author | Endi S. Dewata <edewata@redhat.com> | 2017-07-20 07:30:37 +0200 |
---|---|---|
committer | Endi S. Dewata <edewata@redhat.com> | 2017-07-20 07:30:37 +0200 |
commit | cc84991f7ebf911d3b5303738c84d6778accc537 (patch) | |
tree | e2a80008548fe8dc308468dc2e28b22daba4b4dd | |
parent | d2cc01d76e69f8d3602c5181263b95cbcd1c79a3 (diff) | |
download | pki-dev-cc84991f7ebf911d3b5303738c84d6778accc537.tar.gz pki-dev-cc84991f7ebf911d3b5303738c84d6778accc537.tar.xz pki-dev-cc84991f7ebf911d3b5303738c84d6778accc537.zip |
Added NSS database scripts.
-rwxr-xr-x | scripts/nssdb-ca-create.sh | 19 | ||||
-rwxr-xr-x | scripts/nssdb-cert-del.sh | 8 | ||||
-rwxr-xr-x | scripts/nssdb-cert-list.sh | 3 | ||||
-rwxr-xr-x | scripts/nssdb-create.sh | 8 | ||||
-rwxr-xr-x | scripts/nssdb-csr.sh | 25 | ||||
-rwxr-xr-x | scripts/nssdb-hsm-fips-check.sh | 3 | ||||
-rwxr-xr-x | scripts/nssdb-hsm-fips-disable.sh | 3 | ||||
-rwxr-xr-x | scripts/nssdb-hsm-fips-enable.sh | 3 | ||||
-rwxr-xr-x | scripts/nssdb-hsm-list.sh | 3 | ||||
-rwxr-xr-x | scripts/nssdb-key-list.sh | 3 | ||||
-rwxr-xr-x | scripts/nssdb-lunasa-add.sh | 5 | ||||
-rwxr-xr-x | scripts/nssdb-lunasa-cert-list.sh | 3 | ||||
-rwxr-xr-x | scripts/nssdb-lunasa-csr.sh | 25 | ||||
-rwxr-xr-x | scripts/nssdb-lunasa-del.sh | 3 | ||||
-rwxr-xr-x | scripts/nssdb-lunasa-key-list.sh | 3 | ||||
-rwxr-xr-x | scripts/nssdb-nfast-add.sh | 3 | ||||
-rwxr-xr-x | scripts/nssdb-nfast-cert-list.sh | 4 | ||||
-rwxr-xr-x | scripts/nssdb-nfast-csr.sh | 25 | ||||
-rwxr-xr-x | scripts/nssdb-nfast-del.sh | 3 | ||||
-rwxr-xr-x | scripts/nssdb-nfast-key-list.sh | 4 | ||||
-rwxr-xr-x | scripts/nssdb-user-request.sh | 15 | ||||
-rwxr-xr-x | scripts/nssdb-user-sign.sh | 41 |
22 files changed, 212 insertions, 0 deletions
diff --git a/scripts/nssdb-ca-create.sh b/scripts/nssdb-ca-create.sh
new file mode 100755
index 0000000..4da6779
--- /dev/null
+++ b/scripts/nssdb-ca-create.sh
@@ -0,0 +1,19 @@
+#!/bin/sh
+
+# generate self-signed CA certificate
+
+echo -e "y\n\ny\n" | \
+ certutil -S \
+ -d nssdb \
+ -f nssdb/password.txt \
+ -z nssdb/noise.bin \
+ -n "CA Signing Certificate" \
+ -s "CN=CA Signing Certificate,O=EXAMPLE" \
+ -x \
+ -t "CTu,Cu,Cu" \
+ -m $RANDOM\
+ -2 \
+ --keyUsage certSigning \
+ --nsCertType sslCA,smimeCA,objectSigningCA
+
+certutil -L -d nssdb -n "CA Signing Certificate" -a > nssdb/ca.crt
diff --git a/scripts/nssdb-cert-del.sh b/scripts/nssdb-cert-del.sh
new file mode 100755
index 0000000..222a26d
--- /dev/null
+++ b/scripts/nssdb-cert-del.sh
@@ -0,0 +1,8 @@
+#!/bin/sh -x
+
+certutil -D -d nssdb -h lunasaDEV -f lunasaDEV.txt -n "lunasaDEV:edewata/pki-tomcat/subsystem"
+certutil -D -d nssdb -h lunasaDEV -f lunasaDEV.txt -n "lunasaDEV:edewata/pki-tomcat/CA/signing"
+certutil -D -d nssdb -h lunasaDEV -f lunasaDEV.txt -n "lunasaDEV:edewata/pki-tomcat/CA/ocsp_signing"
+certutil -D -d nssdb -h lunasaDEV -f lunasaDEV.txt -n "lunasaDEV:edewata/pki-tomcat/sslserver"
+certutil -D -d nssdb -h lunasaDEV -f lunasaDEV.txt -n "lunasaDEV:edewata/pki-tomcat/CA/audit_signing"
+
diff --git a/scripts/nssdb-cert-list.sh b/scripts/nssdb-cert-list.sh
new file mode 100755
index 0000000..9eacf1c
--- /dev/null
+++ b/scripts/nssdb-cert-list.sh
@@ -0,0 +1,3 @@
+#!/bin/sh -x
+
+certutil -L -d nssdb
diff --git a/scripts/nssdb-create.sh b/scripts/nssdb-create.sh
new file mode 100755
index 0000000..3c02ade
--- /dev/null
+++ b/scripts/nssdb-create.sh
@@ -0,0 +1,8 @@
+#!/bin/sh
+
+rm -rf nssdb
+mkdir nssdb
+echo Secret.123 > nssdb/password.txt
+#certutil -N -d nssdb
+certutil -N -d nssdb -f nssdb/password.txt
+openssl rand -out nssdb/noise.bin 2048
diff --git a/scripts/nssdb-csr.sh b/scripts/nssdb-csr.sh
new file mode 100755
index 0000000..f29787e
--- /dev/null
+++ b/scripts/nssdb-csr.sh
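Review bot: `-m $RANDOM` and `echo -e` in nssdb-ca-create.sh are bash features but the script runs under `#!/bin/sh`; on a POSIX sh such as dash `$RANDOM` is unset, the unquoted expansion vanishes so `-m` takes the following `-2` as its argument, and `echo -e` emits a literal `-e` into the answers piped to certutil. Even under bash `$RANDOM` is only 15 bits wide, so a CA that issues more than a handful of certificates will reuse serial numbers, violating the uniqueness that revocation lists and validators rely on. Change the shebang to `#!/bin/bash` and document the serial source, or accept an explicit serial argument instead of `$RANDOM`. The same two constructs appear in nssdb-csr.sh, nssdb-lunasa-csr.sh and nssdb-nfast-csr.sh (`echo -e`) and in nssdb-user-sign.sh (both).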
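Review bot: nssdb-cert-del.sh reads the `lunasaDEV` token password from `lunasaDEV.txt`, while nssdb-lunasa-cert-list.sh, nssdb-lunasa-key-list.sh and nssdb-lunasa-csr.sh in this commit read it from `lunasa.txt` for the same token, so one of the two sets will prompt or fail depending on which file exists. Settle on one name, e.g. `-f lunasa.txt`, across all five scripts. The nicknames are also bound to a single developer instance (`lunasaDEV:edewata/pki-tomcat/...`), and because `certutil -D` against an HSM token is destructive, a header comment stating that this is a per-environment scratch script would help keep it from being run against a shared token.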
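Review bot: `echo Secret.123 > nssdb/password.txt` in nssdb-create.sh creates the password file with the caller's default umask, so the internal token password is normally readable by every local user, and `mkdir nssdb` leaves the key database directory world-readable as well. Add `umask 077` as the first command after the shebang (or `chmod 700 nssdb` and `chmod 600 nssdb/password.txt` once they exist) so the password and the database files are owner-only. The unconditional `rm -rf nssdb` also silently discards an existing database together with its private keys; printing a notice to stderr when the directory already exists would make that visible.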
@@ -0,0 +1,25 @@
+#!/bin/sh
+
+OUTPUT=nssdb/ca_signing.csr
+
+echo -e "y\n\ny\n" | \
+ certutil -R \
+ -d nssdb \
+ -h internal \
+ -f nssdb/password.txt \
+ -s "CN=CA Signing Certificate,O=EXAMPLE" \
+ -z nssdb/noise.bin \
+ -k rsa \
+ -g 2048 \
+ -Z SHA512 \
+ -2 \
+ --keyUsage digitalSignature,nonRepudiation,certSigning,crlSigning,critical \
+ -o nssdb/ca.csr.der
+
+BtoA nssdb/ca.csr.der nssdb/ca.csr.pem
+echo "-----BEGIN NEW CERTIFICATE REQUEST-----" > $OUTPUT
+cat nssdb/ca.csr.pem >> $OUTPUT
+echo "-----END NEW CERTIFICATE REQUEST-----" >> $OUTPUT
+
+rm nssdb/ca.csr.der
+rm nssdb/ca.csr.pem
diff --git a/scripts/nssdb-hsm-fips-check.sh b/scripts/nssdb-hsm-fips-check.sh
new file mode 100755
index 0000000..4791617
--- /dev/null
+++ b/scripts/nssdb-hsm-fips-check.sh
@@ -0,0 +1,3 @@
+#!/bin/sh -x
+
+modutil -dbdir nssdb -chkfips true
diff --git a/scripts/nssdb-hsm-fips-disable.sh b/scripts/nssdb-hsm-fips-disable.sh
new file mode 100755
index 0000000..8ac2f68
--- /dev/null
+++ b/scripts/nssdb-hsm-fips-disable.sh
@@ -0,0 +1,3 @@
+#!/bin/sh -x
+
+modutil -dbdir nssdb -fips false
diff --git a/scripts/nssdb-hsm-fips-enable.sh b/scripts/nssdb-hsm-fips-enable.sh
new file mode 100755
index 0000000..f8fea20
--- /dev/null
+++ b/scripts/nssdb-hsm-fips-enable.sh
@@ -0,0 +1,3 @@
+#!/bin/sh -x
+
+modutil -dbdir nssdb -fips true
diff --git a/scripts/nssdb-hsm-list.sh b/scripts/nssdb-hsm-list.sh
new file mode 100755
index 0000000..cb90b97
--- /dev/null
+++ b/scripts/nssdb-hsm-list.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+modutil -dbdir nssdb -list
diff --git a/scripts/nssdb-key-list.sh b/scripts/nssdb-key-list.sh
new file mode 100755
index 0000000..db0c4dd
--- /dev/null
+++ b/scripts/nssdb-key-list.sh
@@ -0,0 +1,3 @@
+#!/bin/sh -x
+
+certutil -K -d nssdb -f password.txt
diff --git a/scripts/nssdb-lunasa-add.sh b/scripts/nssdb-lunasa-add.sh
new file mode 100755
index 0000000..a2a2c54
--- /dev/null
+++ b/scripts/nssdb-lunasa-add.sh
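Review bot: nssdb-csr.sh wraps the output of `BtoA` in PEM markers and then removes the intermediates without checking that `certutil -R` or `BtoA` succeeded, so a failed request still leaves a well-formed-looking but empty `nssdb/ca_signing.csr` behind, and the `rm` lines remove the evidence. Add `set -e` directly after the shebang (or `|| exit 1` on the certutil and BtoA commands) so the script stops before the `echo ... > $OUTPUT` line; `$OUTPUT` should also be written as `"$OUTPUT"` in the three redirections. nssdb-lunasa-csr.sh and nssdb-nfast-csr.sh have the same structure.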
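Review bot: nssdb-key-list.sh passes `-f password.txt`, but nssdb-create.sh in this commit writes the password to `nssdb/password.txt` and nssdb-ca-create.sh reads it from there, so right after a fresh create this script will prompt for the internal token password or fail when run non-interactively. Use `-f nssdb/password.txt` to match the other internal-token scripts.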
@@ -0,0 +1,5 @@
+#!/bin/sh
+
+#modutil -dbdir nssdb -nocertdb -add lunasa -libfile /usr/safenet/lunaclient/lib/libCryptoki2_64.so -force
+modutil -dbdir nssdb -add lunasa -libfile /usr/safenet/lunaclient/lib/libCryptoki2_64.so -force
+#modutil -dbdir nssdb -add lunasa -libfile /usr/lib/libcklog2.so -force
diff --git a/scripts/nssdb-lunasa-cert-list.sh b/scripts/nssdb-lunasa-cert-list.sh
new file mode 100755
index 0000000..3dcb750
--- /dev/null
+++ b/scripts/nssdb-lunasa-cert-list.sh
@@ -0,0 +1,3 @@
+#!/bin/sh -x
+
+certutil -L -d nssdb -h lunasaDEV -f lunasa.txt
diff --git a/scripts/nssdb-lunasa-csr.sh b/scripts/nssdb-lunasa-csr.sh
new file mode 100755
index 0000000..53afc55
--- /dev/null
+++ b/scripts/nssdb-lunasa-csr.sh
@@ -0,0 +1,25 @@
+#!/bin/sh
+
+OUTPUT=ca_signing.csr
+
+echo -e "y\n\ny\n" | \
+ certutil -R \
+ -d nssdb \
+ -h lunasaDEV \
+ -f lunasa.txt \
+ -s "CN=CA Signing Certificate,O=EXAMPLE" \
+ -z nssdb/noise.bin \
+ -k rsa \
+ -g 2048 \
+ -Z SHA512 \
+ -2 \
+ --keyUsage digitalSignature,nonRepudiation,certSigning,crlSigning,critical \
+ -o ca.csr.der
+
+BtoA ca.csr.der ca.csr.pem
+echo "-----BEGIN NEW CERTIFICATE REQUEST-----" > $OUTPUT
+cat ca.csr.pem >> $OUTPUT
+echo "-----END NEW CERTIFICATE REQUEST-----" >> $OUTPUT
+
+rm ca.csr.der
+rm ca.csr.pem
diff --git a/scripts/nssdb-lunasa-del.sh b/scripts/nssdb-lunasa-del.sh
new file mode 100755
index 0000000..b458c93
--- /dev/null
+++ b/scripts/nssdb-lunasa-del.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+modutil -dbdir nssdb -delete lunasa -force
diff --git a/scripts/nssdb-lunasa-key-list.sh b/scripts/nssdb-lunasa-key-list.sh
new file mode 100755
index 0000000..0087a23
--- /dev/null
+++ b/scripts/nssdb-lunasa-key-list.sh
@@ -0,0 +1,3 @@
+#!/bin/sh -x
+
+certutil -K -d nssdb -h lunasaDEV -f lunasa.txt
diff --git a/scripts/nssdb-nfast-add.sh b/scripts/nssdb-nfast-add.sh
new file mode 100755
index 0000000..2de2a31
--- /dev/null
+++ b/scripts/nssdb-nfast-add.sh
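Review bot: nssdb-lunasa-add.sh keeps two commented-out `modutil -add` variants (the `-nocertdb` form and the `/usr/lib/libcklog2.so` library) with no explanation of when either is the right choice, so a reader cannot tell whether they are stale or deliberate alternatives. A one-line comment above each, e.g. `# libcklog2.so: looks like the Luna client's PKCS#11 call-logging shim — confirm; swap in for debugging only`, plus a note that `-force` suppresses modutil's confirmation prompt, would make the script self-explanatory.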
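Review bot: nssdb-lunasa-csr.sh sets `OUTPUT=ca_signing.csr` and writes `ca.csr.der`/`ca.csr.pem` into the current directory, whereas nssdb-csr.sh in the same commit keeps everything under `nssdb/`, so the request and its transient DER/PEM files land wherever the script happens to be invoked and `rm ca.csr.der` would remove an unrelated file of that name. Use `OUTPUT=nssdb/ca_signing.csr` and `-o nssdb/ca.csr.der` with the matching BtoA, cat and rm paths to line up with nssdb-csr.sh; nssdb-nfast-csr.sh has the same deviation.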
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+modutil -dbdir nssdb -add nfast -libfile /opt/nfast/toolkits/pkcs11/libcknfast.so -force
diff --git a/scripts/nssdb-nfast-cert-list.sh b/scripts/nssdb-nfast-cert-list.sh
new file mode 100755
index 0000000..005f1e8
--- /dev/null
+++ b/scripts/nssdb-nfast-cert-list.sh
@@ -0,0 +1,4 @@
+#!/bin/sh -x
+
+#certutil -L -d nssdb -h NHSM6000-OCS -f nfast.txt
+certutil -L -d nssdb -h edewata -f password.txt
diff --git a/scripts/nssdb-nfast-csr.sh b/scripts/nssdb-nfast-csr.sh
new file mode 100755
index 0000000..e23557a
--- /dev/null
+++ b/scripts/nssdb-nfast-csr.sh
@@ -0,0 +1,25 @@
+#!/bin/sh
+
+OUTPUT=ca_signing.csr
+
+echo -e "y\n\ny\n" | \
+ certutil -R \
+ -d nssdb \
+ -h edewata \
+ -f password.txt \
+ -s "CN=CA Signing Certificate,O=EXAMPLE" \
+ -z nssdb/noise.bin \
+ -k rsa \
+ -g 2048 \
+ -Z SHA512 \
+ -2 \
+ --keyUsage digitalSignature,nonRepudiation,certSigning,crlSigning,critical \
+ -o ca.csr.der
+
+BtoA ca.csr.der ca.csr.pem
+echo "-----BEGIN NEW CERTIFICATE REQUEST-----" > $OUTPUT
+cat ca.csr.pem >> $OUTPUT
+echo "-----END NEW CERTIFICATE REQUEST-----" >> $OUTPUT
+
+rm ca.csr.der
+rm ca.csr.pem
diff --git a/scripts/nssdb-nfast-del.sh b/scripts/nssdb-nfast-del.sh
new file mode 100755
index 0000000..055a266
--- /dev/null
+++ b/scripts/nssdb-nfast-del.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+modutil -dbdir nssdb -delete nfast -force
diff --git a/scripts/nssdb-nfast-key-list.sh b/scripts/nssdb-nfast-key-list.sh
new file mode 100755
index 0000000..c7ddd80
--- /dev/null
+++ b/scripts/nssdb-nfast-key-list.sh
@@ -0,0 +1,4 @@
+#!/bin/sh -x
+
+#certutil -K -d nssdb -h NHSM6000-OCS -f nfast.txt
+certutil -K -d nssdb -h edewata -f password.txt
diff --git a/scripts/nssdb-user-request.sh b/scripts/nssdb-user-request.sh
new file mode 100755
index 0000000..b8c2d5e
--- /dev/null
+++ b/scripts/nssdb-user-request.sh
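Review bot: `-h edewata -f password.txt` in nssdb-nfast-cert-list.sh hardcodes one developer's token name and reads the HSM token password from `password.txt` in the current directory, which is easy to confuse with the internal softoken password that nssdb-create.sh writes to `nssdb/password.txt`. The commented `-h NHSM6000-OCS -f nfast.txt` line shows that the token and password file differ per environment; hoisting them into `TOKEN=${NFAST_TOKEN:-edewata}` and `PWFILE=${NFAST_PWFILE:-password.txt}` and invoking `certutil -L -d nssdb -h "$TOKEN" -f "$PWFILE"` lets the script be reused without editing. nssdb-nfast-key-list.sh and nssdb-nfast-csr.sh carry the same hardcoded pair.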
@@ -0,0 +1,15 @@
+#!/bin/sh +x
+
+certutil -R \
+ -d nssdb \
+ -z nssdb/noise.bin \
+ -f nssdb/password.txt \
+ -s "UID=testuser,O=EXAMPLE" \
+ -o nssdb/testuser.csr.der
+
+BtoA nssdb/testuser.csr.der nssdb/testuser.csr.pem
+echo "-----BEGIN NEW CERTIFICATE REQUEST-----" > nssdb/testuser.csr
+cat nssdb/testuser.csr.pem >> nssdb/testuser.csr
+echo "-----END NEW CERTIFICATE REQUEST-----" >> nssdb/testuser.csr
+rm nssdb/testuser.csr.der
+rm nssdb/testuser.csr.pem
diff --git a/scripts/nssdb-user-sign.sh b/scripts/nssdb-user-sign.sh
new file mode 100755
index 0000000..7f0dcc9
--- /dev/null
+++ b/scripts/nssdb-user-sign.sh
@@ -0,0 +1,41 @@
+#!/bin/sh
+
+echo "Generating user certificate..."
+
+# self-signed user cert
+#echo -e "0\n1\n5\n6\n9\ny\ny\n\ny\n" | \
+# certutil -C -x \
+# -d nssdb \
+# -f nssdb/password.txt \
+# -m $RANDOM \
+# -a -i testuser.csr \
+# -o testuser.crt \
+# -c "testuser" \
+# -1 -2
+
+echo -e "0\n1\n5\n6\n9\ny\ny\n\ny\n" | \
+ certutil -C \
+ -d nssdb \
+ -f nssdb/password.txt \
+ -m $RANDOM \
+ -a -i nssdb/testuser.csr \
+ -o nssdb/testuser.crt \
+ -c "CA Signing Certificate" \
+ -1 -2
+
+echo "Importing user certificate..."
+# -f nssdb/password.txt \
+
+certutil -A \
+ -d nssdb \
+ -n "testuser" \
+ -i nssdb/testuser.crt \
+ -t ""
+
+echo "Generating PKCS #7 file..."
+
+openssl crl2pkcs7 \
+ -nocrl \
+ -certfile nssdb/ca.crt \
+ -certfile nssdb/testuser.crt \
+ -out nssdb/cert_chain.p7b |
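Review bot: `#!/bin/sh +x` in nssdb-user-request.sh turns xtrace off, which is already the default, and the sibling list and delete scripts use `-x`, so this reads like a typo for `#!/bin/sh -x`; options on the shebang line are dropped anyway when the script is run as `sh script.sh`, so `set -x` on the following line is the reliable form. The request also omits `-k`, `-g` and `-Z`, so the test user's key type, size and signature hash are whatever the installed NSS version defaults to, while the CA request scripts pin `-k rsa -g 2048 -Z SHA512`; pinning them here as well keeps the test fixtures reproducible across NSS versions.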
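Review bot: the answer string `"0\n1\n5\n6\n9\ny\ny\n\ny\n"` piped into `certutil -C` in nssdb-user-sign.sh drives the interactive `-1` (key usage) and `-2` (basic constraints) prompts, but nothing records which key-usage bits the digits select or what the `y` and empty answers mean, and that prompt sequence is tied to the certutil version, so an NSS upgrade could change the issued extensions without any visible error. Add a comment above the `echo -e` line naming the intended key-usage bits and basic-constraints answers, and follow the `certutil -A` import with `certutil -L -d nssdb -n testuser` so the issued extensions can be checked. `-m $RANDOM` has the same width and portability problem noted for nssdb-ca-create.sh, and `certutil -C` runs without `-v`, so the validity period is certutil's default rather than a chosen value worth stating in a comment.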