From 28c1241fbcc36cf3fdddd50d6978a1885145f713 Mon Sep 17 00:00:00 2001 
From: "Endi S. Dewata"
Date: Fri, 21 Jul 2017 18:08:26 +0200
Subject: Added standalone KRA scripts.
---
 scripts/ca-external-cmc-sign.sh | 80 ----------------------------------
 scripts/ca_signing-cmc-sign.sh | 80 +++++++++++++++++++++++++++++++++++
 scripts/ca_signing-export.sh | 3 ++
 scripts/kra-create.sh | 6 ++-
 scripts/kra-standalone-ca-sign.sh | 12 ++++++
 scripts/kra-standalone-cmc-sign.sh | 12 ++++++
 scripts/kra-standalone-sign.sh | 75 --------------------------------
 scripts/kra-standalone-step1.sh | 51 ++++++++++++++++++----
 scripts/kra-standalone-step2.sh | 53 +++++++++++++++++++----
 scripts/kra.cfg | 39 -----------------
 scripts/kra_admin-ca-sign.sh | 13 ++++++
 scripts/kra_admin-cmc-sign.sh | 80 +++++++++++++++++++++++++++++++++++
 scripts/kra_audit_signing-ca-sign.sh | 14 ++++++
 scripts/kra_audit_signing-cmc-sign.sh | 80 +++++++++++++++++++++++++++++++++++
 scripts/kra_storage-ca-sign.sh | 13 ++++++
 scripts/kra_storage-cmc-sign.sh | 80 +++++++++++++++++++++++++++++++++++
 scripts/kra_transport-ca-sign.sh | 13 ++++++
 scripts/kra_transport-cmc-sign.sh | 80 +++++++++++++++++++++++++++++++++++
 scripts/sslserver-ca-sign.sh | 13 ++++++
 scripts/sslserver-cmc-sign.sh | 80 +++++++++++++++++++++++++++++++++++
 scripts/subsystem-ca-sign.sh | 13 ++++++
 scripts/subsystem-cmc-sign.sh | 80 +++++++++++++++++++++++++++++++++++
 22 files changed, 757 insertions(+), 213 deletions(-)
 delete mode 100755 scripts/ca-external-cmc-sign.sh
 create mode 100755 scripts/ca_signing-cmc-sign.sh
 create mode 100755 scripts/ca_signing-export.sh
 create mode 100755 scripts/kra-standalone-ca-sign.sh
 create mode 100755 scripts/kra-standalone-cmc-sign.sh
 delete mode 100755 scripts/kra-standalone-sign.sh
 delete mode 100644 scripts/kra.cfg
 create mode 100755 scripts/kra_admin-ca-sign.sh
 create mode 100755 scripts/kra_admin-cmc-sign.sh
 create mode 100755 scripts/kra_audit_signing-ca-sign.sh
 create mode 100755 scripts/kra_audit_signing-cmc-sign.sh
 create mode 100755 scripts/kra_storage-ca-sign.sh
 create mode 100755 scripts/kra_storage-cmc-sign.sh
 create mode 100755 scripts/kra_transport-ca-sign.sh
 create mode 100755 scripts/kra_transport-cmc-sign.sh
 create mode 100755 scripts/sslserver-ca-sign.sh
 create mode 100755 scripts/sslserver-cmc-sign.sh
 create mode 100755 scripts/subsystem-ca-sign.sh
 create mode 100755 scripts/subsystem-cmc-sign.sh

diff --git a/scripts/ca-external-cmc-sign.sh b/scripts/ca-external-cmc-sign.sh
deleted file mode 100755
index da20953..0000000
--- a/scripts/ca-external-cmc-sign.sh
+++ /dev/null
@@ -1,80 +0,0 @@
-#!/bin/sh
-
-mkdir -p tmp
-
-cat > tmp/cmc-request.cfg << EOF
-# NSS database directory.
-dbdir=$HOME/.dogtag/nssdb
-
-# NSS database password.
-password=Secret.123
-
-# Token name (default is internal).
-tokenname=internal
-
-# Nickname for agent certificate.
-nickname=caadmin
-
-# Request format: pkcs10 or crmf.
-format=pkcs10
-
-# Total number of PKCS10/CRMF requests.
-numRequests=1
-
-# Path to the PKCS10/CRMF request.
-# The content must be in Base-64 encoded format.
-# Multiple files are supported. They must be separated by space.
-input=$PWD/tmp/ca_signing.csr
-
-# Path for the CMC request in binary format
-output=$PWD/tmp/cmc-request.bin
-EOF
-
-CMCRequest tmp/cmc-request.cfg
-
-cat > tmp/cmc-submit.cfg << EOF
-# PKI server host name.
-host=$HOSTNAME
-
-# PKI server port number.
-port=8443
-
-# Use secure connection.
-# For secure connection with ECC, set environment variable 'export NSS_USE_DECODED_CKA_EC_POINT=1'.
-secure=true
-
-# Use client authentication.
-clientmode=true
-
-# NSS database directory.
-dbdir=$HOME/.dogtag/nssdb
-
-# NSS database password.
-password=Secret.123
-
-# Token name (default: internal).
-tokenname=internal
-
-# Nickname of agent certificate.
-nickname=caadmin
-
-# CMC servlet path
-servlet=/ca/ee/ca/profileSubmitCMCFullCACert
-
-# Path for the CMC request.
-input=tmp/cmc-request.bin
-
-# Path for the CMC response.
-output=tmp/cmc-response.bin
-EOF
-
-HttpClient tmp/cmc-submit.cfg
-
-CMCResponse -d ~/.dogtag/nssdb -i tmp/cmc-response.bin
-
-BtoA tmp/cmc-response.bin tmp/cmc-response.b64
-echo "-----BEGIN PKCS7-----" > tmp/ca_signing.crt
-cat tmp/cmc-response.b64 >> tmp/ca_signing.crt
-echo "-----END PKCS7-----" >> tmp/ca_signing.crt
-
-pki cert-show --output tmp/external.crt 0x1
diff --git a/scripts/ca_signing-cmc-sign.sh b/scripts/ca_signing-cmc-sign.sh
new file mode 100755
index 0000000..b25c6d9
--- /dev/null
+++ b/scripts/ca_signing-cmc-sign.sh
@@ -0,0 +1,80 @@
+#!/bin/sh
+
+mkdir -p tmp
+
+cat > tmp/ca_signing-cmc-request.cfg << EOF
+# NSS database directory.
+dbdir=$HOME/.dogtag/nssdb
+
+# NSS database password.
+password=Secret.123
+
+# Token name (default is internal).
+tokenname=internal
+
+# Nickname for agent certificate.
+nickname=caadmin
+
+# Request format: pkcs10 or crmf.
+format=pkcs10
+
+# Total number of PKCS10/CRMF requests.
+numRequests=1
+
+# Path to the PKCS10/CRMF request.
+# The content must be in Base-64 encoded format.
+# Multiple files are supported. They must be separated by space.
+input=$PWD/tmp/ca_signing.csr
+
+# Path for the CMC request in binary format
+output=$PWD/tmp/ca_signing-cmc-request.bin
+EOF
+
+CMCRequest tmp/ca_signing-cmc-request.cfg
+
+cat > tmp/ca_signing-cmc-submit.cfg << EOF
+# PKI server host name.
+host=$HOSTNAME
+
+# PKI server port number.
+port=8443
+
+# Use secure connection.
+# For secure connection with ECC, set environment variable 'export NSS_USE_DECODED_CKA_EC_POINT=1'.
+secure=true
+
+# Use client authentication.
+clientmode=true
+
+# NSS database directory.
+dbdir=$HOME/.dogtag/nssdb
+
+# NSS database password.
+password=Secret.123
+
+# Token name (default: internal).
+tokenname=internal
+
+# Nickname of agent certificate.
+nickname=caadmin
+
+# CMC servlet path
+servlet=/ca/ee/ca/profileSubmitCMCFullCACert
+
+# Path for the CMC request.
+input=tmp/ca_signing-cmc-request.bin
+
+# Path for the CMC response.
+output=tmp/ca_signing-cmc-response.bin
+EOF
+
+HttpClient tmp/ca_signing-cmc-submit.cfg
+
+CMCResponse -d ~/.dogtag/nssdb -i tmp/ca_signing-cmc-response.bin
+
+BtoA tmp/ca_signing-cmc-response.bin tmp/ca_signing-cmc-response.b64
+echo "-----BEGIN PKCS7-----" > tmp/ca_signing.crt
+cat tmp/ca_signing-cmc-response.b64 >> tmp/ca_signing.crt
+echo "-----END PKCS7-----" >> tmp/ca_signing.crt
+
+pki cert-show --output tmp/external.crt 0x1
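Review bot: `host=$HOSTNAME` inside the `tmp/ca_signing-cmc-submit.cfg` heredoc relies on a variable that `#!/bin/sh` does not guarantee: bash sets HOSTNAME, but dash (the /bin/sh on Debian-family systems) does not, so the submit config may be written with an empty host unless the caller exported it; `host=$(hostname)` or `host=${HOSTNAME:-$(hostname)}` is portable. Both generated config files carry the NSS database password (`password=Secret.123`) and are created with the caller's default umask under `tmp/`, so a `umask 077` before `mkdir -p tmp` would keep them owner-readable. Nothing checks the exit status of `CMCRequest` or `HttpClient`, so a failed submission still runs `BtoA` and the `echo`/`cat` lines, which can wrap a stale or empty response into `tmp/ca_signing.crt`; `set -e` at the top would stop the chain at the first failure. The same three points apply to kra_admin-cmc-sign.sh, kra_audit_signing-cmc-sign.sh, kra_storage-cmc-sign.sh, kra_transport-cmc-sign.sh, sslserver-cmc-sign.sh and subsystem-cmc-sign.sh, which differ only in file names and servlet path.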
diff --git a/scripts/ca_signing-export.sh b/scripts/ca_signing-export.sh
new file mode 100755
index 0000000..9e9a70a
--- /dev/null
+++ b/scripts/ca_signing-export.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+pki cert-show 0x1 --output tmp/ca_signing.crt
diff --git a/scripts/kra-create.sh b/scripts/kra-create.sh
index 488c4b8..d2990dd 100755
--- a/scripts/kra-create.sh
+++ b/scripts/kra-create.sh
@@ -1,6 +1,8 @@
 #!/bin/sh -x
-cat > kra.cfg << EOF
+mkdir -p tmp
+
+cat > tmp/kra.cfg << EOF
 [KRA]
 pki_admin_cert_file=/root/.dogtag/pki-tomcat/ca_admin.cert
 #pki_import_admin_cert=False
@@ -49,6 +51,6 @@ pki_ssl_server_nickname=sslserver
 pki_subsystem_nickname=subsystem
 EOF
-pkispawn -vvv -f kra.cfg -s KRA
+pkispawn -vvv -f tmp/kra.cfg -s KRA
 #/bin/cp /var/lib/pki/pki-tomcat/alias/kra_backup_keys.p12 .
diff --git a/scripts/kra-standalone-ca-sign.sh b/scripts/kra-standalone-ca-sign.sh
new file mode 100755
index 0000000..1b53902
--- /dev/null
+++ b/scripts/kra-standalone-ca-sign.sh
@@ -0,0 +1,12 @@
+#!/bin/sh
+
+./ca_signing-export.sh
+
+./kra_admin-ca-sign.sh
+
+./kra_transport-ca-sign.sh
+./kra_storage-ca-sign.sh
+./kra_audit_signing-ca-sign.sh
+
+./sslserver-ca-sign.sh
+./subsystem-ca-sign.sh
diff --git a/scripts/kra-standalone-cmc-sign.sh b/scripts/kra-standalone-cmc-sign.sh
new file mode 100755
index 0000000..7bf7ddb
--- /dev/null
+++ b/scripts/kra-standalone-cmc-sign.sh
@@ -0,0 +1,12 @@
+#!/bin/sh
+
+./ca_signing-export.sh
+
+./kra_admin-ca-sign.sh
+
+./kra_transport-cmc-sign.sh
+./kra_storage-cmc-sign.sh
+./kra_audit_signing-cmc-sign.sh
+
+./sslserver-cmc-sign.sh
+./subsystem-cmc-sign.sh
diff --git a/scripts/kra-standalone-sign.sh b/scripts/kra-standalone-sign.sh
deleted file mode 100755
index 0c6a569..0000000
--- a/scripts/kra-standalone-sign.sh
+++ /dev/null
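Review bot: `pki cert-show 0x1 --output tmp/ca_signing.crt` writes into `tmp/` but, unlike the sibling *-cmc-sign.sh scripts, this file never creates that directory, so it fails when run before kra-standalone-step1.sh has created `tmp/`; a `mkdir -p tmp` before the pki call makes it self-contained. The serial `0x1` also encodes the assumption that the CA signing certificate is the first certificate the CA issued, which holds for a freshly spawned CA but not in general; a comment such as `# 0x1 is the CA signing cert on a freshly spawned CA` would record that assumption for the next reader.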
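Review bot: kra-standalone-cmc-sign.sh calls `./kra_admin-ca-sign.sh` for the admin certificate while every other certificate goes through its `-cmc-sign.sh` counterpart, and the `kra_admin-cmc-sign.sh` added in this commit is not invoked from anywhere. If the agent-approved path is deliberately kept for the admin certificate (the CMC variant targets a user-signed profile, which may be why), a comment on that line such as `# admin cert is approved via the agent path; kra_admin-cmc-sign.sh is for manual use` would make the asymmetry intentional rather than look like a copy-paste slip; otherwise the call should be `./kra_admin-cmc-sign.sh`. Both orchestrators also run every child script regardless of its exit status, so a failing step is easy to miss in the output; `set -e` at the top of each would stop at the first failure.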
@@ -1,75 +0,0 @@
-#!/bin/sh
-
-rm -f external_ca.cert
-rm -f kra_admin.cert
-rm -f kra_transport.cert
-rm -f kra_storage.cert
-rm -f kra_sslserver.cert
-rm -f kra_subsystem.cert
-rm -f kra_audit_signing.cert
-
-#### CA Cert ####
-
-pki cert-show --output external_ca.cert 0x1
-#pki cert-show --output external_ca_chain.cert 0x1
-
-#### Admin Cert ####
-
-REQUEST_ID=`pki ca-cert-request-submit --profile caUserCert --csr-file kra_admin.csr --subject uid=kraadmin | grep "Request ID:" | awk -F ': ' '{print $2;}'`
-echo Request ID: $REQUEST_ID
-
-CERT_ID=`pki -d ~/.dogtag/pki-tomcat/ca/alias -c Secret.123 -n caadmin ca-cert-request-review --action approve $REQUEST_ID | grep "Certificate ID:" | awk -F ': ' '{print $2;}'`
-echo Certificate ID: $CERT_ID
-
-pki cert-show --output kra_admin.cert $CERT_ID
-
-#### Transport Cert ####
-
-REQUEST_ID=`pki ca-cert-request-submit --profile caTransportCert --csr-file kra_transport.csr | grep "Request ID:" | awk -F ': ' '{print $2;}'`
-echo Request ID: $REQUEST_ID
-
-CERT_ID=`pki -d ~/.dogtag/pki-tomcat/ca/alias -c Secret.123 -n caadmin ca-cert-request-review --action approve $REQUEST_ID | grep "Certificate ID:" | awk -F ': ' '{print $2;}'`
-echo Certificate ID: $CERT_ID
-
-pki cert-show --output kra_transport.cert $CERT_ID
-
-#### Storage Cert ####
-
-REQUEST_ID=`pki ca-cert-request-submit --profile caStorageCert --csr-file kra_storage.csr | grep "Request ID:" | awk -F ': ' '{print $2;}'`
-echo Request ID: $REQUEST_ID
-
-CERT_ID=`pki -d ~/.dogtag/pki-tomcat/ca/alias -c Secret.123 -n caadmin ca-cert-request-review --action approve $REQUEST_ID | grep "Certificate ID:" | awk -F ': ' '{print $2;}'`
-echo Certificate ID: $CERT_ID
-
-pki cert-show --output kra_storage.cert $CERT_ID
-
-#### Server Cert ####
-
-REQUEST_ID=`pki ca-cert-request-submit --profile caServerCert --csr-file kra_sslserver.csr | grep "Request ID:" | awk -F ': ' '{print $2;}'`
-echo Request ID: $REQUEST_ID
-
-CERT_ID=`pki -d ~/.dogtag/pki-tomcat/ca/alias -c Secret.123 -n caadmin ca-cert-request-review --action approve $REQUEST_ID | grep "Certificate ID:" | awk -F ': ' '{print $2;}'`
-echo Certificate ID: $CERT_ID
-
-pki cert-show --output kra_sslserver.cert $CERT_ID
-
-#### Subsystem Cert ####
-
-REQUEST_ID=`pki ca-cert-request-submit --profile caSubsystemCert --csr-file kra_subsystem.csr | grep "Request ID:" | awk -F ': ' '{print $2;}'`
-echo Request ID: $REQUEST_ID
-
-CERT_ID=`pki -d ~/.dogtag/pki-tomcat/ca/alias -c Secret.123 -n caadmin ca-cert-request-review --action approve $REQUEST_ID | grep "Certificate ID:" | awk -F ': ' '{print $2;}'`
-echo Certificate ID: $CERT_ID
-
-pki cert-show --output kra_subsystem.cert $CERT_ID
-
-#### Audit Signing Cert ####
-
-REQUEST_ID=`pki ca-cert-request-submit --profile caSignedLogCert --csr-file kra_audit_signing.csr | grep "Request ID:" | awk -F ': ' '{print $2;}'`
-echo Request ID: $REQUEST_ID
-
-CERT_ID=`pki -d ~/.dogtag/pki-tomcat/ca/alias -c Secret.123 -n caadmin ca-cert-request-review --action approve $REQUEST_ID | grep "Certificate ID:" | awk -F ': ' '{print $2;}'`
-echo Certificate ID: $CERT_ID
-
-pki cert-show --output kra_audit_signing.cert $CERT_ID
-
diff --git a/scripts/kra-standalone-step1.sh b/scripts/kra-standalone-step1.sh
index 073f9d4..87a649d 100755
--- a/scripts/kra-standalone-step1.sh
+++ b/scripts/kra-standalone-step1.sh
@@ -1,10 +1,45 @@
 #!/bin/sh -x
-pkispawn -v -f kra-standalone-step1.cfg -s KRA
-
-cp /etc/pki/pki-tomcat/kra_admin.csr .
-cp /etc/pki/pki-tomcat/kra_transport.csr .
-cp /etc/pki/pki-tomcat/kra_storage.csr .
-cp /etc/pki/pki-tomcat/kra_sslserver.csr .
-cp /etc/pki/pki-tomcat/kra_subsystem.csr .
-cp /etc/pki/pki-tomcat/kra_audit_signing.csr .
+mkdir -p tmp
+
+cat > tmp/kra-standalone-step1.cfg << EOF
+[KRA]
+pki_admin_email=kraadmin@example.com
+pki_admin_name=kraadmin
+pki_admin_nickname=kraadmin
+pki_admin_password=Secret.123
+pki_admin_uid=kraadmin
+
+#pki_backup_keys=True
+#pki_backup_password=Secret.123
+
+pki_client_database_password=Secret.123
+pki_client_database_purge=False
+pki_client_pkcs12_password=Secret.123
+
+pki_ds_base_dn=dc=kra,dc=pki,dc=example,dc=com
+pki_ds_password=Secret.123
+pki_ds_database=kra
+
+pki_security_domain_name=EXAMPLE
+pki_token_password=Secret.123
+
+pki_standalone=True
+pki_external_step_two=False
+
+pki_storage_nickname=storage
+pki_transport_nickname=transport
+pki_audit_signing_nickname=kra_audit_signing
+pki_ssl_server_nickname=sslserver
+pki_subsystem_nickname=subsystem
+pki_cert_chain_nickname=external
+
+pki_external_admin_csr_path=$PWD/tmp/kra_admin.csr
+pki_external_audit_signing_csr_path=$PWD/tmp/kra_audit_signing.csr
+pki_external_sslserver_csr_path=$PWD/tmp/sslserver.csr
+pki_external_storage_csr_path=$PWD/tmp/kra_storage.csr
+pki_external_subsystem_csr_path=$PWD/tmp/subsystem.csr
+pki_external_transport_csr_path=$PWD/tmp/kra_transport.csr
+EOF
+
+pkispawn -v -f tmp/kra-standalone-step1.cfg -s KRA
diff --git a/scripts/kra-standalone-step2.sh b/scripts/kra-standalone-step2.sh
index e58bbfe..e8fd709 100755
--- a/scripts/kra-standalone-step2.sh
+++ b/scripts/kra-standalone-step2.sh
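Review bot: The generated `tmp/kra-standalone-step1.cfg` holds the admin, client-database, PKCS#12, directory-server and token passwords in clear text, and it is written with the caller's default umask into a directory under the working tree, so it is typically readable by every local user; a `umask 077` before `mkdir -p tmp` (or writing the cfg under a `mktemp -d` path) would limit that exposure. The file keeps `#!/bin/sh -x`, so the `pkispawn -v -f tmp/kra-standalone-step1.cfg -s KRA` invocation and the config path are traced to stderr on every run, which is easy to capture into shared logs; the heredoc body itself is not traced. The same applies to `tmp/kra-standalone-step2.cfg` in kra-standalone-step2.sh.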
@@ -1,15 +1,50 @@
 #!/bin/sh -x
-cp external_ca.cert /etc/pki/pki-tomcat
+mkdir -p tmp
 # TODO: should not be required
-cp external_ca_chain.cert /etc/pki/pki-tomcat
+# cp tmp/ca_signing.crt tmp/cert_chain.p7b
-cp kra_admin.cert /etc/pki/pki-tomcat
-cp kra_transport.cert /etc/pki/pki-tomcat
-cp kra_storage.cert /etc/pki/pki-tomcat
-cp kra_sslserver.cert /etc/pki/pki-tomcat
-cp kra_subsystem.cert /etc/pki/pki-tomcat
-cp kra_audit_signing.cert /etc/pki/pki-tomcat
+cat > tmp/kra-standalone-step2.cfg << EOF
+[KRA]
+pki_admin_email=kraadmin@example.com
+pki_admin_name=kraadmin
+pki_admin_nickname=kraadmin
+pki_admin_password=Secret.123
+pki_admin_uid=kraadmin
-pkispawn -v -f kra-standalone-step2.cfg -s KRA
+#pki_backup_keys=True
+#pki_backup_password=Secret.123
+
+pki_client_database_password=Secret.123
+pki_client_database_purge=False
+pki_client_pkcs12_password=Secret.123
+
+pki_ds_base_dn=dc=kra,dc=pki,dc=example,dc=com
+pki_ds_password=Secret.123
+pki_ds_database=kra
+
+pki_security_domain_name=EXAMPLE
+pki_token_password=Secret.123
+
+pki_standalone=True
+pki_external_step_two=True
+
+pki_storage_nickname=storage
+pki_transport_nickname=transport
+pki_audit_signing_nickname=kra_audit_signing
+pki_ssl_server_nickname=sslserver
+pki_subsystem_nickname=subsystem
+pki_cert_chain_nickname=external
+
+pki_external_ca_cert_chain_path=$PWD/tmp/cert_chain.p7b
+pki_external_ca_cert_path=$PWD/tmp/ca_signing.crt
+pki_external_admin_cert_path=$PWD/tmp/kra_admin.crt
+pki_external_storage_cert_path=$PWD/tmp/kra_storage.crt
+pki_external_transport_cert_path=$PWD/tmp/kra_transport.crt
+pki_external_audit_signing_cert_path=$PWD/tmp/kra_audit_signing.crt
+pki_external_sslserver_cert_path=$PWD/tmp/sslserver.crt
+pki_external_subsystem_cert_path=$PWD/tmp/subsystem.crt
+EOF
+
+pkispawn -v -f tmp/kra-standalone-step2.cfg -s KRA
diff --git a/scripts/kra.cfg b/scripts/kra.cfg
deleted file mode 100644
index ca1df6d..0000000
--- a/scripts/kra.cfg
+++ /dev/null
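Review bot: `pki_external_ca_cert_chain_path=$PWD/tmp/cert_chain.p7b` points at a file that nothing in this commit produces — the only producer, `cp tmp/ca_signing.crt tmp/cert_chain.p7b`, is commented out under the `# TODO: should not be required` marker — so the step-2 pkispawn either fails on the missing path or depends on a manual copy that the script does not document. Either restore the `cp` so the script is self-contained, or drop the `pki_external_ca_cert_chain_path` line if `pki_external_ca_cert_path` alone is sufficient for pkispawn, and reword the TODO to state which of the two is intended. The hunk covers the whole file.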
@@ -1,39 +0,0 @@
-[KRA]
-pki_admin_cert_file=/root/.dogtag/pki-tomcat/ca_admin.cert
-#pki_import_admin_cert=False
-#pki_import_admin_pkcs12_file=/root/.dogtag/pki-tomcat/ca_admin_cert.p12
-#pki_import_admin_pkcs12_password=Secret123
-#pki_import_admin_pkcs12_nickname=caadmin
-
-pki_admin_email=kraadmin@example.com
-pki_admin_name=kraadmin
-pki_admin_nickname=kraadmin
-pki_admin_password=Secret123
-pki_admin_uid=kraadmin
-
-#pki_backup_keys=True
-#pki_backup_password=Secret123
-
-pki_client_database_password=Secret123
-pki_client_pkcs12_password=Secret123
-#pki_client_database_purge=False
-
-#pki_clone_pkcs12_password=Secret123
-
-#pki_ds_ldaps_port=636
-#pki_ds_secure_connection=True
-#pki_ds_secure_connection_ca_nickname=Directory Server CA certificate
-#pki_ds_secure_connection_ca_pem_file=dsca.pem
-pki_ds_base_dn=dc=kra,dc=example,dc=com
-pki_ds_password=Secret123
-pki_ds_database=kra
-#pki_ds_database=userRoot
-#pki_ds_create_new_db=False
-#pki_ds_remove_data=True
-
-
-pki_security_domain_name=EXAMPLE
-pki_security_domain_user=caadmin
-pki_security_domain_password=Secret123
-pki_token_password=Secret123
-#pki_share_db=False
diff --git a/scripts/kra_admin-ca-sign.sh b/scripts/kra_admin-ca-sign.sh
new file mode 100755
index 0000000..731a1bb
--- /dev/null
+++ b/scripts/kra_admin-ca-sign.sh
@@ -0,0 +1,13 @@
+#!/bin/sh
+
+CMD="pki ca-cert-request-submit --profile caUserCert --csr-file tmp/kra_admin.csr --subject uid=kraadmin"
+echo $CMD
+REQUEST_ID=`$CMD | grep "Request ID:" | awk -F ': ' '{print $2;}'`
+echo Request ID: $REQUEST_ID
+
+CMD="pki -c Secret.123 -n caadmin ca-cert-request-review --action approve $REQUEST_ID"
+echo $CMD
+CERT_ID=`$CMD | grep "Certificate ID:" | awk -F ': ' '{print $2;}'`
+echo Certificate ID: $CERT_ID
+
+pki cert-show --output tmp/kra_admin.crt $CERT_ID
diff --git a/scripts/kra_admin-cmc-sign.sh b/scripts/kra_admin-cmc-sign.sh
new file mode 100755
index 0000000..9f6730b
--- /dev/null
+++ b/scripts/kra_admin-cmc-sign.sh
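Review bot: In kra_admin-ca-sign.sh the `REQUEST_ID` captured on line 5 is never checked, so if the submit fails or prints nothing the approve step runs `ca-cert-request-review --action approve` with an empty id and `pki cert-show --output tmp/kra_admin.crt $CERT_ID` then runs with an empty serial, burying the original error; a guard such as `[ -n "$REQUEST_ID" ] || { echo "request submission failed" >&2; exit 1; }` after the assignment (and the same for `CERT_ID`) makes the failure visible. `pki -c Secret.123 -n caadmin` places the NSS password on the command line, where `echo $CMD` prints it to stdout and it is visible to other local users through the process list for the duration of the call; the pki CLI's password-file option, where the targeted version provides one, avoids both. Building the command as a word-split `$CMD` string is also fragile — it breaks as soon as any argument contains whitespace — and `echo $CMD`/backticks would be flagged by ShellCheck; `set -x` or a small `run() { printf '%s\n' "$*" >&2; "$@"; }` helper gives the same trace with proper quoting. The same points apply to kra_audit_signing-ca-sign.sh, kra_storage-ca-sign.sh, kra_transport-ca-sign.sh, sslserver-ca-sign.sh and subsystem-ca-sign.sh, which differ only in profile, CSR and output names.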
@@ -0,0 +1,80 @@
+#!/bin/sh
+
+mkdir -p tmp
+
+cat > tmp/kra_admin-cmc-request.cfg << EOF
+# NSS database directory.
+dbdir=$HOME/.dogtag/nssdb
+
+# NSS database password.
+password=Secret.123
+
+# Token name (default is internal).
+tokenname=internal
+
+# Nickname for agent certificate.
+nickname=caadmin
+
+# Request format: pkcs10 or crmf.
+format=pkcs10
+
+# Total number of PKCS10/CRMF requests.
+numRequests=1
+
+# Path to the PKCS10/CRMF request.
+# The content must be in Base-64 encoded format.
+# Multiple files are supported. They must be separated by space.
+input=$PWD/tmp/kra_admin.csr
+
+# Path for the CMC request in binary format
+output=$PWD/tmp/kra_admin-cmc-request.bin
+EOF
+
+CMCRequest tmp/kra_admin-cmc-request.cfg
+
+cat > tmp/kra_admin-cmc-submit.cfg << EOF
+# PKI server host name.
+host=$HOSTNAME
+
+# PKI server port number.
+port=8443
+
+# Use secure connection.
+# For secure connection with ECC, set environment variable 'export NSS_USE_DECODED_CKA_EC_POINT=1'.
+secure=true
+
+# Use client authentication.
+clientmode=true
+
+# NSS database directory.
+dbdir=$HOME/.dogtag/nssdb
+
+# NSS database password.
+password=Secret.123
+
+# Token name (default: internal).
+tokenname=internal
+
+# Nickname of agent certificate.
+nickname=caadmin
+
+# CMC servlet path
+servlet=/ca/ee/ca/profileSubmitUserSignedCMCFull
+
+# Path for the CMC request.
+input=tmp/kra_admin-cmc-request.bin
+
+# Path for the CMC response.
+output=tmp/kra_admin-cmc-response.bin
+EOF
+
+HttpClient tmp/kra_admin-cmc-submit.cfg
+
+CMCResponse -d ~/.dogtag/nssdb -i tmp/kra_admin-cmc-response.bin
+
+BtoA tmp/kra_admin-cmc-response.bin tmp/kra_admin-cmc-response.b64
+echo "-----BEGIN PKCS7-----" > tmp/kra_admin.crt
+cat tmp/kra_admin-cmc-response.b64 >> tmp/kra_admin.crt
+echo "-----END PKCS7-----" >> tmp/kra_admin.crt
+
+pki cert-show --output tmp/external.crt 0x1
diff --git a/scripts/kra_audit_signing-ca-sign.sh b/scripts/kra_audit_signing-ca-sign.sh
new file mode 100755
index 0000000..185ecc4
--- /dev/null
+++ b/scripts/kra_audit_signing-ca-sign.sh
@@ -0,0 +1,14 @@
+#!/bin/sh
+
+CMD="pki ca-cert-request-submit --profile caSignedLogCert --csr-file tmp/kra_audit_signing.csr"
+echo $CMD
+REQUEST_ID=`$CMD | grep "Request ID:" | awk -F ': ' '{print $2;}'`
+echo Request ID: $REQUEST_ID
+
+CMD="pki -c Secret.123 -n caadmin ca-cert-request-review --action approve $REQUEST_ID"
+echo $CMD
+CERT_ID=`$CMD | grep "Certificate ID:" | awk -F ': ' '{print $2;}'`
+echo Certificate ID: $CERT_ID
+
+pki cert-show --output tmp/kra_audit_signing.crt $CERT_ID
+
diff --git a/scripts/kra_audit_signing-cmc-sign.sh b/scripts/kra_audit_signing-cmc-sign.sh
new file mode 100755
index 0000000..9f7aa34
--- /dev/null
+++ b/scripts/kra_audit_signing-cmc-sign.sh
@@ -0,0 +1,80 @@
+#!/bin/sh
+
+mkdir -p tmp
+
+cat > tmp/kra_audit_signing-cmc-request.cfg << EOF
+# NSS database directory.
+dbdir=$HOME/.dogtag/nssdb
+
+# NSS database password.
+password=Secret.123
+
+# Token name (default is internal).
+tokenname=internal
+
+# Nickname for agent certificate.
+nickname=caadmin
+
+# Request format: pkcs10 or crmf.
+format=pkcs10
+
+# Total number of PKCS10/CRMF requests.
+numRequests=1
+
+# Path to the PKCS10/CRMF request.
+# The content must be in Base-64 encoded format.
+# Multiple files are supported. They must be separated by space.
+input=$PWD/tmp/kra_audit_signing.csr
+
+# Path for the CMC request in binary format
+output=$PWD/tmp/kra_audit_signing-cmc-request.bin
+EOF
+
+CMCRequest tmp/kra_audit_signing-cmc-request.cfg
+
+cat > tmp/kra_audit_signing-cmc-submit.cfg << EOF
+# PKI server host name.
+host=$HOSTNAME
+
+# PKI server port number.
+port=8443
+
+# Use secure connection.
+# For secure connection with ECC, set environment variable 'export NSS_USE_DECODED_CKA_EC_POINT=1'.
+secure=true
+
+# Use client authentication.
+clientmode=true
+
+# NSS database directory.
+dbdir=$HOME/.dogtag/nssdb
+
+# NSS database password.
+password=Secret.123
+
+# Token name (default: internal).
+tokenname=internal
+
+# Nickname of agent certificate.
+nickname=caadmin
+
+# CMC servlet path
+servlet=/ca/ee/ca/profileSubmitCMCFullAuditSigningCert
+
+# Path for the CMC request.
+input=tmp/kra_audit_signing-cmc-request.bin
+
+# Path for the CMC response.
+output=tmp/kra_audit_signing-cmc-response.bin
+EOF
+
+HttpClient tmp/kra_audit_signing-cmc-submit.cfg
+
+CMCResponse -d ~/.dogtag/nssdb -i tmp/kra_audit_signing-cmc-response.bin
+
+BtoA tmp/kra_audit_signing-cmc-response.bin tmp/kra_audit_signing-cmc-response.b64
+echo "-----BEGIN PKCS7-----" > tmp/kra_audit_signing.crt
+cat tmp/kra_audit_signing-cmc-response.b64 >> tmp/kra_audit_signing.crt
+echo "-----END PKCS7-----" >> tmp/kra_audit_signing.crt
+
+pki cert-show --output tmp/external.crt 0x1
diff --git a/scripts/kra_storage-ca-sign.sh b/scripts/kra_storage-ca-sign.sh
new file mode 100755
index 0000000..861cfbf
--- /dev/null
+++ b/scripts/kra_storage-ca-sign.sh
@@ -0,0 +1,13 @@
+#!/bin/sh
+
+CMD="pki ca-cert-request-submit --profile caStorageCert --csr-file tmp/kra_storage.csr"
+echo $CMD
+REQUEST_ID=`$CMD | grep "Request ID:" | awk -F ': ' '{print $2;}'`
+echo Request ID: $REQUEST_ID
+
+CMD="pki -c Secret.123 -n caadmin ca-cert-request-review --action approve $REQUEST_ID"
+echo $CMD
+CERT_ID=`$CMD | grep "Certificate ID:" | awk -F ': ' '{print $2;}'`
+echo Certificate ID: $CERT_ID
+
+pki cert-show --output tmp/kra_storage.crt $CERT_ID
diff --git a/scripts/kra_storage-cmc-sign.sh b/scripts/kra_storage-cmc-sign.sh
new file mode 100755
index 0000000..c8af179
--- /dev/null
+++ b/scripts/kra_storage-cmc-sign.sh
@@ -0,0 +1,80 @@
+#!/bin/sh
+
+mkdir -p tmp
+
+cat > tmp/kra_storage-cmc-request.cfg << EOF
+# NSS database directory.
+dbdir=$HOME/.dogtag/nssdb
+
+# NSS database password.
+password=Secret.123
+
+# Token name (default is internal).
+tokenname=internal
+
+# Nickname for agent certificate.
+nickname=caadmin
+
+# Request format: pkcs10 or crmf.
+format=pkcs10
+
+# Total number of PKCS10/CRMF requests.
+numRequests=1
+
+# Path to the PKCS10/CRMF request.
+# The content must be in Base-64 encoded format.
+# Multiple files are supported. They must be separated by space.
+input=$PWD/tmp/kra_storage.csr
+
+# Path for the CMC request in binary format
+output=$PWD/tmp/kra_storage-cmc-request.bin
+EOF
+
+CMCRequest tmp/kra_storage-cmc-request.cfg
+
+cat > tmp/kra_storage-cmc-submit.cfg << EOF
+# PKI server host name.
+host=$HOSTNAME
+
+# PKI server port number.
+port=8443
+
+# Use secure connection.
+# For secure connection with ECC, set environment variable 'export NSS_USE_DECODED_CKA_EC_POINT=1'.
+secure=true
+
+# Use client authentication.
+clientmode=true
+
+# NSS database directory.
+dbdir=$HOME/.dogtag/nssdb
+
+# NSS database password.
+password=Secret.123
+
+# Token name (default: internal).
+tokenname=internal
+
+# Nickname of agent certificate.
+nickname=caadmin
+
+# CMC servlet path
+servlet=/ca/ee/ca/profileSubmitCMCFullKRAstorageCert
+
+# Path for the CMC request.
+input=tmp/kra_storage-cmc-request.bin
+
+# Path for the CMC response.
+output=tmp/kra_storage-cmc-response.bin
+EOF
+
+HttpClient tmp/kra_storage-cmc-submit.cfg
+
+CMCResponse -d ~/.dogtag/nssdb -i tmp/kra_storage-cmc-response.bin
+
+BtoA tmp/kra_storage-cmc-response.bin tmp/kra_storage-cmc-response.b64
+echo "-----BEGIN PKCS7-----" > tmp/kra_storage.crt
+cat tmp/kra_storage-cmc-response.b64 >> tmp/kra_storage.crt
+echo "-----END PKCS7-----" >> tmp/kra_storage.crt
+
+pki cert-show --output tmp/external.crt 0x1
diff --git a/scripts/kra_transport-ca-sign.sh b/scripts/kra_transport-ca-sign.sh
new file mode 100755
index 0000000..90e9917
--- /dev/null
+++ b/scripts/kra_transport-ca-sign.sh
@@ -0,0 +1,13 @@
+#!/bin/sh
+
+CMD="pki ca-cert-request-submit --profile caTransportCert --csr-file tmp/kra_transport.csr"
+echo $CMD
+REQUEST_ID=`$CMD | grep "Request ID:" | awk -F ': ' '{print $2;}'`
+echo Request ID: $REQUEST_ID
+
+CMD="pki -c Secret.123 -n caadmin ca-cert-request-review --action approve $REQUEST_ID"
+echo $CMD
+CERT_ID=`$CMD | grep "Certificate ID:" | awk -F ': ' '{print $2;}'`
+echo Certificate ID: $CERT_ID
+
+pki cert-show --output tmp/kra_transport.crt $CERT_ID
diff --git a/scripts/kra_transport-cmc-sign.sh b/scripts/kra_transport-cmc-sign.sh
new file mode 100755
index 0000000..3341efd
--- /dev/null
+++ b/scripts/kra_transport-cmc-sign.sh
@@ -0,0 +1,80 @@
+#!/bin/sh
+
+mkdir -p tmp
+
+cat > tmp/kra_transport-cmc-request.cfg << EOF
+# NSS database directory.
+dbdir=$HOME/.dogtag/nssdb
+
+# NSS database password.
+password=Secret.123
+
+# Token name (default is internal).
+tokenname=internal
+
+# Nickname for agent certificate.
+nickname=caadmin
+
+# Request format: pkcs10 or crmf.
+format=pkcs10
+
+# Total number of PKCS10/CRMF requests.
+numRequests=1
+
+# Path to the PKCS10/CRMF request.
+# The content must be in Base-64 encoded format.
+# Multiple files are supported. They must be separated by space.
+input=$PWD/tmp/kra_transport.csr
+
+# Path for the CMC request in binary format
+output=$PWD/tmp/kra_transport-cmc-request.bin
+EOF
+
+CMCRequest tmp/kra_transport-cmc-request.cfg
+
+cat > tmp/kra_transport-cmc-submit.cfg << EOF
+# PKI server host name.
+host=$HOSTNAME
+
+# PKI server port number.
+port=8443
+
+# Use secure connection.
+# For secure connection with ECC, set environment variable 'export NSS_USE_DECODED_CKA_EC_POINT=1'.
+secure=true
+
+# Use client authentication.
+clientmode=true
+
+# NSS database directory.
+dbdir=$HOME/.dogtag/nssdb
+
+# NSS database password.
+password=Secret.123
+
+# Token name (default: internal).
+tokenname=internal
+
+# Nickname of agent certificate.
+nickname=caadmin
+
+# CMC servlet path
+servlet=/ca/ee/ca/profileSubmitCMCFullKRAtransportCert
+
+# Path for the CMC request.
+input=tmp/kra_transport-cmc-request.bin
+
+# Path for the CMC response.
+output=tmp/kra_transport-cmc-response.bin
+EOF
+
+HttpClient tmp/kra_transport-cmc-submit.cfg
+
+CMCResponse -d ~/.dogtag/nssdb -i tmp/kra_transport-cmc-response.bin
+
+BtoA tmp/kra_transport-cmc-response.bin tmp/kra_transport-cmc-response.b64
+echo "-----BEGIN PKCS7-----" > tmp/kra_transport.crt
+cat tmp/kra_transport-cmc-response.b64 >> tmp/kra_transport.crt
+echo "-----END PKCS7-----" >> tmp/kra_transport.crt
+
+pki cert-show --output tmp/external.crt 0x1
diff --git a/scripts/sslserver-ca-sign.sh b/scripts/sslserver-ca-sign.sh
new file mode 100755
index 0000000..8dd728c
--- /dev/null
+++ b/scripts/sslserver-ca-sign.sh
@@ -0,0 +1,13 @@
+#!/bin/sh
+
+CMD="pki ca-cert-request-submit --profile caServerCert --csr-file tmp/sslserver.csr"
+echo $CMD
+REQUEST_ID=`$CMD | grep "Request ID:" | awk -F ': ' '{print $2;}'`
+echo Request ID: $REQUEST_ID
+
+CMD="pki -c Secret.123 -n caadmin ca-cert-request-review --action approve $REQUEST_ID"
+echo $CMD
+CERT_ID=`$CMD | grep "Certificate ID:" | awk -F ': ' '{print $2;}'`
+echo Certificate ID: $CERT_ID
+
+pki cert-show --output tmp/sslserver.crt $CERT_ID
diff --git a/scripts/sslserver-cmc-sign.sh b/scripts/sslserver-cmc-sign.sh
new file mode 100755
index 0000000..bb288ea
--- /dev/null
+++ b/scripts/sslserver-cmc-sign.sh
@@ -0,0 +1,80 @@
+#!/bin/sh
+
+mkdir -p tmp
+
+cat > tmp/sslserver-cmc-request.cfg << EOF
+# NSS database directory.
+dbdir=$HOME/.dogtag/nssdb
+
+# NSS database password.
+password=Secret.123
+
+# Token name (default is internal).
+tokenname=internal
+
+# Nickname for agent certificate.
+nickname=caadmin
+
+# Request format: pkcs10 or crmf.
+format=pkcs10
+
+# Total number of PKCS10/CRMF requests.
+numRequests=1
+
+# Path to the PKCS10/CRMF request.
+# The content must be in Base-64 encoded format.
+# Multiple files are supported. They must be separated by space.
+input=$PWD/tmp/sslserver.csr
+
+# Path for the CMC request in binary format
+output=$PWD/tmp/sslserver-cmc-request.bin
+EOF
+
+CMCRequest tmp/sslserver-cmc-request.cfg
+
+cat > tmp/sslserver-cmc-submit.cfg << EOF
+# PKI server host name.
+host=$HOSTNAME
+
+# PKI server port number.
+port=8443
+
+# Use secure connection.
+# For secure connection with ECC, set environment variable 'export NSS_USE_DECODED_CKA_EC_POINT=1'.
+secure=true
+
+# Use client authentication.
+clientmode=true
+
+# NSS database directory.
+dbdir=$HOME/.dogtag/nssdb
+
+# NSS database password.
+password=Secret.123
+
+# Token name (default: internal).
+tokenname=internal
+
+# Nickname of agent certificate.
+nickname=caadmin
+
+# CMC servlet path
+servlet=/ca/ee/ca/profileSubmitCMCFullServerCert
+
+# Path for the CMC request.
+input=tmp/sslserver-cmc-request.bin
+
+# Path for the CMC response.
+output=tmp/sslserver-cmc-response.bin
+EOF
+
+HttpClient tmp/sslserver-cmc-submit.cfg
+
+CMCResponse -d ~/.dogtag/nssdb -i tmp/sslserver-cmc-response.bin
+
+BtoA tmp/sslserver-cmc-response.bin tmp/sslserver-cmc-response.b64
+echo "-----BEGIN PKCS7-----" > tmp/sslserver.crt
+cat tmp/sslserver-cmc-response.b64 >> tmp/sslserver.crt
+echo "-----END PKCS7-----" >> tmp/sslserver.crt
+
+pki cert-show --output tmp/external.crt 0x1
diff --git a/scripts/subsystem-ca-sign.sh b/scripts/subsystem-ca-sign.sh
new file mode 100755
index 0000000..14cc32a
--- /dev/null
+++ b/scripts/subsystem-ca-sign.sh
@@ -0,0 +1,13 @@
+#!/bin/sh
+
+CMD="pki ca-cert-request-submit --profile caSubsystemCert --csr-file tmp/subsystem.csr"
+echo $CMD
+REQUEST_ID=`$CMD | grep "Request ID:" | awk -F ': ' '{print $2;}'`
+echo Request ID: $REQUEST_ID
+
+CMD="pki -c Secret.123 -n caadmin ca-cert-request-review --action approve $REQUEST_ID"
+echo $CMD
+CERT_ID=`$CMD | grep "Certificate ID:" | awk -F ': ' '{print $2;}'`
+echo Certificate ID: $CERT_ID
+
+pki cert-show --output tmp/subsystem.crt $CERT_ID
diff --git a/scripts/subsystem-cmc-sign.sh b/scripts/subsystem-cmc-sign.sh
new file mode 100755
index 0000000..eb74b7c
--- /dev/null
+++ b/scripts/subsystem-cmc-sign.sh
@@ -0,0 +1,80 @@
+#!/bin/sh
+
+mkdir -p tmp
+
+cat > tmp/subsystem-cmc-request.cfg << EOF
+# NSS database directory.
+dbdir=$HOME/.dogtag/nssdb
+
+# NSS database password.
+password=Secret.123
+
+# Token name (default is internal).
+tokenname=internal
+
+# Nickname for agent certificate.
+nickname=caadmin
+
+# Request format: pkcs10 or crmf.
+format=pkcs10
+
+# Total number of PKCS10/CRMF requests.
+numRequests=1
+
+# Path to the PKCS10/CRMF request.
+# The content must be in Base-64 encoded format.
+# Multiple files are supported. They must be separated by space.
+input=$PWD/tmp/subsystem.csr
+
+# Path for the CMC request in binary format
+output=$PWD/tmp/subsystem-cmc-request.bin
+EOF
+
+CMCRequest tmp/subsystem-cmc-request.cfg
+
+cat > tmp/subsystem-cmc-submit.cfg << EOF
+# PKI server host name.
+host=$HOSTNAME
+
+# PKI server port number.
+port=8443
+
+# Use secure connection.
+# For secure connection with ECC, set environment variable 'export NSS_USE_DECODED_CKA_EC_POINT=1'.
+secure=true
+
+# Use client authentication.
+clientmode=true
+
+# NSS database directory.
+dbdir=$HOME/.dogtag/nssdb
+
+# NSS database password.
+password=Secret.123
+
+# Token name (default: internal).
+tokenname=internal
+
+# Nickname of agent certificate.
+nickname=caadmin
+
+# CMC servlet path
+servlet=/ca/ee/ca/profileSubmitCMCFullSubsystemCert
+
+# Path for the CMC request.
+input=tmp/subsystem-cmc-request.bin
+
+# Path for the CMC response.
+output=tmp/subsystem-cmc-response.bin
+EOF
+
+HttpClient tmp/subsystem-cmc-submit.cfg
+
+CMCResponse -d ~/.dogtag/nssdb -i tmp/subsystem-cmc-response.bin
+
+BtoA tmp/subsystem-cmc-response.bin tmp/subsystem-cmc-response.b64
+echo "-----BEGIN PKCS7-----" > tmp/subsystem.crt
+cat tmp/subsystem-cmc-response.b64 >> tmp/subsystem.crt
+echo "-----END PKCS7-----" >> tmp/subsystem.crt
+
+pki cert-show --output tmp/external.crt 0x1
-- 
cgit