diff options
39 files changed, 541 insertions, 64 deletions
diff --git a/scripts/nssdb-admin-cert-del.sh b/scripts/nssdb-admin-cert-del.sh new file mode 100755 index 0000000..7782956 --- /dev/null +++ b/scripts/nssdb-admin-cert-del.sh @@ -0,0 +1,3 @@ +#!/bin/sh + +certutil -D -d nssdb -n "admin" diff --git a/scripts/nssdb-admin-cert-show.sh b/scripts/nssdb-admin-cert-show.sh new file mode 100755 index 0000000..7c2f4af --- /dev/null +++ b/scripts/nssdb-admin-cert-show.sh @@ -0,0 +1,3 @@ +#!/bin/sh + +certutil -L -d nssdb -n "admin" diff --git a/scripts/nssdb-admin-request.sh b/scripts/nssdb-admin-request.sh new file mode 100755 index 0000000..849f48f --- /dev/null +++ b/scripts/nssdb-admin-request.sh @@ -0,0 +1,15 @@ +#!/bin/sh + +certutil -R \ + -d nssdb \ + -f nssdb/password.txt \ + -z nssdb/noise.bin \ + -s "CN=PKI Adminstrator,E=admin@example.com,OU=pki-tomcat,O=EXAMPLE" \ + -o nssdb/admin.csr.der \ + -k rsa \ + -g 2048 \ + -Z SHA256 \ + --keyUsage critical,dataEncipherment,keyEncipherment,digitalSignature,nonRepudiation \ + --extKeyUsage clientAuth,emailProtection + +openssl req -inform der -in nssdb/admin.csr.der -out nssdb/admin.csr diff --git a/scripts/nssdb-admin-sign.sh b/scripts/nssdb-admin-sign.sh new file mode 100755 index 0000000..ff85f2e --- /dev/null +++ b/scripts/nssdb-admin-sign.sh @@ -0,0 +1,25 @@ +#!/bin/sh + +AKID="`cat nssdb/ca_signing.skid`" +echo "AKID: ${AKID}" + +OCSP="`cat nssdb/ocsp_url`" +echo "OCSP: ${OCSP}" + +echo -e "y\n${AKID}\n\n\n\n2\n7\n${OCSP}\n\n\n\n" | \ + certutil -C \ + -d nssdb \ + -f nssdb/password.txt \ + -m $RANDOM \ + -a \ + -i nssdb/admin.csr \ + -o nssdb/admin.crt \ + -c "ca_signing" \ + -3 \ + --extAIA \ + --keyUsage critical,dataEncipherment,keyEncipherment,digitalSignature,nonRepudiation \ + --extKeyUsage clientAuth,emailProtection + +certutil -A -d nssdb -n "admin" -i nssdb/admin.crt -t ",," + +openssl x509 -text -noout -in nssdb/admin.crt diff --git a/scripts/nssdb-audit_signing-cert-del.sh b/scripts/nssdb-audit_signing-cert-del.sh new file mode 100755 index 0000000..843dc29 --- /dev/null +++ b/scripts/nssdb-audit_signing-cert-del.sh @@ -0,0 +1,3 @@ +#!/bin/sh + +certutil -D -d nssdb -n "audit_signing" diff --git a/scripts/nssdb-audit_signing-cert-show.sh b/scripts/nssdb-audit_signing-cert-show.sh new file mode 100755 index 0000000..96e8bb6 --- /dev/null +++ b/scripts/nssdb-audit_signing-cert-show.sh @@ -0,0 +1,3 @@ +#!/bin/sh + +certutil -L -d nssdb -n "audit_signing" diff --git a/scripts/nssdb-audit_signing-request.sh b/scripts/nssdb-audit_signing-request.sh new file mode 100755 index 0000000..006d298 --- /dev/null +++ b/scripts/nssdb-audit_signing-request.sh @@ -0,0 +1,14 @@ +#!/bin/sh + +certutil -R \ + -d nssdb \ + -f nssdb/password.txt \ + -z nssdb/noise.bin \ + -s "CN=Audit Signing Certificate,OU=pki-tomcat,O=EXAMPLE" \ + -o nssdb/audit_signing.csr.der \ + -k rsa \ + -g 2048 \ + -Z SHA256 \ + --keyUsage critical,digitalSignature,nonRepudiation + +openssl req -inform der -in nssdb/audit_signing.csr.der -out nssdb/audit_signing.csr diff --git a/scripts/nssdb-audit_signing-sign.sh b/scripts/nssdb-audit_signing-sign.sh new file mode 100755 index 0000000..a5f830e --- /dev/null +++ b/scripts/nssdb-audit_signing-sign.sh @@ -0,0 +1,24 @@ +#!/bin/sh + +AKID="`cat nssdb/ca_signing.skid`" +echo "AKID: ${AKID}" + +OCSP="`cat nssdb/ocsp_url`" +echo "OCSP: ${OCSP}" + +echo -e "y\n${AKID}\n\n\n\n2\n7\n${OCSP}\n\n\n\n" | \ + certutil -C \ + -d nssdb \ + -f nssdb/password.txt \ + -m $RANDOM \ + -a \ + -i nssdb/audit_signing.csr \ + -o nssdb/audit_signing.crt \ + -c "ca_signing" \ + -3 \ + --extAIA \ + --keyUsage critical,digitalSignature,nonRepudiation + +certutil -A -d nssdb -n "audit_signing" -i nssdb/audit_signing.crt -t ",,P" + +openssl x509 -text -noout -in nssdb/audit_signing.crt diff --git a/scripts/nssdb-ca_signing-cert-del.sh b/scripts/nssdb-ca_signing-cert-del.sh new file mode 100755 index 0000000..a400145 --- /dev/null +++ b/scripts/nssdb-ca_signing-cert-del.sh @@ -0,0 +1,3 @@ +#!/bin/sh + +certutil -D -d nssdb -n "ca_signing" diff --git a/scripts/nssdb-ca_signing-cert-show.sh b/scripts/nssdb-ca_signing-cert-show.sh new file mode 100755 index 0000000..6aadf48 --- /dev/null +++ b/scripts/nssdb-ca_signing-cert-show.sh @@ -0,0 +1,3 @@ +#!/bin/sh + +certutil -L -d nssdb -n "ca_signing" diff --git a/scripts/nssdb-ca_signing-create.sh b/scripts/nssdb-ca_signing-create.sh new file mode 100755 index 0000000..b387aca --- /dev/null +++ b/scripts/nssdb-ca_signing-create.sh @@ -0,0 +1,26 @@ +#!/bin/sh + +SKID="0x`openssl rand -hex 20`" +echo $SKID > nssdb/ca_signing.skid + +OCSP="http://$HOSTNAME:8080/ca/ocsp" +echo $OCSP > nssdb/ocsp_url + +echo -e "y\n\ny\ny\n${SKID}\n\n\n\n${SKID}\n\n2\n7\n${OCSP}\n\n\n\n" | \ + certutil -S \ + -x \ + -d nssdb \ + -f nssdb/password.txt \ + -z nssdb/noise.bin \ + -n "ca_signing" \ + -s "CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE" \ + -t "CT,C,C" \ + -m $RANDOM \ + -k rsa \ + -g 2048 \ + -Z SHA256 \ + -2 \ + -3 \ + --extAIA \ + --extSKID \ + --keyUsage critical,certSigning,crlSigning,digitalSignature,nonRepudiation diff --git a/scripts/nssdb-ca_signing-csr-restore.sh b/scripts/nssdb-ca_signing-csr-restore.sh new file mode 100755 index 0000000..d1a7603 --- /dev/null +++ b/scripts/nssdb-ca_signing-csr-restore.sh @@ -0,0 +1,16 @@ +#!/bin/sh + +echo -e "y\n\ny\n" | \ + certutil -R \ + -d nssdb \ + -f nssdb/password.txt \ + -z nssdb/noise.bin \ + -s "CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE" \ + -o nssdb/ca_signing.csr.der \ + -k ca_signing \ + -g 2048 \ + -Z SHA256 \ + -2 \ + --keyUsage critical,certSigning,crlSigning,digitalSignature,nonRepudiation + +openssl req -inform der -in nssdb/ca_signing.csr.der -out nssdb/ca_signing.csr diff --git a/scripts/nssdb-ca_signing-request.sh b/scripts/nssdb-ca_signing-request.sh new file mode 100755 index 0000000..ad28cd8 --- /dev/null +++ b/scripts/nssdb-ca_signing-request.sh @@ -0,0 +1,16 @@ +#!/bin/sh + +echo -e "y\n\ny\n" | \ + certutil -R \ + -d nssdb \ + -f nssdb/password.txt \ + -z nssdb/noise.bin \ + -s "CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE" \ + -o nssdb/ca_signing.csr.der \ + -k rsa \ + -g 2048 \ + -Z SHA256 \ + -2 \ + --keyUsage critical,certSigning,crlSigning,digitalSignature,nonRepudiation + +openssl req -inform der -in nssdb/ca_signing.csr.der -out nssdb/ca_signing.csr diff --git a/scripts/nssdb-ca_signing-sign.sh b/scripts/nssdb-ca_signing-sign.sh new file mode 100755 index 0000000..6e5eeae --- /dev/null +++ b/scripts/nssdb-ca_signing-sign.sh @@ -0,0 +1,26 @@ +#!/bin/sh + +SKID="0x`openssl rand -hex 20`" +echo $SKID > nssdb/ca_signing.skid + +OCSP="http://$HOSTNAME:8080/ca/ocsp" +echo $OCSP > nssdb/ocsp_url + +echo -e "y\n\ny\ny\n${SKID}\n\n\n\n${SKID}\n\n2\n7\n${OCSP}\n\n\n\n" | \ + certutil -C \ + -x \ + -d nssdb \ + -f nssdb/password.txt \ + -m $RANDOM \ + -a \ + -i nssdb/ca_signing.csr \ + -o nssdb/ca_signing.crt \ + -2 \ + -3 \ + --extAIA \ + --extSKID \ + --keyUsage critical,certSigning,crlSigning,digitalSignature,nonRepudiation + +certutil -A -d nssdb -n "ca_signing" -i nssdb/ca_signing.crt -t "CT,C,C" + +openssl x509 -text -noout -in nssdb/ca_signing.crt diff --git a/scripts/nssdb-create.sh b/scripts/nssdb-create.sh index 3c02ade..15ea47b 100755 --- a/scripts/nssdb-create.sh +++ b/scripts/nssdb-create.sh @@ -3,6 +3,5 @@ rm -rf nssdb mkdir nssdb echo Secret.123 > nssdb/password.txt -#certutil -N -d nssdb certutil -N -d nssdb -f nssdb/password.txt openssl rand -out nssdb/noise.bin 2048 diff --git a/scripts/nssdb-generate-audit_signing-csr.sh b/scripts/nssdb-generate-audit_signing-csr.sh deleted file mode 100755 index d04d0be..0000000 --- a/scripts/nssdb-generate-audit_signing-csr.sh +++ /dev/null @@ -1,21 +0,0 @@ -#!/bin/sh - -certutil -R \ - -d nssdb \ - -h internal \ - -f nssdb/password.txt \ - -z nssdb/noise.bin \ - -s "CN=Audit Signing Certificate,OU=pki-tomcat,O=EXAMPLE" \ - -o audit_signing.csr.der - -openssl req -inform der -in audit_signing.csr.der -out audit_signing.csr - -#BtoA audit_signing.csr.der audit_signing.csr.pem -#echo "-----BEGIN NEW CERTIFICATE REQUEST-----" > audit_signing.csr -#cat audit_signing.csr.pem >> audit_signing.csr -#echo "-----END NEW CERTIFICATE REQUEST-----" >> audit_signing.csr - -rm audit_signing.csr.der -#rm audit_signing.csr.pem - -openssl req -text -noout -in audit_signing.csr diff --git a/scripts/nssdb-generate-random-chain.sh b/scripts/nssdb-generate-random-chain.sh new file mode 100755 index 0000000..2ea0466 --- /dev/null +++ b/scripts/nssdb-generate-random-chain.sh @@ -0,0 +1,129 @@ +#!/bin/sh + +################################################################################ +# CA Level 1 +################################################################################ + +LEVEL1_SKID="0x`openssl rand -hex 20`" +OCSP="http://$HOSTNAME:8080/ca/ocsp" + +echo -e "y\n\ny\ny\n${LEVEL1_SKID}\n\n\n\n${LEVEL1_SKID}\n\n2\n7\n${OCSP}\n\n\n\n" | \ + certutil -S \ + -x \ + -d nssdb \ + -f nssdb/password.txt \ + -z nssdb/noise.bin \ + -n "level1" \ + -s "CN=Level 1 CA Signing Certificate,O=EXAMPLE" \ + -t "CT,C,C" \ + -m $RANDOM \ + -k rsa \ + -g 2048 \ + -Z SHA256 \ + -2 \ + -3 \ + --extAIA \ + --extSKID \ + --keyUsage critical,certSigning,crlSigning,digitalSignature,nonRepudiation + +certutil -L -d nssdb -n "level1" -a > nssdb/level1.crt + +################################################################################ +# CA Level 2 +################################################################################ + +echo -e "y\n\ny\n" | \ + certutil -R \ + -d nssdb \ + -f nssdb/password.txt \ + -z nssdb/noise.bin \ + -s "CN=Level 2 CA Signing Certificate,O=EXAMPLE" \ + -o nssdb/level2.csr.der \ + -k rsa \ + -g 2048 \ + -Z SHA256 \ + -2 \ + --keyUsage critical,certSigning,crlSigning,digitalSignature,nonRepudiation + +openssl req -inform der -in nssdb/level2.csr.der -out nssdb/level2.csr + +LEVEL2_SKID="0x`openssl rand -hex 20`" + +echo -e "y\n\ny\ny\n${LEVEL1_SKID}\n\n\n\n${LEVEL2_SKID}\n\n2\n7\n${OCSP}\n\n\n\n" | \ + certutil -C \ + -d nssdb \ + -f nssdb/password.txt \ + -m $RANDOM \ + -a \ + -i nssdb/level2.csr \ + -o nssdb/level2.crt \ + -c "level1" \ + -2 \ + -3 \ + --extAIA \ + --extSKID \ + --keyUsage critical,certSigning,crlSigning,digitalSignature,nonRepudiation + +certutil -A -d nssdb -n "level2" -i nssdb/level2.crt -t "CT,C,C" + +################################################################################ +# CA Level 3 +################################################################################ + +echo -e "y\n\ny\n" | \ + certutil -R \ + -d nssdb \ + -f nssdb/password.txt \ + -z nssdb/noise.bin \ + -s "CN=Level 3 CA Signing Certificate,O=EXAMPLE" \ + -o nssdb/level3.csr.der \ + -k rsa \ + -g 2048 \ + -Z SHA256 \ + -2 \ + --keyUsage critical,certSigning,crlSigning,digitalSignature,nonRepudiation + +openssl req -inform der -in nssdb/level3.csr.der -out nssdb/level3.csr + +LEVEL3_SKID="0x`openssl rand -hex 20`" + +echo -e "y\n\ny\ny\n${LEVEL2_SKID}\n\n\n\n${LEVEL3_SKID}\n\n2\n7\n${OCSP}\n\n\n\n" | \ + certutil -C \ + -d nssdb \ + -f nssdb/password.txt \ + -m $RANDOM \ + -a \ + -i nssdb/level3.csr \ + -o nssdb/level3.crt \ + -c "level2" \ + -2 \ + -3 \ + --extAIA \ + --extSKID \ + --keyUsage critical,certSigning,crlSigning,digitalSignature,nonRepudiation + +certutil -A -d nssdb -n "level3" -i nssdb/level3.crt -t "CT,C,C" + +################################################################################ +# Cert Chain +################################################################################ + +# complete chain +openssl crl2pkcs7 -nocrl -certfile nssdb/level1.crt -certfile nssdb/level2.crt -certfile nssdb/level3.crt -out nssdb/cert_chain.p7b + +# out of order chain +#openssl crl2pkcs7 -nocrl -certfile nssdb/level2.crt -certfile nssdb/level3.crt -certfile nssdb/level1.crt -out nssdb/cert_chain.p7b + +# root cert only +#openssl crl2pkcs7 -nocrl -certfile nssdb/level1.crt -out nssdb/cert_chain.p7b + +# leaf cert only +#openssl crl2pkcs7 -nocrl -certfile nssdb/level3.crt -out nssdb/cert_chain.p7b + +# broken chain +#openssl crl2pkcs7 -nocrl -certfile nssdb/level3.crt -certfile nssdb/level1.crt -out nssdb/cert_chain.p7b + +# duplicate cert +#openssl crl2pkcs7 -nocrl -certfile nssdb/level1.crt -certfile nssdb/level2.crt -certfile nssdb/level2.crt -out nssdb/cert_chain.p7b + +openssl pkcs7 -print_certs -in nssdb/cert_chain.p7b diff --git a/scripts/nssdb-generate-sslserver-csr.sh b/scripts/nssdb-generate-sslserver-csr.sh deleted file mode 100755 index f9d6ab1..0000000 --- a/scripts/nssdb-generate-sslserver-csr.sh +++ /dev/null @@ -1,21 +0,0 @@ -#!/bin/sh - -certutil -R \ - -d nssdb \ - -h internal \ - -f nssdb/password.txt \ - -z nssdb/noise.bin \ - -s "CN=$HOSTNAME,OU=pki-tomcat,O=EXAMPLE" \ - -o sslserver.csr.der - -openssl req -inform der -in sslserver.csr.der -out sslserver.csr - -#BtoA sslserver.csr.der sslserver.csr.pem -#echo "-----BEGIN NEW CERTIFICATE REQUEST-----" > sslserver.csr -#cat sslserver.csr.pem >> sslserver.csr -#echo "-----END NEW CERTIFICATE REQUEST-----" >> sslserver.csr - -rm sslserver.csr.der -#rm sslserver.csr.pem - -openssl req -text -noout -in sslserver.csr diff --git a/scripts/nssdb-generate-subsystem-csr.sh b/scripts/nssdb-generate-subsystem-csr.sh deleted file mode 100755 index 73f2cdb..0000000 --- a/scripts/nssdb-generate-subsystem-csr.sh +++ /dev/null @@ -1,21 +0,0 @@ -#!/bin/sh - -certutil -R \ - -d nssdb \ - -h internal \ - -f nssdb/password.txt \ - -z nssdb/noise.bin \ - -s "CN=Subsystem Certificate,OU=pki-tomcat,O=EXAMPLE" \ - -o subsystem.csr.der - -openssl req -inform der -in subsystem.csr.der -out subsystem.csr - -#BtoA subsystem.csr.der subsystem.csr.pem -#echo "-----BEGIN NEW CERTIFICATE REQUEST-----" > subsystem.csr -#cat subsystem.csr.pem >> subsystem.csr -#echo "-----END NEW CERTIFICATE REQUEST-----" >> subsystem.csr - -rm subsystem.csr.der -#rm subsystem.csr.pem - -openssl req -text -noout -in subsystem.csr diff --git a/scripts/nssdb-kra_storage-cert-del.sh b/scripts/nssdb-kra_storage-cert-del.sh new file mode 100755 index 0000000..f0284c6 --- /dev/null +++ b/scripts/nssdb-kra_storage-cert-del.sh @@ -0,0 +1,3 @@ +#!/bin/sh + +certutil -D -d nssdb -n "kra_storage" diff --git a/scripts/nssdb-kra_storage-cert-show.sh b/scripts/nssdb-kra_storage-cert-show.sh new file mode 100755 index 0000000..113f377 --- /dev/null +++ b/scripts/nssdb-kra_storage-cert-show.sh @@ -0,0 +1,3 @@ +#!/bin/sh + +certutil -L -d nssdb -n "kra_storage" diff --git a/scripts/nssdb-kra_storage-request.sh b/scripts/nssdb-kra_storage-request.sh new file mode 100755 index 0000000..c4f3c2b --- /dev/null +++ b/scripts/nssdb-kra_storage-request.sh @@ -0,0 +1,15 @@ +#!/bin/sh + +certutil -R \ + -d nssdb \ + -f nssdb/password.txt \ + -z nssdb/noise.bin \ + -s "CN=DRM Storage Certificate,OU=pki-tomcat,O=EXAMPLE" \ + -o nssdb/kra_storage.csr.der \ + -k rsa \ + -g 2048 \ + -Z SHA256 \ + --keyUsage critical,dataEncipherment,keyEncipherment,digitalSignature,nonRepudiation \ + --extKeyUsage clientAuth + +openssl req -inform der -in nssdb/kra_storage.csr.der -out nssdb/kra_storage.csr diff --git a/scripts/nssdb-kra_storage-sign.sh b/scripts/nssdb-kra_storage-sign.sh new file mode 100755 index 0000000..0ce337d --- /dev/null +++ b/scripts/nssdb-kra_storage-sign.sh @@ -0,0 +1,25 @@ +#!/bin/sh + +AKID="`cat nssdb/ca_signing.skid`" +echo "AKID: ${AKID}" + +OCSP="`cat nssdb/ocsp_url`" +echo "OCSP: ${OCSP}" + +echo -e "y\n${AKID}\n\n\n\n2\n7\n${OCSP}\n\n\n\n" | \ + certutil -C \ + -d nssdb \ + -f nssdb/password.txt \ + -m $RANDOM \ + -a \ + -i nssdb/kra_storage.csr \ + -o nssdb/kra_storage.crt \ + -c "ca_signing" \ + -3 \ + --extAIA \ + --keyUsage critical,dataEncipherment,keyEncipherment,digitalSignature,nonRepudiation \ + --extKeyUsage clientAuth + +certutil -A -d nssdb -n "kra_storage" -i nssdb/kra_storage.crt -t ",," + +openssl x509 -text -noout -in nssdb/kra_storage.crt diff --git a/scripts/nssdb-kra_transport-cert-del.sh b/scripts/nssdb-kra_transport-cert-del.sh new file mode 100755 index 0000000..0c866b1 --- /dev/null +++ b/scripts/nssdb-kra_transport-cert-del.sh @@ -0,0 +1,3 @@ +#!/bin/sh + +certutil -D -d nssdb -n "kra_transport" diff --git a/scripts/nssdb-kra_transport-cert-show.sh b/scripts/nssdb-kra_transport-cert-show.sh new file mode 100755 index 0000000..7981e0b --- /dev/null +++ b/scripts/nssdb-kra_transport-cert-show.sh @@ -0,0 +1,3 @@ +#!/bin/sh + +certutil -L -d nssdb -n "kra_transport" diff --git a/scripts/nssdb-kra_transport-request.sh b/scripts/nssdb-kra_transport-request.sh new file mode 100755 index 0000000..24e8932 --- /dev/null +++ b/scripts/nssdb-kra_transport-request.sh @@ -0,0 +1,15 @@ +#!/bin/sh + +certutil -R \ + -d nssdb \ + -f nssdb/password.txt \ + -z nssdb/noise.bin \ + -s "CN=DRM Transport Certificate,OU=pki-tomcat,O=EXAMPLE" \ + -o nssdb/kra_transport.csr.der \ + -k rsa \ + -g 2048 \ + -Z SHA256 \ + --keyUsage critical,dataEncipherment,keyEncipherment,digitalSignature,nonRepudiation \ + --extKeyUsage clientAuth + +openssl req -inform der -in nssdb/kra_transport.csr.der -out nssdb/kra_transport.csr diff --git a/scripts/nssdb-kra_transport-sign.sh b/scripts/nssdb-kra_transport-sign.sh new file mode 100755 index 0000000..30855df --- /dev/null +++ b/scripts/nssdb-kra_transport-sign.sh @@ -0,0 +1,25 @@ +#!/bin/sh + +AKID="`cat nssdb/ca_signing.skid`" +echo "AKID: ${AKID}" + +OCSP="`cat nssdb/ocsp_url`" +echo "OCSP: ${OCSP}" + +echo -e "y\n${AKID}\n\n\n\n2\n7\n${OCSP}\n\n\n\n" | \ + certutil -C \ + -d nssdb \ + -f nssdb/password.txt \ + -m $RANDOM \ + -a \ + -i nssdb/kra_transport.csr \ + -o nssdb/kra_transport.crt \ + -c "ca_signing" \ + -3 \ + --extAIA \ + --keyUsage critical,dataEncipherment,keyEncipherment,digitalSignature,nonRepudiation \ + --extKeyUsage clientAuth + +certutil -A -d nssdb -n "kra_transport" -i nssdb/kra_transport.crt -t ",," + +openssl x509 -text -noout -in nssdb/kra_transport.crt diff --git a/scripts/nssdb-ocsp_signing-cert-del.sh b/scripts/nssdb-ocsp_signing-cert-del.sh new file mode 100755 index 0000000..4f0ef06 --- /dev/null +++ b/scripts/nssdb-ocsp_signing-cert-del.sh @@ -0,0 +1,3 @@ +#!/bin/sh + +certutil -D -d nssdb -n "ocsp_signing" diff --git a/scripts/nssdb-ocsp_signing-cert-show.sh b/scripts/nssdb-ocsp_signing-cert-show.sh new file mode 100755 index 0000000..f1760d8 --- /dev/null +++ b/scripts/nssdb-ocsp_signing-cert-show.sh @@ -0,0 +1,3 @@ +#!/bin/sh + +certutil -L -d nssdb -n "ocsp_signing" diff --git a/scripts/nssdb-ocsp_signing-request.sh b/scripts/nssdb-ocsp_signing-request.sh new file mode 100755 index 0000000..d6af7fe --- /dev/null +++ b/scripts/nssdb-ocsp_signing-request.sh @@ -0,0 +1,17 @@ +#!/bin/sh + +certutil -R \ + -d nssdb \ + -f nssdb/password.txt \ + -z nssdb/noise.bin \ + -s "CN=OCSP Signing Certificate,OU=pki-tomcat,O=EXAMPLE" \ + -o nssdb/ocsp_signing.csr.der \ + -k rsa \ + -g 2048 \ + -Z SHA256 \ + --extKeyUsage ocspResponder \ + --extGeneric 1.3.6.1.5.5.7.48.1.5:not-critical:/dev/null + +openssl req -inform der -in nssdb/ocsp_signing.csr.der -out nssdb/ocsp_signing.csr + +openssl req -text -noout -in nssdb/ocsp_signing.csr diff --git a/scripts/nssdb-ocsp_signing-sign.sh b/scripts/nssdb-ocsp_signing-sign.sh new file mode 100755 index 0000000..4478c40 --- /dev/null +++ b/scripts/nssdb-ocsp_signing-sign.sh @@ -0,0 +1,25 @@ +#!/bin/sh + +AKID="`cat nssdb/ca_signing.skid`" +echo "AKID: ${AKID}" + +OCSP="`cat nssdb/ocsp_url`" +echo "OCSP: ${OCSP}" + +echo -e "y\n${AKID}\n\n\n\n2\n7\n${OCSP}\n\n\n\n" | \ + certutil -C \ + -d nssdb \ + -f nssdb/password.txt \ + -m $RANDOM \ + -a \ + -i nssdb/ocsp_signing.csr \ + -o nssdb/ocsp_signing.crt \ + -c "ca_signing" \ + -3 \ + --extAIA \ + --extKeyUsage ocspResponder \ + --extGeneric 1.3.6.1.5.5.7.48.1.5:not-critical:/dev/null + +certutil -A -d nssdb -n "ocsp_signing" -i nssdb/ocsp_signing.crt -t ",," + +openssl x509 -text -noout -in nssdb/ocsp_signing.crt diff --git a/scripts/nssdb-sslserver-cert-del.sh b/scripts/nssdb-sslserver-cert-del.sh new file mode 100755 index 0000000..4ace26f --- /dev/null +++ b/scripts/nssdb-sslserver-cert-del.sh @@ -0,0 +1,3 @@ +#!/bin/sh + +certutil -D -d nssdb -n "sslserver" diff --git a/scripts/nssdb-sslserver-cert-show.sh b/scripts/nssdb-sslserver-cert-show.sh new file mode 100755 index 0000000..7fa8b8e --- /dev/null +++ b/scripts/nssdb-sslserver-cert-show.sh @@ -0,0 +1,3 @@ +#!/bin/sh + +certutil -L -d nssdb -n "sslserver" diff --git a/scripts/nssdb-sslserver-request.sh b/scripts/nssdb-sslserver-request.sh new file mode 100755 index 0000000..5f3657c --- /dev/null +++ b/scripts/nssdb-sslserver-request.sh @@ -0,0 +1,15 @@ +#!/bin/sh + +certutil -R \ + -d nssdb \ + -f nssdb/password.txt \ + -z nssdb/noise.bin \ + -s "CN=$HOSTNAME,OU=pki-tomcat,O=EXAMPLE" \ + -o nssdb/sslserver.csr.der \ + -k rsa \ + -g 2048 \ + -Z SHA256 \ + --keyUsage critical,dataEncipherment,keyEncipherment,digitalSignature,nonRepudiation \ + --extKeyUsage serverAuth + +openssl req -inform der -in nssdb/sslserver.csr.der -out nssdb/sslserver.csr diff --git a/scripts/nssdb-sslserver-sign.sh b/scripts/nssdb-sslserver-sign.sh new file mode 100755 index 0000000..7eff977 --- /dev/null +++ b/scripts/nssdb-sslserver-sign.sh @@ -0,0 +1,25 @@ +#!/bin/sh + +AKID="`cat nssdb/ca_signing.skid`" +echo "AKID: ${AKID}" + +OCSP="`cat nssdb/ocsp_url`" +echo "OCSP: ${OCSP}" + +echo -e "y\n${AKID}\n\n\n\n2\n7\n${OCSP}\n\n\n\n" | \ + certutil -C \ + -d nssdb \ + -f nssdb/password.txt \ + -m $RANDOM \ + -a \ + -i nssdb/sslserver.csr \ + -o nssdb/sslserver.crt \ + -c "ca_signing" \ + -3 \ + --extAIA \ + --keyUsage critical,dataEncipherment,keyEncipherment,digitalSignature,nonRepudiation \ + --extKeyUsage serverAuth + +certutil -A -d nssdb -n "sslserver" -i nssdb/sslserver.crt -t ",," + +openssl x509 -text -noout -in nssdb/sslserver.crt diff --git a/scripts/nssdb-subsystem-cert-del.sh b/scripts/nssdb-subsystem-cert-del.sh new file mode 100755 index 0000000..0b238bf --- /dev/null +++ b/scripts/nssdb-subsystem-cert-del.sh @@ -0,0 +1,3 @@ +#!/bin/sh + +certutil -D -d nssdb -n "subsystem" diff --git a/scripts/nssdb-subsystem-cert-show.sh b/scripts/nssdb-subsystem-cert-show.sh new file mode 100755 index 0000000..bfe9e1b --- /dev/null +++ b/scripts/nssdb-subsystem-cert-show.sh @@ -0,0 +1,3 @@ +#!/bin/sh + +certutil -L -d nssdb -n "subsystem" diff --git a/scripts/nssdb-subsystem-request.sh b/scripts/nssdb-subsystem-request.sh new file mode 100755 index 0000000..ed37cfc --- /dev/null +++ b/scripts/nssdb-subsystem-request.sh @@ -0,0 +1,15 @@ +#!/bin/sh + +certutil -R \ + -d nssdb \ + -f nssdb/password.txt \ + -z nssdb/noise.bin \ + -s "CN=Subsystem Certificate,OU=pki-tomcat,O=EXAMPLE" \ + -o nssdb/subsystem.csr.der \ + -k rsa \ + -g 2048 \ + -Z SHA256 \ + --keyUsage critical,dataEncipherment,keyEncipherment,digitalSignature,nonRepudiation \ + --extKeyUsage clientAuth,serverAuth + +openssl req -inform der -in nssdb/subsystem.csr.der -out nssdb/subsystem.csr diff --git a/scripts/nssdb-subsystem-sign.sh b/scripts/nssdb-subsystem-sign.sh new file mode 100755 index 0000000..9edf060 --- /dev/null +++ b/scripts/nssdb-subsystem-sign.sh @@ -0,0 +1,25 @@ +#!/bin/sh + +AKID="`cat nssdb/ca_signing.skid`" +echo "AKID: ${AKID}" + +OCSP="`cat nssdb/ocsp_url`" +echo "OCSP: ${OCSP}" + +echo -e "y\n${AKID}\n\n\n\n2\n7\n${OCSP}\n\n\n\n" | \ + certutil -C \ + -d nssdb \ + -f nssdb/password.txt \ + -m $RANDOM \ + -a \ + -i nssdb/subsystem.csr \ + -o nssdb/subsystem.crt \ + -c "ca_signing" \ + -3 \ + --extAIA \ + --keyUsage critical,dataEncipherment,keyEncipherment,digitalSignature,nonRepudiation \ + --extKeyUsage clientAuth,serverAuth + +certutil -A -d nssdb -n "subsystem" -i nssdb/subsystem.crt -t ",," + +openssl x509 -text -noout -in nssdb/subsystem.crt |