authorEndi Sukma Dewata <edewata@redhat.com>2012-08-07 11:26:54 -0500
committerEndi Sukma Dewata <edewata@redhat.com>2012-08-07 11:26:54 -0500
commitb781ff44d12fe7941db92323f70ad5999e680793 (patch)
treef6ae09cb9e475fc69fb576474b124c7e7b36920d
parent628d95cead4323fc4f6a0fa2eeda286e0304ae78 (diff)
Added CA clone scripts.
-rw-r--r--scripts/ca-clone.cfg (renamed from scripts/ca.cfg)12
-rwxr-xr-xscripts/ca-create.sh4
-rw-r--r--scripts/ca-master.cfg231
-rwxr-xr-xscripts/ca-remove.sh2
-rwxr-xr-xscripts/caclone-create.sh24
-rwxr-xr-xscripts/caclone-remove.sh14
-rwxr-xr-xscripts/caclone-restart.sh3
-rwxr-xr-xscripts/caclone-start.sh2
-rwxr-xr-xscripts/caclone-stop.sh2
-rwxr-xr-xscripts/cert-request-approve.sh7
-rwxr-xr-xscripts/cert-request-review.sh7
-rwxr-xr-xscripts/cert-request-submit.sh2
-rwxr-xr-xscripts/firefox-certs-import.sh13
13 files changed, 273 insertions, 50 deletions
diff --git a/scripts/ca.cfg b/scripts/ca-clone.cfg
index c0899e3..7d0c6eb 100644
--- a/scripts/ca.cfg
+++ b/scripts/ca-clone.cfg
@@ -30,7 +30,7 @@ pki_token_password=Secret123
pki_admin_cert_request_type=crmf
pki_admin_domain_name=
pki_admin_dualkey=False
-pki_admin_email=
+pki_admin_email=admin@example.com
pki_admin_keysize=2048
pki_admin_name=admin
pki_admin_nickname=admin
@@ -45,15 +45,15 @@ pki_audit_signing_signing_algorithm=SHA256withRSA
pki_audit_signing_subject_dn=
pki_audit_signing_token=
pki_backup_keys=False
-pki_client_database_dir=
+pki_client_database_dir=../../certs/pki-clone
pki_client_database_purge=False
pki_client_dir=
-pki_ds_base_dn=
+pki_ds_base_dn=dc=pki-clone,dc=example,dc=com
pki_ds_bind_dn=cn=Directory Manager
pki_ds_database=
pki_ds_hostname=
-pki_ds_ldap_port=389
-pki_ds_ldaps_port=636
+pki_ds_ldap_port=390
+pki_ds_ldaps_port=637
pki_ds_remove_data=True
pki_ds_secure_connection=False
pki_group=pkiuser
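Review bot: The clone's directory server is moved to ports 390/637 but `pki_ds_secure_connection=False` is kept (L60), so the `cn=Directory Manager` bind (L52) with the password from the [Sensitive] section will go over plaintext LDAP on 390 while the configured LDAPS port 637 stays unused. For two instances on one host this is probably tolerable, but it should be a conscious choice: either set `pki_ds_secure_connection=True` or add `## plaintext LDAP is deliberate: DS is local to this dev box` above the port lines. The empty `pki_ds_hostname` (L54) presumably defaults to the local host, which is what makes plaintext tolerable at all — worth confirming.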
@@ -112,7 +112,7 @@ pki_enable_java_debugger=False
pki_enable_proxy=False
pki_http_port=8013
pki_https_port=8015
-pki_instance_name=pki-master
+pki_instance_name=pki-clone
pki_proxy_http_port=80
pki_proxy_https_port=443
pki_security_manager=false
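Review bot: Only `pki_instance_name` changes in the [Tomcat] section, and the hunk does not show `pki_clone`, `pki_clone_uri` or `pki_clone_pkcs12_path`, which sit a few lines above this context (compare ca-master.cfg L193–L196 where they are `False` and empty). If the renamed ca.cfg still carries `pki_clone=False`, caclone-create.sh will spawn a second independent CA with its own signing key rather than a clone of pki-master; please confirm those three values are set for this file. A leading comment such as `## CA clone of pki-master: requires pki_clone=True, pki_clone_uri and the master's exported pki_clone_pkcs12_path` would make the dependency visible to whoever next edits the file.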
diff --git a/scripts/ca-create.sh b/scripts/ca-create.sh
index b131f3d..12a7d75 100755
--- a/scripts/ca-create.sh
+++ b/scripts/ca-create.sh
@@ -1,5 +1,3 @@
#!/bin/sh -x
-pkispawn -f ca.cfg -s CA -v
-
-./ca-restart.sh
+pkispawn -f ca-master.cfg -s CA -v
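Review bot: The explicit `./ca-restart.sh` step is dropped, which presumably relies on `pki_restart_configured_instance=True` in ca-master.cfg (L146); that dependency is invisible from this one-line script. A comment would keep someone from re-adding the restart or flipping the cfg value without noticing: `# instance restart is done by pkispawn (pki_restart_configured_instance=True in ca-master.cfg)`. As with the sibling scripts, the relative config path means this must be run from scripts/.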
diff --git a/scripts/ca-master.cfg b/scripts/ca-master.cfg
new file mode 100644
index 0000000..477dd2a
--- /dev/null
+++ b/scripts/ca-master.cfg
@@ -0,0 +1,231 @@
+###############################################################################
+## 'Sensitive' Data: ##
+## ##
+## Values in this section pertain to various PKI subsystems, and contain ##
+## required 'sensitive' information which MUST ALWAYS be provided by users. ##
+## ##
+## IMPORTANT: Sensitive data values must NEVER be displayed to the ##
+## console NOR stored in log files!!! ##
+###############################################################################
+[Sensitive]
+pki_admin_password=Secret123
+pki_backup_password=Secret123
+pki_client_database_password=Secret123
+pki_client_pkcs12_password=Secret123
+pki_clone_pkcs12_password=Secret123
+pki_ds_password=Secret123
+pki_security_domain_password=Secret123
+pki_token_password=Secret123
+###############################################################################
+## 'Common' Data: ##
+## ##
+## Values in this section are common to more than one PKI subsystem, and ##
+## contain required information which MAY be overridden by users as ##
+## necessary. ##
+## ##
+## NOTE: Default values will be generated for any and all required ##
+## 'common' data values which are left undefined. ##
+###############################################################################
+[Common]
+pki_admin_cert_request_type=crmf
+pki_admin_domain_name=
+pki_admin_dualkey=False
+pki_admin_email=admin@example.com
+pki_admin_keysize=2048
+pki_admin_name=admin
+pki_admin_nickname=admin
+pki_admin_subject_dn=
+pki_admin_uid=admin
+pki_audit_group=pkiaudit
+pki_audit_signing_key_algorithm=SHA256withRSA
+pki_audit_signing_key_size=2048
+pki_audit_signing_key_type=rsa
+pki_audit_signing_nickname=
+pki_audit_signing_signing_algorithm=SHA256withRSA
+pki_audit_signing_subject_dn=
+pki_audit_signing_token=
+pki_backup_keys=False
+pki_client_database_dir=../../certs/pki-master
+pki_client_database_purge=False
+pki_client_dir=
+pki_ds_base_dn=dc=pki-master,dc=example,dc=com
+pki_ds_bind_dn=cn=Directory Manager
+pki_ds_database=
+pki_ds_hostname=
+pki_ds_ldap_port=389
+pki_ds_ldaps_port=636
+pki_ds_remove_data=True
+pki_ds_secure_connection=False
+pki_group=pkiuser
+pki_restart_configured_instance=True
+pki_security_domain_hostname=
+pki_security_domain_https_port=8443
+pki_security_domain_name=EXAMPLE
+pki_security_domain_user=admin
+pki_ssl_server_key_algorithm=SHA256withRSA
+pki_ssl_server_key_size=2048
+pki_ssl_server_key_type=rsa
+pki_ssl_server_nickname=
+pki_ssl_server_subject_dn=
+pki_ssl_server_token=
+pki_subsystem_key_algorithm=SHA256withRSA
+pki_subsystem_key_size=2048
+pki_subsystem_key_type=rsa
+pki_subsystem_nickname=
+pki_subsystem_subject_dn=
+pki_subsystem_token=
+pki_token_name=internal
+pki_user=pkiuser
+###############################################################################
+## 'Apache' Data: ##
+## ##
+## Values in this section are common to PKI subsystems that run ##
+## as an instance of 'Apache' (RA and TPS subsystems), and contain ##
+## required information which MAY be overridden by users as necessary. ##
+###############################################################################
+[Apache]
+pki_instance_name=pki-apache
+pki_http_port=80
+pki_https_port=443
+###############################################################################
+## 'Tomcat' Data: ##
+## ##
+## Values in this section are common to PKI subsystems that run ##
+## as an instance of 'Tomcat' (CA, KRA, OCSP, and TKS subsystems ##
+## including 'Clones', 'Subordinate CAs', and 'External CAs'), and contain ##
+## required information which MAY be overridden by users as necessary. ##
+## ##
+## PKI CLONES: To specify a 'CA Clone', a 'KRA Clone', an 'OCSP Clone', ##
+## or a 'TKS Clone', change the value of 'pki_clone' ##
+## from 'False' to 'True'. ##
+## ##
+## REMINDER: PKI CA Clones, Subordinate CAs, and External CAs ##
+## are MUTUALLY EXCLUSIVE entities!!! ##
+###############################################################################
+[Tomcat]
+pki_ajp_port=8009
+pki_clone=False
+pki_clone_pkcs12_path=
+pki_clone_replication_security=None
+pki_clone_uri=
+pki_enable_java_debugger=False
+pki_enable_proxy=False
+pki_http_port=8080
+pki_https_port=8443
+pki_instance_name=pki-master
+pki_proxy_http_port=80
+pki_proxy_https_port=443
+pki_security_manager=false
+pki_tomcat_server_port=8005
+###############################################################################
+## 'CA' Data: ##
+## ##
+## Values in this section are common to CA subsystems including 'PKI CAs', ##
+## 'Cloned CAs', 'Subordinate CAs', and 'External CAs', and contain ##
+## required information which MAY be overridden by users as necessary. ##
+## ##
+## EXTERNAL CAs: To specify an 'External CA', change the value ##
+## of 'pki_external' from 'False' to 'True'. ##
+## ##
+## SUBORDINATE CAs: To specify a 'Subordinate CA', change the value ##
+## of 'pki_subordinate' from 'False' to 'True'. ##
+## ##
+## REMINDER: PKI CA Clones, Subordinate CAs, and External CAs ##
+## are MUTUALLY EXCLUSIVE entities!!! ##
+###############################################################################
+[CA]
+pki_ca_signing_key_algorithm=SHA256withRSA
+pki_ca_signing_key_size=2048
+pki_ca_signing_key_type=rsa
+pki_ca_signing_nickname=
+pki_ca_signing_signing_algorithm=SHA256withRSA
+pki_ca_signing_subject_dn=
+pki_ca_signing_token=
+pki_external=False
+pki_external_ca_cert_chain_path=
+pki_external_ca_cert_path=
+pki_external_csr_path=
+pki_external_step_two=False
+pki_ocsp_signing_key_algorithm=SHA256withRSA
+pki_ocsp_signing_key_size=2048
+pki_ocsp_signing_key_type=rsa
+pki_ocsp_signing_nickname=
+pki_ocsp_signing_signing_algorithm=SHA256withRSA
+pki_ocsp_signing_subject_dn=
+pki_ocsp_signing_token=
+pki_subordinate=False
+pki_subsystem=CA
+pki_subsystem_name=
+pki_war_file=ca.war
+###############################################################################
+## 'KRA' Data: ##
+## ##
+## Values in this section are common to KRA subsystems ##
+## including 'PKI KRAs' and 'Cloned KRAs', and contain ##
+## required information which MAY be overridden by users as necessary. ##
+###############################################################################
+[KRA]
+pki_storage_key_algorithm=SHA256withRSA
+pki_storage_key_size=2048
+pki_storage_key_type=rsa
+pki_storage_nickname=
+pki_storage_signing_algorithm=SHA256withRSA
+pki_storage_subject_dn=
+pki_storage_token=
+pki_subsystem=KRA
+pki_subsystem_name=
+pki_transport_key_algorithm=SHA256withRSA
+pki_transport_key_size=2048
+pki_transport_key_type=rsa
+pki_transport_nickname=
+pki_transport_signing_algorithm=SHA256withRSA
+pki_transport_subject_dn=
+pki_transport_token=
+pki_war_file=kra.war
+###############################################################################
+## 'OCSP' Data: ##
+## ##
+## Values in this section are common to OCSP subsystems ##
+## including 'PKI OCSPs' and 'Cloned OCSPs', and contain ##
+## required information which MAY be overridden by users as necessary. ##
+###############################################################################
+[OCSP]
+pki_ocsp_signing_key_algorithm=SHA256withRSA
+pki_ocsp_signing_key_size=2048
+pki_ocsp_signing_key_type=rsa
+pki_ocsp_signing_nickname=
+pki_ocsp_signing_signing_algorithm=SHA256withRSA
+pki_ocsp_signing_subject_dn=
+pki_ocsp_signing_token=
+pki_subsystem=OCSP
+pki_subsystem_name=
+pki_war_file=ocsp.war
+###############################################################################
+## 'RA' Data: ##
+## ##
+## Values in this section are common to PKI RA subsystems, and contain ##
+## required information which MAY be overridden by users as necessary. ##
+###############################################################################
+[RA]
+pki_subsystem=RA
+pki_subsystem_name=
+###############################################################################
+## 'TKS' Data: ##
+## ##
+## Values in this section are common to TKS subsystems ##
+## including 'PKI TKSs' and 'Cloned TKSs', and contain ##
+## required information which MAY be overridden by users as necessary. ##
+###############################################################################
+[TKS]
+pki_subsystem=TKS
+pki_subsystem_name=
+pki_war_file=tks.war
+###############################################################################
+## 'TPS' Data: ##
+## ##
+## Values in this section are common to PKI TPS subsystems, and contain ##
+## required information which MAY be overridden by users as necessary. ##
+###############################################################################
+[TPS]
+pki_subsystem=TPS
+pki_subsystem_name=
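Review bot: Every credential in the [Sensitive] section (L97–L104) is the same literal `Secret123` — including the Directory Manager bind password, the token password and the security domain password — and the file is committed to the repo, directly under a header (L93–L94) saying these values must never be exposed. If these are throwaway development values, state that in the file, e.g. `## DEV ONLY: throwaway passwords for a disposable test VM; never reuse elsewhere`, and keep the file mode 0600 since pkispawn reads it as root and nothing else needs to. Separately, `pki_ds_secure_connection=False` (L144) together with an empty `pki_ds_hostname` (L140) means the Directory Manager bind travels over plaintext LDAP on 389; that is presumably a local DS, but the setting should be `True` against anything remote.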
diff --git a/scripts/ca-remove.sh b/scripts/ca-remove.sh
index 8394720..6c90c78 100755
--- a/scripts/ca-remove.sh
+++ b/scripts/ca-remove.sh
@@ -1,5 +1,6 @@
#!/bin/sh -x
+SRC_DIR=`cd ../.. ; pwd`
INSTANCE_NAME=pki-master
pkidestroy -s CA -i $INSTANCE_NAME
@@ -9,3 +10,4 @@ rm -rf /etc/sysconfig/$INSTANCE_NAME
rm -rf /etc/sysconfig/pki/tomcat/$INSTANCE_NAME
rm -rf /var/lib/pki/$INSTANCE_NAME
rm -rf /var/log/pki/$INSTANCE_NAME
+rm -rf $SRC_DIR/certs/$INSTANCE_NAME
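Review bot: The new `rm -rf $SRC_DIR/certs/$INSTANCE_NAME` depends on `SRC_DIR=`cd ../.. ; pwd`` from the first hunk (L324), where a failed `cd` is ignored because of the `;`, so when the script is run from any other directory SRC_DIR silently becomes the caller's current directory and the rm targets a path under it. Fail closed instead: `SRC_DIR=$(cd ../.. && pwd) || exit 1` and `rm -rf -- "${SRC_DIR:?}/certs/${INSTANCE_NAME:?}"`, which also refuses to run if either variable is empty. The same pattern appears in caclone-remove.sh.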
diff --git a/scripts/caclone-create.sh b/scripts/caclone-create.sh
index 757271f..7a3bf12 100755
--- a/scripts/caclone-create.sh
+++ b/scripts/caclone-create.sh
@@ -1,25 +1,3 @@
#!/bin/sh -x
-SRC_DIR=`cd ../.. ; pwd`
-
-INSTANCE_NAME=pki-caclone
-
-pkicreate -pki_instance_root=/var/lib \
- -pki_instance_name=$INSTANCE_NAME \
- -subsystem_type=ca \
- -secure_port=9444 \
- -unsecure_port=9181 \
- -tomcat_server_port=9702 \
- -user=pkiuser \
- -group=pkiuser \
- -redirect conf=/etc/$INSTANCE_NAME \
- -redirect logs=/var/log/$INSTANCE_NAME \
- -verbose
-
-ln -s /usr/share/tomcat6/bin /var/lib/$INSTANCE_NAME/bin
-ln -s /usr/share/tomcat6/lib /var/lib/$INSTANCE_NAME/lib
-rm -f /var/lib/$INSTANCE_NAME/webapps/ca/WEB-INF/lib/pki-*
-ln -s $SRC_DIR/pki/build/classes /var/lib/$INSTANCE_NAME/webapps/ca/WEB-INF/classes
-
-systemctl restart pki-cad@$INSTANCE_NAME.service
-
+pkispawn -f ca-clone.cfg -s CA -v
diff --git a/scripts/caclone-remove.sh b/scripts/caclone-remove.sh
index 43523e6..cedd353 100755
--- a/scripts/caclone-remove.sh
+++ b/scripts/caclone-remove.sh
@@ -1,5 +1,13 @@
#!/bin/sh -x
-pkiremove -pki_instance_root=/var/lib\
- -pki_instance_name=pki-caclone\
- -force
+SRC_DIR=`cd ../.. ; pwd`
+INSTANCE_NAME=pki-clone
+
+pkidestroy -s CA -i $INSTANCE_NAME
+
+rm -rf /etc/pki/$INSTANCE_NAME
+rm -rf /etc/sysconfig/$INSTANCE_NAME
+rm -rf /etc/sysconfig/pki/tomcat/$INSTANCE_NAME
+rm -rf /var/lib/pki/$INSTANCE_NAME
+rm -rf /var/log/pki/$INSTANCE_NAME
+rm -rf $SRC_DIR/certs/$INSTANCE_NAME
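Review bot: As in ca-remove.sh, `SRC_DIR=`cd ../.. ; pwd`` (L371) ignores a failed cd, so the trailing `rm -rf $SRC_DIR/certs/$INSTANCE_NAME` can act on a path under whatever directory the caller happened to be in; use `SRC_DIR=$(cd ../.. && pwd) || exit 1` and `rm -rf -- "${SRC_DIR:?}/certs/${INSTANCE_NAME:?}"`. The result of `pkidestroy` (L374) is also not checked before the manual cleanup; if that is intentional for a force-remove script, a one-line comment saying so would help.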
diff --git a/scripts/caclone-restart.sh b/scripts/caclone-restart.sh
index 1ac3797..7c65fb1 100755
--- a/scripts/caclone-restart.sh
+++ b/scripts/caclone-restart.sh
@@ -1,3 +1,4 @@
#!/bin/sh -x
-systemctl restart pki-cad@pki-caclone.service
+./caclone-stop.sh
+./caclone-start.sh
diff --git a/scripts/caclone-start.sh b/scripts/caclone-start.sh
index 037f171..9ebfd59 100755
--- a/scripts/caclone-start.sh
+++ b/scripts/caclone-start.sh
@@ -1,3 +1,3 @@
#!/bin/sh -x
-systemctl start pki-cad@pki-caclone.service
+systemctl start pki-tomcatd@ca-clone.service
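Review bot: The unit name `pki-tomcatd@ca-clone.service` does not match the instance this commit creates: ca-clone.cfg sets `pki_instance_name=pki-clone` (L67) and caclone-remove.sh uses `INSTANCE_NAME=pki-clone` (L372). Unless the systemd instance suffix is derived from something other than pki_instance_name, start and stop will target a unit that does not exist; `systemctl start pki-tomcatd@pki-clone.service` looks like the intended line, with the same change in caclone-stop.sh. Defining `INSTANCE_NAME=pki-clone` once in a shared include and using it in all caclone-*.sh would prevent the names drifting again.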
diff --git a/scripts/caclone-stop.sh b/scripts/caclone-stop.sh
index d4d1c36..63e7b51 100755
--- a/scripts/caclone-stop.sh
+++ b/scripts/caclone-stop.sh
@@ -1,3 +1,3 @@
#!/bin/sh -x
-systemctl stop pki-cad@pki-caclone.service
+systemctl stop pki-tomcatd@ca-clone.service
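Review bot: Same instance-name mismatch as caclone-start.sh: `ca-clone` here versus `pki_instance_name=pki-clone` in ca-clone.cfg (L67) and `INSTANCE_NAME=pki-clone` in caclone-remove.sh (L372). Unless the service suffix is derived differently, `systemctl stop pki-tomcatd@pki-clone.service` appears to be the intended unit.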
diff --git a/scripts/cert-request-approve.sh b/scripts/cert-request-approve.sh
index dd0413a..be9b9bf 100755
--- a/scripts/cert-request-approve.sh
+++ b/scripts/cert-request-approve.sh
@@ -1,9 +1,8 @@
#!/bin/sh
+SRC_DIR=`cd ../.. ; pwd`
INSTANCE_NAME=pki-master
-TEST_DIR=/tmp/${INSTANCE_NAME}_client
-CLIENT_CERT_DIR=$TEST_DIR/alias
-CLIENT_CERT_PASSWORD=`cat $TEST_DIR/password.conf`
+CLIENT_CERT_DIR=$SRC_DIR/certs/$INSTANCE_NAME
# Approve request as an agent
-pki -U https://localhost:8015/ca -d $CLIENT_CERT_DIR -w $CLIENT_CERT_PASSWORD -n admin cert-request-approve cert-request-review.xml
+pki -v -d $CLIENT_CERT_DIR -w Secret123 -n admin cert-request-approve cert-request-review.xml
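Review bot: The agent's NSS database password becomes a literal `Secret123` on the command line, where the previous version read it from a file (L417); the secret is now committed to the repo and, for the duration of the call, visible to every local user via `ps`. Restoring the file read keeps it out of the script at least: `CLIENT_CERT_PASSWORD=$(cat "$CLIENT_CERT_DIR/password.conf")` (or whichever mode-0600 file the create step writes) and `-w "$CLIENT_CERT_PASSWORD"`; if this version of the pki CLI accepts a password file option, that avoids the argv exposure as well. Dropping `-U` means the CLI's default URL is used, so it is worth confirming that default is the pki-master instance (now on 8443 per ca-master.cfg L200) rather than the clone.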
diff --git a/scripts/cert-request-review.sh b/scripts/cert-request-review.sh
index a90be39..0bc736f 100755
--- a/scripts/cert-request-review.sh
+++ b/scripts/cert-request-review.sh
@@ -2,10 +2,9 @@
REQUEST_ID=$1
+SRC_DIR=`cd ../.. ; pwd`
INSTANCE_NAME=pki-master
-TEST_DIR=/tmp/${INSTANCE_NAME}_client
-CLIENT_CERT_DIR=$TEST_DIR/alias
-CLIENT_CERT_PASSWORD=`cat $TEST_DIR/password.conf`
+CLIENT_CERT_DIR=$SRC_DIR/certs/$INSTANCE_NAME
# Review request as an agent
-pki -U https://localhost:8015/ca -d $CLIENT_CERT_DIR -w $CLIENT_CERT_PASSWORD -n admin cert-request-review $REQUEST_ID --output cert-request-review.xml
+pki -v -d $CLIENT_CERT_DIR -w Secret123 -n admin cert-request-review $REQUEST_ID --output cert-request-review.xml
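Review bot: Same regression as cert-request-approve.sh: the NSS database password is now a literal `Secret123` in the script and on argv, where L432 previously read it from a file. Prefer `CLIENT_CERT_PASSWORD=$(cat "$CLIENT_CERT_DIR/password.conf")` with `-w "$CLIENT_CERT_PASSWORD"`, or a password-file option if the CLI offers one, and quote `$CLIENT_CERT_DIR` and `$REQUEST_ID` while here.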
diff --git a/scripts/cert-request-submit.sh b/scripts/cert-request-submit.sh
index 8ef8a2d..56d8baf 100755
--- a/scripts/cert-request-submit.sh
+++ b/scripts/cert-request-submit.sh
@@ -1,4 +1,4 @@
#!/bin/sh
# Submit request anonymously
-pki -U http://localhost:8013/ca cert-request-submit cert-request.xml
+pki -v cert-request-submit cert-request.xml
diff --git a/scripts/firefox-certs-import.sh b/scripts/firefox-certs-import.sh
index 35b6939..af25540 100755
--- a/scripts/firefox-certs-import.sh
+++ b/scripts/firefox-certs-import.sh
@@ -2,13 +2,20 @@
. ./ca-include.sh
+SRC_DIR=`cd ../.. ; pwd`
+INSTANCE_NAME=pki-master
+
FIREFOX_DIR=~/.mozilla/firefox
PROFILE=`grep Path= $FIREFOX_DIR/profiles.ini | awk -F= '{print $2}'`
-CLIENT_DIR=/tmp/pki-master_client
-input=$CLIENT_DIR/ca_admin_cert.p12
+CLIENT_CERT_DIR=$SRC_DIR/certs/$INSTANCE_NAME
+CLIENT_CERT_PASSWORD=$CLIENT_CERT_DIR/password.txt
+CLIENT_CERT_PK12=$CLIENT_CERT_DIR/admin.p12
+
+echo $PASSWORD > $CLIENT_CERT_PASSWORD
+PKCS12Export -d "$CLIENT_CERT_DIR" -o "$CLIENT_CERT_PK12" -p "$CLIENT_CERT_PASSWORD" -w "$CLIENT_CERT_PASSWORD"
-pk12util -i $input -d $FIREFOX_DIR/$PROFILE -W Secret123
+pk12util -i $CLIENT_CERT_PK12 -d $FIREFOX_DIR/$PROFILE -w $CLIENT_CERT_PASSWORD
certutil -M -n admin -t u,u,u -d $FIREFOX_DIR/$PROFILE
#pk12util -i $SRC_DIR/pki-dev/certs/kra/kra-client-certs.p12 -d $FIREFOX_DIR/$PROFILE -W Secret123
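Review bot: `echo $PASSWORD > $CLIENT_CERT_PASSWORD` (L463) writes the PKCS#12 password to disk with the ambient umask and the file is never removed, so after the import a plaintext password is left in certs/pki-master readable by whatever the umask allowed; $PASSWORD is presumably set by the sourced ca-include.sh (L451), which is not shown. Create it restrictively and clean up: `(umask 077; printf '%s\n' "$PASSWORD" > "$CLIENT_CERT_PASSWORD")` before PKCS12Export and `rm -f "$CLIENT_CERT_PASSWORD"` after pk12util. Quoting `$FIREFOX_DIR/$PROFILE` and `$CLIENT_CERT_PK12` would also guard against a profile path containing spaces.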