From 1adf9a0cac7ff5ddebe30db4c380133ff3718b8a Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata"
Date: Fri, 20 Oct 2017 21:16:52 +0200
Subject: Updated CA scripts.

---
 scripts/ca-admin-init.sh | 15 ++++++++++
 scripts/ca-all-existing-create.sh | 52 ----------------------------------
 scripts/ca-all-existing-export.sh | 33 ----------------------
 scripts/ca-clone-admin-init.sh | 13 +++++++++
 scripts/ca-clone-prep.sh | 6 ++--
 scripts/ca-create.sh | 8 +-----
 scripts/ca-existing-certs-create.sh | 54 ++++++++++++++++++++++++++++++++++++
 scripts/ca-existing-create.sh | 52 ----------------------------------
 scripts/ca-existing-export-certs.sh | 37 ++++++++++++++++++++++++
 scripts/ca-existing-export-pkcs12.sh | 33 ++++++++++++++++++++++
 scripts/ca-existing-pkcs12-create.sh | 52 ++++++++++++++++++++++++++++++++++
 scripts/ca-external-step1.sh | 21 +++++++-------
 scripts/ca-external-step2.sh | 27 +++++++++++-------
 scripts/ca-step1.sh | 37 ++++++++++++++++++++++--
 scripts/ca-step2.sh | 42 ++++++++++++++++++++++++++--
 scripts/ca-sub-create.sh | 42 +++++++++++++++++++++++++++-
 scripts/ca_signing-cmc-sign.sh | 3 +-
 scripts/ca_signing-export.sh | 3 +-
 18 files changed, 354 insertions(+), 176 deletions(-)
 create mode 100755 scripts/ca-admin-init.sh
 delete mode 100755 scripts/ca-all-existing-create.sh
 delete mode 100755 scripts/ca-all-existing-export.sh
 create mode 100755 scripts/ca-clone-admin-init.sh
 create mode 100755 scripts/ca-existing-certs-create.sh
 delete mode 100755 scripts/ca-existing-create.sh
 create mode 100755 scripts/ca-existing-export-certs.sh
 create mode 100755 scripts/ca-existing-export-pkcs12.sh
 create mode 100755 scripts/ca-existing-pkcs12-create.sh

diff --git a/scripts/ca-admin-init.sh b/scripts/ca-admin-init.sh
new file mode 100755
index 0000000..814c14b
--- /dev/null
+++ b/scripts/ca-admin-init.sh
@@ -0,0 +1,15 @@
+#!/bin/sh
+
+pki -c Secret.123 client-init --force
+
+pki -c Secret.123 client-cert-import "Root CA Signing Certificate" --ca-cert tmp/external.crt
+
+pki -c Secret.123 client-cert-import "CA Signing Certificate" --ca-server
+
+pki -c Secret.123 client-cert-import \
+ --pkcs12 ~/.dogtag/pki-tomcat/ca_admin_cert.p12 \
+ --pkcs12-password Secret.123
+
+#pki -c Secret.123 pkcs12-import \
+# --pkcs12-file ~/.dogtag/pki-tomcat/ca_admin_cert.p12 \
+# --pkcs12-password Secret.123
diff --git a/scripts/ca-all-existing-create.sh b/scripts/ca-all-existing-create.sh
deleted file mode 100755
index 98c05d8..0000000
--- a/scripts/ca-all-existing-create.sh
+++ /dev/null
@@ -1,52 +0,0 @@
-#!/bin/sh -x
-
-mkdir -p tmp
-
-cat > tmp/ca-all-existing.cfg << EOF
-[DEFAULT]
-pki_pin=Secret.123
-
-[CA]
-pki_admin_email=caadmin@example.com
-pki_admin_name=caadmin
-pki_admin_nickname=caadmin
-pki_admin_password=Secret.123
-pki_admin_uid=caadmin
-
-pki_client_database_password=Secret.123
-pki_client_database_purge=False
-pki_client_pkcs12_password=Secret.123
-
-pki_ds_base_dn=dc=ca,dc=pki,dc=example,dc=com
-pki_ds_password=Secret.123
-pki_ds_database=ca
-
-pki_security_domain_name=EXAMPLE
-
-pki_token_password=Secret.123
-
-pki_existing=True
-
-pki_ca_signing_nickname=ca_signing
-pki_ca_signing_csr_path=$PWD/tmp/ca_signing.csr
-
-pki_ocsp_signing_nickname=ca_ocsp_signing
-pki_ocsp_signing_csr_path=$PWD/tmp/ca_ocsp_signing.csr
-
-pki_sslserver_nickname=sslserver
-pki_sslserver_csr_path=$PWD/tmp/sslserver.csr
-
-pki_subsystem_nickname=subsystem
-pki_subsystem_csr_path=$PWD/tmp/subsystem.csr
-
-pki_audit_signing_nickname=ca_audit_signing
-pki_audit_signing_csr_path=$PWD/tmp/ca_audit_signing.csr
-
-pki_pkcs12_path=$PWD/tmp/ca-certs.p12
-pki_pkcs12_password=Secret.123
-
-#pki_serial_number_range_start=6
-#pki_request_number_range_start=1
-EOF
-
-pkispawn -f tmp/ca-all-existing.cfg -s CA
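Review bot: Every `pki` call in ca-admin-init.sh passes the client database password as `-c Secret.123` on the command line, and the PKCS#12 step adds `--pkcs12-password Secret.123`, so both secrets show up in the process list and in any `sh -x` trace; the pkcs12-cert-find calls elsewhere on this page already use the file form (`--pkcs12-password-file password.txt`), which would fit the PKCS#12 import here if client-cert-import accepts it. `client-init --force` replaces whatever client database already exists without asking, which is reasonable for a throwaway test box but deserves a one-line comment saying so. The `--ca-cert tmp/external.crt` import makes whatever file is sitting in tmp/ the trusted root, and no script on this page produces that file; a comment naming where it is expected to come from would help the next reader. ca-clone-admin-init.sh repeats the same password-on-argv pattern.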
diff --git a/scripts/ca-all-existing-export.sh b/scripts/ca-all-existing-export.sh
deleted file mode 100755
index da2ce2d..0000000
--- a/scripts/ca-all-existing-export.sh
+++ /dev/null
@@ -1,33 +0,0 @@
-#!/bin/sh -x
-
-grep "internal=" /var/lib/pki/pki-tomcat/conf/password.conf | awk -F= '{print $2}' > tmp/internal.txt
-#PKCS12Export -debug -d /var/lib/pki/pki-tomcat/alias -p tmp/internal.txt -w password.txt -o tmp/ca-certs.p12
-PKCS12Export -d /var/lib/pki/pki-tomcat/alias -p tmp/internal.txt -w password.txt -o tmp/ca-certs.p12
-
-pki pkcs12-cert-find --pkcs12-file tmp/ca-certs.p12 --pkcs12-password-file password.txt
-pki pkcs12-key-find --pkcs12-file tmp/ca-certs.p12 --pkcs12-password-file password.txt
-
-echo "-----BEGIN NEW CERTIFICATE REQUEST-----" > tmp/ca_signing.csr
-sed -n "/^ca.signing.certreq=/ s/^[^=]*=// p" < /var/lib/pki/pki-tomcat/ca/conf/CS.cfg >> tmp/ca_signing.csr
-echo "-----END NEW CERTIFICATE REQUEST-----" >> tmp/ca_signing.csr
-
-echo "-----BEGIN NEW CERTIFICATE REQUEST-----" > tmp/ca_ocsp_signing.csr
-sed -n "/^ca.ocsp_signing.certreq=/ s/^[^=]*=// p" < /var/lib/pki/pki-tomcat/ca/conf/CS.cfg >> tmp/ca_ocsp_signing.csr
-echo "-----END NEW CERTIFICATE REQUEST-----" >> tmp/ca_ocsp_signing.csr
-
-echo "-----BEGIN NEW CERTIFICATE REQUEST-----" > tmp/sslserver.csr
-sed -n "/^ca.sslserver.certreq=/ s/^[^=]*=// p" < /var/lib/pki/pki-tomcat/ca/conf/CS.cfg >> tmp/sslserver.csr
-echo "-----END NEW CERTIFICATE REQUEST-----" >> tmp/sslserver.csr
-
-echo "-----BEGIN NEW CERTIFICATE REQUEST-----" > tmp/subsystem.csr
-sed -n "/^ca.subsystem.certreq=/ s/^[^=]*=// p" < /var/lib/pki/pki-tomcat/ca/conf/CS.cfg >> tmp/subsystem.csr
-echo "-----END NEW CERTIFICATE REQUEST-----" >> tmp/subsystem.csr
-
-echo "-----BEGIN NEW CERTIFICATE REQUEST-----" > tmp/ca_audit_signing.csr
-sed -n "/^ca.audit_signing.certreq=/ s/^[^=]*=// p" < /var/lib/pki/pki-tomcat/ca/conf/CS.cfg >> tmp/ca_audit_signing.csr
-echo "-----END NEW CERTIFICATE REQUEST-----" >> tmp/ca_audit_signing.csr
-
-#pki-server ca-clone-prepare --pkcs12-file tmp/ca-certs.p12 --pkcs12-password-file password.txt
-
-cp ~/.dogtag/pki-tomcat/ca_admin.cert tmp
-cp ~/.dogtag/pki-tomcat/ca_admin_cert.p12 tmp
diff --git a/scripts/ca-clone-admin-init.sh b/scripts/ca-clone-admin-init.sh
new file mode 100755
index 0000000..eefe7cc
--- /dev/null
+++ b/scripts/ca-clone-admin-init.sh
@@ -0,0 +1,13 @@
+#!/bin/sh
+
+pki -c Secret.123 client-init --force
+
+pki -c Secret.123 client-cert-import "CA Signing Certificate" --ca-server
+
+pki -c Secret.123 client-cert-import \
+ --pkcs12 tmp/ca_admin_cert.p12 \
+ --pkcs12-password Secret.123
+
+#pki -c Secret.123 pkcs12-import \
+# --pkcs12-file tmp/ca_admin_cert.p12 \
+# --pkcs12-password Secret.123
diff --git a/scripts/ca-clone-prep.sh b/scripts/ca-clone-prep.sh
index 378b70e..7808d33 100755
--- a/scripts/ca-clone-prep.sh
+++ b/scripts/ca-clone-prep.sh
@@ -6,11 +6,11 @@ echo $HOSTNAME > tmp/master.txt
 grep "internal=" /var/lib/pki/pki-tomcat/conf/password.conf | awk -F= '{print $2}' > tmp/internal.txt
-PKCS12Export -debug -d /var/lib/pki/pki-tomcat/alias -p tmp/internal.txt -w password.txt -o tmp/ca_backup_keys.p12
-pki pkcs12-cert-find --pkcs12-file tmp/ca_backup_keys.p12 --pkcs12-password-file password.txt
+#PKCS12Export -debug -d /var/lib/pki/pki-tomcat/alias -p tmp/internal.txt -w password.txt -o tmp/ca_backup_keys.p12
+#pki pkcs12-cert-find --pkcs12-file tmp/ca_backup_keys.p12 --pkcs12-password-file password.txt
 pki-server ca-clone-prepare --pkcs12-file tmp/ca-certs.p12 --pkcs12-password-file password.txt
 pki pkcs12-cert-find --pkcs12-file tmp/ca-certs.p12 --pkcs12-password-file password.txt
 #cp ~/.dogtag/pki-tomcat/ca_admin.cert tmp
-#cp ~/.dogtag/pki-tomcat/ca_admin_cert.p12 tmp
+cp ~/.dogtag/pki-tomcat/ca_admin_cert.p12 tmp
diff --git a/scripts/ca-create.sh b/scripts/ca-create.sh
index 009d330..1095700 100755
--- a/scripts/ca-create.sh
+++ b/scripts/ca-create.sh
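Review bot: The newly enabled `cp ~/.dogtag/pki-tomcat/ca_admin_cert.p12 tmp` in ca-clone-prep.sh leaves the admin's private key in the working tmp/ directory with whatever mode the umask grants, next to tmp/ca-certs.p12 that ca-clone-prepare writes on the line above, and nothing on this page removes either file afterwards. `cp ~/.dogtag/pki-tomcat/ca_admin_cert.p12 tmp && chmod 600 tmp/ca_admin_cert.p12` plus a comment that tmp/ must be wiped once the clone is installed makes the exposure explicit. With the PKCS12Export line now commented out, the `grep "internal=" ... > tmp/internal.txt` context line writes the server's internal-token password to disk for no consumer in this script; commenting it out with the rest avoids a stray plaintext secret. The enclosing script starts before this hunk.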
@@ -13,9 +13,6 @@ pki_admin_nickname=caadmin
 pki_admin_password=Secret.123
 pki_admin_uid=caadmin
-#pki_backup_keys=True
-#pki_backup_password=Secret.123
-
 pki_client_database_password=Secret.123
 pki_client_database_purge=False
 pki_client_pkcs12_password=Secret.123
@@ -26,9 +23,6 @@ pki_ds_database=ca
 pki_security_domain_name=EXAMPLE
-#pki_server_pkcs12_path=pki-server.p12
-#pki_server_pkcs12_password=Secret.123
-
 pki_ca_signing_nickname=ca_signing
 pki_ocsp_signing_nickname=ca_ocsp_signing
 pki_audit_signing_nickname=ca_audit_signing
@@ -41,4 +35,4 @@ pkispawn -f tmp/ca.cfg -s CA
 #/bin/cp /root/.dogtag/pki-tomcat/ca_admin.cert .
 #/bin/cp /root/.dogtag/pki-tomcat/ca_admin_cert.p12 .
 #/bin/cp /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf ca_admin_cert.txt
-#echo $HOSTNAME > tmp/master.txt
+echo $HOSTNAME > tmp/ca.hostname
diff --git a/scripts/ca-existing-certs-create.sh b/scripts/ca-existing-certs-create.sh
new file mode 100755
index 0000000..646e4dc
--- /dev/null
+++ b/scripts/ca-existing-certs-create.sh
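Review bot: `echo $HOSTNAME > tmp/ca.hostname` in ca-create.sh introduces a third name for the same marker file: the ca-clone-prep.sh hunk header on this page still shows `echo $HOSTNAME > tmp/master.txt`, and ca-sub-create.sh reads `tmp/root.txt`, so unless something outside this patch bridges them the sub-CA script will not see the hostname the CA scripts now write. Settling on one filename (or pointing ca-sub-create.sh at tmp/ca.hostname) keeps the scripts composable; ca-external-step2.sh and ca-step2.sh add the identical line. `printf '%s\n' "$HOSTNAME" > tmp/ca.hostname` also avoids echo's option and word-splitting quirks on the unquoted expansion.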
@@ -0,0 +1,54 @@
+#!/bin/sh -x
+
+mkdir -p tmp
+
+cat > tmp/ca-existing-certs.cfg << EOF
+[DEFAULT]
+pki_pin=Secret.123
+
+[CA]
+pki_admin_email=caadmin@example.com
+pki_admin_name=caadmin
+pki_admin_nickname=caadmin
+pki_admin_password=Secret.123
+pki_admin_uid=caadmin
+
+pki_client_database_password=Secret.123
+pki_client_database_purge=False
+pki_client_pkcs12_password=Secret.123
+
+pki_ds_base_dn=dc=ca,dc=pki,dc=example,dc=com
+pki_ds_password=Secret.123
+pki_ds_database=ca
+
+pki_security_domain_name=EXAMPLE
+
+pki_token_password=Secret.123
+
+pki_existing=True
+
+pki_ca_signing_nickname=ca_signing
+pki_ca_signing_csr_path=tmp/ca_signing.csr
+pki_ca_signing_cert_path=tmp/ca_signing.crt
+
+pki_ocsp_signing_nickname=ca_ocsp_signing
+pki_ocsp_signing_csr_path=tmp/ca_ocsp_signing.csr
+pki_ocsp_signing_cert_path=tmp/ca_ocsp_signing.crt
+
+pki_sslserver_nickname=sslserver
+pki_sslserver_csr_path=tmp/sslserver.csr
+pki_sslserver_cert_path=tmp/sslserver.crt
+
+pki_subsystem_nickname=subsystem
+pki_subsystem_csr_path=tmp/subsystem.csr
+pki_subsystem_cert_path=tmp/subsystem.crt
+
+pki_audit_signing_nickname=ca_audit_signing
+pki_audit_signing_csr_path=tmp/ca_audit_signing.csr
+pki_audit_signing_cert_path=tmp/ca_audit_signing.crt
+
+#pki_serial_number_range_start=6
+#pki_request_number_range_start=1
+EOF
+
+pkispawn -v -f tmp/ca-existing-certs.cfg -s CA
diff --git a/scripts/ca-existing-create.sh b/scripts/ca-existing-create.sh
deleted file mode 100755
index 823b98e..0000000
--- a/scripts/ca-existing-create.sh
+++ /dev/null
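Review bot: The heredoc in ca-existing-certs-create.sh writes `pki_admin_password`, `pki_ds_password`, `pki_token_password` and `pki_client_pkcs12_password` in plaintext to tmp/ca-existing-certs.cfg under the caller's default umask, and the file is kept after pkispawn returns. A `umask 077` right after `mkdir -p tmp`, or `chmod 600 tmp/ca-existing-certs.cfg` after the heredoc, keeps it readable only by the installing user, and a trailing `rm -f tmp/ca-existing-certs.cfg` (or a comment saying it is intentionally kept for debugging) closes the gap. The same applies to the cfg files written by ca-existing-pkcs12-create.sh (which additionally carries `pki_pkcs12_password` for the CA key bundle), ca-external-step1.sh, ca-external-step2.sh, ca-step1.sh, ca-step2.sh and ca-sub-create.sh (`pki_security_domain_password`). The csr/cert paths are now relative (`tmp/ca_signing.csr`) where the deleted ca-all-existing-create.sh used `$PWD/tmp/...`; that only works if pkispawn resolves them against the invoking directory, which this page does not show, so a comment confirming it would save a future debugging round.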
@@ -1,52 +0,0 @@
-#!/bin/sh -x
-
-mkdir -p tmp
-
-cat > tmp/ca-existing.cfg << EOF
-[DEFAULT]
-pki_pin=Secret.123
-
-[CA]
-pki_admin_email=caadmin@example.com
-pki_admin_name=caadmin
-pki_admin_nickname=caadmin
-pki_admin_password=Secret.123
-pki_admin_uid=caadmin
-
-pki_client_database_password=Secret.123
-pki_client_database_purge=False
-pki_client_pkcs12_password=Secret.123
-
-pki_ds_base_dn=dc=ca,dc=pki,dc=example,dc=com
-pki_ds_password=Secret.123
-pki_ds_database=ca
-
-pki_security_domain_name=EXAMPLE
-
-pki_token_password=Secret.123
-
-pki_existing=True
-
-pki_ca_signing_nickname=ca_signing
-pki_ca_signing_csr_path=$PWD/tmp/ca_signing.csr
-
-pki_ocsp_signing_nickname=ca_ocsp_signing
-#pki_ocsp_signing_csr_path=$PWD/tmp/ca_ocsp_signing.csr
-
-pki_sslserver_nickname=sslserver
-#pki_sslserver_csr_path=$PWD/tmp/sslserver.csr
-
-pki_subsystem_nickname=subsystem
-#pki_subsystem_csr_path=$PWD/tmp/subsystem.csr
-
-pki_audit_signing_nickname=ca_audit_signing
-#pki_audit_signing_csr_path=$PWD/tmp/ca_audit_signing.csr
-
-pki_pkcs12_path=$PWD/tmp/ca-certs.p12
-pki_pkcs12_password=Secret.123
-
-#pki_serial_number_range_start=6
-#pki_request_number_range_start=1
-EOF
-
-pkispawn -v -f tmp/ca-existing.cfg -s CA
diff --git a/scripts/ca-existing-export-certs.sh b/scripts/ca-existing-export-certs.sh
new file mode 100755
index 0000000..3645488
--- /dev/null
+++ b/scripts/ca-existing-export-certs.sh
@@ -0,0 +1,37 @@
+#!/bin/sh -x
+
+#grep "internal=" /var/lib/pki/pki-tomcat/conf/password.conf | awk -F= '{print $2}' > tmp/internal.txt
+#PKCS12Export -debug -d /var/lib/pki/pki-tomcat/alias -p tmp/internal.txt -w password.txt -o tmp/ca-certs.p12
+#PKCS12Export -d /var/lib/pki/pki-tomcat/alias -p tmp/internal.txt -w password.txt -o tmp/ca-certs.p12
+
+#pki pkcs12-cert-find --pkcs12-file tmp/ca-certs.p12 --pkcs12-password-file password.txt
+#pki pkcs12-key-find --pkcs12-file tmp/ca-certs.p12 --pkcs12-password-file password.txt
+
+certutil -L -d /var/lib/pki/pki-tomcat/alias -n "ca_signing" -a > tmp/ca_signing.crt
+certutil -L -d /var/lib/pki/pki-tomcat/alias -n "ca_ocsp_signing" -a > tmp/ca_ocsp_signing.crt
+certutil -L -d /var/lib/pki/pki-tomcat/alias -n "ca_audit_signing" -a > tmp/ca_audit_signing.crt
+certutil -L -d /var/lib/pki/pki-tomcat/alias -n "subsystem" -a > tmp/subsystem.crt
+certutil -L -d /var/lib/pki/pki-tomcat/alias -n "sslserver" -a > tmp/sslserver.crt
+
+echo "-----BEGIN NEW CERTIFICATE REQUEST-----" > tmp/ca_signing.csr
+sed -n "/^ca.signing.certreq=/ s/^[^=]*=// p" < /var/lib/pki/pki-tomcat/ca/conf/CS.cfg >> tmp/ca_signing.csr
+echo "-----END NEW CERTIFICATE REQUEST-----" >> tmp/ca_signing.csr
+
+echo "-----BEGIN NEW CERTIFICATE REQUEST-----" > tmp/ca_ocsp_signing.csr
+sed -n "/^ca.ocsp_signing.certreq=/ s/^[^=]*=// p" < /var/lib/pki/pki-tomcat/ca/conf/CS.cfg >> tmp/ca_ocsp_signing.csr
+echo "-----END NEW CERTIFICATE REQUEST-----" >> tmp/ca_ocsp_signing.csr
+
+echo "-----BEGIN NEW CERTIFICATE REQUEST-----" > tmp/sslserver.csr
+sed -n "/^ca.sslserver.certreq=/ s/^[^=]*=// p" < /var/lib/pki/pki-tomcat/ca/conf/CS.cfg >> tmp/sslserver.csr
+echo "-----END NEW CERTIFICATE REQUEST-----" >> tmp/sslserver.csr
+
+echo "-----BEGIN NEW CERTIFICATE REQUEST-----" > tmp/subsystem.csr
+sed -n "/^ca.subsystem.certreq=/ s/^[^=]*=// p" < /var/lib/pki/pki-tomcat/ca/conf/CS.cfg >> tmp/subsystem.csr
+echo "-----END NEW CERTIFICATE REQUEST-----" >> tmp/subsystem.csr
+
+echo "-----BEGIN NEW CERTIFICATE REQUEST-----" > tmp/ca_audit_signing.csr
+sed -n "/^ca.audit_signing.certreq=/ s/^[^=]*=// p" < /var/lib/pki/pki-tomcat/ca/conf/CS.cfg >> tmp/ca_audit_signing.csr
+echo "-----END NEW CERTIFICATE REQUEST-----" >> tmp/ca_audit_signing.csr
+
+#cp ~/.dogtag/pki-tomcat/ca_admin.cert tmp
+#cp ~/.dogtag/pki-tomcat/ca_admin_cert.p12 tmp
diff --git a/scripts/ca-existing-export-pkcs12.sh b/scripts/ca-existing-export-pkcs12.sh
new file mode 100755
index 0000000..da2ce2d
--- /dev/null
+++ b/scripts/ca-existing-export-pkcs12.sh
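Review bot: None of the certutil or sed extractions in ca-existing-export-certs.sh is checked and the script has no `set -e`, so a missing nickname or an absent `*.certreq=` key in CS.cfg leaves an empty tmp/*.crt or a .csr holding only the BEGIN/END lines, which ca-existing-certs-create.sh then hands to pkispawn and fails much further from the cause. Adding `set -e` after the shebang covers the certutil lines; the sed lines need an explicit check because sed exits 0 when nothing matched, e.g. `grep -q '^ca\.signing\.certreq=' /var/lib/pki/pki-tomcat/ca/conf/CS.cfg || exit 1` before each one. The sed addresses use an unescaped dot in `/^ca.signing.certreq=/`, which matches any character; `/^ca\.signing\.certreq=/` states what is meant. ca-existing-export-pkcs12.sh carries the same unchecked sed pattern.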
@@ -0,0 +1,33 @@
+#!/bin/sh -x
+
+grep "internal=" /var/lib/pki/pki-tomcat/conf/password.conf | awk -F= '{print $2}' > tmp/internal.txt
+#PKCS12Export -debug -d /var/lib/pki/pki-tomcat/alias -p tmp/internal.txt -w password.txt -o tmp/ca-certs.p12
+PKCS12Export -d /var/lib/pki/pki-tomcat/alias -p tmp/internal.txt -w password.txt -o tmp/ca-certs.p12
+
+pki pkcs12-cert-find --pkcs12-file tmp/ca-certs.p12 --pkcs12-password-file password.txt
+pki pkcs12-key-find --pkcs12-file tmp/ca-certs.p12 --pkcs12-password-file password.txt
+
+echo "-----BEGIN NEW CERTIFICATE REQUEST-----" > tmp/ca_signing.csr
+sed -n "/^ca.signing.certreq=/ s/^[^=]*=// p" < /var/lib/pki/pki-tomcat/ca/conf/CS.cfg >> tmp/ca_signing.csr
+echo "-----END NEW CERTIFICATE REQUEST-----" >> tmp/ca_signing.csr
+
+echo "-----BEGIN NEW CERTIFICATE REQUEST-----" > tmp/ca_ocsp_signing.csr
+sed -n "/^ca.ocsp_signing.certreq=/ s/^[^=]*=// p" < /var/lib/pki/pki-tomcat/ca/conf/CS.cfg >> tmp/ca_ocsp_signing.csr
+echo "-----END NEW CERTIFICATE REQUEST-----" >> tmp/ca_ocsp_signing.csr
+
+echo "-----BEGIN NEW CERTIFICATE REQUEST-----" > tmp/sslserver.csr
+sed -n "/^ca.sslserver.certreq=/ s/^[^=]*=// p" < /var/lib/pki/pki-tomcat/ca/conf/CS.cfg >> tmp/sslserver.csr
+echo "-----END NEW CERTIFICATE REQUEST-----" >> tmp/sslserver.csr
+
+echo "-----BEGIN NEW CERTIFICATE REQUEST-----" > tmp/subsystem.csr
+sed -n "/^ca.subsystem.certreq=/ s/^[^=]*=// p" < /var/lib/pki/pki-tomcat/ca/conf/CS.cfg >> tmp/subsystem.csr
+echo "-----END NEW CERTIFICATE REQUEST-----" >> tmp/subsystem.csr
+
+echo "-----BEGIN NEW CERTIFICATE REQUEST-----" > tmp/ca_audit_signing.csr
+sed -n "/^ca.audit_signing.certreq=/ s/^[^=]*=// p" < /var/lib/pki/pki-tomcat/ca/conf/CS.cfg >> tmp/ca_audit_signing.csr
+echo "-----END NEW CERTIFICATE REQUEST-----" >> tmp/ca_audit_signing.csr
+
+#pki-server ca-clone-prepare --pkcs12-file tmp/ca-certs.p12 --pkcs12-password-file password.txt
+
+cp ~/.dogtag/pki-tomcat/ca_admin.cert tmp
+cp ~/.dogtag/pki-tomcat/ca_admin_cert.p12 tmp
diff --git a/scripts/ca-existing-pkcs12-create.sh b/scripts/ca-existing-pkcs12-create.sh
new file mode 100755
index 0000000..c7519e8
--- /dev/null
+++ b/scripts/ca-existing-pkcs12-create.sh
@@ -0,0 +1,52 @@
+#!/bin/sh -x
+
+mkdir -p tmp
+
+cat > tmp/ca-existing.cfg << EOF
+[DEFAULT]
+pki_pin=Secret.123
+
+[CA]
+pki_admin_email=caadmin@example.com
+pki_admin_name=caadmin
+pki_admin_nickname=caadmin
+pki_admin_password=Secret.123
+pki_admin_uid=caadmin
+
+pki_client_database_password=Secret.123
+pki_client_database_purge=False
+pki_client_pkcs12_password=Secret.123
+
+pki_ds_base_dn=dc=ca,dc=pki,dc=example,dc=com
+pki_ds_password=Secret.123
+pki_ds_database=ca
+
+pki_security_domain_name=EXAMPLE
+
+pki_token_password=Secret.123
+
+pki_existing=True
+
+pki_pkcs12_path=tmp/ca-certs.p12
+pki_pkcs12_password=Secret.123
+
+pki_ca_signing_nickname=ca_signing
+pki_ca_signing_csr_path=tmp/ca_signing.csr
+
+pki_ocsp_signing_nickname=ca_ocsp_signing
+pki_ocsp_signing_csr_path=tmp/ca_ocsp_signing.csr
+
+pki_sslserver_nickname=sslserver
+pki_sslserver_csr_path=tmp/sslserver.csr
+
+pki_subsystem_nickname=subsystem
+pki_subsystem_csr_path=tmp/subsystem.csr
+
+pki_audit_signing_nickname=ca_audit_signing
+pki_audit_signing_csr_path=tmp/ca_audit_signing.csr
+
+#pki_serial_number_range_start=6
+#pki_request_number_range_start=1
+EOF
+
+pkispawn -v -f tmp/ca-existing.cfg -s CA
diff --git a/scripts/ca-external-step1.sh b/scripts/ca-external-step1.sh
index 85ccfc7..96365de 100755
--- a/scripts/ca-external-step1.sh
+++ b/scripts/ca-external-step1.sh
@@ -4,7 +4,6 @@ mkdir -p tmp
 cat > tmp/ca-external-step1.cfg << EOF
 [DEFAULT]
-#pki_instance_name=pki-child
 pki_pin=Secret.123
 [CA]
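Review bot: ca-existing-export-pkcs12.sh (the same blob, da2ce2d, as the deleted ca-all-existing-export.sh, so effectively a rename) writes the server's internal-token password to tmp/internal.txt in plaintext and never removes it; `grep "internal="` is unanchored, so any other password.conf key whose name ends in `internal` would also match, and `awk -F= '{print $2}'` truncates a value containing a second `=`. `sed -n 's/^internal=//p' /var/lib/pki/pki-tomcat/conf/password.conf > tmp/internal.txt` addresses both, and a `umask 077` before it plus `rm -f tmp/internal.txt` after PKCS12Export limits how long the secret sits on disk. The exported tmp/ca-certs.p12 holds the CA signing key, so the same umask and cleanup reasoning applies to it and to the admin PKCS#12 copied on the last line.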
@@ -31,19 +30,21 @@ pki_token_password=Secret.123
 pki_external=True
 pki_external_step_two=False
-pki_external_csr_path=$PWD/tmp/ca_signing.csr
-#pki_ca_signing_csr_path=$PWD/tmp/ca_signing.csr
-#pki_ocsp_signing_csr_path=$PWD/tmp/ca_ocsp_signing.csr
-#pki_audit_signing_csr_path=$PWD/tmp/ca_audit_signing.csr
-#pki_sslserver_csr_path=$PWD/tmp/sslserver.csr
-#pki_subsystem_csr_path=$PWD/tmp/subsystem.csr
+#pki_external_csr_path=tmp/ca_signing.csr
+pki_ca_signing_csr_path=tmp/ca_signing.csr
+
+#pki_ca_signing_csr_path=tmp/ca_signing.csr
+#pki_ocsp_signing_csr_path=tmp/ca_ocsp_signing.csr
+#pki_subsystem_csr_path=tmp/subsystem.csr
+#pki_sslserver_csr_path=tmp/sslserver.csr
+#pki_audit_signing_csr_path=tmp/ca_audit_signing.csr
 pki_ca_signing_nickname=ca_signing
 pki_ocsp_signing_nickname=ca_ocsp_signing
-pki_audit_signing_nickname=ca_audit_signing
-pki_sslserver_nickname=sslserver
 pki_subsystem_nickname=subsystem
+pki_sslserver_nickname=sslserver
+pki_audit_signing_nickname=ca_audit_signing
 EOF
-pkispawn -f tmp/ca-external-step1.cfg -s CA -v
+pkispawn -f tmp/ca-external-step1.cfg -s CA
diff --git a/scripts/ca-external-step2.sh b/scripts/ca-external-step2.sh
index c94ce19..9e16c46 100755
--- a/scripts/ca-external-step2.sh
+++ b/scripts/ca-external-step2.sh
@@ -4,7 +4,6 @@ mkdir -p tmp
 cat > tmp/ca-external-step2.cfg << EOF
 [DEFAULT]
-#pki_instance_name=pki-child
 pki_pin=Secret.123
 [CA]
@@ -30,20 +29,28 @@ pki_token_password=Secret.123
 pki_external=True
 pki_external_step_two=True
-pki_external_csr_path=$PWD/tmp/ca_signing.csr
-pki_external_ca_cert_path=$PWD/tmp/ca_signing.crt
+
+#pki_external_csr_path=tmp/ca_signing.csr
+pki_ca_signing_csr_path=tmp/ca_signing.csr
+
+#pki_external_ca_cert_path=tmp/ca_signing.crt
+pki_ca_signing_cert_path=tmp/ca_signing.crt
 #pki_external_ca_cert_chain_nickname=external
-pki_external_ca_cert_chain_nickname=Root CA Signing Certificate - ROOT
-#pki_external_ca_cert_chain_nickname=External CA - EXTERNAL
-#pki_external_ca_cert_chain_path=$PWD/tmp/cert_chain.p7b
-pki_external_ca_cert_chain_path=$PWD/tmp/external.crt
+#pki_external_ca_cert_chain_nickname=Root CA Signing Certificate - ROOT
+#pki_cert_chain_nickname=Root CA Signing Certificate - ROOT
+
+#pki_external_ca_cert_chain_path=tmp/cert_chain.p7b
+#pki_external_ca_cert_chain_path=tmp/external.crt
+#pki_cert_chain_path=tmp/external.crt
 pki_ca_signing_nickname=ca_signing
 pki_ocsp_signing_nickname=ca_ocsp_signing
-pki_audit_signing_nickname=ca_audit_signing
-pki_sslserver_nickname=sslserver
 pki_subsystem_nickname=subsystem
+pki_sslserver_nickname=sslserver
+pki_audit_signing_nickname=ca_audit_signing
 EOF
-pkispawn -f tmp/ca-external-step2.cfg -s CA -v
+pkispawn -f tmp/ca-external-step2.cfg -s CA
+
+echo $HOSTNAME > tmp/ca.hostname
diff --git a/scripts/ca-step1.sh b/scripts/ca-step1.sh
index 77487cf..2c419ae 100755
--- a/scripts/ca-step1.sh
+++ b/scripts/ca-step1.sh
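Review bot: In ca-external-step2.sh every chain setting is now commented out (`pki_external_ca_cert_chain_nickname`, `pki_external_ca_cert_chain_path`, `pki_cert_chain_nickname`, `pki_cert_chain_path`), so step two hands pkispawn only `pki_ca_signing_cert_path=tmp/ca_signing.crt`; if that certificate is issued by the external root rather than self-signed, nothing in this step installs the issuer in the server's NSS database, and the `--ca-cert tmp/external.crt` import in ca-admin-init.sh only covers the client side. Either re-enable the chain line with whichever of the two key spellings the target pkispawn accepts (this page does not show which), e.g. `pki_cert_chain_path=tmp/external.crt`, or add a comment explaining where the chain is installed instead. Keeping one live line per setting instead of two or three commented variants would also make the intended configuration readable at a glance.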
@@ -1,5 +1,36 @@
 #!/bin/sh -x
-#pkispawn -v -f ca-step1.cfg -s CA
-pkispawn -v -f ca.cfg -s CA --skip-configuration
-#pkispawn -v -f ca.cfg -s CA --stop-at configuration
+mkdir -p tmp
+
+cat > tmp/ca-step1.cfg << EOF
+[DEFAULT]
+pki_pin=Secret.123
+
+[CA]
+pki_admin_email=caadmin@example.com
+pki_admin_name=caadmin
+pki_admin_nickname=caadmin
+pki_admin_password=Secret.123
+pki_admin_uid=caadmin
+
+pki_client_database_password=Secret.123
+pki_client_database_purge=False
+pki_client_pkcs12_password=Secret.123
+
+pki_ds_base_dn=dc=ca,dc=pki,dc=example,dc=com
+pki_ds_password=Secret.123
+pki_ds_database=ca
+
+pki_security_domain_name=EXAMPLE
+
+pki_ca_signing_nickname=ca_signing
+pki_ocsp_signing_nickname=ca_ocsp_signing
+pki_audit_signing_nickname=ca_audit_signing
+pki_sslserver_nickname=sslserver
+pki_subsystem_nickname=subsystem
+
+pki_skip_configuration=True
+EOF
+
+pkispawn -f tmp/ca-step1.cfg -s CA
+#pkispawn -f tmp/ca.cfg -s CA --skip-configuration
diff --git a/scripts/ca-step2.sh b/scripts/ca-step2.sh
index 2112391..574f6ba 100755
--- a/scripts/ca-step2.sh
+++ b/scripts/ca-step2.sh
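Review bot: ca-step1.sh and ca-step2.sh now each embed the same configuration heredoc and differ only in `pki_skip_configuration=True` versus `pki_skip_installation=True`; the two-stage install only works if both files describe the same instance, so any later edit to one and not the other will break the second stage in a way that is hard to trace. Generating the shared block once (a common snippet both scripts append to their cfg, or one script writing both files) keeps the steps in lockstep. The trailing `#pkispawn -f tmp/ca.cfg -s CA --skip-configuration` refers to tmp/ca.cfg, which this script no longer writes; it could be dropped or rewritten to name tmp/ca-step1.cfg.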
@@ -1,5 +1,41 @@
 #!/bin/sh -x
-#pkispawn -v -f ca-step2.cfg -s CA
-pkispawn -v -f ca.cfg -s CA --skip-installation
-#pkispawn -v -f ca.cfg -s CA --start-from configuration
+mkdir -p tmp
+
+cat > tmp/ca-step2.cfg << EOF
+[DEFAULT]
+pki_pin=Secret.123
+
+[CA]
+pki_admin_email=caadmin@example.com
+pki_admin_name=caadmin
+pki_admin_nickname=caadmin
+pki_admin_password=Secret.123
+pki_admin_uid=caadmin
+
+pki_client_database_password=Secret.123
+pki_client_database_purge=False
+pki_client_pkcs12_password=Secret.123
+
+pki_ds_base_dn=dc=ca,dc=pki,dc=example,dc=com
+pki_ds_password=Secret.123
+pki_ds_database=ca
+
+pki_security_domain_name=EXAMPLE
+
+pki_ca_signing_nickname=ca_signing
+pki_ocsp_signing_nickname=ca_ocsp_signing
+pki_audit_signing_nickname=ca_audit_signing
+pki_sslserver_nickname=sslserver
+pki_subsystem_nickname=subsystem
+
+pki_skip_installation=True
+EOF
+
+pkispawn -f tmp/ca-step2.cfg -s CA
+#pkispawn -f tmp/ca.cfg -s CA --skip-installation
+
+#/bin/cp /root/.dogtag/pki-tomcat/ca_admin.cert .
+#/bin/cp /root/.dogtag/pki-tomcat/ca_admin_cert.p12 .
+#/bin/cp /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf ca_admin_cert.txt
+echo $HOSTNAME > tmp/ca.hostname
diff --git a/scripts/ca-sub-create.sh b/scripts/ca-sub-create.sh
index 049fce8..aa65c1e 100755
--- a/scripts/ca-sub-create.sh
+++ b/scripts/ca-sub-create.sh
@@ -1,3 +1,43 @@
 #!/bin/sh -x
-pkispawn -v -f ca-sub.cfg -s CA
+mkdir -p tmp
+
+ISSUING_CA=`cat tmp/root.txt`
+
+cat > tmp/ca-sub.cfg << EOF
+[DEFAULT]
+pki_pin=Secret.123
+
+[CA]
+pki_admin_email=caadmin@example.com
+pki_admin_name=caadmin
+pki_admin_nickname=caadmin
+pki_admin_password=Secret.123
+pki_admin_uid=caadmin
+
+pki_subordinate=True
+pki_issuing_ca_hostname=$ISSUING_CA
+pki_issuing_ca_https_port=8443
+pki_ca_signing_subject_dn=cn=CA Signing Certificate,o=EXAMPLE
+
+pki_client_database_password=Secret.123
+pki_client_database_purge=False
+pki_client_pkcs12_password=Secret.123
+
+pki_ds_base_dn=dc=ca,dc=pki,dc=example,dc=com
+pki_ds_database=ca
+pki_ds_password=Secret.123
+
+pki_security_domain_hostname=$ISSUING_CA
+pki_security_domain_https_port=8443
+pki_security_domain_user=caadmin
+pki_security_domain_password=Secret.123
+
+pki_ca_signing_nickname=ca_signing
+pki_ocsp_signing_nickname=ca_ocsp_signing
+pki_audit_signing_nickname=ca_audit_signing
+pki_sslserver_nickname=sslserver
+pki_subsystem_nickname=subsystem
+EOF
+
+pkispawn -v -f tmp/ca-sub.cfg -s CA
diff --git a/scripts/ca_signing-cmc-sign.sh b/scripts/ca_signing-cmc-sign.sh
index c6b0eb8..5bab7ec 100755
--- a/scripts/ca_signing-cmc-sign.sh
+++ b/scripts/ca_signing-cmc-sign.sh
@@ -59,7 +59,8 @@ tokenname=internal
 nickname=caadmin
 # CMC servlet path
-servlet=/ca/ee/ca/profileSubmitCMCFullCACert
+#servlet=/ca/ee/ca/profileSubmitCMCFull
+servlet=/ca/ee/ca/profileSubmitCMCFull?profileId=caCMCcaCert
 # Path for the CMC request.
 input=tmp/ca_signing-cmc-request.bin
diff --git a/scripts/ca_signing-export.sh b/scripts/ca_signing-export.sh
index 9e9a70a..d9ad743 100755
--- a/scripts/ca_signing-export.sh
+++ b/scripts/ca_signing-export.sh
@@ -1,3 +1,4 @@
 #!/bin/sh
-pki cert-show 0x1 --output tmp/ca_signing.crt
+#pki cert-show 0x1 --output tmp/ca_signing.crt
+pki -d /etc/pki/pki-tomcat/alias -c Secret.123 client-cert-show ca_signing --cert tmp/ca_signing.crt
--
cgit
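Review bot: `ISSUING_CA=\`cat tmp/root.txt\`` in ca-sub-create.sh is never checked, so when tmp/root.txt is missing the script carries on with empty `pki_issuing_ca_hostname=` and `pki_security_domain_hostname=` values and pkispawn fails far from the real cause; `ISSUING_CA=$(cat tmp/root.txt) || exit 1` followed by `: "${ISSUING_CA:?tmp/root.txt is empty}"` stops at the problem. The producers on this page (ca-create.sh, ca-external-step2.sh, ca-step2.sh) now write the hostname to tmp/ca.hostname, not tmp/root.txt, so unless something outside this patch creates root.txt the two names should be aligned. The hostname also ends up unquoted inside the heredoc as the target of the security-domain join, so a comment stating that tmp/root.txt must contain exactly one bare hostname would document the contract.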
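Review bot: The new `pki -d /etc/pki/pki-tomcat/alias -c Secret.123 client-cert-show ca_signing --cert tmp/ca_signing.crt` in ca_signing-export.sh opens the server's own NSS database as if it were a client database, which requires filesystem access to the server's key store and puts its token password on the command line, all to export a public certificate. ca-existing-export-certs.sh on this page does the same job with `certutil -L -d /var/lib/pki/pki-tomcat/alias -n "ca_signing" -a > tmp/ca_signing.crt`, which needs no password, and the replaced `pki cert-show 0x1 --output ...` form did not touch the server database at all when the serial is known. Whichever is kept, a comment on why the REST path was dropped would help, since the two approaches differ in where the script can run and what it needs to read.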