authorEndi S. Dewata <edewata@redhat.com>2017-07-12 17:28:37 +0200
committerEndi S. Dewata <edewata@redhat.com>2017-07-12 17:28:37 +0200
commit3190be941ce9bb8b05b1bf9d49aa95480c1ba77b (patch)
tree33b37845f9a405ef9ce4b8396ac8f180e5794154 /scripts/ca-external-nss-sign.sh
parentda5d725379fff33a445c0b0a5c510b62e2485c88 (diff)
Updated CA scripts.
Diffstat (limited to 'scripts/ca-external-nss-sign.sh')
-rwxr-xr-xscripts/ca-external-nss-sign.sh67
1 files changed, 67 insertions, 0 deletions
diff --git a/scripts/ca-external-nss-sign.sh b/scripts/ca-external-nss-sign.sh
new file mode 100755
index 0000000..f8b4bc9
--- /dev/null
+++ b/scripts/ca-external-nss-sign.sh
@@ -0,0 +1,67 @@
+#!/bin/sh
+
+rm -rf external
+mkdir external
+certutil -N -d external -f password.txt
+openssl rand -out external/noise.bin 2048
+
+echo "## Generating external CA certificate..."
+
+#ROOTCA_SKID="0x847bb8664d7a32f182974ca861fb26867ecb42cd"
+ROOTCA_SKID="0x`openssl rand -hex 20`"
+
+echo -e "y\n\ny\n${ROOTCA_SKID}\n\n" | \
+ certutil -S \
+ -d external \
+ -f password.txt \
+ -z external/noise.bin \
+ -n "External CA" \
+ -s "CN=External CA,O=EXTERNAL" \
+ -x \
+ -t "CTu,Cu,Cu" \
+ -m $RANDOM\
+ -2 \
+ --keyUsage digitalSignature,nonRepudiation,certSigning,crlSigning,critical \
+ --extSKID
+
+# --keyUsage certSigning \
+# --nsCertType sslCA,smimeCA,objectSigningCA
+echo "## Exporting external CA certificate..."
+
+certutil -L -d external -n "External CA" -a > external.crt
+
+echo "## Signing the CA signing certificate..."
+
+#SUBCA_SKID="0x7d34de0374bcb294d5447479060266a52310e9ce"
+SUBCA_SKID="0x`openssl rand -hex 20`"
+SUBCA_OCSP="http://$HOSTNAME:8080/ca/ocsp"
+
+echo -e "y\n\ny\ny\n${ROOTCA_SKID}\n\n\n\n${SUBCA_SKID}\n\n2\n7\n${SUBCA_OCSP}\n\n\n\n" | \
+ certutil -C \
+ -d external \
+ -f password.txt \
+ -m $RANDOM \
+ -a \
+ -i ca_signing.csr \
+ -o ca_signing.crt \
+ -c "External CA" \
+ --extSKID \
+ -2 -3 \
+ --keyUsage digitalSignature,nonRepudiation,certSigning,crlSigning,critical \
+ --extAIA \
+ --extSKID
+
+echo "## Generating certificate chain..."
+
+certutil -A -d external -n "CA Signing Certificate" -t "CT,C,C" -a -i ca_signing.crt
+
+openssl crl2pkcs7 -nocrl -certfile external.crt -out cert_chain.p7b
+#openssl crl2pkcs7 -nocrl -certfile external.crt -certfile ca_signing.crt -out cert_chain.p7b
+
+#certutil -C \
+# -d external \
+# -f password.txt \
+# -m $RANDOM \
+# -a -i ca_signing.csr \
+# -o ca_signing.crt \
+# -c "External CA"
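Review bot: The script declares `#!/bin/sh` but relies on bash behaviour in both certutil invocations: `echo -e` on the lines feeding the `-S` and `-C` prompts, and `$RANDOM` for `-m`. Under a POSIX `/bin/sh` such as dash, `echo -e` prints the literal `-e` as the first prompt answer and `$RANDOM` expands to empty, so `-m` silently takes the next token (`-2`) as the serial number and the extension prompts are answered out of step. Either change the first line to `#!/bin/bash` or keep `sh` and replace each `echo -e "..." | \` with `printf '...' | \`, which handles the `\n` escapes portably. Separately, `$RANDOM` gives only 15 bits, so the root and subordinate serials can collide across runs of this script; a comment noting this is a test-only CA, or `-m "$(openssl rand -hex 8)"`-style serials, would be worth adding. The `--extSKID` option is also passed twice in the `-C` call (once after `-c "External CA"` and again as the last argument); the second occurrence can be dropped.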