authorEndi S. Dewata <edewata@redhat.com>2017-07-20 07:30:37 +0200
committerEndi S. Dewata <edewata@redhat.com>2017-07-20 07:30:37 +0200
commitcc84991f7ebf911d3b5303738c84d6778accc537 (patch)
treee2a80008548fe8dc308468dc2e28b22daba4b4dd
parentd2cc01d76e69f8d3602c5181263b95cbcd1c79a3 (diff)
downloadpki-dev-cc84991f7ebf911d3b5303738c84d6778accc537.tar.gz
pki-dev-cc84991f7ebf911d3b5303738c84d6778accc537.tar.xz
pki-dev-cc84991f7ebf911d3b5303738c84d6778accc537.zip
Added NSS database scripts.
-rwxr-xr-xscripts/nssdb-ca-create.sh19
-rwxr-xr-xscripts/nssdb-cert-del.sh8
-rwxr-xr-xscripts/nssdb-cert-list.sh3
-rwxr-xr-xscripts/nssdb-create.sh8
-rwxr-xr-xscripts/nssdb-csr.sh25
-rwxr-xr-xscripts/nssdb-hsm-fips-check.sh3
-rwxr-xr-xscripts/nssdb-hsm-fips-disable.sh3
-rwxr-xr-xscripts/nssdb-hsm-fips-enable.sh3
-rwxr-xr-xscripts/nssdb-hsm-list.sh3
-rwxr-xr-xscripts/nssdb-key-list.sh3
-rwxr-xr-xscripts/nssdb-lunasa-add.sh5
-rwxr-xr-xscripts/nssdb-lunasa-cert-list.sh3
-rwxr-xr-xscripts/nssdb-lunasa-csr.sh25
-rwxr-xr-xscripts/nssdb-lunasa-del.sh3
-rwxr-xr-xscripts/nssdb-lunasa-key-list.sh3
-rwxr-xr-xscripts/nssdb-nfast-add.sh3
-rwxr-xr-xscripts/nssdb-nfast-cert-list.sh4
-rwxr-xr-xscripts/nssdb-nfast-csr.sh25
-rwxr-xr-xscripts/nssdb-nfast-del.sh3
-rwxr-xr-xscripts/nssdb-nfast-key-list.sh4
-rwxr-xr-xscripts/nssdb-user-request.sh15
-rwxr-xr-xscripts/nssdb-user-sign.sh41
22 files changed, 212 insertions, 0 deletions
diff --git a/scripts/nssdb-ca-create.sh b/scripts/nssdb-ca-create.sh
new file mode 100755
index 0000000..4da6779
--- /dev/null
+++ b/scripts/nssdb-ca-create.sh
@@ -0,0 +1,19 @@
+#!/bin/sh
+
+# generate self-signed CA certificate
+
+echo -e "y\n\ny\n" | \
+ certutil -S \
+ -d nssdb \
+ -f nssdb/password.txt \
+ -z nssdb/noise.bin \
+ -n "CA Signing Certificate" \
+ -s "CN=CA Signing Certificate,O=EXAMPLE" \
+ -x \
+ -t "CTu,Cu,Cu" \
+ -m $RANDOM\
+ -2 \
+ --keyUsage certSigning \
+ --nsCertType sslCA,smimeCA,objectSigningCA
+
+certutil -L -d nssdb -n "CA Signing Certificate" -a > nssdb/ca.crt
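Review bot: `-m $RANDOM\` and `echo -e` in the certutil -S pipeline are bash features under a `#!/bin/sh` shebang; on a system where /bin/sh is dash, `$RANDOM` expands to nothing so `-m` silently takes `-2` as the serial number, and `echo -e` sends a literal `-e` into the prompt answers. Either switch the shebang to `#!/bin/bash`, or keep it POSIX with `printf 'y\n\ny\n' | \` and a serial that does not come from `$RANDOM`. The missing space before the continuation backslash on that line should be fixed too, `-m "$RANDOM" \`. Note also that `$RANDOM` is only a 15-bit value, so serials can repeat across runs; nssdb-user-sign.sh uses the same construct, and a repeated issuer/serial pair will presumably be rejected when the certificate is imported into the same database (inferred, worth confirming).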
diff --git a/scripts/nssdb-cert-del.sh b/scripts/nssdb-cert-del.sh
new file mode 100755
index 0000000..222a26d
--- /dev/null
+++ b/scripts/nssdb-cert-del.sh
@@ -0,0 +1,8 @@
+#!/bin/sh -x
+
+certutil -D -d nssdb -h lunasaDEV -f lunasaDEV.txt -n "lunasaDEV:edewata/pki-tomcat/subsystem"
+certutil -D -d nssdb -h lunasaDEV -f lunasaDEV.txt -n "lunasaDEV:edewata/pki-tomcat/CA/signing"
+certutil -D -d nssdb -h lunasaDEV -f lunasaDEV.txt -n "lunasaDEV:edewata/pki-tomcat/CA/ocsp_signing"
+certutil -D -d nssdb -h lunasaDEV -f lunasaDEV.txt -n "lunasaDEV:edewata/pki-tomcat/sslserver"
+certutil -D -d nssdb -h lunasaDEV -f lunasaDEV.txt -n "lunasaDEV:edewata/pki-tomcat/CA/audit_signing"
+
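Review bot: The password file passed as `-f lunasaDEV.txt` on each certutil -D line does not match the `-f lunasa.txt` used by the other Luna scripts in this commit (nssdb-lunasa-cert-list.sh, nssdb-lunasa-csr.sh, nssdb-lunasa-key-list.sh), so one set of scripts will fail to open the token unless both files are kept. Pick one name, e.g. `-f lunasa.txt`. The script name nssdb-cert-del.sh also gives no hint that it targets the lunasaDEV token and a fixed list of pki-tomcat nicknames; a header comment such as `# delete the pki-tomcat certificates from the lunasaDEV token` would make that clear. Finally, options in the shebang (`#!/bin/sh -x`) are lost when the script is run as `sh nssdb-cert-del.sh`; `set -x` on the line after the shebang is more reliable.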
diff --git a/scripts/nssdb-cert-list.sh b/scripts/nssdb-cert-list.sh
new file mode 100755
index 0000000..9eacf1c
--- /dev/null
+++ b/scripts/nssdb-cert-list.sh
@@ -0,0 +1,3 @@
+#!/bin/sh -x
+
+certutil -L -d nssdb
diff --git a/scripts/nssdb-create.sh b/scripts/nssdb-create.sh
new file mode 100755
index 0000000..3c02ade
--- /dev/null
+++ b/scripts/nssdb-create.sh
@@ -0,0 +1,8 @@
+#!/bin/sh
+
+rm -rf nssdb
+mkdir nssdb
+echo Secret.123 > nssdb/password.txt
+#certutil -N -d nssdb
+certutil -N -d nssdb -f nssdb/password.txt
+openssl rand -out nssdb/noise.bin 2048
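Review bot: `echo Secret.123 > nssdb/password.txt` creates the softoken password file with the caller's default umask, which is typically world-readable, and nothing afterwards restricts it, so the key database is only as protected as that file. Creating it under a restrictive umask, `( umask 077; echo Secret.123 > nssdb/password.txt )`, or following the line with `chmod 600 nssdb/password.txt`, closes that. The unconditional `rm -rf nssdb` on the first line also wipes whatever `./nssdb` is in the current directory without any check; a comment such as `# WARNING: wipes and recreates ./nssdb from scratch` above it would make the intent explicit to anyone running the script from the wrong place.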
diff --git a/scripts/nssdb-csr.sh b/scripts/nssdb-csr.sh
new file mode 100755
index 0000000..f29787e
--- /dev/null
+++ b/scripts/nssdb-csr.sh
@@ -0,0 +1,25 @@
+#!/bin/sh
+
+OUTPUT=nssdb/ca_signing.csr
+
+echo -e "y\n\ny\n" | \
+ certutil -R \
+ -d nssdb \
+ -h internal \
+ -f nssdb/password.txt \
+ -s "CN=CA Signing Certificate,O=EXAMPLE" \
+ -z nssdb/noise.bin \
+ -k rsa \
+ -g 2048 \
+ -Z SHA512 \
+ -2 \
+ --keyUsage digitalSignature,nonRepudiation,certSigning,crlSigning,critical \
+ -o nssdb/ca.csr.der
+
+BtoA nssdb/ca.csr.der nssdb/ca.csr.pem
+echo "-----BEGIN NEW CERTIFICATE REQUEST-----" > $OUTPUT
+cat nssdb/ca.csr.pem >> $OUTPUT
+echo "-----END NEW CERTIFICATE REQUEST-----" >> $OUTPUT
+
+rm nssdb/ca.csr.der
+rm nssdb/ca.csr.pem
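Review bot: `echo -e "y\n\ny\n"` feeding certutil -R is a bash extension under `#!/bin/sh`; where /bin/sh is dash the pipe carries the literal text `-e y\n\ny\n`, and the `-2` basic-constraints prompts receive the wrong answers. `printf 'y\n\ny\n' | \` is the portable form; nssdb-lunasa-csr.sh and nssdb-nfast-csr.sh have the identical line. Because there is no `set -e`, a failed certutil does not stop the script: BtoA and cat then fail on missing files and `$OUTPUT` is still written holding only the BEGIN/END lines. Adding `set -e` after the shebang, and quoting `"$OUTPUT"` in the three redirections, prevents that partial file from being produced.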
diff --git a/scripts/nssdb-hsm-fips-check.sh b/scripts/nssdb-hsm-fips-check.sh
new file mode 100755
index 0000000..4791617
--- /dev/null
+++ b/scripts/nssdb-hsm-fips-check.sh
@@ -0,0 +1,3 @@
+#!/bin/sh -x
+
+modutil -dbdir nssdb -chkfips true
diff --git a/scripts/nssdb-hsm-fips-disable.sh b/scripts/nssdb-hsm-fips-disable.sh
new file mode 100755
index 0000000..8ac2f68
--- /dev/null
+++ b/scripts/nssdb-hsm-fips-disable.sh
@@ -0,0 +1,3 @@
+#!/bin/sh -x
+
+modutil -dbdir nssdb -fips false
diff --git a/scripts/nssdb-hsm-fips-enable.sh b/scripts/nssdb-hsm-fips-enable.sh
new file mode 100755
index 0000000..f8fea20
--- /dev/null
+++ b/scripts/nssdb-hsm-fips-enable.sh
@@ -0,0 +1,3 @@
+#!/bin/sh -x
+
+modutil -dbdir nssdb -fips true
diff --git a/scripts/nssdb-hsm-list.sh b/scripts/nssdb-hsm-list.sh
new file mode 100755
index 0000000..cb90b97
--- /dev/null
+++ b/scripts/nssdb-hsm-list.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+modutil -dbdir nssdb -list
diff --git a/scripts/nssdb-key-list.sh b/scripts/nssdb-key-list.sh
new file mode 100755
index 0000000..db0c4dd
--- /dev/null
+++ b/scripts/nssdb-key-list.sh
@@ -0,0 +1,3 @@
+#!/bin/sh -x
+
+certutil -K -d nssdb -f password.txt
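Review bot: `-f password.txt` points at a file in the current directory, but nssdb-create.sh in this commit writes the softoken password to `nssdb/password.txt`, so this listing of the internal token will presumably fail with a missing password file when run from the same place as the other scripts. `-f nssdb/password.txt` matches the create, CSR and CA scripts. The nfast scripts also use `-f password.txt`, but together with `-h edewata` that may be a different token's password file, so I have not assumed they are wrong.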
diff --git a/scripts/nssdb-lunasa-add.sh b/scripts/nssdb-lunasa-add.sh
new file mode 100755
index 0000000..a2a2c54
--- /dev/null
+++ b/scripts/nssdb-lunasa-add.sh
@@ -0,0 +1,5 @@
+#!/bin/sh
+
+#modutil -dbdir nssdb -nocertdb -add lunasa -libfile /usr/safenet/lunaclient/lib/libCryptoki2_64.so -force
+modutil -dbdir nssdb -add lunasa -libfile /usr/safenet/lunaclient/lib/libCryptoki2_64.so -force
+#modutil -dbdir nssdb -add lunasa -libfile /usr/lib/libcklog2.so -force
diff --git a/scripts/nssdb-lunasa-cert-list.sh b/scripts/nssdb-lunasa-cert-list.sh
new file mode 100755
index 0000000..3dcb750
--- /dev/null
+++ b/scripts/nssdb-lunasa-cert-list.sh
@@ -0,0 +1,3 @@
+#!/bin/sh -x
+
+certutil -L -d nssdb -h lunasaDEV -f lunasa.txt
diff --git a/scripts/nssdb-lunasa-csr.sh b/scripts/nssdb-lunasa-csr.sh
new file mode 100755
index 0000000..53afc55
--- /dev/null
+++ b/scripts/nssdb-lunasa-csr.sh
@@ -0,0 +1,25 @@
+#!/bin/sh
+
+OUTPUT=ca_signing.csr
+
+echo -e "y\n\ny\n" | \
+ certutil -R \
+ -d nssdb \
+ -h lunasaDEV \
+ -f lunasa.txt \
+ -s "CN=CA Signing Certificate,O=EXAMPLE" \
+ -z nssdb/noise.bin \
+ -k rsa \
+ -g 2048 \
+ -Z SHA512 \
+ -2 \
+ --keyUsage digitalSignature,nonRepudiation,certSigning,crlSigning,critical \
+ -o ca.csr.der
+
+BtoA ca.csr.der ca.csr.pem
+echo "-----BEGIN NEW CERTIFICATE REQUEST-----" > $OUTPUT
+cat ca.csr.pem >> $OUTPUT
+echo "-----END NEW CERTIFICATE REQUEST-----" >> $OUTPUT
+
+rm ca.csr.der
+rm ca.csr.pem
diff --git a/scripts/nssdb-lunasa-del.sh b/scripts/nssdb-lunasa-del.sh
new file mode 100755
index 0000000..b458c93
--- /dev/null
+++ b/scripts/nssdb-lunasa-del.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+modutil -dbdir nssdb -delete lunasa -force
diff --git a/scripts/nssdb-lunasa-key-list.sh b/scripts/nssdb-lunasa-key-list.sh
new file mode 100755
index 0000000..0087a23
--- /dev/null
+++ b/scripts/nssdb-lunasa-key-list.sh
@@ -0,0 +1,3 @@
+#!/bin/sh -x
+
+certutil -K -d nssdb -h lunasaDEV -f lunasa.txt
diff --git a/scripts/nssdb-nfast-add.sh b/scripts/nssdb-nfast-add.sh
new file mode 100755
index 0000000..2de2a31
--- /dev/null
+++ b/scripts/nssdb-nfast-add.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+modutil -dbdir nssdb -add nfast -libfile /opt/nfast/toolkits/pkcs11/libcknfast.so -force
diff --git a/scripts/nssdb-nfast-cert-list.sh b/scripts/nssdb-nfast-cert-list.sh
new file mode 100755
index 0000000..005f1e8
--- /dev/null
+++ b/scripts/nssdb-nfast-cert-list.sh
@@ -0,0 +1,4 @@
+#!/bin/sh -x
+
+#certutil -L -d nssdb -h NHSM6000-OCS -f nfast.txt
+certutil -L -d nssdb -h edewata -f password.txt
diff --git a/scripts/nssdb-nfast-csr.sh b/scripts/nssdb-nfast-csr.sh
new file mode 100755
index 0000000..e23557a
--- /dev/null
+++ b/scripts/nssdb-nfast-csr.sh
@@ -0,0 +1,25 @@
+#!/bin/sh
+
+OUTPUT=ca_signing.csr
+
+echo -e "y\n\ny\n" | \
+ certutil -R \
+ -d nssdb \
+ -h edewata \
+ -f password.txt \
+ -s "CN=CA Signing Certificate,O=EXAMPLE" \
+ -z nssdb/noise.bin \
+ -k rsa \
+ -g 2048 \
+ -Z SHA512 \
+ -2 \
+ --keyUsage digitalSignature,nonRepudiation,certSigning,crlSigning,critical \
+ -o ca.csr.der
+
+BtoA ca.csr.der ca.csr.pem
+echo "-----BEGIN NEW CERTIFICATE REQUEST-----" > $OUTPUT
+cat ca.csr.pem >> $OUTPUT
+echo "-----END NEW CERTIFICATE REQUEST-----" >> $OUTPUT
+
+rm ca.csr.der
+rm ca.csr.pem
diff --git a/scripts/nssdb-nfast-del.sh b/scripts/nssdb-nfast-del.sh
new file mode 100755
index 0000000..055a266
--- /dev/null
+++ b/scripts/nssdb-nfast-del.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+modutil -dbdir nssdb -delete nfast -force
diff --git a/scripts/nssdb-nfast-key-list.sh b/scripts/nssdb-nfast-key-list.sh
new file mode 100755
index 0000000..c7ddd80
--- /dev/null
+++ b/scripts/nssdb-nfast-key-list.sh
@@ -0,0 +1,4 @@
+#!/bin/sh -x
+
+#certutil -K -d nssdb -h NHSM6000-OCS -f nfast.txt
+certutil -K -d nssdb -h edewata -f password.txt
diff --git a/scripts/nssdb-user-request.sh b/scripts/nssdb-user-request.sh
new file mode 100755
index 0000000..b8c2d5e
--- /dev/null
+++ b/scripts/nssdb-user-request.sh
@@ -0,0 +1,15 @@
+#!/bin/sh +x
+
+certutil -R \
+ -d nssdb \
+ -z nssdb/noise.bin \
+ -f nssdb/password.txt \
+ -s "UID=testuser,O=EXAMPLE" \
+ -o nssdb/testuser.csr.der
+
+BtoA nssdb/testuser.csr.der nssdb/testuser.csr.pem
+echo "-----BEGIN NEW CERTIFICATE REQUEST-----" > nssdb/testuser.csr
+cat nssdb/testuser.csr.pem >> nssdb/testuser.csr
+echo "-----END NEW CERTIFICATE REQUEST-----" >> nssdb/testuser.csr
+rm nssdb/testuser.csr.der
+rm nssdb/testuser.csr.pem
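Review bot: The shebang `#!/bin/sh +x` switches tracing off, which is already the default, so it is a no-op; if tracing was intended as in the sibling scripts it should read `#!/bin/sh -x`, or better `set -x` on the next line, since shebang options are lost under `sh script`. The certutil -R call also omits `-k`, `-g` and `-Z`, so key type, size and signature hash fall back to certutil's defaults while the three CSR scripts pin `-k rsa -g 2048 -Z SHA512`; stating them here keeps the test user key predictable across NSS versions. As in nssdb-csr.sh, the BEGIN/END wrapping and the two `rm` lines run regardless of whether certutil succeeded, which `set -e` after the shebang would prevent.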
diff --git a/scripts/nssdb-user-sign.sh b/scripts/nssdb-user-sign.sh
new file mode 100755
index 0000000..7f0dcc9
--- /dev/null
+++ b/scripts/nssdb-user-sign.sh
@@ -0,0 +1,41 @@
+#!/bin/sh
+
+echo "Generating user certificate..."
+
+# self-signed user cert
+#echo -e "0\n1\n5\n6\n9\ny\ny\n\ny\n" | \
+# certutil -C -x \
+# -d nssdb \
+# -f nssdb/password.txt \
+# -m $RANDOM \
+# -a -i testuser.csr \
+# -o testuser.crt \
+# -c "testuser" \
+# -1 -2
+
+echo -e "0\n1\n5\n6\n9\ny\ny\n\ny\n" | \
+ certutil -C \
+ -d nssdb \
+ -f nssdb/password.txt \
+ -m $RANDOM \
+ -a -i nssdb/testuser.csr \
+ -o nssdb/testuser.crt \
+ -c "CA Signing Certificate" \
+ -1 -2
+
+echo "Importing user certificate..."
+# -f nssdb/password.txt \
+
+certutil -A \
+ -d nssdb \
+ -n "testuser" \
+ -i nssdb/testuser.crt \
+ -t ""
+
+echo "Generating PKCS #7 file..."
+
+openssl crl2pkcs7 \
+ -nocrl \
+ -certfile nssdb/ca.crt \
+ -certfile nssdb/testuser.crt \
+ -out nssdb/cert_chain.p7b
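Review bot: `-m $RANDOM` and the `echo -e` answer string in the certutil -C call are bash features under `#!/bin/sh`; where /bin/sh is dash, `$RANDOM` expands to nothing so `-m` takes `-a` as the serial, and the piped answers arrive prefixed with a literal `-e`. Changing the shebang to `#!/bin/bash` is the smallest fix; nssdb-ca-create.sh has the same two constructs. The answer string `0\n1\n5\n6\n9\ny\ny\n\ny\n` also appears to grant the test user certificate cert-signing and CRL-signing key usage and to answer y to the CA question, which would issue an end-entity test certificate as a CA (inferred from certutil's usual `-1`/`-2` prompt order; confirm against the version in use). If that is not intended, replacing `-1 -2` and the piped answers with `--keyUsage digitalSignature,nonRepudiation`, as nssdb-ca-create.sh already does for its key usage, avoids the interactive prompts entirely; either way a comment above the pipeline stating which prompt each piped line answers would make the script maintainable.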