-rwxr-xr-xscripts/ca-all-existing-create.sh52
-rwxr-xr-xscripts/ca-all-existing-export.sh33
-rwxr-xr-xscripts/ca-clone-create.sh7
-rwxr-xr-xscripts/ca-clone-prep.sh2
-rwxr-xr-xscripts/ca-create.sh6
-rwxr-xr-xscripts/ca-existing-create.sh9
-rwxr-xr-xscripts/ca-external-openssl-sign.sh106
-rwxr-xr-xscripts/ca-external-step1.sh41
-rwxr-xr-xscripts/ca-external-step2.sh11
-rwxr-xr-xscripts/ca-python-test.sh46
10 files changed, 264 insertions, 49 deletions
diff --git a/scripts/ca-all-existing-create.sh b/scripts/ca-all-existing-create.sh
new file mode 100755
index 0000000..98c05d8
--- /dev/null
+++ b/scripts/ca-all-existing-create.sh
@@ -0,0 +1,52 @@
+#!/bin/sh -x
+
+mkdir -p tmp
+
+cat > tmp/ca-all-existing.cfg << EOF
+[DEFAULT]
+pki_pin=Secret.123
+
+[CA]
+pki_admin_email=caadmin@example.com
+pki_admin_name=caadmin
+pki_admin_nickname=caadmin
+pki_admin_password=Secret.123
+pki_admin_uid=caadmin
+
+pki_client_database_password=Secret.123
+pki_client_database_purge=False
+pki_client_pkcs12_password=Secret.123
+
+pki_ds_base_dn=dc=ca,dc=pki,dc=example,dc=com
+pki_ds_password=Secret.123
+pki_ds_database=ca
+
+pki_security_domain_name=EXAMPLE
+
+pki_token_password=Secret.123
+
+pki_existing=True
+
+pki_ca_signing_nickname=ca_signing
+pki_ca_signing_csr_path=$PWD/tmp/ca_signing.csr
+
+pki_ocsp_signing_nickname=ca_ocsp_signing
+pki_ocsp_signing_csr_path=$PWD/tmp/ca_ocsp_signing.csr
+
+pki_sslserver_nickname=sslserver
+pki_sslserver_csr_path=$PWD/tmp/sslserver.csr
+
+pki_subsystem_nickname=subsystem
+pki_subsystem_csr_path=$PWD/tmp/subsystem.csr
+
+pki_audit_signing_nickname=ca_audit_signing
+pki_audit_signing_csr_path=$PWD/tmp/ca_audit_signing.csr
+
+pki_pkcs12_path=$PWD/tmp/ca-certs.p12
+pki_pkcs12_password=Secret.123
+
+#pki_serial_number_range_start=6
+#pki_request_number_range_start=1
+EOF
+
+pkispawn -f tmp/ca-all-existing.cfg -s CA
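Review bot: The `-x` on the shebang at the top of the new file traces every heredoc line, so the `pki_pin`, `pki_admin_password`, `pki_ds_password`, `pki_token_password` and `pki_pkcs12_password` values land in whatever captures the script's stderr; the same shebang is used in ca-all-existing-export.sh and ca-python-test.sh. If the trace is only wanted for the pkispawn call, drop `-x` from the shebang and put `set -x` on the line before `pkispawn`; interpreter options on the shebang are also lost when the file is run as `sh scripts/ca-all-existing-create.sh`. The config file is created with the caller's default umask, so a `umask 077` before the `cat > tmp/ca-all-existing.cfg` line keeps the written passwords readable by the owner only.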
diff --git a/scripts/ca-all-existing-export.sh b/scripts/ca-all-existing-export.sh
new file mode 100755
index 0000000..da2ce2d
--- /dev/null
+++ b/scripts/ca-all-existing-export.sh
@@ -0,0 +1,33 @@
+#!/bin/sh -x
+
+grep "internal=" /var/lib/pki/pki-tomcat/conf/password.conf | awk -F= '{print $2}' > tmp/internal.txt
+#PKCS12Export -debug -d /var/lib/pki/pki-tomcat/alias -p tmp/internal.txt -w password.txt -o tmp/ca-certs.p12
+PKCS12Export -d /var/lib/pki/pki-tomcat/alias -p tmp/internal.txt -w password.txt -o tmp/ca-certs.p12
+
+pki pkcs12-cert-find --pkcs12-file tmp/ca-certs.p12 --pkcs12-password-file password.txt
+pki pkcs12-key-find --pkcs12-file tmp/ca-certs.p12 --pkcs12-password-file password.txt
+
+echo "-----BEGIN NEW CERTIFICATE REQUEST-----" > tmp/ca_signing.csr
+sed -n "/^ca.signing.certreq=/ s/^[^=]*=// p" < /var/lib/pki/pki-tomcat/ca/conf/CS.cfg >> tmp/ca_signing.csr
+echo "-----END NEW CERTIFICATE REQUEST-----" >> tmp/ca_signing.csr
+
+echo "-----BEGIN NEW CERTIFICATE REQUEST-----" > tmp/ca_ocsp_signing.csr
+sed -n "/^ca.ocsp_signing.certreq=/ s/^[^=]*=// p" < /var/lib/pki/pki-tomcat/ca/conf/CS.cfg >> tmp/ca_ocsp_signing.csr
+echo "-----END NEW CERTIFICATE REQUEST-----" >> tmp/ca_ocsp_signing.csr
+
+echo "-----BEGIN NEW CERTIFICATE REQUEST-----" > tmp/sslserver.csr
+sed -n "/^ca.sslserver.certreq=/ s/^[^=]*=// p" < /var/lib/pki/pki-tomcat/ca/conf/CS.cfg >> tmp/sslserver.csr
+echo "-----END NEW CERTIFICATE REQUEST-----" >> tmp/sslserver.csr
+
+echo "-----BEGIN NEW CERTIFICATE REQUEST-----" > tmp/subsystem.csr
+sed -n "/^ca.subsystem.certreq=/ s/^[^=]*=// p" < /var/lib/pki/pki-tomcat/ca/conf/CS.cfg >> tmp/subsystem.csr
+echo "-----END NEW CERTIFICATE REQUEST-----" >> tmp/subsystem.csr
+
+echo "-----BEGIN NEW CERTIFICATE REQUEST-----" > tmp/ca_audit_signing.csr
+sed -n "/^ca.audit_signing.certreq=/ s/^[^=]*=// p" < /var/lib/pki/pki-tomcat/ca/conf/CS.cfg >> tmp/ca_audit_signing.csr
+echo "-----END NEW CERTIFICATE REQUEST-----" >> tmp/ca_audit_signing.csr
+
+#pki-server ca-clone-prepare --pkcs12-file tmp/ca-certs.p12 --pkcs12-password-file password.txt
+
+cp ~/.dogtag/pki-tomcat/ca_admin.cert tmp
+cp ~/.dogtag/pki-tomcat/ca_admin_cert.p12 tmp
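Review bot: The `grep "internal=" ... | awk -F= '{print $2}'` line that builds tmp/internal.txt is fragile in two ways: the unanchored pattern also matches any other key whose name ends in `internal=`, and `$2` drops everything after a second `=`, so a password containing `=` is silently truncated and PKCS12Export then fails on a wrong password. A single `sed -n 's/^internal=//p' /var/lib/pki/pki-tomcat/conf/password.conf > tmp/internal.txt` handles both; the same pipeline appears as context in ca-clone-prep.sh. The five CSR extractions write only the BEGIN/END lines when `sed -n` finds no matching `certreq=` line in CS.cfg, so the failure surfaces later inside pkispawn rather than here; capturing each sed result in a variable and exiting when it is empty would localise it. tmp/internal.txt holds the instance's token password and is never removed, so `umask 077` before it is written and `rm -f tmp/internal.txt` after PKCS12Export limit its exposure.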
diff --git a/scripts/ca-clone-create.sh b/scripts/ca-clone-create.sh
index 251cc7a..0e2d393 100755
--- a/scripts/ca-clone-create.sh
+++ b/scripts/ca-clone-create.sh
@@ -41,22 +41,21 @@ pki_clone_uri=https://$MASTER:8443
# Dogtag 10.2
pki_clone_pkcs12_password=Secret.123
-#pki_clone_pkcs12_path=$PWD/tmp/ca_backup_keys.p12
pki_clone_pkcs12_path=$PWD/tmp/ca-certs.p12
# PKI 10
pki_ca_signing_nickname=ca_signing
pki_ocsp_signing_nickname=ca_ocsp_signing
pki_audit_signing_nickname=ca_audit_signing
-pki_ssl_server_nickname=sslserver
+pki_sslserver_nickname=sslserver
pki_subsystem_nickname=subsystem
# PKI 9
#pki_ca_signing_nickname=caSigningCert cert-pki-ca
#pki_ocsp_signing_nickname=ocspSigningCert cert-pki-ca
#pki_audit_signing_nickname=auditSigningCert cert-pki-ca
-#pki_ssl_server_nickname=Server-Cert cert-pki-ca
+#pki_sslserver_nickname=Server-Cert cert-pki-ca
#pki_subsystem_nickname=subsystemCert cert-pki-ca
EOF
-pkispawn -vvv -f tmp/ca-clone.cfg -s CA
+pkispawn -f tmp/ca-clone.cfg -s CA
diff --git a/scripts/ca-clone-prep.sh b/scripts/ca-clone-prep.sh
index 3993580..378b70e 100755
--- a/scripts/ca-clone-prep.sh
+++ b/scripts/ca-clone-prep.sh
@@ -2,7 +2,7 @@
mkdir -p tmp
-#echo $HOSTNAME > tmp/master.txt
+echo $HOSTNAME > tmp/master.txt
grep "internal=" /var/lib/pki/pki-tomcat/conf/password.conf | awk -F= '{print $2}' > tmp/internal.txt
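Review bot: `echo $HOSTNAME > tmp/master.txt`, now uncommented, depends on a variable that only some shells set; where `/bin/sh` is dash, `HOSTNAME` is usually unset and tmp/master.txt is written empty, which presumably is what ca-clone-create.sh later reads into `$MASTER` for `pki_clone_uri=https://$MASTER:8443`, giving a URI with no host. Using the command instead, `hostname > tmp/master.txt` (or `printf '%s\n' "${HOSTNAME:-$(hostname)}" > tmp/master.txt`), works regardless of the interpreter. The shebang of this file is outside the hunk, so which shell runs it cannot be confirmed from here.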
diff --git a/scripts/ca-create.sh b/scripts/ca-create.sh
index cc1bf21..009d330 100755
--- a/scripts/ca-create.sh
+++ b/scripts/ca-create.sh
@@ -32,13 +32,13 @@ pki_security_domain_name=EXAMPLE
pki_ca_signing_nickname=ca_signing
pki_ocsp_signing_nickname=ca_ocsp_signing
pki_audit_signing_nickname=ca_audit_signing
-pki_ssl_server_nickname=sslserver
+pki_sslserver_nickname=sslserver
pki_subsystem_nickname=subsystem
EOF
-pkispawn -vv -f tmp/ca.cfg -s CA
+pkispawn -f tmp/ca.cfg -s CA
#/bin/cp /root/.dogtag/pki-tomcat/ca_admin.cert .
#/bin/cp /root/.dogtag/pki-tomcat/ca_admin_cert.p12 .
#/bin/cp /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf ca_admin_cert.txt
-echo $HOSTNAME > tmp/master.txt
+#echo $HOSTNAME > tmp/master.txt
diff --git a/scripts/ca-existing-create.sh b/scripts/ca-existing-create.sh
index d020a62..823b98e 100755
--- a/scripts/ca-existing-create.sh
+++ b/scripts/ca-existing-create.sh
@@ -31,9 +31,16 @@ pki_ca_signing_nickname=ca_signing
pki_ca_signing_csr_path=$PWD/tmp/ca_signing.csr
pki_ocsp_signing_nickname=ca_ocsp_signing
-pki_ssl_server_nickname=sslserver
+#pki_ocsp_signing_csr_path=$PWD/tmp/ca_ocsp_signing.csr
+
+pki_sslserver_nickname=sslserver
+#pki_sslserver_csr_path=$PWD/tmp/sslserver.csr
+
pki_subsystem_nickname=subsystem
+#pki_subsystem_csr_path=$PWD/tmp/subsystem.csr
+
pki_audit_signing_nickname=ca_audit_signing
+#pki_audit_signing_csr_path=$PWD/tmp/ca_audit_signing.csr
pki_pkcs12_path=$PWD/tmp/ca-certs.p12
pki_pkcs12_password=Secret.123
diff --git a/scripts/ca-external-openssl-sign.sh b/scripts/ca-external-openssl-sign.sh
new file mode 100755
index 0000000..1d76d0d
--- /dev/null
+++ b/scripts/ca-external-openssl-sign.sh
@@ -0,0 +1,106 @@
+#!/bin/sh
+
+mkdir -p tmp
+
+cat > tmp/external.cfg << EOF
+HOME = tmp
+RANDFILE = tmp/random.bin
+
+####################################################################
+[ ca ]
+default_ca = CA_default # The default ca section
+
+[ CA_default ]
+
+default_days = 1000 # how long to certify for
+default_crl_days = 30 # how long before next CRL
+default_md = sha256 # use public key default MD
+preserve = no # keep passed DN ordering
+
+x509_extensions = ca_extensions # The extensions to add to the cert
+
+email_in_dn = no # Don't concat the email in the DN
+copy_extensions = copy # Required to copy SANs from CSR to cert
+
+####################################################################
+[ req ]
+default_bits = 4096
+default_keyfile = tmp/external.key
+distinguished_name = ca_distinguished_name
+x509_extensions = ca_extensions
+string_mask = utf8only
+
+####################################################################
+[ ca_distinguished_name ]
+countryName = Country Name (2 letter code)
+countryName_default = US
+
+stateOrProvinceName = State or Province Name (full name)
+stateOrProvinceName_default = Maryland
+
+localityName = Locality Name (eg, city)
+localityName_default = Baltimore
+
+organizationName = Organization Name (eg, company)
+organizationName_default = Test CA, Limited
+
+organizationalUnitName = Organizational Unit (eg, division)
+organizationalUnitName_default = Server Research Department
+
+commonName = Common Name (e.g. server FQDN or YOUR name)
+commonName_default = Test CA
+
+emailAddress = Email Address
+emailAddress_default = test@example.com
+
+####################################################################
+[ ca_extensions ]
+
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always, issuer
+basicConstraints = critical, CA:true
+keyUsage = critical, digitalSignature, nonRepudiation, keyCertSign, cRLSign
+EOF
+
+openssl req \
+ -config tmp/external.cfg \
+ -newkey rsa:2048 \
+ -keyout tmp/external.key \
+ -nodes \
+ -x509 \
+ -out tmp/external.crt \
+ -subj "/O=EXTERNAL/CN=External CA" \
+ -days 365
+
+openssl x509 -text -noout -in tmp/external.crt
+
+################################################################################
+# Issuing CA signing certificate
+
+cat > tmp/ca_signing-ext.cfg << EOF
+[ ca_extensions ]
+
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always, issuer
+basicConstraints = critical, CA:true
+keyUsage = critical, digitalSignature, nonRepudiation, keyCertSign, cRLSign
+EOF
+
+openssl x509 -req \
+ -CA tmp/external.crt \
+ -CAkey tmp/external.key \
+ -CAcreateserial \
+ -in tmp/ca_signing.csr \
+ -out tmp/ca_signing.crt \
+ -extfile tmp/external.cfg \
+ -extensions ca_extensions \
+ -set_serial 1
+
+openssl x509 -text -noout -in tmp/ca_signing.crt
+
+################################################################################
+# Exporting certificate chain
+
+openssl crl2pkcs7 -nocrl \
+ -certfile tmp/external.crt \
+ -out tmp/cert_chain.p7b
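Review bot: The `openssl x509 -req` call that issues tmp/ca_signing.crt passes both `-CAcreateserial` and `-set_serial 1`; `-set_serial` takes precedence, so every run issues a certificate with serial 1 under the same issuer name, and two runs yield distinct CA certificates that collide on (issuer, serial), which is exactly what CRLs and path builders key on. Dropping `-set_serial 1` and letting the `.srl` file created by `-CAcreateserial` advance the counter fixes that. The same call has no `-days`, so the subordinate CA certificate gets the `x509 -req` default of 30 days (the `default_days = 1000` under `[CA_default]` is only read by `openssl ca`), far shorter than the 365-day root above it; add `-days 365` or whatever the root's validity allows. tmp/ca_signing-ext.cfg, written a few lines earlier, is never referenced because `-extfile tmp/external.cfg` is used instead; either point `-extfile` at it or drop that heredoc. The unencrypted key written by `-nodes`/`-keyout tmp/external.key` inherits the caller's default umask, so `umask 077` after `mkdir -p tmp` keeps it owner-only.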
diff --git a/scripts/ca-external-step1.sh b/scripts/ca-external-step1.sh
index ecc8112..85ccfc7 100755
--- a/scripts/ca-external-step1.sh
+++ b/scripts/ca-external-step1.sh
@@ -2,25 +2,6 @@
mkdir -p tmp
-rm -f tmp/ca_signing.csr
-rm -f tmp/ca_ocsp_signing.csr
-rm -f tmp/ca_audit_signing.csr
-rm -f tmp/sslserver.csr
-rm -f tmp/subsystem.csr
-
-rm -r tmp/external.crt
-rm -r tmp/cert_chain.p7b
-rm -f tmp/ca_signing.crt
-
-rm -f tmp/example.crt
-rm -f tmp/example2.crt
-rm -f tmp/example.p7
-rm -f tmp/example2.p7
-rm -f tmp/example.p7b
-rm -f tmp/example2.p7b
-rm -f tmp/example3.csr
-rm -f tmp/example3.crt
-
cat > tmp/ca-external-step1.cfg << EOF
[DEFAULT]
#pki_instance_name=pki-child
@@ -53,26 +34,16 @@ pki_external_step_two=False
pki_external_csr_path=$PWD/tmp/ca_signing.csr
#pki_ca_signing_csr_path=$PWD/tmp/ca_signing.csr
-pki_ocsp_signing_csr_path=$PWD/tmp/ca_ocsp_signing.csr
-pki_audit_signing_csr_path=$PWD/tmp/ca_audit_signing.csr
-pki_ssl_server_csr_path=$PWD/tmp/sslserver.csr
-pki_subsystem_csr_path=$PWD/tmp/subsystem.csr
-
-#pki_security_domain_name=CHILD
-#pki_ca_signing_csr_path=$PWD/tmp/example2.csr
-#pki_ca_signing_subject_dn=CN=Child Cert,O=CHILD
-
-#pki_security_domain_name=GRANDCHILD
-#pki_ca_signing_csr_path=$PWD/tmp/example3.csr
-#pki_ca_signing_subject_dn=CN=Grandchild Cert,O=GRANDCHILD
-
-#pki_req_ext_add=True
+#pki_ocsp_signing_csr_path=$PWD/tmp/ca_ocsp_signing.csr
+#pki_audit_signing_csr_path=$PWD/tmp/ca_audit_signing.csr
+#pki_sslserver_csr_path=$PWD/tmp/sslserver.csr
+#pki_subsystem_csr_path=$PWD/tmp/subsystem.csr
pki_ca_signing_nickname=ca_signing
pki_ocsp_signing_nickname=ca_ocsp_signing
pki_audit_signing_nickname=ca_audit_signing
-pki_ssl_server_nickname=sslserver
+pki_sslserver_nickname=sslserver
pki_subsystem_nickname=subsystem
EOF
-pkispawn -vv -f tmp/ca-external-step1.cfg -s CA
+pkispawn -f tmp/ca-external-step1.cfg -s CA -v
diff --git a/scripts/ca-external-step2.sh b/scripts/ca-external-step2.sh
index 0b2ca58..c94ce19 100755
--- a/scripts/ca-external-step2.sh
+++ b/scripts/ca-external-step2.sh
@@ -33,16 +33,17 @@ pki_external_step_two=True
pki_external_csr_path=$PWD/tmp/ca_signing.csr
pki_external_ca_cert_path=$PWD/tmp/ca_signing.crt
-pki_external_ca_cert_chain_nickname=external
-pki_external_ca_cert_chain_path=$PWD/tmp/external.crt
+#pki_external_ca_cert_chain_nickname=external
+pki_external_ca_cert_chain_nickname=Root CA Signing Certificate - ROOT
+#pki_external_ca_cert_chain_nickname=External CA - EXTERNAL
#pki_external_ca_cert_chain_path=$PWD/tmp/cert_chain.p7b
-#pki_external_ca_cert_chain_path=$PWD/tmp/level2.crt
+pki_external_ca_cert_chain_path=$PWD/tmp/external.crt
pki_ca_signing_nickname=ca_signing
pki_ocsp_signing_nickname=ca_ocsp_signing
pki_audit_signing_nickname=ca_audit_signing
-pki_ssl_server_nickname=sslserver
+pki_sslserver_nickname=sslserver
pki_subsystem_nickname=subsystem
EOF
-pkispawn -vv -f tmp/ca-external-step2.cfg -s CA
+pkispawn -f tmp/ca-external-step2.cfg -s CA -v
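Review bot: The active `pki_external_ca_cert_chain_nickname=Root CA Signing Certificate - ROOT` and `pki_external_ca_cert_chain_path=$PWD/tmp/external.crt` look like they come from two different flows: tmp/external.crt is produced by ca-external-openssl-sign.sh with subject `/O=EXTERNAL/CN=External CA`, which matches the commented-out `External CA - EXTERNAL` nickname rather than a ROOT one. pkispawn will import the file under whatever nickname it is given, so this is not a failure, but the NSS database then carries a misleading name for the external certificate. If the intent is the openssl-signed chain, swapping the comment markers on the two nickname lines keeps name and file in agreement.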
diff --git a/scripts/ca-python-test.sh b/scripts/ca-python-test.sh
new file mode 100755
index 0000000..4a0d059
--- /dev/null
+++ b/scripts/ca-python-test.sh
@@ -0,0 +1,46 @@
+#!/bin/sh -x
+
+mkdir -p tmp
+
+pk12util \
+ -d /etc/pki/pki-tomcat/alias \
+ -K Secret.123 \
+ -o tmp/sslserver.p12 \
+ -W Secret.123 \
+ -n sslserver
+
+openssl pkcs12 \
+ -in tmp/sslserver.p12 \
+ -passin pass:Secret.123 \
+ -out tmp/sslserver.pem \
+ -nodes
+
+openssl pkcs12 \
+ -in tmp/sslserver.p12 \
+ -passin pass:Secret.123 \
+ -out tmp/sslserver.key \
+ -nodes \
+ -nocerts
+
+openssl pkcs12 \
+ -in tmp/sslserver.p12 \
+ -passin pass:Secret.123 \
+ -out tmp/sslserver.crt \
+ -clcerts \
+ -nokeys
+
+openssl pkcs12 \
+ -in tmp/sslserver.p12 \
+ -passin pass:Secret.123 \
+ -out tmp/sslserver.p7b \
+ -nokeys
+
+openssl pkcs12 \
+ -in tmp/sslserver.p12 \
+ -passin pass:Secret.123 \
+ -out tmp/sslserver.chain \
+ -cacerts \
+ -nokeys
+
+pki -c Secret.123 client-init --force
+#python ca-python-test.py
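Review bot: Every password in the new file is passed on the command line (`-K Secret.123`, `-W Secret.123`, the five `-passin pass:Secret.123` arguments and `pki -c Secret.123`), which exposes it to any local user through the process list for the duration of each command. pk12util accepts `-k`/`-w` password-file arguments, openssl accepts `-passin file:tmp/pw.txt`, and pki has `-C` for a password file, so writing the value once to a file created under `umask 077` and referencing it covers all seven invocations. The extracted `tmp/sslserver.key` and `tmp/sslserver.pem` are unencrypted (`-nodes`) and inherit the default umask, so the same `umask 077` after `mkdir -p tmp` also protects them. `pki client-init --force` recreates the client NSS database, discarding whatever was there; that is presumably intentional for a test, but a comment saying so would help the next reader.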