authorEndi S. Dewata <edewata@redhat.com>2017-10-20 21:35:47 +0200
committerEndi S. Dewata <edewata@redhat.com>2017-10-20 21:35:47 +0200
commit7afd94fdcde2a17f88064ebae9e244c987150a04 (patch)
tree7b959eeb71936f4a557e488364e5e3d216d6c415
parent107e509b488a850e4d424e99f58a937e92e6bdf9 (diff)
Updated root scripts.
-rwxr-xr-xscripts/root-kra-create.sh41
-rwxr-xr-xscripts/root-openssl-create.sh81
-rwxr-xr-xscripts/root-openssl-subca-sign.sh24
-rwxr-xr-xscripts/rootca-admin-init.sh (renamed from scripts/root-admin-init.sh)0
-rwxr-xr-xscripts/rootca-create.sh (renamed from scripts/root-ca-create.sh)18
5 files changed, 156 insertions, 8 deletions
diff --git a/scripts/root-kra-create.sh b/scripts/root-kra-create.sh
new file mode 100755
index 0000000..196b413
--- /dev/null
+++ b/scripts/root-kra-create.sh
@@ -0,0 +1,41 @@
+#!/bin/sh -x
+
+mkdir -p tmp
+
+cat > tmp/root-kra.cfg << EOF
+[DEFAULT]
+pki_pin=Secret.123
+
+[KRA]
+pki_admin_cert_file=/root/.dogtag/pki-tomcat/ca_admin.cert
+#pki_import_admin_cert=False
+#pki_import_admin_pkcs12_file=/root/.dogtag/pki-tomcat/ca_admin_cert.p12
+#pki_import_admin_pkcs12_password=Secret.123
+#pki_import_admin_pkcs12_nickname=caadmin
+
+pki_admin_email=kraadmin@example.com
+pki_admin_name=kraadmin
+pki_admin_nickname=kraadmin
+pki_admin_password=Secret.123
+pki_admin_uid=kraadmin
+
+pki_client_database_password=Secret.123
+#pki_client_database_purge=False
+pki_client_pkcs12_password=Secret.123
+
+pki_ds_base_dn=dc=kra,dc=pki,dc=example,dc=com
+pki_ds_password=Secret.123
+pki_ds_database=kra
+
+pki_security_domain_name=ROOT
+pki_security_domain_user=caadmin
+pki_security_domain_password=Secret.123
+
+pki_storage_nickname=kra_storage
+pki_transport_nickname=kra_transport
+pki_audit_signing_nickname=kra_audit_signing
+pki_sslserver_nickname=sslserver
+pki_subsystem_nickname=subsystem
+EOF
+
+pkispawn -f tmp/root-kra.cfg -s KRA
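Review bot: The config written by the heredoc at `cat > tmp/root-kra.cfg` carries several plaintext credentials (pki_admin_password, pki_ds_password, pki_security_domain_password for the CA admin, and the pki_pin for the NSS database) and is created under the caller's default umask in a relative `tmp` directory, so with the usual 022 it is world-readable for as long as it exists. Even for a dev/test script it is cheap to restrict: `umask 077` before `mkdir -p tmp`, or `chmod 600 tmp/root-kra.cfg` right after the heredoc. Separately, the `-x` in `#!/bin/sh -x` is silently dropped when the script is invoked as `sh scripts/root-kra-create.sh`, and none of the sibling scripts in this commit trace; a `set -x` line after the shebang (or dropping the tracing) keeps behaviour the same however the script is launched.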
diff --git a/scripts/root-openssl-create.sh b/scripts/root-openssl-create.sh
new file mode 100755
index 0000000..a2a71a0
--- /dev/null
+++ b/scripts/root-openssl-create.sh
@@ -0,0 +1,81 @@
+#!/bin/sh
+
+mkdir -p tmp
+
+cat > tmp/root.cfg << EOF
+HOME = tmp
+RANDFILE = ${ENV::HOME}/random.bin
+
+####################################################################
+[ ca ]
+default_ca = CA_default # The default ca section
+
+[ CA_default ]
+
+default_days = 1000 # how long to certify for
+default_crl_days = 30 # how long before next CRL
+default_md = sha256 # use public key default MD
+preserve = no # keep passed DN ordering
+
+x509_extensions = ca_extensions # The extensions to add to the cert
+
+email_in_dn = no # Don't concat the email in the DN
+copy_extensions = copy # Required to copy SANs from CSR to cert
+
+####################################################################
+[ req ]
+default_bits = 4096
+default_keyfile = tmp/external.key
+distinguished_name = ca_distinguished_name
+x509_extensions = ca_extensions
+string_mask = utf8only
+
+####################################################################
+[ ca_distinguished_name ]
+countryName = Country Name (2 letter code)
+countryName_default = US
+
+stateOrProvinceName = State or Province Name (full name)
+stateOrProvinceName_default = Maryland
+
+localityName = Locality Name (eg, city)
+localityName_default = Baltimore
+
+organizationName = Organization Name (eg, company)
+organizationName_default = Test CA, Limited
+
+organizationalUnitName = Organizational Unit (eg, division)
+organizationalUnitName_default = Server Research Department
+
+commonName = Common Name (e.g. server FQDN or YOUR name)
+commonName_default = Test CA
+
+emailAddress = Email Address
+emailAddress_default = test@example.com
+
+####################################################################
+[ ca_extensions ]
+
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always, issuer
+basicConstraints = critical, CA:true
+keyUsage = critical, digitalSignature, nonRepudiation, keyCertSign, cRLSign
+EOF
+
+openssl req \
+ -config tmp/root.cfg \
+ -newkey rsa:2048 \
+ -keyout tmp/root.key \
+ -nodes -x509 \
+ -out tmp/root.crt \
+ -subj "/O=ROOT/CN=Root CA Signing Certificate" \
+ -days 365
+
+openssl x509 -text -noout -in tmp/root.crt
+
+openssl crl2pkcs7 \
+ -nocrl \
+ -certfile tmp/root.crt \
+ -out tmp/cert_chain.p7b
+
+echo $HOSTNAME > tmp/root.txt
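Review bot: The `RANDFILE = ${ENV::HOME}/random.bin` line sits inside an unquoted heredoc (`cat > tmp/root.cfg << EOF`), so the shell rather than OpenSSL sees `${ENV::HOME}`: dash reports a bad substitution and bash, as far as I can tell, attempts a substring expansion with `HOME` as the length expression, so the OpenSSL-syntax reference never reaches the file as written and the script may abort before `openssl req` runs. Nothing in this heredoc needs shell expansion, so quoting the delimiter fixes it: `cat > tmp/root.cfg << 'EOF'`. Two further inconsistencies: `default_bits = 4096` in `[ req ]` is overridden by `-newkey rsa:2048` on the command line, and `default_days = 1000` by `-days 365`, which gives the root CA a one-year lifetime; these values should live in one place. The root private key is also written unencrypted (`-nodes`) to `tmp/root.key` under the default umask, so a `umask 077` at the top of the script is worth adding even for a test root.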
diff --git a/scripts/root-openssl-subca-sign.sh b/scripts/root-openssl-subca-sign.sh
new file mode 100755
index 0000000..693371c
--- /dev/null
+++ b/scripts/root-openssl-subca-sign.sh
@@ -0,0 +1,24 @@
+#!/bin/sh
+
+mkdir -p tmp
+
+cat > tmp/ca_signing-ext.cfg << EOF
+[ ca_extensions ]
+
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always, issuer
+basicConstraints = critical, CA:true
+keyUsage = critical, digitalSignature, nonRepudiation, keyCertSign, cRLSign
+EOF
+
+openssl x509 -req \
+ -CA tmp/root.crt \
+ -CAkey tmp/root.key \
+ -CAcreateserial \
+ -in tmp/ca_signing.csr \
+ -out tmp/ca_signing.crt \
+ -extfile tmp/ca_signing-ext.cfg \
+ -extensions ca_extensions \
+ -set_serial 1
+
+openssl x509 -text -noout -in tmp/ca_signing.crt
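Review bot: `-set_serial 1` overrides the `-CAcreateserial` given two lines earlier, so every sub-CA certificate this script issues under `tmp/root.crt` gets serial number 1; two certificates with the same issuer and serial violate RFC 5280 and make CRL entries and path building ambiguous if the script is ever run more than once. No `-days` is passed either, so `openssl x509 -req` falls back to its 30-day default for the CA signing certificate, and no digest is named, so the build's default (SHA-1 on older OpenSSL releases) is used. Suggest dropping `-set_serial 1` and letting `-CAcreateserial`/`-CAserial tmp/root.srl` track serials, and adding `-days 365 -sha256` (or whatever lifetime the sibling root script settles on) to the `openssl x509 -req` invocation.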
diff --git a/scripts/root-admin-init.sh b/scripts/rootca-admin-init.sh
index f30990f..f30990f 100755
--- a/scripts/root-admin-init.sh
+++ b/scripts/rootca-admin-init.sh
diff --git a/scripts/root-ca-create.sh b/scripts/rootca-create.sh
index bf2cea6..62506ff 100755
--- a/scripts/root-ca-create.sh
+++ b/scripts/rootca-create.sh
@@ -2,7 +2,10 @@
mkdir -p tmp
-cat > tmp/root-ca.cfg << EOF
+cat > tmp/rootca.cfg << EOF
+[DEFAULT]
+pki_pin=Secret.123
+
[CA]
pki_admin_email=caadmin@example.com
pki_admin_name=caadmin
@@ -10,7 +13,7 @@ pki_admin_nickname=caadmin
pki_admin_password=Secret.123
pki_admin_uid=caadmin
-#pki_client_database_password=Secret.123
+pki_client_database_password=Secret.123
#pki_client_database_purge=False
pki_client_pkcs12_password=Secret.123
@@ -20,16 +23,15 @@ pki_ds_database=ca
pki_security_domain_name=ROOT
-#pki_server_pkcs12_path=pki-server.p12
-#pki_server_pkcs12_password=Secret.123
-
pki_ca_signing_nickname=ca_signing
-pki_ca_signing_subject_dn=cn=Root CA Signing Certificate,ou=%(pki_instance_name)s,o=%(pki_security_domain_name)s
+pki_ca_signing_subject_dn=cn=Root CA Signing Certificate,o=ROOT
pki_ocsp_signing_nickname=ca_ocsp_signing
pki_audit_signing_nickname=ca_audit_signing
-pki_ssl_server_nickname=sslserver
+pki_sslserver_nickname=sslserver
pki_subsystem_nickname=subsystem
EOF
-pkispawn -vv -f tmp/root-ca.cfg -s CA
+pkispawn -f tmp/rootca.cfg -s CA
+
+echo $HOSTNAME > tmp/rootca.txt
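Review bot: `echo $HOSTNAME > tmp/rootca.txt` relies on `HOSTNAME`, a bash-specific variable; this script's shebang is outside the hunk, but the sibling scripts added in this commit use `#!/bin/sh`, and under dash `HOSTNAME` is unset, so the file would silently be written empty. `hostname > tmp/rootca.txt` (or `printf '%s\n' "$(hostname)" > tmp/rootca.txt`) behaves the same in either shell. The same construct appears at the end of root-openssl-create.sh.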