate Manager Agents,ou=groups,dc=ca,dc=pki,dc=example,dc=com
+changetype: modify
+delete: uniqueMember
+uniqueMember: uid=TPS-$TPSHOST-8443,ou=people,dc=ca,dc=pki,dc=example,dc=com
+
+dn: uid=TPS-$TPSHOST-8443,ou=people,dc=ca,dc=pki,dc=example,dc=com
+changetype: delete
+EOF
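Review bot: The bind password `Secret123` passed with `-w` disagrees with the `Secret.123` that ca.cfg now sets for `pki_ds_password` in this same commit; if this script targets that directory server, the bind fails before either change is applied. A password on the command line is also visible in process listings, and OpenLDAP's ldapmodify accepts `-y <file>` to read it from a file instead. Quote the host lookup, `TPSHOST=$(cat tps.host)`, and note that `-c` makes ldapmodify continue past a failing entry, so the group-member removal can succeed while the entry deletion fails (or vice versa) without the script surfacing it; `set -e` after the shebang would at least propagate a non-zero exit.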
diff --git a/scripts/ca.cfg b/scripts/ca.cfg
index cb70973..3181abe 100644
--- a/scripts/ca.cfg
+++ b/scripts/ca.cfg
@@ -1,35 +1,31 @@
+[DEFAULT]
+#pki_pin=Secret.123
+
[CA]
pki_admin_email=caadmin@example.com
pki_admin_name=caadmin
pki_admin_nickname=caadmin
-pki_admin_password=Secret123
+pki_admin_password=Secret.123
pki_admin_uid=caadmin
#pki_backup_keys=True
-#pki_backup_password=Secret123
+#pki_backup_password=Secret.123
-pki_client_database_password=Secret123
+pki_client_database_password=Secret.123
pki_client_database_purge=False
-pki_client_pkcs12_password=Secret123
-
-#pki_ds_ldaps_port=636
-#pki_ds_secure_connection=True
-#pki_ds_secure_connection_ca_nickname=Directory Server CA certificate
-#pki_ds_secure_connection_ca_pem_file=dsca.pem
+pki_client_pkcs12_password=Secret.123
-pki_ds_base_dn=dc=ca,dc=example,dc=com
-pki_ds_password=Secret123
+pki_ds_base_dn=dc=ca,dc=pki,dc=example,dc=com
+pki_ds_password=Secret.123
pki_ds_database=ca
-#pki_ds_database=userRoot
-#pki_ds_create_new_db=False
-#pki_ds_remove_data=True
pki_security_domain_name=EXAMPLE
-pki_token_password=Secret123
-
-#pki_ds_secure_connection=True
-#pki_ds_secure_connection_ca_nickname=Directory Server CA certificate
-#pki_ds_secure_connection_ca_pem_file=/root/dsca.pem
#pki_server_pkcs12_path=pki-server.p12
-#pki_server_pkcs12_password=Secret123
+#pki_server_pkcs12_password=Secret.123
+
+pki_ca_signing_nickname=ca_signing
+pki_ocsp_signing_nickname=ca_ocsp_signing
+pki_audit_signing_nickname=ca_audit_signing
+pki_ssl_server_nickname=sslserver
+pki_subsystem_nickname=subsystem
diff --git a/scripts/ca_signing-generate-csr.sh b/scripts/ca_signing-generate-csr.sh
new file mode 100755
index 0000000..4ba7204
--- /dev/null
+++ b/scripts/ca_signing-generate-csr.sh
@@ -0,0 +1,24 @@
+#!/bin/sh
+
+echo -e "y\n\ny\n" | \
+ certutil -R \
+ -d nssdb \
+ -h internal \
+ -f nssdb/password.txt \
+ -z nssdb/noise.bin \
+ -s "CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE" \
+ -2 \
+ --keyUsage digitalSignature,nonRepudiation,certSigning,crlSigning,critical \
+ -o ca_signing.csr.der
+
+openssl req -inform der -in ca_signing.csr.der -out ca_signing.csr
+
+#BtoA ca_signing.csr.der ca_signing.csr.pem
+#echo "-----BEGIN NEW CERTIFICATE REQUEST-----" > ca_signing.csr
+#cat ca_signing.csr.pem >> ca_signing.csr
+#echo "-----END NEW CERTIFICATE REQUEST-----" >> ca_signing.csr
+
+rm ca_signing.csr.der
+#rm ca_signing.csr.pem
+
+openssl req -text -noout -in ca_signing.csr
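Review bot: `echo -e` under `#!/bin/sh` is not portable: when /bin/sh is dash, `-e` is not an option and is printed literally, so the first line fed to `certutil -R -2` becomes `-e y` rather than `y`. Use `printf 'y\n\ny\n' | \` instead, and add a comment saying what the three answers are for — presumably the `-2` basic-constraints prompts (CA: yes, path length: none, critical: yes) — since the canned input is otherwise opaque. `rm ca_signing.csr.der` also runs even when the `openssl req` conversion failed; `set -e` after the shebang, or `openssl req -inform der -in ca_signing.csr.der -out ca_signing.csr && rm ca_signing.csr.der`, keeps the DER file for inspection on failure.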
diff --git a/scripts/caext-create.sh b/scripts/caext-create.sh
new file mode 100755
index 0000000..c5ee8a8
--- /dev/null
+++ b/scripts/caext-create.sh
@@ -0,0 +1,3 @@
+#!/bin/sh -x
+
+pkispawn -f caext.cfg -s CA
diff --git a/scripts/caext-remove.sh b/scripts/caext-remove.sh
new file mode 100755
index 0000000..4e5cd07
--- /dev/null
+++ b/scripts/caext-remove.sh
@@ -0,0 +1,6 @@
+#!/bin/sh
+
+SRC_DIR=`cd ../.. ; pwd`
+INSTANCE_NAME=pki-external
+
+pkidestroy -s CA -i $INSTANCE_NAME
diff --git a/scripts/cassl-create.sh b/scripts/cassl-create.sh
new file mode 100755
index 0000000..1ea5811
--- /dev/null
+++ b/scripts/cassl-create.sh
@@ -0,0 +1,8 @@
+#!/bin/sh -x
+
+pkispawn -vv -f cassl.cfg -s CA
+
+/bin/cp /root/.dogtag/pki-tomcat/ca_admin.cert .
+/bin/cp /root/.dogtag/pki-tomcat/ca_admin_cert.p12 .
+/bin/cp /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf ca_admin_cert.txt
+echo $HOSTNAME > master.txt