authorEndi S. Dewata <edewata@redhat.com>2017-07-21 04:32:58 +0200
committerEndi S. Dewata <edewata@redhat.com>2017-07-21 04:32:58 +0200
commitd62ea0eca2a05a7059f071296250c63e9ea9b347 (patch)
treef1516e945bf0e3098999c900bc0d5b36e84aaa90
parent810406fecc39b0214af5d21fee0ca8beb9568f98 (diff)
Added CMC scripts.
-rwxr-xr-xscripts/admin-init.sh13
-rwxr-xr-xscripts/ca-create.sh40
-rwxr-xr-xscripts/ca-external-cmc-sign.sh80
-rwxr-xr-xscripts/ca-external-nss-sign.sh37
-rwxr-xr-xscripts/ca-external-step1.sh102
-rwxr-xr-xscripts/ca-external-step2.sh51
-rwxr-xr-xscripts/root-admin-init.sh13
-rwxr-xr-x[-rw-r--r--]scripts/root-ca-create.sh (renamed from scripts/ca.cfg)20
8 files changed, 293 insertions, 63 deletions
diff --git a/scripts/admin-init.sh b/scripts/admin-init.sh
new file mode 100755
index 0000000..abf448e
--- /dev/null
+++ b/scripts/admin-init.sh
@@ -0,0 +1,13 @@
+#!/bin/sh
+
+pki -c Secret.123 client-init --force
+
+pki -c Secret.123 client-cert-import "CA Signing Certificate" --ca-server
+
+pki -c Secret.123 client-cert-import \
+ --pkcs12 ~/.dogtag/pki-tomcat/ca_admin_cert.p12 \
+ --pkcs12-password Secret.123
+
+#pki -c Secret.123 pkcs12-import \
+# --pkcs12-file ~/.dogtag/pki-tomcat/ca_admin_cert.p12 \
+# --pkcs12-password Secret.123
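Review bot: `pki -c Secret.123` and `--pkcs12-password Secret.123` put the client-database and PKCS#12 passwords on the command line, where they are readable by every local user through the process list and end up in shell history when the lines are pasted interactively; root-admin-init.sh in the hunk further down has the same shape. Even for a fixed test password a comment making that explicit would help, e.g. `# test fixture: fixed password, never used for a real deployment`, and where this version of the CLI offers the file-based variants (`-C <file>` for the client database, `--pkcs12-password-file <file>` for the PKCS#12) a mode-600 password file keeps argv clean. The commented-out `pkcs12-import` block at the bottom should either be deleted or carry a one-line note saying why it is kept.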
diff --git a/scripts/ca-create.sh b/scripts/ca-create.sh
index 48c5342..32c8925 100755
--- a/scripts/ca-create.sh
+++ b/scripts/ca-create.sh
@@ -1,8 +1,44 @@
#!/bin/sh -x
-pkispawn -vv -f ca.cfg -s CA
+mkdir -p tmp
+
+cat > tmp/ca.cfg << EOF
+[DEFAULT]
+#pki_pin=Secret.123
+
+[CA]
+pki_admin_email=caadmin@example.com
+pki_admin_name=caadmin
+pki_admin_nickname=caadmin
+pki_admin_password=Secret.123
+pki_admin_uid=caadmin
+
+#pki_backup_keys=True
+#pki_backup_password=Secret.123
+
+pki_client_database_password=Secret.123
+pki_client_database_purge=False
+pki_client_pkcs12_password=Secret.123
+
+pki_ds_base_dn=dc=ca,dc=pki,dc=example,dc=com
+pki_ds_password=Secret.123
+pki_ds_database=ca
+
+pki_security_domain_name=EXAMPLE
+
+#pki_server_pkcs12_path=pki-server.p12
+#pki_server_pkcs12_password=Secret.123
+
+pki_ca_signing_nickname=ca_signing
+pki_ocsp_signing_nickname=ca_ocsp_signing
+pki_audit_signing_nickname=ca_audit_signing
+pki_ssl_server_nickname=sslserver
+pki_subsystem_nickname=subsystem
+EOF
+
+pkispawn -vv -f tmp/ca.cfg -s CA
#/bin/cp /root/.dogtag/pki-tomcat/ca_admin.cert .
#/bin/cp /root/.dogtag/pki-tomcat/ca_admin_cert.p12 .
#/bin/cp /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf ca_admin_cert.txt
-#echo $HOSTNAME > master.txt
+echo $HOSTNAME > tmp/master.txt
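Review bot: tmp/ca.cfg holds `pki_admin_password`, `pki_ds_password` and the PKCS#12 password but is created through a plain `cat >` redirect under the caller's default umask, so it is typically world-readable in the working directory; the same applies to tmp/ca-external-step1.cfg, tmp/ca-external-step2.cfg, tmp/root-ca.cfg and the two CMC cfg files written in the later hunks. Wrapping the heredoc in `(umask 077; cat > tmp/ca.cfg << EOF … EOF)`, or running `touch tmp/ca.cfg && chmod 600 tmp/ca.cfg` before the redirect, limits the file to the owner without changing the umask that pkispawn itself later runs under. `echo $HOSTNAME > tmp/master.txt` is also unquoted; `printf '%s\n' "$HOSTNAME" > tmp/master.txt` is the safe form.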
diff --git a/scripts/ca-external-cmc-sign.sh b/scripts/ca-external-cmc-sign.sh
new file mode 100755
index 0000000..da20953
--- /dev/null
+++ b/scripts/ca-external-cmc-sign.sh
@@ -0,0 +1,80 @@
+#!/bin/sh
+
+mkdir -p tmp
+
+cat > tmp/cmc-request.cfg << EOF
+# NSS database directory.
+dbdir=$HOME/.dogtag/nssdb
+
+# NSS database password.
+password=Secret.123
+
+# Token name (default is internal).
+tokenname=internal
+
+# Nickname for agent certificate.
+nickname=caadmin
+
+# Request format: pkcs10 or crmf.
+format=pkcs10
+
+# Total number of PKCS10/CRMF requests.
+numRequests=1
+
+# Path to the PKCS10/CRMF request.
+# The content must be in Base-64 encoded format.
+# Multiple files are supported. They must be separated by space.
+input=$PWD/tmp/ca_signing.csr
+
+# Path for the CMC request in binary format
+output=$PWD/tmp/cmc-request.bin
+EOF
+
+CMCRequest tmp/cmc-request.cfg
+
+cat > tmp/cmc-submit.cfg << EOF
+# PKI server host name.
+host=$HOSTNAME
+
+# PKI server port number.
+port=8443
+
+# Use secure connection.
+# For secure connection with ECC, set environment variable 'export NSS_USE_DECODED_CKA_EC_POINT=1'.
+secure=true
+
+# Use client authentication.
+clientmode=true
+
+# NSS database directory.
+dbdir=$HOME/.dogtag/nssdb
+
+# NSS database password.
+password=Secret.123
+
+# Token name (default: internal).
+tokenname=internal
+
+# Nickname of agent certificate.
+nickname=caadmin
+
+# CMC servlet path
+servlet=/ca/ee/ca/profileSubmitCMCFullCACert
+
+# Path for the CMC request.
+input=tmp/cmc-request.bin
+
+# Path for the CMC response.
+output=tmp/cmc-response.bin
+EOF
+
+HttpClient tmp/cmc-submit.cfg
+
+CMCResponse -d ~/.dogtag/nssdb -i tmp/cmc-response.bin
+
+BtoA tmp/cmc-response.bin tmp/cmc-response.b64
+echo "-----BEGIN PKCS7-----" > tmp/ca_signing.crt
+cat tmp/cmc-response.b64 >> tmp/ca_signing.crt
+echo "-----END PKCS7-----" >> tmp/ca_signing.crt
+
+pki cert-show --output tmp/external.crt 0x1
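Review bot: The three `echo`/`cat` lines that build tmp/ca_signing.crt run unconditionally, so when `CMCRequest` or `HttpClient` fails (the script has no `set -e`) an empty or partial tmp/cmc-response.b64 is still wrapped in PKCS7 markers and, via `pki_external_ca_cert_path` in ca-external-step2.sh, handed to pkispawn as if it were a valid certificate. A guard before the wrapping, `[ -s tmp/cmc-response.bin ] || { echo "no CMC response in tmp/" >&2; exit 1; }`, or `set -e` after the shebang, stops the script at the first failure instead. The serial `0x1` in the final `pki cert-show` presumably addresses the signing CA's own CA signing certificate; a comment stating that assumption, `# 0x1: serial of the signing CA's own certificate (confirm for this instance)`, would help the next reader.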
diff --git a/scripts/ca-external-nss-sign.sh b/scripts/ca-external-nss-sign.sh
index f8b4bc9..b67082c 100755
--- a/scripts/ca-external-nss-sign.sh
+++ b/scripts/ca-external-nss-sign.sh
@@ -1,20 +1,19 @@
#!/bin/sh
-rm -rf external
-mkdir external
-certutil -N -d external -f password.txt
-openssl rand -out external/noise.bin 2048
+rm -rf tmp/external
+mkdir -p tmp/external
+certutil -N -d tmp/external -f password.txt
+openssl rand -out tmp/external/noise.bin 2048
echo "## Generating external CA certificate..."
-#ROOTCA_SKID="0x847bb8664d7a32f182974ca861fb26867ecb42cd"
ROOTCA_SKID="0x`openssl rand -hex 20`"
echo -e "y\n\ny\n${ROOTCA_SKID}\n\n" | \
certutil -S \
- -d external \
+ -d tmp/external \
-f password.txt \
- -z external/noise.bin \
+ -z tmp/external/noise.bin \
-n "External CA" \
-s "CN=External CA,O=EXTERNAL" \
-x \
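Review bot: `rm -rf tmp/external` and the rebuild that follows run before anything checks that `password.txt` exists in the working directory, so a missing or misplaced password file deletes the previous external CA database and then lets every later `certutil` call fail against an uninitialised directory while the script keeps going (no `set -e`). A one-line precondition at the top, `[ -f password.txt ] || { echo "password.txt not found" >&2; exit 1; }`, fails fast and preserves the old database. `password.txt` is now the only input still read from the script directory while every generated artifact lives under tmp/; if that is intended, a comment naming where it is expected, `# password.txt (script directory): password for the tmp/external NSS database`, makes the layout explicit.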
@@ -24,26 +23,25 @@ echo -e "y\n\ny\n${ROOTCA_SKID}\n\n" | \
--keyUsage digitalSignature,nonRepudiation,certSigning,crlSigning,critical \
--extSKID
-# --keyUsage certSigning \
# --nsCertType sslCA,smimeCA,objectSigningCA
+
echo "## Exporting external CA certificate..."
-certutil -L -d external -n "External CA" -a > external.crt
+certutil -L -d tmp/external -n "External CA" -a > tmp/external.crt
echo "## Signing the CA signing certificate..."
-#SUBCA_SKID="0x7d34de0374bcb294d5447479060266a52310e9ce"
SUBCA_SKID="0x`openssl rand -hex 20`"
SUBCA_OCSP="http://$HOSTNAME:8080/ca/ocsp"
echo -e "y\n\ny\ny\n${ROOTCA_SKID}\n\n\n\n${SUBCA_SKID}\n\n2\n7\n${SUBCA_OCSP}\n\n\n\n" | \
certutil -C \
- -d external \
+ -d tmp/external \
-f password.txt \
-m $RANDOM \
-a \
- -i ca_signing.csr \
- -o ca_signing.crt \
+ -i tmp/ca_signing.csr \
+ -o tmp/ca_signing.crt \
-c "External CA" \
--extSKID \
-2 -3 \
@@ -53,15 +51,16 @@ echo -e "y\n\ny\ny\n${ROOTCA_SKID}\n\n\n\n${SUBCA_SKID}\n\n2\n7\n${SUBCA_OCSP}\n
echo "## Generating certificate chain..."
-certutil -A -d external -n "CA Signing Certificate" -t "CT,C,C" -a -i ca_signing.crt
+certutil -A -d tmp/external -n "CA Signing Certificate" -t "CT,C,C" -a -i tmp/ca_signing.crt
-openssl crl2pkcs7 -nocrl -certfile external.crt -out cert_chain.p7b
-#openssl crl2pkcs7 -nocrl -certfile external.crt -certfile ca_signing.crt -out cert_chain.p7b
+openssl crl2pkcs7 -nocrl -certfile tmp/external.crt -out tmp/cert_chain.p7b
+#openssl crl2pkcs7 -nocrl -certfile tmp/external.crt -certfile tmp/ca_signing.crt -out tmp/cert_chain.p7b
#certutil -C \
-# -d external \
+# -d tmp/external \
# -f password.txt \
# -m $RANDOM \
-# -a -i ca_signing.csr \
-# -o ca_signing.crt \
+# -a \
+# -i tmp/ca_signing.csr \
+# -o tmp/ca_signing.crt \
# -c "External CA"
diff --git a/scripts/ca-external-step1.sh b/scripts/ca-external-step1.sh
index 19eca2b..a9d6df9 100755
--- a/scripts/ca-external-step1.sh
+++ b/scripts/ca-external-step1.sh
@@ -1,28 +1,78 @@
#!/bin/sh -x
-rm -f /tmp/ca_signing.csr
-rm -f /tmp/ca_ocsp_signing.csr
-rm -f /tmp/ca_audit_signing.csr
-rm -f /tmp/sslserver.csr
-rm -f /tmp/subsystem.csr
-
-rm -r /tmp/external.crt
-rm -r /tmp/cert_chain.p7b
-rm -f /tmp/ca_signing.crt
-
-rm -f /tmp/example.crt
-rm -f /tmp/example2.crt
-rm -f /tmp/example.p7
-rm -f /tmp/example2.p7
-rm -f /tmp/example.p7b
-rm -f /tmp/example2.p7b
-rm -f /tmp/example3.csr
-rm -f /tmp/example3.crt
-
-pkispawn -vv -f ca-external-step1.cfg -s CA
-
-/bin/cp -f /tmp/ca_signing.csr .
-/bin/cp -f /tmp/ca_ocsp_signing.csr .
-/bin/cp -f /tmp/ca_audit_signing.csr .
-/bin/cp -f /tmp/sslserver.csr .
-/bin/cp -f /tmp/subsystem.csr .
+mkdir -p tmp
+
+rm -f tmp/ca_signing.csr
+rm -f tmp/ca_ocsp_signing.csr
+rm -f tmp/ca_audit_signing.csr
+rm -f tmp/sslserver.csr
+rm -f tmp/subsystem.csr
+
+rm -r tmp/external.crt
+rm -r tmp/cert_chain.p7b
+rm -f tmp/ca_signing.crt
+
+rm -f tmp/example.crt
+rm -f tmp/example2.crt
+rm -f tmp/example.p7
+rm -f tmp/example2.p7
+rm -f tmp/example.p7b
+rm -f tmp/example2.p7b
+rm -f tmp/example3.csr
+rm -f tmp/example3.crt
+
+cat > tmp/ca-external-step1.cfg << EOF
+#[DEFAULT]
+#pki_instance_name=pki-child
+#pki_pin=Secret.123
+
+[CA]
+pki_admin_email=caadmin@example.com
+pki_admin_name=caadmin
+pki_admin_nickname=caadmin
+pki_admin_password=Secret.123
+pki_admin_uid=caadmin
+
+pki_backup_keys=True
+pki_backup_password=Secret.123
+
+pki_client_database_password=Secret.123
+pki_client_database_purge=False
+pki_client_pkcs12_password=Secret.123
+
+pki_ds_base_dn=dc=ca,dc=pki,dc=example,dc=com
+pki_ds_database=ca
+pki_ds_password=Secret.123
+
+pki_security_domain_name=EXAMPLE
+
+pki_token_password=Secret.123
+
+pki_external=True
+pki_external_step_two=False
+pki_external_csr_path=$PWD/tmp/ca_signing.csr
+
+#pki_ca_signing_csr_path=$PWD/tmp/ca_signing.csr
+pki_ocsp_signing_csr_path=$PWD/tmp/ca_ocsp_signing.csr
+pki_audit_signing_csr_path=$PWD/tmp/ca_audit_signing.csr
+pki_ssl_server_csr_path=$PWD/tmp/sslserver.csr
+pki_subsystem_csr_path=$PWD/tmp/subsystem.csr
+
+#pki_security_domain_name=CHILD
+#pki_ca_signing_csr_path=$PWD/tmp/example2.csr
+#pki_ca_signing_subject_dn=CN=Child Cert,O=CHILD
+
+#pki_security_domain_name=GRANDCHILD
+#pki_ca_signing_csr_path=$PWD/tmp/example3.csr
+#pki_ca_signing_subject_dn=CN=Grandchild Cert,O=GRANDCHILD
+
+#pki_req_ext_add=True
+
+pki_ca_signing_nickname=ca_signing
+pki_ocsp_signing_nickname=ca_ocsp_signing
+pki_audit_signing_nickname=ca_audit_signing
+pki_ssl_server_nickname=sslserver
+pki_subsystem_nickname=subsystem
+EOF
+
+pkispawn -vv -f tmp/ca-external-step1.cfg -s CA
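Review bot: `rm -r tmp/external.crt` and `rm -r tmp/cert_chain.p7b` are the only cleanup lines without `-f`, so on a fresh checkout they print "No such file or directory" for two regular files and, being `rm -r` on plain files, gain nothing over `rm -f`; `rm -f tmp/external.crt tmp/cert_chain.p7b` is the consistent form. The generated tmp/ca-external-step1.cfg also records `pki_backup_password` and `pki_token_password` next to the admin and DS passwords, which raises the same world-readable-by-default concern as the ca-create.sh heredoc. A header comment explaining the flow, e.g. `# Step 1: spawn the CA with pki_external=True so it writes its CSRs into tmp/ for ca-external-*-sign.sh; run ca-external-step2.sh afterwards`, would help, since nothing in the script itself says that a signing script and step 2 must follow.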
diff --git a/scripts/ca-external-step2.sh b/scripts/ca-external-step2.sh
index 801bd1f..a45afdc 100755
--- a/scripts/ca-external-step2.sh
+++ b/scripts/ca-external-step2.sh
@@ -1,13 +1,48 @@
#!/bin/sh -x
-cp ca_signing.crt /tmp
-cp external.crt /tmp
-cp cert_chain.p7b /tmp
+mkdir -p tmp
-#cp level1.crt /tmp
-#cp level2.crt /tmp
+cat > tmp/ca-external-step2.cfg << EOF
+#[DEFAULT]
+#pki_instance_name=pki-child
+#pki_pin=Secret.123
-#cp example.crt /tmp
-#cp example2.p7b /tmp
+[CA]
+pki_admin_email=caadmin@example.com
+pki_admin_name=caadmin
+pki_admin_nickname=caadmin
+pki_admin_password=Secret.123
+pki_admin_uid=caadmin
-pkispawn -vv -f ca-external-step2.cfg -s CA
+pki_backup_keys=True
+pki_backup_password=Secret.123
+
+pki_client_database_password=Secret.123
+pki_client_database_purge=False
+pki_client_pkcs12_password=Secret.123
+
+pki_ds_base_dn=dc=ca,dc=pki,dc=example,dc=com
+pki_ds_database=ca
+pki_ds_password=Secret.123
+
+pki_security_domain_name=EXAMPLE
+pki_token_password=Secret.123
+
+pki_external=True
+pki_external_step_two=True
+pki_external_csr_path=$PWD/tmp/ca_signing.csr
+pki_external_ca_cert_path=$PWD/tmp/ca_signing.crt
+
+pki_external_ca_cert_chain_nickname=external
+pki_external_ca_cert_chain_path=$PWD/tmp/external.crt
+#pki_external_ca_cert_chain_path=$PWD/tmp/cert_chain.p7b
+#pki_external_ca_cert_chain_path=$PWD/tmp/level2.crt
+
+pki_ca_signing_nickname=ca_signing
+pki_ocsp_signing_nickname=ca_ocsp_signing
+pki_audit_signing_nickname=ca_audit_signing
+pki_ssl_server_nickname=sslserver
+pki_subsystem_nickname=subsystem
+EOF
+
+pkispawn -vv -f tmp/ca-external-step2.cfg -s CA
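Review bot: Step 2 now points pkispawn at tmp/ca_signing.crt and tmp/external.crt directly, so if a signing script was skipped or failed the instance is spawned against missing files and the error surfaces late inside pkispawn, whereas the removed `cp` lines at least made a missing file the first visible error. A short precheck before the heredoc keeps the failure at the top with a clear message: `for f in tmp/ca_signing.crt tmp/external.crt; do` / `  [ -s "$f" ] || { echo "missing $f; run a ca-external-*-sign.sh script first" >&2; exit 1; }` / `done`. The commented `pki_external_ca_cert_chain_path` alternatives (cert_chain.p7b, level2.crt) would be easier to maintain with a one-line note on when each applies.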
diff --git a/scripts/root-admin-init.sh b/scripts/root-admin-init.sh
new file mode 100755
index 0000000..f30990f
--- /dev/null
+++ b/scripts/root-admin-init.sh
@@ -0,0 +1,13 @@
+#!/bin/sh
+
+pki -c Secret.123 client-init --force
+
+pki -c Secret.123 client-cert-import "Root CA Signing Certificate" --ca-server
+
+pki -c Secret.123 client-cert-import \
+ --pkcs12 ~/.dogtag/pki-tomcat/ca_admin_cert.p12 \
+ --pkcs12-password Secret.123
+
+#pki -c Secret.123 pkcs12-import \
+# --pkcs12-file ~/.dogtag/pki-tomcat/ca_admin_cert.p12 \
+# --pkcs12-password Secret.123
diff --git a/scripts/ca.cfg b/scripts/root-ca-create.sh
index 3181abe..bf2cea6 100644..100755
--- a/scripts/ca.cfg
+++ b/scripts/root-ca-create.sh
@@ -1,6 +1,8 @@
-[DEFAULT]
-#pki_pin=Secret.123
+#!/bin/sh -x
+mkdir -p tmp
+
+cat > tmp/root-ca.cfg << EOF
[CA]
pki_admin_email=caadmin@example.com
pki_admin_name=caadmin
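Review bot: The heredoc delimiter on `cat > tmp/root-ca.cfg << EOF` is unquoted although the config body contains no shell expansion, so any `$` that later lands in a value (a password, a DN) would be expanded silently; `cat > tmp/root-ca.cfg << 'EOF'` writes the file literally, and the same applies to tmp/ca.cfg in ca-create.sh. The `%(pki_instance_name)s` interpolation further down in this file is untouched by either form. The step1, step2 and cmc-sign heredocs must stay unquoted because they rely on `$PWD`, `$HOME` and `$HOSTNAME`.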
@@ -8,24 +10,26 @@ pki_admin_nickname=caadmin
pki_admin_password=Secret.123
pki_admin_uid=caadmin
-#pki_backup_keys=True
-#pki_backup_password=Secret.123
-
-pki_client_database_password=Secret.123
-pki_client_database_purge=False
+#pki_client_database_password=Secret.123
+#pki_client_database_purge=False
pki_client_pkcs12_password=Secret.123
pki_ds_base_dn=dc=ca,dc=pki,dc=example,dc=com
pki_ds_password=Secret.123
pki_ds_database=ca
-pki_security_domain_name=EXAMPLE
+pki_security_domain_name=ROOT
#pki_server_pkcs12_path=pki-server.p12
#pki_server_pkcs12_password=Secret.123
pki_ca_signing_nickname=ca_signing
+pki_ca_signing_subject_dn=cn=Root CA Signing Certificate,ou=%(pki_instance_name)s,o=%(pki_security_domain_name)s
+
pki_ocsp_signing_nickname=ca_ocsp_signing
pki_audit_signing_nickname=ca_audit_signing
pki_ssl_server_nickname=sslserver
pki_subsystem_nickname=subsystem
+EOF
+
+pkispawn -vv -f tmp/root-ca.cfg -s CA
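Review bot: `pki_client_database_password` and `pki_client_database_purge` are commented out for the root CA while ca-create.sh sets both, and nothing explains the difference; if it is deliberate, a comment above the two lines, `# client DB settings left to pkispawn defaults for the root instance`, would stop the next reader from "fixing" it. The new `pki_ca_signing_subject_dn` uses `ou=%(pki_instance_name)s`, while the `[DEFAULT]` section the old ca.cfg carried was dropped in this rewrite; presumably pkispawn supplies `pki_instance_name` from its own defaults, but that is worth confirming against the deployed version.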