authorEndi S. Dewata <edewata@redhat.com>2017-08-01 04:54:31 +0200
committerEndi S. Dewata <edewata@redhat.com>2017-08-01 04:54:31 +0200
commit41d7cfc3d97918e736331af85818a6969161803b (patch)
treed133582da0bef31633d364f07df806ce6a83553b /scripts
parent78fcfec59faee408142ed75e61025ccab0c72acc (diff)
Updated CA scripts.
Diffstat (limited to 'scripts')
-rwxr-xr-xscripts/ca-clone-create.sh41
-rwxr-xr-xscripts/ca-clone-prep.sh19
-rwxr-xr-xscripts/ca-create.sh2
-rwxr-xr-xscripts/ca-existing-create.sh46
-rwxr-xr-xscripts/ca-existing-export.sh11
-rwxr-xr-xscripts/ca-export.sh46
-rwxr-xr-xscripts/ca-external-step1.sh4
-rwxr-xr-xscripts/ca-external-step2.sh4
-rwxr-xr-xscripts/ca-nfast-create.sh61
9 files changed, 163 insertions, 71 deletions
diff --git a/scripts/ca-clone-create.sh b/scripts/ca-clone-create.sh
index b890789..251cc7a 100755
--- a/scripts/ca-clone-create.sh
+++ b/scripts/ca-clone-create.sh
@@ -1,14 +1,12 @@
#!/bin/sh -x
-MASTER=`cat master.txt`
+mkdir -p tmp
-/bin/cp ca_backup_keys.p12 /tmp
-/bin/cp ca_admin.cert /tmp
-/bin/cp ca_admin_cert.p12 /tmp
+MASTER=`cat tmp/master.txt`
-cat > ca-clone.cfg << EOF
-#[DEFAULT]
-#pki_pin=Secret.123
+cat > tmp/ca-clone.cfg << EOF
+[DEFAULT]
+pki_pin=Secret.123
[CA]
pki_admin_email=caadmin@example.com
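Review bot: The `MASTER=` assignment on the line after `mkdir -p tmp` has no fallback when tmp/master.txt is missing, and the `echo $HOSTNAME > tmp/master.txt` line in ca-clone-prep.sh that used to write it is commented out in this same commit, so a fresh checkout silently produces `pki_clone_uri=https://:8443` and the failure surfaces only inside pkispawn. Guard it: `MASTER=$(cat tmp/master.txt) || exit 1` followed by `[ -n "$MASTER" ] || { echo "tmp/master.txt is empty" >&2; exit 1; }`. Separately, with `pki_pin=Secret.123` now active the generated tmp/ca-clone.cfg holds the NSS database password next to the admin and DS passwords and is created under the default umask; a `umask 077` right after `mkdir -p tmp` keeps the cfg private. The same applies to the cfg heredocs in ca-create.sh, ca-existing-create.sh, ca-external-step1.sh, ca-external-step2.sh and ca-nfast-create.sh in this commit.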
@@ -37,12 +35,14 @@ pki_clone=True
pki_clone_replicate_schema=True
pki_clone_uri=https://$MASTER:8443
-# PKI 9
-#pki_ca_signing_nickname=caSigningCert cert-pki-ca
-#pki_ocsp_signing_nickname=ocspSigningCert cert-pki-ca
-#pki_audit_signing_nickname=auditSigningCert cert-pki-ca
-#pki_ssl_server_nickname=Server-Cert cert-pki-ca
-#pki_subsystem_nickname=subsystemCert cert-pki-ca
+# Dogtag 10.3
+#pki_server_pkcs12_path=$PWD/tmp/ca-certs.p12
+#pki_server_pkcs12_password=Secret.123
+
+# Dogtag 10.2
+pki_clone_pkcs12_password=Secret.123
+#pki_clone_pkcs12_path=$PWD/tmp/ca_backup_keys.p12
+pki_clone_pkcs12_path=$PWD/tmp/ca-certs.p12
# PKI 10
pki_ca_signing_nickname=ca_signing
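Review bot: The Dogtag 10.2 block leaves two candidate values for `pki_clone_pkcs12_path` (`$PWD/tmp/ca_backup_keys.p12` commented, `$PWD/tmp/ca-certs.p12` active) with nothing saying which one is the right input. ca-clone-prep.sh in this commit produces both files (PKCS12Export writes ca_backup_keys.p12, `pki-server ca-clone-prepare` writes ca-certs.p12), so a one-line comment such as `# ca-certs.p12 comes from 'pki-server ca-clone-prepare' in ca-clone-prep.sh; ca_backup_keys.p12 is the full PKCS12Export dump` would stop the next reader from swapping them.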
@@ -51,13 +51,12 @@ pki_audit_signing_nickname=ca_audit_signing
pki_ssl_server_nickname=sslserver
pki_subsystem_nickname=subsystem
-# Dogtag 10.2 only
-pki_clone_pkcs12_password=Secret.123
-pki_clone_pkcs12_path=/tmp/ca_backup_keys.p12
-
-# Dogtag 10.3 only
-#pki_server_pkcs12_path=pki-server.p12
-#pki_server_pkcs12_password=Secret.123
+# PKI 9
+#pki_ca_signing_nickname=caSigningCert cert-pki-ca
+#pki_ocsp_signing_nickname=ocspSigningCert cert-pki-ca
+#pki_audit_signing_nickname=auditSigningCert cert-pki-ca
+#pki_ssl_server_nickname=Server-Cert cert-pki-ca
+#pki_subsystem_nickname=subsystemCert cert-pki-ca
EOF
-pkispawn -vvv -f ca-clone.cfg -s CA
+pkispawn -vvv -f tmp/ca-clone.cfg -s CA
diff --git a/scripts/ca-clone-prep.sh b/scripts/ca-clone-prep.sh
index ffd5538..3993580 100755
--- a/scripts/ca-clone-prep.sh
+++ b/scripts/ca-clone-prep.sh
@@ -1,17 +1,16 @@
#!/bin/sh -x
-echo $HOSTNAME > master.txt
+mkdir -p tmp
-grep "internal=" /var/lib/pki/pki-tomcat/conf/password.conf | awk -F= '{print $2}' > internal.txt
-echo Secret.123 > password.txt
+#echo $HOSTNAME > tmp/master.txt
-PKCS12Export -debug -d /var/lib/pki/pki-tomcat/alias -p internal.txt -w password.txt -o ca_backup_keys.p12
+grep "internal=" /var/lib/pki/pki-tomcat/conf/password.conf | awk -F= '{print $2}' > tmp/internal.txt
-pki pkcs12-cert-find --pkcs12-file ca_backup_keys.p12 --pkcs12-password Secret.123
+PKCS12Export -debug -d /var/lib/pki/pki-tomcat/alias -p tmp/internal.txt -w password.txt -o tmp/ca_backup_keys.p12
+pki pkcs12-cert-find --pkcs12-file tmp/ca_backup_keys.p12 --pkcs12-password-file password.txt
-pki-server ca-clone-prepare --pkcs12-file pki-server.p12 --pkcs12-password Secret.123
+pki-server ca-clone-prepare --pkcs12-file tmp/ca-certs.p12 --pkcs12-password-file password.txt
+pki pkcs12-cert-find --pkcs12-file tmp/ca-certs.p12 --pkcs12-password-file password.txt
-pki pkcs12-cert-find --pkcs12-file pki-server.p12 --pkcs12-password Secret.123
-
-cp ~/.dogtag/pki-tomcat/ca_admin.cert .
-cp ~/.dogtag/pki-tomcat/ca_admin_cert.p12 .
+#cp ~/.dogtag/pki-tomcat/ca_admin.cert tmp
+#cp ~/.dogtag/pki-tomcat/ca_admin_cert.p12 tmp
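Review bot: `tmp/internal.txt` on the `grep "internal="` line now receives the server's internal token password copied out of /var/lib/pki/pki-tomcat/conf/password.conf, and nothing removes it once PKCS12Export has consumed it. Add `rm -f tmp/internal.txt` after the PKCS12Export line, or run the script under `umask 077` so the copy is not created with the default mode; ca-export.sh in this commit makes the same extracted copy. The `#echo $HOSTNAME > tmp/master.txt` line is now commented out although ca-clone-create.sh still reads tmp/master.txt, so presumably the file is now provided by hand; a comment such as `# tmp/master.txt must contain the master CA hostname; ca-clone-create.sh reads it` should say so.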
diff --git a/scripts/ca-create.sh b/scripts/ca-create.sh
index 32c8925..cc1bf21 100755
--- a/scripts/ca-create.sh
+++ b/scripts/ca-create.sh
@@ -4,7 +4,7 @@ mkdir -p tmp
cat > tmp/ca.cfg << EOF
[DEFAULT]
-#pki_pin=Secret.123
+pki_pin=Secret.123
[CA]
pki_admin_email=caadmin@example.com
diff --git a/scripts/ca-existing-create.sh b/scripts/ca-existing-create.sh
index a3b5a88..d020a62 100755
--- a/scripts/ca-existing-create.sh
+++ b/scripts/ca-existing-create.sh
@@ -1,9 +1,45 @@
#!/bin/sh -x
-rm -rf /tmp/ca_signing.csr
-rm -rf /tmp/ca.p12
+mkdir -p tmp
-/bin/cp ca_signing.csr /tmp
-/bin/cp ca.p12 /tmp
+cat > tmp/ca-existing.cfg << EOF
+[DEFAULT]
+pki_pin=Secret.123
-pkispawn -v -f ca-existing.cfg -s CA
+[CA]
+pki_admin_email=caadmin@example.com
+pki_admin_name=caadmin
+pki_admin_nickname=caadmin
+pki_admin_password=Secret.123
+pki_admin_uid=caadmin
+
+pki_client_database_password=Secret.123
+pki_client_database_purge=False
+pki_client_pkcs12_password=Secret.123
+
+pki_ds_base_dn=dc=ca,dc=pki,dc=example,dc=com
+pki_ds_password=Secret.123
+pki_ds_database=ca
+
+pki_security_domain_name=EXAMPLE
+
+pki_token_password=Secret.123
+
+pki_existing=True
+
+pki_ca_signing_nickname=ca_signing
+pki_ca_signing_csr_path=$PWD/tmp/ca_signing.csr
+
+pki_ocsp_signing_nickname=ca_ocsp_signing
+pki_ssl_server_nickname=sslserver
+pki_subsystem_nickname=subsystem
+pki_audit_signing_nickname=ca_audit_signing
+
+pki_pkcs12_path=$PWD/tmp/ca-certs.p12
+pki_pkcs12_password=Secret.123
+
+#pki_serial_number_range_start=6
+#pki_request_number_range_start=1
+EOF
+
+pkispawn -v -f tmp/ca-existing.cfg -s CA
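Review bot: The heredoc points `pki_ca_signing_csr_path` and `pki_pkcs12_path` at `$PWD/tmp/ca_signing.csr` and `$PWD/tmp/ca-certs.p12`, but nothing checks that those files exist before pkispawn runs, so a missing export (they are produced by ca-existing-export.sh) is only noticed once pkispawn reaches them. Insert `for f in tmp/ca_signing.csr tmp/ca-certs.p12; do [ -f "$f" ] || { echo "missing $f (run ca-existing-export.sh first)" >&2; exit 1; }; done` after `mkdir -p tmp`. Note also that `$PWD` is expanded when the cfg is written, so the generated cfg is only valid from the directory the script was launched in; a short comment above the heredoc stating that would help.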
diff --git a/scripts/ca-existing-export.sh b/scripts/ca-existing-export.sh
index fdefc58..d8c0bd0 100755
--- a/scripts/ca-existing-export.sh
+++ b/scripts/ca-existing-export.sh
@@ -1,12 +1,11 @@
#!/bin/sh -x
-rm -rf ca_signing.csr
-rm -rf ca.p12
+mkdir -p tmp
pki-server subsystem-cert-export ca signing \
- --csr-file ca_signing.csr \
- --pkcs12-file ca.p12 \
+ --csr-file tmp/ca_signing.csr \
+ --pkcs12-file tmp/ca-certs.p12 \
--pkcs12-password-file password.txt
-pki pkcs12-cert-find --pkcs12-file ca.p12 --pkcs12-password-file password.txt
-pki pkcs12-key-find --pkcs12-file ca.p12 --pkcs12-password-file password.txt
+pki pkcs12-cert-find --pkcs12-file tmp/ca-certs.p12 --pkcs12-password-file password.txt
+pki pkcs12-key-find --pkcs12-file tmp/ca-certs.p12 --pkcs12-password-file password.txt
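Review bot: The removed `rm -rf ca_signing.csr` / `rm -rf ca.p12` lines have no counterpart for the new `tmp/ca_signing.csr` and `tmp/ca-certs.p12` outputs, so a file left over from an earlier run (possibly written with a different password) is still in place when `pki-server subsystem-cert-export` runs. Whether that tool overwrites or adds to an existing PKCS#12 is not visible here, so restoring `rm -f tmp/ca_signing.csr tmp/ca-certs.p12` after `mkdir -p tmp` keeps the run reproducible either way. The exported file carries the CA signing private key, so a `umask 077` before the export is also worth adding.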
diff --git a/scripts/ca-export.sh b/scripts/ca-export.sh
index 351f68f..da2ce2d 100755
--- a/scripts/ca-export.sh
+++ b/scripts/ca-export.sh
@@ -1,33 +1,33 @@
#!/bin/sh -x
-grep "internal=" /var/lib/pki/pki-tomcat/conf/password.conf | awk -F= '{print $2}' > internal.txt
-#PKCS12Export -debug -d /var/lib/pki/pki-tomcat/alias -p internal.txt -w password.txt -o ca_backup_keys.p12
-PKCS12Export -d /var/lib/pki/pki-tomcat/alias -p internal.txt -w password.txt -o ca_backup_keys.p12
+grep "internal=" /var/lib/pki/pki-tomcat/conf/password.conf | awk -F= '{print $2}' > tmp/internal.txt
+#PKCS12Export -debug -d /var/lib/pki/pki-tomcat/alias -p tmp/internal.txt -w password.txt -o tmp/ca-certs.p12
+PKCS12Export -d /var/lib/pki/pki-tomcat/alias -p tmp/internal.txt -w password.txt -o tmp/ca-certs.p12
-pki pkcs12-cert-find --pkcs12-file ca_backup_keys.p12 --pkcs12-password-file password.txt
-pki pkcs12-key-find --pkcs12-file ca_backup_keys.p12 --pkcs12-password-file password.txt
+pki pkcs12-cert-find --pkcs12-file tmp/ca-certs.p12 --pkcs12-password-file password.txt
+pki pkcs12-key-find --pkcs12-file tmp/ca-certs.p12 --pkcs12-password-file password.txt
-echo "-----BEGIN NEW CERTIFICATE REQUEST-----" > ca_signing.csr
-sed -n "/^ca.signing.certreq=/ s/^[^=]*=// p" < /var/lib/pki/pki-tomcat/ca/conf/CS.cfg >> ca_signing.csr
-echo "-----END NEW CERTIFICATE REQUEST-----" >> ca_signing.csr
+echo "-----BEGIN NEW CERTIFICATE REQUEST-----" > tmp/ca_signing.csr
+sed -n "/^ca.signing.certreq=/ s/^[^=]*=// p" < /var/lib/pki/pki-tomcat/ca/conf/CS.cfg >> tmp/ca_signing.csr
+echo "-----END NEW CERTIFICATE REQUEST-----" >> tmp/ca_signing.csr
-echo "-----BEGIN NEW CERTIFICATE REQUEST-----" > ca_ocsp_signing.csr
-sed -n "/^ca.ocsp_signing.certreq=/ s/^[^=]*=// p" < /var/lib/pki/pki-tomcat/ca/conf/CS.cfg >> ca_ocsp_signing.csr
-echo "-----END NEW CERTIFICATE REQUEST-----" >> ca_ocsp_signing.csr
+echo "-----BEGIN NEW CERTIFICATE REQUEST-----" > tmp/ca_ocsp_signing.csr
+sed -n "/^ca.ocsp_signing.certreq=/ s/^[^=]*=// p" < /var/lib/pki/pki-tomcat/ca/conf/CS.cfg >> tmp/ca_ocsp_signing.csr
+echo "-----END NEW CERTIFICATE REQUEST-----" >> tmp/ca_ocsp_signing.csr
-echo "-----BEGIN NEW CERTIFICATE REQUEST-----" > sslserver.csr
-sed -n "/^ca.sslserver.certreq=/ s/^[^=]*=// p" < /var/lib/pki/pki-tomcat/ca/conf/CS.cfg >> sslserver.csr
-echo "-----END NEW CERTIFICATE REQUEST-----" >> sslserver.csr
+echo "-----BEGIN NEW CERTIFICATE REQUEST-----" > tmp/sslserver.csr
+sed -n "/^ca.sslserver.certreq=/ s/^[^=]*=// p" < /var/lib/pki/pki-tomcat/ca/conf/CS.cfg >> tmp/sslserver.csr
+echo "-----END NEW CERTIFICATE REQUEST-----" >> tmp/sslserver.csr
-echo "-----BEGIN NEW CERTIFICATE REQUEST-----" > subsystem.csr
-sed -n "/^ca.subsystem.certreq=/ s/^[^=]*=// p" < /var/lib/pki/pki-tomcat/ca/conf/CS.cfg >> subsystem.csr
-echo "-----END NEW CERTIFICATE REQUEST-----" >> subsystem.csr
+echo "-----BEGIN NEW CERTIFICATE REQUEST-----" > tmp/subsystem.csr
+sed -n "/^ca.subsystem.certreq=/ s/^[^=]*=// p" < /var/lib/pki/pki-tomcat/ca/conf/CS.cfg >> tmp/subsystem.csr
+echo "-----END NEW CERTIFICATE REQUEST-----" >> tmp/subsystem.csr
-echo "-----BEGIN NEW CERTIFICATE REQUEST-----" > ca_audit_signing.csr
-sed -n "/^ca.audit_signing.certreq=/ s/^[^=]*=// p" < /var/lib/pki/pki-tomcat/ca/conf/CS.cfg >> ca_audit_signing.csr
-echo "-----END NEW CERTIFICATE REQUEST-----" >> ca_audit_signing.csr
+echo "-----BEGIN NEW CERTIFICATE REQUEST-----" > tmp/ca_audit_signing.csr
+sed -n "/^ca.audit_signing.certreq=/ s/^[^=]*=// p" < /var/lib/pki/pki-tomcat/ca/conf/CS.cfg >> tmp/ca_audit_signing.csr
+echo "-----END NEW CERTIFICATE REQUEST-----" >> tmp/ca_audit_signing.csr
-#pki-server ca-clone-prepare --pkcs12-file ca_backup_keys.p12 --pkcs12-password-file password.txt
+#pki-server ca-clone-prepare --pkcs12-file tmp/ca-certs.p12 --pkcs12-password-file password.txt
-cp ~/.dogtag/pki-tomcat/ca_admin.cert .
-cp ~/.dogtag/pki-tomcat/ca_admin_cert.p12 .
+cp ~/.dogtag/pki-tomcat/ca_admin.cert tmp
+cp ~/.dogtag/pki-tomcat/ca_admin_cert.p12 tmp
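Review bot: This hunk covers the whole file (lines 1-33) and it writes to `tmp/internal.txt`, `tmp/ca-certs.p12` and the `tmp/*.csr` files, yet unlike every other script in this commit it never runs `mkdir -p tmp`, so on a fresh checkout the first `grep ... > tmp/internal.txt` redirection fails and, because the shebang is `#!/bin/sh -x` without `-e`, PKCS12Export then runs with a missing password file and the remaining steps carry on. Add `mkdir -p tmp` as the first command after the shebang. As in ca-clone-prep.sh, tmp/internal.txt holds the server's internal token password and is left behind after PKCS12Export; `rm -f tmp/internal.txt` after the export line, or a `umask 077`, would limit that.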
diff --git a/scripts/ca-external-step1.sh b/scripts/ca-external-step1.sh
index a9d6df9..ecc8112 100755
--- a/scripts/ca-external-step1.sh
+++ b/scripts/ca-external-step1.sh
@@ -22,9 +22,9 @@ rm -f tmp/example3.csr
rm -f tmp/example3.crt
cat > tmp/ca-external-step1.cfg << EOF
-#[DEFAULT]
+[DEFAULT]
#pki_instance_name=pki-child
-#pki_pin=Secret.123
+pki_pin=Secret.123
[CA]
pki_admin_email=caadmin@example.com
diff --git a/scripts/ca-external-step2.sh b/scripts/ca-external-step2.sh
index a45afdc..0b2ca58 100755
--- a/scripts/ca-external-step2.sh
+++ b/scripts/ca-external-step2.sh
@@ -3,9 +3,9 @@
mkdir -p tmp
cat > tmp/ca-external-step2.cfg << EOF
-#[DEFAULT]
+[DEFAULT]
#pki_instance_name=pki-child
-#pki_pin=Secret.123
+pki_pin=Secret.123
[CA]
pki_admin_email=caadmin@example.com
diff --git a/scripts/ca-nfast-create.sh b/scripts/ca-nfast-create.sh
index b0e914f..ca52316 100755
--- a/scripts/ca-nfast-create.sh
+++ b/scripts/ca-nfast-create.sh
@@ -1,3 +1,62 @@
#!/bin/sh -x
-pkispawn -vv -f ca-nfast.cfg -s CA
+mkdir -p tmp
+
+USER=`cat user.txt`
+TOKEN=softcard
+
+cat > tmp/ca-nfast.cfg << EOF
+[DEFAULT]
+pki_pin=Secret.123
+pki_hsm_enable=True
+
+pki_hsm_libfile=/opt/nfast/toolkits/pkcs11/libcknfast.so
+pki_hsm_modulename=nfast
+pki_token_name=$TOKEN
+pki_token_password=Secret.123
+pki_pin=Secret.123
+
+[CA]
+pki_admin_email=caadmin@example.com
+pki_admin_name=caadmin
+pki_admin_nickname=caadmin
+pki_admin_password=Secret.123
+pki_admin_uid=caadmin
+
+pki_client_database_password=Secret.123
+pki_client_database_purge=False
+pki_client_pkcs12_password=Secret.123
+
+pki_ds_base_dn=dc=ca,dc=pki,dc=example,dc=com
+pki_ds_database=ca
+pki_ds_password=Secret.123
+
+pki_security_domain_name=EXAMPLE
+
+pki_ca_signing_nickname=ca_signing
+#pki_ca_signing_nickname=$USER/%(pki_instance_name)s/ca_signing
+#pki_ca_signing_token=internal
+#pki_ca_signing_token=$TOKEN
+
+pki_ocsp_signing_nickname=ca_ocsp_signing
+#pki_ocsp_signing_nickname=$USER/%(pki_instance_name)s/ca_ocsp_signing
+#pki_ocsp_signing_token=internal
+#pki_ocsp_signing_token=$TOKEN
+
+pki_audit_signing_nickname=ca_audit_signing
+#pki_audit_signing_nickname=$USER/%(pki_instance_name)s/ca_audit_signing
+#pki_audit_signing_token=internal
+#pki_audit_signing_token=$TOKEN
+
+pki_ssl_server_nickname=sslserver
+#pki_ssl_server_nickname=$USER/%(pki_instance_name)s/sslserver/%(pki_hostname)s
+#pki_ssl_server_token=internal
+#pki_ssl_server_token=$TOKEN
+
+pki_subsystem_nickname=subsystem
+#pki_subsystem_nickname=$USER/%(pki_instance_name)s/subsystem
+#pki_subsystem_token=internal
+#pki_subsystem_token=$TOKEN
+EOF
+
+pkispawn -vv -f tmp/ca-nfast.cfg -s CA
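Review bot: `pki_pin=Secret.123` appears twice in the `[DEFAULT]` section of the generated cfg (directly after the header and again after `pki_token_password`), so one line should be dropped; which value wins for a duplicated key depends on the config parser and is not visible here. The `USER=` assignment on the line after `mkdir -p tmp` reuses the name of the login environment variable: if `USER` is already exported by the login shell, as is typical, the assignment keeps the export attribute and pkispawn sees the overwritten value, so a private name such as `NFAST_USER=$(cat user.txt)` (with `$NFAST_USER` in the commented nickname lines) is safer. user.txt is also read with no check that it exists, unlike the `tmp/` outputs that `mkdir -p tmp` prepares; `[ -s user.txt ] || { echo "user.txt missing" >&2; exit 1; }` before the assignment would catch that.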