author | Endi S. Dewata <edewata@redhat.com> | 2017-07-12 17:28:37 +0200 |
---|---|---|
committer | Endi S. Dewata <edewata@redhat.com> | 2017-07-12 17:28:37 +0200 |
commit | 3190be941ce9bb8b05b1bf9d49aa95480c1ba77b (patch) | |
tree | 33b37845f9a405ef9ce4b8396ac8f180e5794154 /scripts/ca-external-nss-sign.sh | |
parent | da5d725379fff33a445c0b0a5c510b62e2485c88 (diff) | |
Updated CA scripts.
Diffstat (limited to 'scripts/ca-external-nss-sign.sh')
-rwxr-xr-x | scripts/ca-external-nss-sign.sh | 67 |
1 files changed, 67 insertions, 0 deletions
diff --git a/scripts/ca-external-nss-sign.sh b/scripts/ca-external-nss-sign.sh
new file mode 100755
index 0000000..f8b4bc9
--- /dev/null
+++ b/scripts/ca-external-nss-sign.sh
@@ -0,0 +1,67 @@
+#!/bin/sh
+
+rm -rf external
+mkdir external
+certutil -N -d external -f password.txt
+openssl rand -out external/noise.bin 2048
+
+echo "## Generating external CA certificate..."
+
+#ROOTCA_SKID="0x847bb8664d7a32f182974ca861fb26867ecb42cd"
+ROOTCA_SKID="0x`openssl rand -hex 20`"
+
+echo -e "y\n\ny\n${ROOTCA_SKID}\n\n" | \
+ certutil -S \
+ -d external \
+ -f password.txt \
+ -z external/noise.bin \
+ -n "External CA" \
+ -s "CN=External CA,O=EXTERNAL" \
+ -x \
+ -t "CTu,Cu,Cu" \
+ -m $RANDOM\
+ -2 \
+ --keyUsage digitalSignature,nonRepudiation,certSigning,crlSigning,critical \
+ --extSKID
+
+# --keyUsage certSigning \
+# --nsCertType sslCA,smimeCA,objectSigningCA
+echo "## Exporting external CA certificate..."
+
+certutil -L -d external -n "External CA" -a > external.crt
+
+echo "## Signing the CA signing certificate..."
+
+#SUBCA_SKID="0x7d34de0374bcb294d5447479060266a52310e9ce"
+SUBCA_SKID="0x`openssl rand -hex 20`"
+SUBCA_OCSP="http://$HOSTNAME:8080/ca/ocsp"
+
+echo -e "y\n\ny\ny\n${ROOTCA_SKID}\n\n\n\n${SUBCA_SKID}\n\n2\n7\n${SUBCA_OCSP}\n\n\n\n" | \
+ certutil -C \
+ -d external \
+ -f password.txt \
+ -m $RANDOM \
+ -a \
+ -i ca_signing.csr \
+ -o ca_signing.crt \
+ -c "External CA" \
+ --extSKID \
+ -2 -3 \
+ --keyUsage digitalSignature,nonRepudiation,certSigning,crlSigning,critical \
+ --extAIA \
+ --extSKID
+
+echo "## Generating certificate chain..."
+
+certutil -A -d external -n "CA Signing Certificate" -t "CT,C,C" -a -i ca_signing.crt
+
+openssl crl2pkcs7 -nocrl -certfile external.crt -out cert_chain.p7b
+#openssl crl2pkcs7 -nocrl -certfile external.crt -certfile ca_signing.crt -out cert_chain.p7b
+
+#certutil -C \
+# -d external \
+# -f password.txt \
+# -m $RANDOM \
+# -a -i ca_signing.csr \
+# -o ca_signing.crt \
+# -c "External CA" |
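Review bot: The serial numbers come from `-m $RANDOM` in both the `certutil -S` and the `certutil -C` call, which is a non-cryptographic value in a 15-bit range, so the two certificates issued by "External CA" can end up with the same serial and the serials are guessable. `$RANDOM` and `echo -e` are also not defined for a POSIX `/bin/sh`; on a non-bash `sh`, `$RANDOM` would likely expand to nothing and leave `-m` without a value, and `echo -e` may write a literal `-e` into the answers piped to certutil. I would change the shebang to `#!/bin/bash`, add `set -e` directly below it so a failed certutil step does not go on to write `external.crt` and `cert_chain.p7b`, and take the serial from `openssl rand` the way the SKID lines already do, in whatever numeric form this certutil's `-m` accepts.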