authorEndi S. Dewata <edewata@redhat.com>2018-02-02 18:47:17 +0100
committerEndi S. Dewata <edewata@redhat.com>2018-02-02 18:47:17 +0100
commitec842e618d1def4eab56a56db315fca83e53b48c (patch)
tree62c39ae9c115f1a782600e19b534dce3c315c942
parent75c76bdaf20b783e0764845e1e0b65a15f42fe4a (diff)
Updated sub CA scripts.
-rwxr-xr-xscripts/level3ca-create.sh62
-rwxr-xr-xscripts/rootca-admin-init.sh4
-rwxr-xr-xscripts/rootca-create.sh8
-rwxr-xr-xscripts/subca-admin-init.sh11
-rwxr-xr-xscripts/subca-ca-sign.sh13
-rwxr-xr-xscripts/subca-cmc-sign.sh74
-rwxr-xr-xscripts/subca-create.sh58
-rwxr-xr-xscripts/subca-external-step1.sh34
-rwxr-xr-xscripts/subca-external-step2.sh36
-rwxr-xr-xscripts/subca-lunasa-create.sh72
-rwxr-xr-xscripts/subca-lunasa-external-step1.sh63
-rwxr-xr-xscripts/subca-lunasa-external-step2.sh65
-rwxr-xr-xscripts/subca-nfast-external-step1.sh62
-rwxr-xr-xscripts/subca-nfast-external-step2.sh65
-rwxr-xr-xscripts/subca-nss-sign.sh66
-rwxr-xr-xscripts/subca-openssl-sign.sh106
-rwxr-xr-xscripts/subca-softcard-external-step1.sh61
-rwxr-xr-xscripts/subca-softcard-external-step2.sh63
18 files changed, 787 insertions, 136 deletions
diff --git a/scripts/level3ca-create.sh b/scripts/level3ca-create.sh
new file mode 100755
index 0000000..0cc8994
--- /dev/null
+++ b/scripts/level3ca-create.sh
@@ -0,0 +1,62 @@
+#!/bin/sh -x
+
+mkdir -p tmp
+
+SUBCA=`cat tmp/subca.hostname`
+
+cat > tmp/level3ca.cfg << EOF
+[DEFAULT]
+pki_pin=Secret.123
+
+[CA]
+pki_admin_email=caadmin@example.com
+pki_admin_name=caadmin
+pki_admin_nickname=caadmin
+pki_admin_password=Secret.123
+pki_admin_uid=caadmin
+
+pki_client_database_password=Secret.123
+pki_client_database_purge=False
+pki_client_pkcs12_password=Secret.123
+
+pki_ds_base_dn=dc=ca,dc=pki,dc=example,dc=com
+pki_ds_password=Secret.123
+pki_ds_database=ca
+
+pki_subordinate=True
+
+pki_issuing_ca_hostname=$SUBCA
+
+pki_security_domain_hostname=$SUBCA
+#pki_security_domain_name=EXAMPLE
+pki_security_domain_user=caadmin
+pki_security_domain_password=Secret.123
+
+pki_subordinate_create_new_security_domain=True
+pki_subordinate_security_domain_name=LEVEL3
+
+pki_ca_signing_nickname=${PREFIX}ca_signing
+pki_ca_signing_subject_dn=cn=CA Signing Certificate,o=EXAMPLE
+pki_ca_signing_token=$TOKEN
+
+pki_ocsp_signing_nickname=${PREFIX}ca_ocsp_signing
+pki_ocsp_signing_subject_dn=cn=CA OCSP Signing Certificate,o=EXAMPLE
+pki_ocsp_signing_token=$TOKEN
+
+pki_audit_signing_nickname=${PREFIX}ca_audit_signing
+pki_audit_signing_subject_dn=cn=CA Audit Signing Certificate,o=EXAMPLE
+pki_audit_signing_token=$TOKEN
+
+pki_sslserver_nickname=${PREFIX}sslserver/$HOSTNAME
+pki_sslserver_subject_dn=cn=$HOSTNAME,o=EXAMPLE
+pki_sslserver_token=$TOKEN
+
+pki_subsystem_nickname=${PREFIX}subsystem/$HOSTNAME
+pki_subsystem_subject_dn=cn=Subsystem Certificate,o=EXAMPLE
+pki_subsystem_token=$TOKEN
+EOF
+
+pkispawn -v -f tmp/level3ca.cfg -s CA
+
+echo $HOSTNAME > tmp/level3ca.hostname
+
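Review bot: `PREFIX` and `TOKEN` are expanded in the unquoted heredoc on the `pki_*_nickname` and `pki_*_token` lines, but nothing in this script assigns them, so unless they come in from the environment every `pki_*_token=` is written empty and the nicknames get no prefix (compare subca-lunasa-create.sh, which sets both before its heredoc); whether pkispawn treats an empty token as the internal token or as an error I cannot tell from here. The same unassigned pair is used in the new subca-create.sh heredoc and, as far as the hunks show, in subca-external-step1.sh and subca-external-step2.sh. Either assign them at the top as the HSM variants do, or fail early with `: "${TOKEN?TOKEN must be set}"` and `: "${PREFIX?PREFIX must be set (may be empty)}"`. `#!/bin/sh -x` also traces the rendered heredoc, so every `Secret.123` value ends up in the terminal log; enabling `set -x` only after the config is written, or dropping `-x`, avoids that.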
diff --git a/scripts/rootca-admin-init.sh b/scripts/rootca-admin-init.sh
index f30990f..85bef92 100755
--- a/scripts/rootca-admin-init.sh
+++ b/scripts/rootca-admin-init.sh
@@ -2,7 +2,9 @@
pki -c Secret.123 client-init --force
-pki -c Secret.123 client-cert-import "Root CA Signing Certificate" --ca-server
+#pki -c Secret.123 client-cert-import "Root CA Signing Certificate" --ca-server
+pki-server cert-export ca_signing --cert-file tmp/rootca_signing.crt
+pki -c Secret.123 client-cert-import --ca-cert tmp/rootca_signing.crt
pki -c Secret.123 client-cert-import \
--pkcs12 ~/.dogtag/pki-tomcat/ca_admin_cert.p12 \
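Review bot: The new `pki-server cert-export` line and the `--ca-cert` import that follows are not chained and the script has no `set -e`, so if the export fails the import proceeds with whatever `tmp/rootca_signing.crt` already contains, possibly a certificate from an earlier instance. Append `|| exit 1` to the export line (or add `set -e` after the shebang) so a stale file is never imported as the trust anchor. The same unchecked export/import pair appears in subca-admin-init.sh and the export in subca-ca-sign.sh. The script continues outside the hunk.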
diff --git a/scripts/rootca-create.sh b/scripts/rootca-create.sh
index 62506ff..4cbb688 100755
--- a/scripts/rootca-create.sh
+++ b/scripts/rootca-create.sh
@@ -14,7 +14,7 @@ pki_admin_password=Secret.123
pki_admin_uid=caadmin
pki_client_database_password=Secret.123
-#pki_client_database_purge=False
+pki_client_database_purge=False
pki_client_pkcs12_password=Secret.123
pki_ds_base_dn=dc=ca,dc=pki,dc=example,dc=com
@@ -24,7 +24,7 @@ pki_ds_database=ca
pki_security_domain_name=ROOT
pki_ca_signing_nickname=ca_signing
-pki_ca_signing_subject_dn=cn=Root CA Signing Certificate,o=ROOT
+#pki_ca_signing_subject_dn=cn=CA Signing Certificate,o=ROOT
pki_ocsp_signing_nickname=ca_ocsp_signing
pki_audit_signing_nickname=ca_audit_signing
@@ -32,6 +32,6 @@ pki_sslserver_nickname=sslserver
pki_subsystem_nickname=subsystem
EOF
-pkispawn -f tmp/rootca.cfg -s CA
+pkispawn -vvv -f tmp/rootca.cfg -s CA
-echo $HOSTNAME > tmp/rootca.txt
+echo $HOSTNAME > tmp/rootca.hostname
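Review bot: `echo $HOSTNAME > tmp/rootca.hostname` relies on `HOSTNAME`, which bash sets but a POSIX `/bin/sh` such as dash does not, so on such a system the file is written empty and every downstream `pki_issuing_ca_hostname=` / `pki_security_domain_hostname=` that reads it is blank; on a bash-backed `/bin/sh` it works, which may be why it has not shown up. `hostname > tmp/rootca.hostname` (where the `hostname` binary is available) is portable. The same `$HOSTNAME` use is in level3ca-create.sh, subca-create.sh, subca-lunasa-create.sh and the `pki_sslserver_nickname` / `pki_sslserver_subject_dn` lines of the new heredocs. Quoting it, `echo "$HOSTNAME"`, is the minimal fix for the bash case.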
diff --git a/scripts/subca-admin-init.sh b/scripts/subca-admin-init.sh
index 7e7db59..a128d08 100755
--- a/scripts/subca-admin-init.sh
+++ b/scripts/subca-admin-init.sh
@@ -1,11 +1,16 @@
#!/bin/sh
-ROOT=`cat tmp/rootca.txt`
+#ROOTCA=`cat tmp/rootca.hostname`
pki -c Secret.123 client-init --force
-pki -h $ROOT -c Secret.123 client-cert-import "Root CA Signing Certificate" --ca-server
-pki -h $ROOT -c Secret.123 client-cert-import "Subordinate CA Signing Certificate" --serial 0x7
+#pki -h $ROOTCA -c Secret.123 client-cert-import "Root CA Signing Certificate" --ca-server
+pki -c Secret.123 client-cert-import --ca-cert tmp/rootca_signing.crt
+
+#pki -h $ROOTCA -c Secret.123 client-cert-import "Subordinate CA Signing Certificate" --serial 0x7
+
+pki-server cert-export ca_signing --cert-file tmp/subca_signing.crt
+pki -c Secret.123 client-cert-import --ca-cert tmp/subca_signing.crt
pki -c Secret.123 client-cert-import \
--pkcs12 ~/.dogtag/pki-tomcat/ca_admin_cert.p12 \
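Review bot: The new `--ca-cert tmp/rootca_signing.crt` import depends on a file that nothing in this script produces; it is presumably the one rootca-admin-init.sh exports with `pki-server cert-export` on the root CA host, so on the sub CA host it exists only if it was copied over beforehand. If it is missing, the client database ends up with only the sub CA certificate exported on the following lines and no trust anchor above it. Either document the copy step above the import, e.g. `# tmp/rootca_signing.crt must be copied from the root CA host (see rootca-admin-init.sh)`, or guard it with `[ -f tmp/rootca_signing.crt ] || { echo "missing tmp/rootca_signing.crt" >&2; exit 1; }`. The script continues past the hunk.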
diff --git a/scripts/subca-ca-sign.sh b/scripts/subca-ca-sign.sh
new file mode 100755
index 0000000..a55249f
--- /dev/null
+++ b/scripts/subca-ca-sign.sh
@@ -0,0 +1,13 @@
+#!/bin/sh
+
+#pki cert-show 0x1 --output tmp/external.crt
+#openssl crl2pkcs7 -nocrl -certfile tmp/external.crt -out tmp/cert_chain.p7b
+#pki -d /etc/pki/pki-tomcat/alias -c Secret.123 client-cert-show ca_signing --cert tmp/external.crt
+pki-server cert-export ca_signing --cert-file tmp/external.crt
+
+./ca_signing-ca-sign.sh
+
+openssl crl2pkcs7 -nocrl \
+ -certfile tmp/external.crt \
+ -certfile tmp/ca_signing.crt \
+ -out tmp/ca_signing.p7b
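Review bot: The script has no header explaining the three-step flow, and `./ca_signing-ca-sign.sh` is invoked by a relative path whose output (presumably `tmp/ca_signing.crt`, given the following `-certfile`) is then bundled with no check in between, so a missing or failing helper still yields a `tmp/ca_signing.p7b` built from a leftover certificate. A header such as `# Signs tmp/ca_signing.csr with this instance's ca_signing key via ca_signing-ca-sign.sh and writes the chain (this CA + issued cert) to tmp/ca_signing.p7b; run from the scripts directory` would make the dependency on the working directory explicit. Adding `set -e` after the shebang keeps the chain from being built from stale files.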
diff --git a/scripts/subca-cmc-sign.sh b/scripts/subca-cmc-sign.sh
index 9a512ad..42daebd 100755
--- a/scripts/subca-cmc-sign.sh
+++ b/scripts/subca-cmc-sign.sh
@@ -1,74 +1,6 @@
#!/bin/sh
-mkdir -p tmp
+#pki cert-show 0x1 --output tmp/external.crt
+#openssl crl2pkcs7 -nocrl -certfile tmp/external.crt -out tmp/cert_chain.p7b
-cat > tmp/subca-cmc-request.cfg << EOF
-# NSS database directory.
-dbdir=$HOME/.dogtag/nssdb
-
-# NSS database password.
-password=Secret.123
-
-# Token name (default is internal).
-tokenname=internal
-
-# Nickname for agent certificate.
-nickname=caadmin
-
-# Request format: pkcs10 or crmf.
-format=pkcs10
-
-# Total number of PKCS10/CRMF requests.
-numRequests=1
-
-# Path to the PKCS10/CRMF request.
-# The content must be in Base-64 encoded format.
-# Multiple files are supported. They must be separated by space.
-input=$PWD/tmp/subca.csr
-
-# Path for the CMC request in binary format
-output=$PWD/tmp/subca-cmc-request.bin
-EOF
-
-CMCRequest tmp/subca-cmc-request.cfg
-
-cat > tmp/subca-cmc-submit.cfg << EOF
-# PKI server host name.
-host=$HOSTNAME
-
-# PKI server port number.
-port=8443
-
-# Use secure connection.
-# For secure connection with ECC, set environment variable 'export NSS_USE_DECODED_CKA_EC_POINT=1'.
-secure=true
-
-# Use client authentication.
-clientmode=true
-
-# NSS database directory.
-dbdir=$HOME/.dogtag/nssdb
-
-# NSS database password.
-password=Secret.123
-
-# Token name (default: internal).
-tokenname=internal
-
-# Nickname of agent certificate.
-nickname=caadmin
-
-# CMC servlet path
-#servlet=/ca/ee/ca/profileSubmitCMCFull
-servlet=/ca/ee/ca/profileSubmitCMCFull?profileId=caCMCcaCert
-
-# Path for the CMC request.
-input=tmp/subca-cmc-request.bin
-
-# Path for the CMC response.
-output=tmp/subca-cmc-response.bin
-EOF
-
-HttpClient tmp/subca-cmc-submit.cfg
-
-CMCResponse -i tmp/subca-cmc-response.bin -o tmp/subca.crt
+./ca_signing-cmc-sign.sh
diff --git a/scripts/subca-create.sh b/scripts/subca-create.sh
index eaef0f5..940f06e 100755
--- a/scripts/subca-create.sh
+++ b/scripts/subca-create.sh
@@ -2,19 +2,12 @@
mkdir -p tmp
-ROOT=`cat tmp/rootca.txt`
+ROOTCA=`cat tmp/rootca.hostname`
cat > tmp/subca.cfg << EOF
[DEFAULT]
pki_pin=Secret.123
-#pki_https_port=9443
-#pki_http_port=9443
-
-#[Tomcat]
-#pki_ajp_port=9009
-#pki_tomcat_server_port=9005
-
[CA]
pki_admin_email=caadmin@example.com
pki_admin_name=caadmin
@@ -22,38 +15,47 @@ pki_admin_nickname=caadmin
pki_admin_password=Secret.123
pki_admin_uid=caadmin
-pki_subordinate=True
-pki_issuing_ca_hostname=$ROOT
-pki_issuing_ca_https_port=8443
-pki_ca_signing_subject_dn=cn=Subordinate CA Signing Certificate,o=SUBORDINATE
-
pki_client_database_password=Secret.123
pki_client_database_purge=False
pki_client_pkcs12_password=Secret.123
pki_ds_base_dn=dc=ca,dc=pki,dc=example,dc=com
-pki_ds_database=ca
pki_ds_password=Secret.123
+pki_ds_database=ca
-pki_security_domain_hostname=$ROOT
-pki_security_domain_https_port=8443
+pki_subordinate=True
+
+pki_issuing_ca_hostname=$ROOTCA
+
+pki_security_domain_hostname=$ROOTCA
+#pki_security_domain_name=EXAMPLE
pki_security_domain_user=caadmin
pki_security_domain_password=Secret.123
-#pki_subordinate_create_new_security_domain=True
-#pki_subordinate_security_domain_name=SUBORDINATE
+pki_subordinate_create_new_security_domain=True
+pki_subordinate_security_domain_name=EXAMPLE
+
+pki_ca_signing_nickname=${PREFIX}ca_signing
+pki_ca_signing_subject_dn=cn=CA Signing Certificate,o=EXAMPLE
+pki_ca_signing_token=$TOKEN
-#pki_ca_signing_nickname=edewata/%(pki_instance_name)s/ca_signing
-#pki_ocsp_signing_nickname=edewata/%(pki_instance_name)s/ca_ocsp_signing
-#pki_audit_signing_nickname=edewata/%(pki_instance_name)s/ca_audit_signing
-#pki_sslserver_nickname=edewata/%(pki_instance_name)s/sslserver
-#pki_subsystem_nickname=edewata/%(pki_instance_name)s/subsystem
+pki_ocsp_signing_nickname=${PREFIX}ca_ocsp_signing
+pki_ocsp_signing_subject_dn=cn=CA OCSP Signing Certificate,o=EXAMPLE
+pki_ocsp_signing_token=$TOKEN
-pki_ca_signing_nickname=ca_signing
-pki_ocsp_signing_nickname=ca_ocsp_signing
-pki_audit_signing_nickname=ca_audit_signing
-pki_sslserver_nickname=sslserver
-pki_subsystem_nickname=subsystem
+pki_audit_signing_nickname=${PREFIX}ca_audit_signing
+pki_audit_signing_subject_dn=cn=CA Audit Signing Certificate,o=EXAMPLE
+pki_audit_signing_token=$TOKEN
+
+pki_sslserver_nickname=${PREFIX}sslserver/$HOSTNAME
+pki_sslserver_subject_dn=cn=$HOSTNAME,o=EXAMPLE
+pki_sslserver_token=$TOKEN
+
+pki_subsystem_nickname=${PREFIX}subsystem/$HOSTNAME
+pki_subsystem_subject_dn=cn=Subsystem Certificate,o=EXAMPLE
+pki_subsystem_token=$TOKEN
EOF
pkispawn -v -f tmp/subca.cfg -s CA
+
+echo $HOSTNAME > tmp/subca.hostname
diff --git a/scripts/subca-external-step1.sh b/scripts/subca-external-step1.sh
index d02ef72..cc0f51d 100755
--- a/scripts/subca-external-step1.sh
+++ b/scripts/subca-external-step1.sh
@@ -2,9 +2,7 @@
mkdir -p tmp
-ROOT=`cat tmp/rootca.txt`
-
-cat > tmp/subca.cfg << EOF
+cat > tmp/subca-step1.cfg << EOF
[DEFAULT]
pki_pin=Secret.123
@@ -20,23 +18,31 @@ pki_client_database_purge=False
pki_client_pkcs12_password=Secret.123
pki_ds_base_dn=dc=ca,dc=pki,dc=example,dc=com
-pki_ds_database=ca
pki_ds_password=Secret.123
+pki_ds_database=ca
-pki_security_domain_name=SUBORDINATE
-pki_token_password=Secret.123
+pki_security_domain_name=EXAMPLE
pki_external=True
pki_external_step_two=False
-pki_external_csr_path=tmp/subca.csr
-pki_ca_signing_subject_dn=cn=Subordinate CA Signing Certificate,o=SUBORDINATE
+pki_cert_chain_nickname=${PREFIX}external
+
+pki_ca_signing_nickname=${PREFIX}ca_signing
+pki_ca_signing_token=$TOKEN
+pki_external_csr_path=tmp/ca_signing.csr
+
+pki_ocsp_signing_nickname=${PREFIX}ca_ocsp_signing
+pki_ocsp_signing_token=$TOKEN
+
+pki_audit_signing_nickname=${PREFIX}ca_audit_signing
+pki_audit_signing_token=$TOKEN
+
+pki_sslserver_nickname=${PREFIX}sslserver/$HOSTNAME
+pki_sslserver_token=$TOKEN
-pki_ca_signing_nickname=ca_signing
-pki_ocsp_signing_nickname=ca_ocsp_signing
-pki_audit_signing_nickname=ca_audit_signing
-pki_sslserver_nickname=sslserver
-pki_subsystem_nickname=subsystem
+pki_subsystem_nickname=${PREFIX}subsystem/$HOSTNAME
+pki_subsystem_token=$TOKEN
EOF
-pkispawn -v -f tmp/subca.cfg -s CA
+pkispawn -vvv -f tmp/subca-step1.cfg -s CA
diff --git a/scripts/subca-external-step2.sh b/scripts/subca-external-step2.sh
index 3c50934..cdadf8b 100755
--- a/scripts/subca-external-step2.sh
+++ b/scripts/subca-external-step2.sh
@@ -2,7 +2,7 @@
mkdir -p tmp
-cat > tmp/subca.cfg << EOF
+cat > tmp/subca-step2.cfg << EOF
[DEFAULT]
pki_pin=Secret.123
@@ -18,27 +18,33 @@ pki_client_database_purge=False
pki_client_pkcs12_password=Secret.123
pki_ds_base_dn=dc=ca,dc=pki,dc=example,dc=com
-pki_ds_database=ca
pki_ds_password=Secret.123
+pki_ds_database=ca
-pki_security_domain_name=SUBORDINATE
-pki_token_password=Secret.123
+pki_security_domain_name=EXAMPLE
pki_external=True
pki_external_step_two=True
-pki_external_csr_path=tmp/subca.csr
-pki_external_ca_cert_path=tmp/subca.crt
-#pki_external_ca_cert_chain_nickname=Root CA Signing Certificate - ROOT
-#pki_external_ca_cert_chain_path=tmp/root.crt
+pki_cert_chain_nickname=${PREFIX}external
+pki_external_ca_cert_chain_path=tmp/external.crt
+
+pki_ca_signing_nickname=${PREFIX}ca_signing
+pki_ca_signing_token=$TOKEN
+pki_external_csr_path=tmp/ca_signing.csr
+pki_external_ca_cert_path=tmp/ca_signing.crt
+
+pki_ocsp_signing_nickname=${PREFIX}ca_ocsp_signing
+pki_ocsp_signing_token=$TOKEN
+
+pki_audit_signing_nickname=${PREFIX}ca_audit_signing
+pki_audit_signing_token=$TOKEN
-pki_ca_signing_subject_dn=cn=Subordinate CA Signing Certificate,o=SUBORDINATE
+pki_sslserver_nickname=${PREFIX}sslserver/$HOSTNAME
+pki_sslserver_token=$TOKEN
-pki_ca_signing_nickname=ca_signing
-pki_ocsp_signing_nickname=ca_ocsp_signing
-pki_audit_signing_nickname=ca_audit_signing
-pki_sslserver_nickname=sslserver
-pki_subsystem_nickname=subsystem
+pki_subsystem_nickname=${PREFIX}subsystem/$HOSTNAME
+pki_subsystem_token=$TOKEN
EOF
-pkispawn -v -f tmp/subca.cfg -s CA
+pkispawn -vvv -f tmp/subca-step2.cfg -s CA
diff --git a/scripts/subca-lunasa-create.sh b/scripts/subca-lunasa-create.sh
new file mode 100755
index 0000000..5a7315b
--- /dev/null
+++ b/scripts/subca-lunasa-create.sh
@@ -0,0 +1,72 @@
+#!/bin/sh -x
+
+mkdir -p tmp
+
+ROOT=`cat tmp/rootca.hostname`
+USER=`cat user.txt`
+PREFIX=$USER/
+
+TOKEN=lunasaDEV
+PASSWORD=devLuna555
+
+cat > tmp/subca.cfg << EOF
+[DEFAULT]
+pki_pin=Secret.123
+
+pki_hsm_enable=True
+pki_hsm_libfile=/usr/safenet/lunaclient/lib/libCryptoki2_64.so
+pki_hsm_modulename=lunasa
+pki_token_name=$TOKEN
+pki_token_password=$PASSWORD
+
+[CA]
+pki_admin_email=caadmin@example.com
+pki_admin_name=caadmin
+pki_admin_nickname=caadmin
+pki_admin_password=Secret.123
+pki_admin_uid=caadmin
+
+pki_client_database_password=Secret.123
+pki_client_database_purge=False
+pki_client_pkcs12_password=Secret.123
+
+pki_ds_base_dn=dc=ca,dc=pki,dc=example,dc=com
+pki_ds_password=Secret.123
+pki_ds_database=ca
+
+pki_subordinate=True
+
+pki_issuing_ca_hostname=$ROOT
+
+pki_security_domain_hostname=$ROOT
+pki_security_domain_name=EXAMPLE
+pki_security_domain_user=caadmin
+pki_security_domain_password=Secret.123
+
+pki_subordinate_create_new_security_domain=True
+pki_subordinate_security_domain_name=EXAMPLE
+
+pki_ca_signing_nickname=${PREFIX}ca_signing
+pki_ca_signing_subject_dn=CN=CA Signing Certificate,O=EXAMPLE
+pki_ca_signing_token=$TOKEN
+
+pki_ocsp_signing_nickname=${PREFIX}ca_ocsp_signing
+pki_ocsp_signing_subject_dn=CN=CA OCSP Signing Certificate,O=EXAMPLE
+pki_ocsp_signing_token=$TOKEN
+
+pki_audit_signing_nickname=${PREFIX}ca_audit_signing
+pki_audit_signing_subject_dn=CN=CA Audit Signing Certificate,O=EXAMPLE
+pki_audit_signing_token=$TOKEN
+
+pki_sslserver_nickname=${PREFIX}sslserver/$HOSTNAME
+pki_sslserver_subject_dn=CN=$HOSTNAME,O=EXAMPLE
+pki_sslserver_token=$TOKEN
+
+pki_subsystem_nickname=${PREFIX}subsystem/$HOSTNAME
+pki_subsystem_subject_dn=CN=Subsystem Certificate,O=EXAMPLE
+pki_subsystem_token=$TOKEN
+EOF
+
+pkispawn -v -f tmp/subca.cfg -s CA
+
+echo $HOSTNAME > tmp/ca.hostname
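Review bot: The last line writes the hostname to `tmp/ca.hostname`, but level3ca-create.sh reads `tmp/subca.hostname` and subca-create.sh writes `tmp/subca.hostname`, so a level-3 CA chained to a Luna-backed sub CA reads a missing file and gets an empty issuing-CA hostname; change it to `echo $HOSTNAME > tmp/subca.hostname`. `PASSWORD=devLuna555` hard-codes the HSM partition password in a committed script and `#!/bin/sh -x` traces it on every run, whereas the nfast variants read theirs from a file (`PASSWORD=$(cat NHSM6000-OCS.txt)`); reading it the same way, e.g. `PASSWORD=$(cat lunasa-password.txt)` (file name illustrative), keeps it out of the repository and the trace. The same hard-coded password is in subca-lunasa-external-step1.sh and subca-lunasa-external-step2.sh. `USER=$(cat user.txt)` also overwrites the shell's own `USER` variable; a name such as `OWNER` avoids surprising anything that reads it.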
diff --git a/scripts/subca-lunasa-external-step1.sh b/scripts/subca-lunasa-external-step1.sh
new file mode 100755
index 0000000..c7be635
--- /dev/null
+++ b/scripts/subca-lunasa-external-step1.sh
@@ -0,0 +1,63 @@
+#!/bin/sh -x
+
+mkdir -p tmp
+
+USER=`cat user.txt`
+PREFIX=$USER/
+
+TOKEN=lunasaDEV
+PASSWORD=devLuna555
+
+cat > tmp/subca-step1.cfg << EOF
+[DEFAULT]
+pki_pin=Secret.123
+
+pki_hsm_enable=True
+pki_hsm_libfile=/usr/safenet/lunaclient/lib/libCryptoki2_64.so
+#pki_hsm_libfile=/usr/lib/libcklog2.so
+pki_hsm_modulename=lunasa
+pki_token_name=$TOKEN
+pki_token_password=$PASSWORD
+
+[CA]
+pki_admin_email=caadmin@example.com
+pki_admin_name=caadmin
+pki_admin_nickname=caadmin
+pki_admin_password=Secret.123
+pki_admin_uid=caadmin
+
+pki_client_database_password=Secret.123
+pki_client_database_purge=False
+pki_client_pkcs12_password=Secret.123
+
+pki_ds_base_dn=dc=ca,dc=pki,dc=example,dc=com
+pki_ds_password=Secret.123
+pki_ds_database=ca
+
+pki_external=True
+pki_external_step_two=False
+
+pki_security_domain_name=EXAMPLE
+
+pki_cert_chain_nickname=${PREFIX}external
+
+pki_ca_signing_nickname=${PREFIX}ca_signing
+pki_ca_signing_token=$TOKEN
+pki_external_csr_path=tmp/ca_signing.csr
+
+pki_ocsp_signing_nickname=${PREFIX}ca_ocsp_signing
+pki_ocsp_signing_token=$TOKEN
+
+pki_audit_signing_nickname=${PREFIX}ca_audit_signing
+pki_audit_signing_token=$TOKEN
+
+pki_sslserver_nickname=${PREFIX}sslserver/$HOSTNAME
+pki_sslserver_token=$TOKEN
+
+pki_subsystem_nickname=${PREFIX}subsystem/$HOSTNAME
+pki_subsystem_token=$TOKEN
+EOF
+
+pkispawn -vvv -f tmp/subca-step1.cfg -s CA
+
+#/bin/cp -f tmp/ca_signing.csr .
diff --git a/scripts/subca-lunasa-external-step2.sh b/scripts/subca-lunasa-external-step2.sh
new file mode 100755
index 0000000..2ab1dc8
--- /dev/null
+++ b/scripts/subca-lunasa-external-step2.sh
@@ -0,0 +1,65 @@
+#!/bin/sh -x
+
+mkdir -p tmp
+
+USER=`cat user.txt`
+PREFIX=$USER/
+
+TOKEN=lunasaDEV
+PASSWORD=devLuna555
+
+cat > tmp/subca-step2.cfg << EOF
+[DEFAULT]
+pki_pin=Secret.123
+
+pki_hsm_enable=True
+pki_hsm_libfile=/usr/safenet/lunaclient/lib/libCryptoki2_64.so
+#pki_hsm_libfile=/usr/lib/libcklog2.so
+pki_hsm_modulename=lunasa
+pki_token_name=$TOKEN
+pki_token_password=$PASSWORD
+
+[CA]
+pki_admin_email=caadmin@example.com
+pki_admin_name=caadmin
+pki_admin_nickname=caadmin
+pki_admin_password=Secret.123
+pki_admin_uid=caadmin
+
+pki_client_database_password=Secret.123
+pki_client_database_purge=False
+pki_client_pkcs12_password=Secret.123
+
+pki_ds_base_dn=dc=ca,dc=pki,dc=example,dc=com
+pki_ds_password=Secret.123
+pki_ds_database=ca
+
+pki_external=True
+pki_external_step_two=True
+
+pki_security_domain_name=EXAMPLE
+
+pki_cert_chain_nickname=${PREFIX}external
+pki_external_ca_cert_chain_path=tmp/external.crt
+#pki_external_ca_cert_chain_path=tmp/cert_chain.p7b
+
+pki_ca_signing_nickname=${PREFIX}ca_signing
+pki_ca_signing_token=$TOKEN
+pki_external_csr_path=tmp/ca_signing.csr
+pki_external_ca_cert_path=tmp/ca_signing.crt
+#pki_external_ca_cert_path=tmp/ca_signing.p7b
+
+pki_ocsp_signing_nickname=${PREFIX}ca_ocsp_signing
+pki_ocsp_signing_token=$TOKEN
+
+pki_audit_signing_nickname=${PREFIX}ca_audit_signing
+pki_audit_signing_token=$TOKEN
+
+pki_sslserver_nickname=${PREFIX}sslserver/$HOSTNAME
+pki_sslserver_token=$TOKEN
+
+pki_subsystem_nickname=${PREFIX}subsystem
+pki_subsystem_token=$TOKEN
+EOF
+
+pkispawn -vvv -f tmp/subca-step2.cfg -s CA
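Review bot: `pki_subsystem_nickname=${PREFIX}subsystem` drops the `/$HOSTNAME` suffix that subca-lunasa-external-step1.sh uses (`pki_subsystem_nickname=${PREFIX}subsystem/$HOSTNAME`) and that every other script in this commit uses, so step 2 refers to a subsystem certificate nickname that step 1 never created on the token. Unless pkispawn regenerates the subsystem certificate in step 2, this should read `pki_subsystem_nickname=${PREFIX}subsystem/$HOSTNAME`.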
diff --git a/scripts/subca-nfast-external-step1.sh b/scripts/subca-nfast-external-step1.sh
new file mode 100755
index 0000000..91341de
--- /dev/null
+++ b/scripts/subca-nfast-external-step1.sh
@@ -0,0 +1,62 @@
+#!/bin/sh -x
+
+mkdir -p tmp
+
+USER=`cat user.txt`
+PREFIX=$USER/
+
+TOKEN=NHSM6000-OCS
+PASSWORD=`cat NHSM6000-OCS.txt`
+
+cat > tmp/subca-step1.cfg << EOF
+[DEFAULT]
+pki_pin=Secret.123
+
+pki_hsm_enable=True
+pki_hsm_libfile=/opt/nfast/toolkits/pkcs11/libcknfast.so
+pki_hsm_modulename=nfast
+pki_token_name=$TOKEN
+pki_token_password=$PASSWORD
+
+[CA]
+pki_admin_email=caadmin@example.com
+pki_admin_name=caadmin
+pki_admin_nickname=caadmin
+pki_admin_password=Secret.123
+pki_admin_uid=caadmin
+
+pki_client_database_password=Secret.123
+pki_client_database_purge=False
+pki_client_pkcs12_password=Secret.123
+
+pki_ds_base_dn=dc=ca,dc=pki,dc=example,dc=com
+pki_ds_password=Secret.123
+pki_ds_database=ca
+
+pki_security_domain_name=EXAMPLE
+
+pki_external=True
+pki_external_step_two=False
+
+#pki_cert_chain_nickname=${PREFIX}external
+
+pki_ca_signing_nickname=${PREFIX}ca_signing
+pki_ca_signing_token=$TOKEN
+#pki_external_csr_path=tmp/ca_signing.csr
+pki_ca_signing_csr_path=tmp/ca_signing.csr
+
+pki_ocsp_signing_nickname=${PREFIX}ca_ocsp_signing
+pki_ocsp_signing_token=$TOKEN
+
+pki_audit_signing_nickname=${PREFIX}ca_audit_signing
+pki_audit_signing_token=$TOKEN
+
+pki_sslserver_nickname=${PREFIX}sslserver/$HOSTNAME
+pki_sslserver_token=$TOKEN
+
+pki_subsystem_nickname=${PREFIX}subsystem/$HOSTNAME
+pki_subsystem_token=$TOKEN
+EOF
+
+pkispawn -vvv -f tmp/subca-step1.cfg -s CA
+
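Review bot: The CSR path is given as `pki_ca_signing_csr_path=tmp/ca_signing.csr` with `pki_external_csr_path` commented out, the reverse of every other step-1 script in this commit (`pki_external_csr_path=tmp/ca_signing.csr`); if the installed pkispawn recognises only one of the two names, the nfast run either writes no CSR or stops on an unknown key. The same switch is made in subca-nfast-external-step2.sh for both `pki_ca_signing_csr_path` and `pki_ca_signing_cert_path`. A comment recording which name is the supported one, e.g. `# pki_ca_signing_csr_path supersedes pki_external_csr_path — confirm against the installed pkispawn`, would stop the two conventions being mixed by accident. `pki_cert_chain_nickname` is also commented out here but set in the nfast step-2 script; if intentional, say so in a comment.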
diff --git a/scripts/subca-nfast-external-step2.sh b/scripts/subca-nfast-external-step2.sh
new file mode 100755
index 0000000..8b8949d
--- /dev/null
+++ b/scripts/subca-nfast-external-step2.sh
@@ -0,0 +1,65 @@
+#!/bin/sh -x
+
+mkdir -p tmp
+
+USER=`cat user.txt`
+PREFIX=$USER/
+
+TOKEN=NHSM6000-OCS
+PASSWORD=`cat NHSM6000-OCS.txt`
+
+cat > tmp/subca-step2.cfg << EOF
+[DEFAULT]
+pki_pin=Secret.123
+
+pki_hsm_enable=True
+pki_hsm_libfile=/opt/nfast/toolkits/pkcs11/libcknfast.so
+pki_hsm_modulename=nfast
+pki_token_name=$TOKEN
+pki_token_password=$PASSWORD
+
+[CA]
+pki_admin_email=caadmin@example.com
+pki_admin_name=caadmin
+pki_admin_nickname=caadmin
+pki_admin_password=Secret.123
+pki_admin_uid=caadmin
+
+pki_client_database_password=Secret.123
+pki_client_database_purge=False
+pki_client_pkcs12_password=Secret.123
+
+pki_ds_base_dn=dc=ca,dc=pki,dc=example,dc=com
+pki_ds_password=Secret.123
+pki_ds_database=ca
+
+pki_security_domain_name=EXAMPLE
+
+pki_external=True
+pki_external_step_two=True
+
+pki_cert_chain_nickname=${PREFIX}external
+pki_external_ca_cert_chain_path=tmp/external.crt
+#pki_external_ca_cert_chain_path=tmp/cert_chain.p7b
+
+pki_ca_signing_nickname=${PREFIX}ca_signing
+pki_ca_signing_token=$TOKEN
+#pki_external_csr_path=tmp/ca_signing.csr
+pki_ca_signing_csr_path=tmp/ca_signing.csr
+#pki_external_ca_cert_path=tmp/ca_signing.crt
+pki_ca_signing_cert_path=tmp/ca_signing.crt
+
+pki_ocsp_signing_nickname=${PREFIX}ca_ocsp_signing
+pki_ocsp_signing_token=$TOKEN
+
+pki_audit_signing_nickname=${PREFIX}ca_audit_signing
+pki_audit_signing_token=$TOKEN
+
+pki_sslserver_nickname=${PREFIX}sslserver/$HOSTNAME
+pki_sslserver_token=$TOKEN
+
+pki_subsystem_nickname=${PREFIX}subsystem/$HOSTNAME
+pki_subsystem_token=$TOKEN
+EOF
+
+pkispawn -vvv -f tmp/subca-step2.cfg -s CA
diff --git a/scripts/subca-nss-sign.sh b/scripts/subca-nss-sign.sh
new file mode 100755
index 0000000..67682ec
--- /dev/null
+++ b/scripts/subca-nss-sign.sh
@@ -0,0 +1,66 @@
+#!/bin/sh
+
+rm -rf tmp/external
+mkdir -p tmp/external
+certutil -N -d tmp/external -f password.txt
+openssl rand -out tmp/external/noise.bin 2048
+
+echo "## Generating external CA certificate..."
+
+ROOTCA_SKID="0x`openssl rand -hex 20`"
+
+echo -e "y\n\ny\n${ROOTCA_SKID}\n\n" | \
+ certutil -S \
+ -d tmp/external \
+ -f password.txt \
+ -z tmp/external/noise.bin \
+ -n "External CA" \
+ -s "CN=External CA,O=EXTERNAL" \
+ -x \
+ -t "CTu,Cu,Cu" \
+ -m $RANDOM\
+ -2 \
+ --keyUsage digitalSignature,nonRepudiation,certSigning,crlSigning,critical \
+ --extSKID
+
+# --nsCertType sslCA,smimeCA,objectSigningCA
+
+echo "## Exporting external CA certificate..."
+
+certutil -L -d tmp/external -n "External CA" -a > tmp/external.crt
+
+echo "## Signing the CA signing certificate..."
+
+SUBCA_SKID="0x`openssl rand -hex 20`"
+SUBCA_OCSP="http://$HOSTNAME:8080/ca/ocsp"
+
+echo -e "y\n\ny\ny\n${ROOTCA_SKID}\n\n\n\n${SUBCA_SKID}\n\n2\n7\n${SUBCA_OCSP}\n\n\n\n" | \
+ certutil -C \
+ -d tmp/external \
+ -f password.txt \
+ -m $RANDOM \
+ -a \
+ -i tmp/ca_signing.csr \
+ -o tmp/ca_signing.crt \
+ -c "External CA" \
+ --extSKID \
+ -2 -3 \
+ --keyUsage digitalSignature,nonRepudiation,certSigning,crlSigning,critical \
+ --extAIA \
+ --extSKID
+
+echo "## Generating certificate chain..."
+
+certutil -A -d tmp/external -n "CA Signing Certificate" -t "CT,C,C" -a -i tmp/ca_signing.crt
+
+#openssl crl2pkcs7 -nocrl -certfile tmp/external.crt -out tmp/cert_chain.p7b
+#openssl crl2pkcs7 -nocrl -certfile tmp/external.crt -certfile tmp/ca_signing.crt -out tmp/cert_chain.p7b
+
+#certutil -C \
+# -d tmp/external \
+# -f password.txt \
+# -m $RANDOM \
+# -a \
+# -i tmp/ca_signing.csr \
+# -o tmp/ca_signing.crt \
+# -c "External CA"
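Review bot: `echo -e` and `$RANDOM` in the two certutil pipelines are bash features used under `#!/bin/sh`; on a dash-backed `/bin/sh`, `echo -e` prints a literal `-e` and the scripted answers to certutil's extension prompts go out of step, and `$RANDOM` expands to nothing so `-m` consumes the next option as its serial. The smallest fix is `#!/bin/bash`, since the script depends on bash anyway; otherwise feed the answers with `printf 'y\n\ny\n%s\n\n' "$ROOTCA_SKID" | certutil -S ...` and generate the serial outside the shell. `--extSKID` is also passed twice on the `certutil -C` call, and `-m $RANDOM\` lacks a space before the continuation backslash (it still works, but reads as a typo). A one-line comment above each prompt sequence saying which certutil question each `y`/blank answers would make these scripted dialogues maintainable.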
diff --git a/scripts/subca-openssl-sign.sh b/scripts/subca-openssl-sign.sh
new file mode 100755
index 0000000..1d76d0d
--- /dev/null
+++ b/scripts/subca-openssl-sign.sh
@@ -0,0 +1,106 @@
+#!/bin/sh
+
+mkdir -p tmp
+
+cat > tmp/external.cfg << EOF
+HOME = tmp
+RANDFILE = tmp/random.bin
+
+####################################################################
+[ ca ]
+default_ca = CA_default # The default ca section
+
+[ CA_default ]
+
+default_days = 1000 # how long to certify for
+default_crl_days = 30 # how long before next CRL
+default_md = sha256 # use public key default MD
+preserve = no # keep passed DN ordering
+
+x509_extensions = ca_extensions # The extensions to add to the cert
+
+email_in_dn = no # Don't concat the email in the DN
+copy_extensions = copy # Required to copy SANs from CSR to cert
+
+####################################################################
+[ req ]
+default_bits = 4096
+default_keyfile = tmp/external.key
+distinguished_name = ca_distinguished_name
+x509_extensions = ca_extensions
+string_mask = utf8only
+
+####################################################################
+[ ca_distinguished_name ]
+countryName = Country Name (2 letter code)
+countryName_default = US
+
+stateOrProvinceName = State or Province Name (full name)
+stateOrProvinceName_default = Maryland
+
+localityName = Locality Name (eg, city)
+localityName_default = Baltimore
+
+organizationName = Organization Name (eg, company)
+organizationName_default = Test CA, Limited
+
+organizationalUnitName = Organizational Unit (eg, division)
+organizationalUnitName_default = Server Research Department
+
+commonName = Common Name (e.g. server FQDN or YOUR name)
+commonName_default = Test CA
+
+emailAddress = Email Address
+emailAddress_default = test@example.com
+
+####################################################################
+[ ca_extensions ]
+
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always, issuer
+basicConstraints = critical, CA:true
+keyUsage = critical, digitalSignature, nonRepudiation, keyCertSign, cRLSign
+EOF
+
+openssl req \
+ -config tmp/external.cfg \
+ -newkey rsa:2048 \
+ -keyout tmp/external.key \
+ -nodes \
+ -x509 \
+ -out tmp/external.crt \
+ -subj "/O=EXTERNAL/CN=External CA" \
+ -days 365
+
+openssl x509 -text -noout -in tmp/external.crt
+
+################################################################################
+# Issuing CA signing certificate
+
+cat > tmp/ca_signing-ext.cfg << EOF
+[ ca_extensions ]
+
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always, issuer
+basicConstraints = critical, CA:true
+keyUsage = critical, digitalSignature, nonRepudiation, keyCertSign, cRLSign
+EOF
+
+openssl x509 -req \
+ -CA tmp/external.crt \
+ -CAkey tmp/external.key \
+ -CAcreateserial \
+ -in tmp/ca_signing.csr \
+ -out tmp/ca_signing.crt \
+ -extfile tmp/external.cfg \
+ -extensions ca_extensions \
+ -set_serial 1
+
+openssl x509 -text -noout -in tmp/ca_signing.crt
+
+################################################################################
+# Exporting certificate chain
+
+openssl crl2pkcs7 -nocrl \
+ -certfile tmp/external.crt \
+ -out tmp/cert_chain.p7b
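Review bot: `tmp/ca_signing-ext.cfg` is generated under the "Issuing CA signing certificate" heading but never used: the `openssl x509 -req` call passes `-extfile tmp/external.cfg`, so the issued certificate's extensions come from the external CA config and the dedicated file is dead output. Change that line to `-extfile tmp/ca_signing-ext.cfg` (or delete the heredoc). `-CAcreateserial` and `-set_serial 1` are also both given; `-set_serial` appears to take precedence, so every run issues serial 1, which is harmless only because `openssl req -newkey` regenerates the external CA each run — worth a comment such as `# serial fixed at 1: the external CA key is regenerated on every run`. Note the chain written at the end holds only `tmp/external.crt`, unlike subca-ca-sign.sh, which bundles `tmp/ca_signing.crt` as well.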
diff --git a/scripts/subca-softcard-external-step1.sh b/scripts/subca-softcard-external-step1.sh
new file mode 100755
index 0000000..37c331d
--- /dev/null
+++ b/scripts/subca-softcard-external-step1.sh
@@ -0,0 +1,61 @@
+#!/bin/sh -x
+
+mkdir -p tmp
+
+USER=`cat user.txt`
+PREFIX=$USER/
+
+TOKEN=softcard
+PASSWORD=Secret.123
+
+cat > tmp/subca-step1.cfg << EOF
+[DEFAULT]
+pki_pin=Secret.123
+
+pki_hsm_enable=True
+pki_hsm_libfile=/opt/nfast/toolkits/pkcs11/libcknfast.so
+pki_hsm_modulename=nfast
+pki_token_name=$TOKEN
+pki_token_password=$PASSWORD
+
+[CA]
+pki_admin_email=caadmin@example.com
+pki_admin_name=caadmin
+pki_admin_nickname=caadmin
+pki_admin_password=Secret.123
+pki_admin_uid=caadmin
+
+pki_client_database_password=Secret.123
+pki_client_database_purge=False
+pki_client_pkcs12_password=Secret.123
+
+pki_ds_base_dn=dc=ca,dc=pki,dc=example,dc=com
+pki_ds_password=Secret.123
+pki_ds_database=ca
+
+pki_security_domain_name=EXAMPLE
+
+pki_external=True
+pki_external_step_two=False
+
+#pki_cert_chain_nickname=${PREFIX}external
+
+#pki_ca_signing_nickname=${PREFIX}ca_signing
+pki_ca_signing_token=$TOKEN
+pki_external_csr_path=tmp/ca_signing.csr
+
+pki_ocsp_signing_nickname=${PREFIX}ca_ocsp_signing
+pki_ocsp_signing_token=$TOKEN
+
+pki_audit_signing_nickname=${PREFIX}ca_audit_signing
+pki_audit_signing_token=$TOKEN
+
+pki_ssl_server_nickname=${PREFIX}sslserver/$HOSTNAME
+pki_ssl_server_token=$TOKEN
+
+pki_subsystem_nickname=${PREFIX}subsystem/$HOSTNAME
+pki_subsystem_token=$TOKEN
+EOF
+
+pkispawn -vvv -f tmp/subca-step1.cfg -s CA
+
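Review bot: `pki_ssl_server_nickname` and `pki_ssl_server_token` do not match the `pki_sslserver_nickname` / `pki_sslserver_token` keys used by every other script in this commit (e.g. subca-nfast-external-step1.sh), so if pkispawn ignores unknown keys the SSL server certificate is created under the default nickname on the default token rather than on the softcard. The same two keys are misspelt in subca-softcard-external-step2.sh. They should read `pki_sslserver_nickname=${PREFIX}sslserver/$HOSTNAME` and `pki_sslserver_token=$TOKEN`. `pki_ca_signing_nickname` is also commented out here while `pki_ca_signing_token` is set, unlike the nfast variant; if that is deliberate, a comment saying why would help.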
diff --git a/scripts/subca-softcard-external-step2.sh b/scripts/subca-softcard-external-step2.sh
new file mode 100755
index 0000000..cd6b534
--- /dev/null
+++ b/scripts/subca-softcard-external-step2.sh
@@ -0,0 +1,63 @@
+#!/bin/sh -x
+
+mkdir -p tmp
+
+USER=`cat user.txt`
+PREFIX=USER/
+
+TOKEN=softcard
+PASSWORD=Secret.123
+
+cat > tmp/subca-step2.cfg << EOF
+[DEFAULT]
+pki_pin=Secret.123
+
+pki_hsm_enable=True
+pki_hsm_libfile=/opt/nfast/toolkits/pkcs11/libcknfast.so
+pki_hsm_modulename=nfast
+pki_token_name=$TOKEN
+pki_token_password=$PASSWORD
+
+[CA]
+pki_admin_email=caadmin@example.com
+pki_admin_name=caadmin
+pki_admin_nickname=caadmin
+pki_admin_password=Secret.123
+pki_admin_uid=caadmin
+
+pki_client_database_password=Secret.123
+pki_client_database_purge=False
+pki_client_pkcs12_password=Secret.123
+
+pki_ds_base_dn=dc=ca,dc=pki,dc=example,dc=com
+pki_ds_password=Secret.123
+pki_ds_database=ca
+
+pki_security_domain_name=EXAMPLE
+
+pki_external=True
+pki_external_step_two=True
+
+#pki_cert_chain_nickname=${PREFIX}external
+pki_external_ca_cert_chain_path=tmp/external.crt
+#pki_external_ca_cert_chain_path=tmp/cert_chain.p7b
+
+#pki_ca_signing_nickname=${PREFIX}ca_signing
+pki_ca_signing_token=$TOKEN
+pki_external_csr_path=tmp/ca_signing.csr
+pki_external_ca_cert_path=tmp/ca_signing.crt
+
+pki_ocsp_signing_nickname=${PREFIX}ca_ocsp_signing
+pki_ocsp_signing_token=$TOKEN
+
+pki_audit_signing_nickname=${PREFIX}ca_audit_signing
+pki_audit_signing_token=$TOKEN
+
+pki_ssl_server_nickname=${PREFIX}sslserver/$HOSTNAME
+pki_ssl_server_token=$TOKEN
+
+pki_subsystem_nickname=${PREFIX}subsystem/$HOSTNAME
+pki_subsystem_token=$TOKEN
+EOF
+
+pkispawn -vvv -f tmp/subca-step2.cfg -s CA
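Review bot: `PREFIX=USER/` is missing the `$`, so every nickname in this step is rendered with the literal prefix `USER/`, while step 1 (subca-softcard-external-step1.sh) used `PREFIX=$USER/`; step 2 therefore looks for `USER/ca_ocsp_signing` and friends on the token, which step 1 never created. Change it to `PREFIX=$USER/`.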