authorEndi S. Dewata <edewata@redhat.com>2017-08-01 04:59:54 +0200
committerEndi S. Dewata <edewata@redhat.com>2017-08-01 04:59:54 +0200
commitd9a2c41533a95044b021d94b53081a07424b90b4 (patch)
tree4235f45474fbba73fd7182d83716c4a2b4cd4ec5
parent45edbfb5082cd07b1bfd437d94a6d8f8dd99a74e (diff)
Updated OCSP scripts.
-rwxr-xr-xscripts/ocsp-create.sh46
-rwxr-xr-xscripts/ocsp-standalone-ca-sign.sh10
-rwxr-xr-xscripts/ocsp-standalone-sign.sh57
-rwxr-xr-xscripts/ocsp-standalone-step1.sh6
-rwxr-xr-xscripts/ocsp-standalone-step2.sh19
-rw-r--r--scripts/ocsp.cfg29
-rwxr-xr-xscripts/ocsp_admin-ca-sign.sh13
-rwxr-xr-xscripts/ocsp_audit_signing-ca-sign.sh14
-rwxr-xr-xscripts/ocsp_signing-ca-sign.sh14
9 files changed, 108 insertions, 100 deletions
diff --git a/scripts/ocsp-create.sh b/scripts/ocsp-create.sh
index f76101e..ad018a4 100755
--- a/scripts/ocsp-create.sh
+++ b/scripts/ocsp-create.sh
@@ -1,3 +1,47 @@
#!/bin/sh -x
-pkispawn -v -f ocsp.cfg -s OCSP -v
+mkdir -p tmp
+
+cat > tmp/ocsp.cfg << EOF
+[DEFAULT]
+#pki_pin=Secret.123
+
+[OCSP]
+pki_admin_cert_file=/root/.dogtag/pki-tomcat/ca_admin.cert
+pki_admin_email=ocspadmin@example.com
+pki_admin_name=ocspadmin
+pki_admin_nickname=ocspadmin
+pki_admin_password=Secret.123
+pki_admin_uid=ocspadmin
+
+pki_backup_keys=True
+pki_backup_password=Secret.123
+
+pki_client_database_password=Secret.123
+pki_client_database_purge=False
+pki_client_pkcs12_password=Secret.123
+
+pki_ds_base_dn=dc=ocsp,dc=pki,dc=example,dc=com
+#pki_ds_database=userRoot
+pki_ds_database=ocsp
+#pki_ds_create_new_db=False
+pki_ds_password=Secret.123
+
+pki_clone_pkcs12_password=Secret.123
+
+pki_security_domain_name=EXAMPLE
+pki_security_domain_user=caadmin
+pki_security_domain_password=Secret.123
+
+pki_token_password=Secret.123
+
+#pki_profiles_in_ldap=False
+#pki_share_db=False
+
+pki_ocsp_signing_nickname=ocsp_signing
+pki_audit_signing_nickname=ocsp_audit_signing
+pki_ssl_server_nickname=sslserver
+pki_subsystem_nickname=subsystem
+EOF
+
+pkispawn -v -f tmp/ocsp.cfg -s OCSP -v
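Review bot: The generated `tmp/ocsp.cfg` holds the admin, backup, client, DS, security-domain and token passwords in clear text, yet it is created with whatever umask the caller has, so it is typically world-readable; the same applies to the `tmp/ocsp-standalone-step1.cfg` and `tmp/ocsp-standalone-step2.cfg` heredocs in this commit. Restricting the file before `pkispawn` reads it is a one-line change, e.g. `umask 077` placed before `cat > tmp/ocsp.cfg << EOF`, or `chmod 600 tmp/ocsp.cfg` immediately after the `EOF`. The `pkispawn` line also passes `-v` twice; one is enough. Since there is no `set -e`, a failed `cat` or `mkdir` would still let `pkispawn` run against a stale or missing config, so `set -e` after the shebang would be worthwhile too.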
diff --git a/scripts/ocsp-standalone-ca-sign.sh b/scripts/ocsp-standalone-ca-sign.sh
new file mode 100755
index 0000000..63ab317
--- /dev/null
+++ b/scripts/ocsp-standalone-ca-sign.sh
@@ -0,0 +1,10 @@
+#!/bin/sh
+
+./ca_signing-export.sh
+
+./ocsp_admin-ca-sign.sh
+./ocsp_signing-ca-sign.sh
+./ocsp_audit_signing-ca-sign.sh
+
+./sslserver-ca-sign.sh
+./subsystem-ca-sign.sh
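Review bot: Each `./*-ca-sign.sh` step depends on the previous one having produced its certificate, but without `set -e` a failure in `./ca_signing-export.sh` or any signing script does not stop the sequence and the remaining scripts run against missing inputs. Adding `set -e` on the line after `#!/bin/sh` makes the first failing step abort the whole run. The relative `./` paths also assume the script is launched from `scripts/`; a short comment such as `# run from the scripts/ directory` at the top would document that expectation.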
diff --git a/scripts/ocsp-standalone-sign.sh b/scripts/ocsp-standalone-sign.sh
deleted file mode 100755
index f60b655..0000000
--- a/scripts/ocsp-standalone-sign.sh
+++ /dev/null
@@ -1,57 +0,0 @@
-#!/bin/sh
-
-#### CA Cert ####
-
-pki cert-show --output tmp/ca_signing.crt 0x1
-#pki cert-show --output cert_chain.p7b 0x1
-
-#### Admin Cert ####
-
-REQUEST_ID=`pki ca-cert-request-submit --profile caUserCert --csr-file tmp/ocsp_admin.csr --subject uid=ocspadmin | grep "Request ID:" | awk -F ': ' '{print $2;}'`
-echo Request ID: $REQUEST_ID
-
-CERT_ID=`pki -c Secret.123 -n caadmin ca-cert-request-review --action approve $REQUEST_ID | grep "Certificate ID:" | awk -F ': ' '{print $2;}'`
-echo Certificate ID: $CERT_ID
-
-pki cert-show --output tmp/ocsp_admin.crt $CERT_ID
-
-#### OCSP Signing Cert ####
-
-REQUEST_ID=`pki ca-cert-request-submit --profile caOCSPCert --csr-file tmp/ocsp_signing.csr | grep "Request ID:" | awk -F ': ' '{print $2;}'`
-echo Request ID: $REQUEST_ID
-
-CERT_ID=`pki -c Secret.123 -n caadmin ca-cert-request-review --action approve $REQUEST_ID | grep "Certificate ID:" | awk -F ': ' '{print $2;}'`
-echo Certificate ID: $CERT_ID
-
-pki cert-show --output tmp/ocsp_signing.crt $CERT_ID
-
-#### Server Cert ####
-
-REQUEST_ID=`pki ca-cert-request-submit --profile caServerCert --csr-file tmp/sslserver.csr | grep "Request ID:" | awk -F ': ' '{print $2;}'`
-echo Request ID: $REQUEST_ID
-
-CERT_ID=`pki -c Secret.123 -n caadmin ca-cert-request-review --action approve $REQUEST_ID | grep "Certificate ID:" | awk -F ': ' '{print $2;}'`
-echo Certificate ID: $CERT_ID
-
-pki cert-show --output tmp/sslserver.crt $CERT_ID
-
-#### Subsystem Cert ####
-
-REQUEST_ID=`pki ca-cert-request-submit --profile caSubsystemCert --csr-file tmp/subsystem.csr | grep "Request ID:" | awk -F ': ' '{print $2;}'`
-echo Request ID: $REQUEST_ID
-
-CERT_ID=`pki -c Secret.123 -n caadmin ca-cert-request-review --action approve $REQUEST_ID | grep "Certificate ID:" | awk -F ': ' '{print $2;}'`
-echo Certificate ID: $CERT_ID
-
-pki cert-show --output tmp/subsystem.crt $CERT_ID
-
-#### Audit Signing Cert ####
-
-REQUEST_ID=`pki ca-cert-request-submit --profile caSignedLogCert --csr-file tmp/ocsp_audit_signing.csr | grep "Request ID:" | awk -F ': ' '{print $2;}'`
-echo Request ID: $REQUEST_ID
-
-CERT_ID=`pki -c Secret.123 -n caadmin ca-cert-request-review --action approve $REQUEST_ID | grep "Certificate ID:" | awk -F ': ' '{print $2;}'`
-echo Certificate ID: $CERT_ID
-
-pki cert-show --output tmp/ocsp_audit_signing.crt $CERT_ID
-
diff --git a/scripts/ocsp-standalone-step1.sh b/scripts/ocsp-standalone-step1.sh
index 7cd161e..50c9df7 100755
--- a/scripts/ocsp-standalone-step1.sh
+++ b/scripts/ocsp-standalone-step1.sh
@@ -3,6 +3,9 @@
mkdir -p tmp
cat > tmp/ocsp-standalone-step1.cfg << EOF
+[DEFAULT]
+pki_pin=Secret.123
+
[OCSP]
pki_admin_email=ocspadmin@example.com
pki_admin_name=ocspadmin
@@ -27,10 +30,11 @@ pki_token_password=Secret.123
pki_standalone=True
pki_external_step_two=False
-pki_signing_nickname=ocsp_signing
+pki_ocsp_signing_nickname=ocsp_signing
pki_audit_signing_nickname=ocsp_audit_signing
pki_ssl_server_nickname=sslserver
pki_subsystem_nickname=subsystem
+pki_cert_chain_nickname=ca_signing
pki_external_admin_csr_path=$PWD/tmp/ocsp_admin.csr
pki_external_audit_signing_csr_path=$PWD/tmp/ocsp_audit_signing.csr
diff --git a/scripts/ocsp-standalone-step2.sh b/scripts/ocsp-standalone-step2.sh
index e2d5162..91a15bc 100755
--- a/scripts/ocsp-standalone-step2.sh
+++ b/scripts/ocsp-standalone-step2.sh
@@ -2,16 +2,10 @@
mkdir -p tmp
-cp external_ca.cert /etc/pki/pki-tomcat
-cp external_ca_chain.cert /etc/pki/pki-tomcat
-
-cp ocsp_admin.cert /etc/pki/pki-tomcat
-cp ocsp_signing.cert /etc/pki/pki-tomcat
-cp ocsp_sslserver.cert /etc/pki/pki-tomcat
-cp ocsp_subsystem.cert /etc/pki/pki-tomcat
-cp ocsp_audit_signing.cert /etc/pki/pki-tomcat
-
cat > tmp/ocsp-standalone-step2.cfg << EOF
+[DEFAULT]
+pki_pin=Secret.123
+
[OCSP]
pki_admin_email=ocspadmin@example.com
pki_admin_name=ocspadmin
@@ -36,16 +30,17 @@ pki_token_password=Secret.123
pki_standalone=True
pki_external_step_two=True
+pki_ocsp_signing_nickname=ocsp_signing
pki_audit_signing_nickname=ocsp_audit_signing
-pki_signing_nickname=ocsp_signing
pki_ssl_server_nickname=sslserver
pki_subsystem_nickname=subsystem
+pki_cert_chain_nickname=ca_signing
-pki_external_ca_cert_chain_path=$PWD/tmp/cert_chain.p7b
+#pki_external_ca_cert_chain_path=$PWD/tmp/cert_chain.p7b
pki_external_ca_cert_path=$PWD/tmp/ca_signing.crt
pki_external_admin_cert_path=$PWD/tmp/ocsp_admin.crt
-pki_external_audit_signing_cert_path=$PWD/tmp/ocsp_audit_signing.crt
pki_external_signing_cert_path=$PWD/tmp/ocsp_signing.crt
+pki_external_audit_signing_cert_path=$PWD/tmp/ocsp_audit_signing.crt
pki_external_sslserver_cert_path=$PWD/tmp/sslserver.crt
pki_external_subsystem_cert_path=$PWD/tmp/subsystem.crt
EOF
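Review bot: The newly commented-out `#pki_external_ca_cert_chain_path=$PWD/tmp/cert_chain.p7b` sits next to the newly added `pki_cert_chain_nickname=ca_signing`, and nothing in the hunk says why the chain path is now disabled while `pki_external_ca_cert_path` stays; a reader cannot tell whether the option is obsolete or temporarily off. A one-line comment above it, e.g. `# chain path not needed here; CA cert is supplied via pki_external_ca_cert_path`, adjusted to the actual reason, would remove the guesswork. The moved `pki_external_audit_signing_cert_path` line appears to be a pure reorder with no functional effect, so it may be worth saying so in the commit message if it is intentional.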
diff --git a/scripts/ocsp.cfg b/scripts/ocsp.cfg
deleted file mode 100644
index f0c1218..0000000
--- a/scripts/ocsp.cfg
+++ /dev/null
@@ -1,29 +0,0 @@
-[OCSP]
-pki_admin_cert_file=/root/.dogtag/pki-tomcat/ca_admin.cert
-pki_admin_email=ocspadmin@example.com
-pki_admin_name=ocspadmin
-pki_admin_nickname=ocspadmin
-pki_admin_password=Secret123
-pki_admin_uid=ocspadmin
-
-pki_backup_keys=True
-pki_backup_password=Secret123
-
-pki_client_database_password=Secret123
-pki_client_database_purge=False
-pki_client_pkcs12_password=Secret123
-
-pki_ds_base_dn=dc=ocsp,dc=example,dc=com
-pki_ds_database=ocsp
-pki_ds_password=Secret123
-
-pki_clone_pkcs12_password=Secret123
-
-pki_security_domain_name=EXAMPLE
-pki_security_domain_user=caadmin
-pki_security_domain_password=Secret123
-
-pki_token_password=Secret123
-
-#pki_profiles_in_ldap=False
-#pki_share_db=False
diff --git a/scripts/ocsp_admin-ca-sign.sh b/scripts/ocsp_admin-ca-sign.sh
new file mode 100755
index 0000000..6b5e4eb
--- /dev/null
+++ b/scripts/ocsp_admin-ca-sign.sh
@@ -0,0 +1,13 @@
+#!/bin/sh
+
+CMD="pki ca-cert-request-submit --profile caUserCert --csr-file tmp/ocsp_admin.csr --subject uid=ocspadmin"
+echo $CMD
+REQUEST_ID=`$CMD | grep "Request ID:" | awk -F ': ' '{print $2;}'`
+echo Request ID: $REQUEST_ID
+
+CMD="pki -c Secret.123 -n caadmin ca-cert-request-review --action approve $REQUEST_ID"
+echo $CMD
+CERT_ID=`$CMD | grep "Certificate ID:" | awk -F ': ' '{print $2;}'`
+echo Certificate ID: $CERT_ID
+
+pki cert-show --output tmp/ocsp_admin.crt $CERT_ID
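Review bot: The approve step runs even when the submit step produced no request id: if `grep "Request ID:"` matches nothing, `REQUEST_ID` is empty and `ca-cert-request-review --action approve` is invoked without an id, after which `cert-show` runs with an empty `CERT_ID`; the same pattern is in ocsp_audit_signing-ca-sign.sh and ocsp_signing-ca-sign.sh. Guarding each captured value, `[ -n "$REQUEST_ID" ] || exit 1` after the first backtick line and `[ -n "$CERT_ID" ] || exit 1` after the second, stops the script at the first failed step. Separately, `echo $CMD` prints the `-c Secret.123` client database password to stdout and the argv form exposes it in process listings; for a dev script with a test secret this is mainly log noise, but the `pki -C <password-file>` form would keep it out of both. Quoting the expansions (`"$REQUEST_ID"`, `"$CERT_ID"`) and using `$(...)` instead of backticks would also bring the file in line with ShellCheck.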
diff --git a/scripts/ocsp_audit_signing-ca-sign.sh b/scripts/ocsp_audit_signing-ca-sign.sh
new file mode 100755
index 0000000..decbf57
--- /dev/null
+++ b/scripts/ocsp_audit_signing-ca-sign.sh
@@ -0,0 +1,14 @@
+#!/bin/sh
+
+CMD="pki ca-cert-request-submit --profile caSignedLogCert --csr-file tmp/ocsp_audit_signing.csr"
+echo $CMD
+REQUEST_ID=`$CMD | grep "Request ID:" | awk -F ': ' '{print $2;}'`
+echo Request ID: $REQUEST_ID
+
+CMD="pki -c Secret.123 -n caadmin ca-cert-request-review --action approve $REQUEST_ID"
+echo $CMD
+CERT_ID=`$CMD | grep "Certificate ID:" | awk -F ': ' '{print $2;}'`
+echo Certificate ID: $CERT_ID
+
+pki cert-show --output tmp/ocsp_audit_signing.crt $CERT_ID
+
diff --git a/scripts/ocsp_signing-ca-sign.sh b/scripts/ocsp_signing-ca-sign.sh
new file mode 100755
index 0000000..d6f1c3d
--- /dev/null
+++ b/scripts/ocsp_signing-ca-sign.sh
@@ -0,0 +1,14 @@
+#!/bin/sh
+
+CMD="pki ca-cert-request-submit --profile caOCSPCert --csr-file tmp/ocsp_signing.csr"
+echo $CMD
+REQUEST_ID=`$CMD | grep "Request ID:" | awk -F ': ' '{print $2;}'`
+echo Request ID: $REQUEST_ID
+
+CMD="pki -c Secret.123 -n caadmin ca-cert-request-review --action approve $REQUEST_ID"
+echo $CMD
+CERT_ID=`$CMD | grep "Certificate ID:" | awk -F ': ' '{print $2;}'`
+echo Certificate ID: $CERT_ID
+
+pki cert-show --output tmp/ocsp_signing.crt $CERT_ID
+