From 3190be941ce9bb8b05b1bf9d49aa95480c1ba77b Mon Sep 17 00:00:00 2001 
From: "Endi S. Dewata" Date: Wed, 12 Jul 2017 17:28:37 +0200 Subject: Updated CA scripts. --- scripts/ca-admin-setup.sh | 15 +++++++++ scripts/ca-cert-find.sh | 3 ++ scripts/ca-clone-configure.sh | 66 ++++++++++++++++++++++++++++++++++++ scripts/ca-clone-create.sh | 63 ++++++++++++++++++++++++++++++++++ scripts/ca-clone-import.sh | 5 +++ scripts/ca-clone-prep.sh | 17 ++++++++++ scripts/ca-clone-remove.sh | 7 ++++ scripts/ca-clone-restart.sh | 4 +++ scripts/ca-clone-start.sh | 3 ++ scripts/ca-clone-stop.sh | 3 ++ scripts/ca-create.sh | 8 +++-- scripts/ca-csr-dump.sh | 3 ++ scripts/ca-customize.sh | 5 +++ scripts/ca-existing-create.sh | 9 +++++ scripts/ca-existing-export.sh | 12 +++++++ scripts/ca-export.sh | 33 ++++++++++++++++++ scripts/ca-external-nss-sign.sh | 67 +++++++++++++++++++++++++++++++++++++ scripts/ca-external-step1.sh | 28 ++++++++++++++++ scripts/ca-external-step2.sh | 13 +++++++ scripts/ca-hsm-fips-enable.sh | 3 ++ scripts/ca-keys.sh | 7 ++++ scripts/ca-level3-step1.sh | 19 +++++++++++ scripts/ca-level3-step2.sh | 7 ++++ scripts/ca-lunasa-clone-create.sh | 7 ++++ scripts/ca-lunasa-create.sh | 8 +++++ scripts/ca-lunasa-external-step1.sh | 19 +++++++++++ scripts/ca-lunasa-external-step2.sh | 10 ++++++ scripts/ca-merged-create.sh | 2 +- scripts/ca-nfast-create-step1.sh | 9 +++++ scripts/ca-nfast-create-step2.sh | 9 +++++ scripts/ca-nfast-create.sh | 3 ++ scripts/ca-nfast-external-step1.sh | 19 +++++++++++ scripts/ca-nfast-external-step2.sh | 10 ++++++ scripts/ca-p12-create.sh | 19 +++++++++++ scripts/ca-p12-export.sh | 64 +++++++++++++++++++++++++++++++++++ scripts/ca-remove.sh | 2 +- scripts/ca-renew-step1.sh | 10 ++++++ scripts/ca-renew-step2.sh | 66 ++++++++++++++++++++++++++++++++++++ scripts/ca-renew-step3.sh | 8 +++++ scripts/ca-restore.sh | 18 ++++++++++ scripts/ca-ssl-create.sh | 8 +++++ scripts/ca-step1.sh | 5 +++ scripts/ca-step2.sh | 5 +++ scripts/ca-sub-create.sh | 3 ++ scripts/ca-sub-lunasa-create.sh | 3 ++ scripts/ca-sub-nfast-step1.sh | 3 
++ scripts/ca-sub-nfast-step2.sh | 3 ++ scripts/ca-sub-nfast.sh | 3 ++ scripts/ca-sub-remove.sh | 6 ++++ scripts/ca-sub-step1.sh | 3 ++ scripts/ca-sub-step2.sh | 3 ++ scripts/ca-tomcat7-create.sh | 39 +++++++++++++++++++++ scripts/ca-tomcat8-create.sh | 39 +++++++++++++++++++++ scripts/ca-tomcat85-create.sh | 39 +++++++++++++++++++++ scripts/ca-tps-remove.sh | 13 +++++++ scripts/ca.cfg | 36 +++++++++----------- scripts/ca_signing-generate-csr.sh | 24 +++++++++++++ scripts/caext-create.sh | 3 ++ scripts/caext-remove.sh | 6 ++++ scripts/cassl-create.sh | 8 +++++ 60 files changed, 911 insertions(+), 24 deletions(-) create mode 100755 scripts/ca-admin-setup.sh create mode 100755 scripts/ca-cert-find.sh create mode 100755 scripts/ca-clone-configure.sh create mode 100755 scripts/ca-clone-create.sh create mode 100755 scripts/ca-clone-import.sh create mode 100755 scripts/ca-clone-prep.sh create mode 100755 scripts/ca-clone-remove.sh create mode 100755 scripts/ca-clone-restart.sh create mode 100755 scripts/ca-clone-start.sh create mode 100755 scripts/ca-clone-stop.sh create mode 100755 scripts/ca-csr-dump.sh create mode 100755 scripts/ca-customize.sh create mode 100755 scripts/ca-existing-create.sh create mode 100755 scripts/ca-existing-export.sh create mode 100755 scripts/ca-export.sh create mode 100755 scripts/ca-external-nss-sign.sh create mode 100755 scripts/ca-external-step1.sh create mode 100755 scripts/ca-external-step2.sh create mode 100755 scripts/ca-hsm-fips-enable.sh create mode 100755 scripts/ca-keys.sh create mode 100755 scripts/ca-level3-step1.sh create mode 100755 scripts/ca-level3-step2.sh create mode 100755 scripts/ca-lunasa-clone-create.sh create mode 100755 scripts/ca-lunasa-create.sh create mode 100755 scripts/ca-lunasa-external-step1.sh create mode 100755 scripts/ca-lunasa-external-step2.sh create mode 100755 scripts/ca-nfast-create-step1.sh create mode 100755 scripts/ca-nfast-create-step2.sh create mode 100755 scripts/ca-nfast-create.sh create mode 
100755 scripts/ca-nfast-external-step1.sh create mode 100755 scripts/ca-nfast-external-step2.sh create mode 100755 scripts/ca-p12-create.sh create mode 100755 scripts/ca-p12-export.sh create mode 100755 scripts/ca-renew-step1.sh create mode 100755 scripts/ca-renew-step2.sh create mode 100755 scripts/ca-renew-step3.sh create mode 100755 scripts/ca-restore.sh create mode 100755 scripts/ca-ssl-create.sh create mode 100755 scripts/ca-step1.sh create mode 100755 scripts/ca-step2.sh create mode 100755 scripts/ca-sub-create.sh create mode 100755 scripts/ca-sub-lunasa-create.sh create mode 100755 scripts/ca-sub-nfast-step1.sh create mode 100755 scripts/ca-sub-nfast-step2.sh create mode 100755 scripts/ca-sub-nfast.sh create mode 100755 scripts/ca-sub-remove.sh create mode 100755 scripts/ca-sub-step1.sh create mode 100755 scripts/ca-sub-step2.sh create mode 100755 scripts/ca-tomcat7-create.sh create mode 100755 scripts/ca-tomcat8-create.sh create mode 100755 scripts/ca-tomcat85-create.sh create mode 100755 scripts/ca-tps-remove.sh create mode 100755 scripts/ca_signing-generate-csr.sh create mode 100755 scripts/caext-create.sh create mode 100755 scripts/caext-remove.sh create mode 100755 scripts/cassl-create.sh diff --git a/scripts/ca-admin-setup.sh b/scripts/ca-admin-setup.sh new file mode 100755 index 0000000..c7f4953 --- /dev/null +++ b/scripts/ca-admin-setup.sh 
@@ -0,0 +1,15 @@
+#!/bin/sh -x
+
+pki -d ~/.dogtag/pki-tomcat/ca/alias -c Secret123 -n caadmin ca-user-add causer --fullName "CA Admin"
+pki -d ~/.dogtag/pki-tomcat/ca/alias -c Secret123 -n caadmin ca-group-member-add "Administrators" causer
+
+REQUEST_ID=`pki -c Secret123 client-cert-request uid=causer | grep "Request ID:" | awk -F ': ' '{print $2;}'`
+echo Request ID: $REQUEST_ID
+
+CERT_ID=`pki -d ~/.dogtag/pki-tomcat/ca/alias -c Secret123 -n caadmin ca-cert-request-review --action approve $REQUEST_ID | grep "Certificate ID:" | awk -F ': ' '{print $2;}'`
+echo Certificate ID: $CERT_ID
+
+pki -d ~/.dogtag/pki-tomcat/ca/alias -c Secret123 -n caadmin ca-user-cert-add causer --serial $CERT_ID
+pki -c Secret123 client-cert-import causer --serial $CERT_ID
+
+pki -c Secret123 client-cert-show causer --pkcs12 causer.p12 --pkcs12-password Secret123
diff --git a/scripts/ca-cert-find.sh b/scripts/ca-cert-find.sh
new file mode 100755
index 0000000..3992d10
--- /dev/null
+++ b/scripts/ca-cert-find.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+curl http://$HOSTNAME:8080/ca/rest/certs | xmllint --format -
diff --git a/scripts/ca-clone-configure.sh b/scripts/ca-clone-configure.sh
new file mode 100755
index 0000000..4c3d55b
--- /dev/null
+++ b/scripts/ca-clone-configure.sh
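Review bot: `REQUEST_ID` (line 6) and `CERT_ID` (line 9) are used without any check, so when the `grep "Request ID:"` pipeline matches nothing the approval on line 9 runs as `ca-cert-request-review --action approve` with no id, and lines 12–13 then pass an empty `--serial`; add `[ -n "$REQUEST_ID" ] || exit 1` after line 6 and `[ -n "$CERT_ID" ] || exit 1` after line 9, and quote both expansions. Because the file is `#!/bin/sh -x`, every command is echoed to stderr, so the literal `Secret123` in each `-c Secret123` and in `--pkcs12-password Secret123` on line 15 lands in any saved output of this script as well as in the process list. ca-existing-export.sh in this same commit reads the PKCS#12 password from `password.txt` via `--pkcs12-password-file`; the same file could feed the pki client password through the CLI's `-C <password file>` option, if this version supports it, and `client-cert-show` likewise if it accepts a password-file form. The backtick substitutions would read more easily as `$(...)`, which nests and is valid in POSIX sh.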
@@ -0,0 +1,66 @@
+#!/bin/sh -x
+
+PKI_DEV_SRC=`cd .. ; pwd`
+
+INSTANCE_NAME=pki-caclone
+PASSWORD=Secret123
+PIN=`grep preop.pin= /var/lib/$INSTANCE_NAME/conf/CS.cfg | awk -F= '{ print $2; }'`
+
+REALM=EXAMPLE-COM
+CERTS=$PKI_DEV_SRC/certs/caclone
+rm -rf $CERTS
+mkdir -p $CERTS
+
+./ca-clone-certs.sh
+
+pkisilent ConfigureCA \
+ -cs_hostname "$HOSTNAME" \
+ -cs_port "9444" \
+ -preop_pin "$PIN" \
+ -client_certdb_dir "$CERTS" \
+ -client_certdb_pwd "$PASSWORD" \
+ -token_name "internal" \
+ -domain_name "$REALM" \
+ -subsystem_name "Certificate Authority Clone" \
+ -clone "true" \
+ -clone_uri "https://$HOSTNAME:9443" \
+ -clone_p12_file "ca-server-certs.p12" \
+ -clone_p12_password "$PASSWORD" \
+ -sd_hostname "$HOSTNAME" \
+ -sd_admin_port 9443 \
+ -sd_ssl_port 9443 \
+ -sd_agent_port 9443 \
+ -sd_admin_name "caadmin" \
+ -sd_admin_password "$PASSWORD" \
+ -ldap_host "localhost" \
+ -ldap_port "390" \
+ -base_dn "dc=ca,dc=example,dc=com" \
+ -db_name "example.com-$INSTANCE_NAME" \
+ -bind_dn "cn=Directory Manager" \
+ -bind_password "$PASSWORD" \
+ -remove_data "true" \
+ -key_type rsa \
+ -key_size 2048 \
+ -key_algorithm SHA256withRSA \
+ -signing_signingalgorithm SHA256withRSA \
+ -save_p12 true \
+ -backup_fname "$CERTS/caclone-server-certs.p12" \
+ -backup_pwd "$PASSWORD" \
+ -ca_sign_cert_subject_name "CN=Certificate Authority,O=$REALM" \
+ -ca_ocsp_cert_subject_name "CN=OCSP Signing Certificate,O=$REALM" \
+ -ca_server_cert_subject_name "CN=$HOSTNAME,O=$REALM" \
+ -ca_subsystem_cert_subject_name "CN=CA Subsystem Certificate,O=$REALM" \
+ -ca_audit_signing_cert_subject_name "CN=CA Audit Signing Certificate,O=$REALM" \
+ -admin_user "caadmin" \
+ -agent_name "caadmin" \
+ -admin_email "caadmin@example.com" \
+ -admin_password "$PASSWORD" \
+ -agent_key_size 2048 \
+ -agent_key_type rsa \
+ -agent_cert_subject "CN=caadmin,UID=caadmin,E=caadmin@example.com,O=$REALM"
+
+
+echo $PASSWORD > "$CERTS/password.txt"
+PKCS12Export -d "$CERTS" -o "$CERTS/caclone-client-certs.p12" -p "$CERTS/password.txt" -w "$CERTS/password.txt"
+
+systemctl restart pki-cad@$INSTANCE_NAME.service
diff --git a/scripts/ca-clone-create.sh b/scripts/ca-clone-create.sh
new file mode 100755
index 0000000..b890789
--- /dev/null
+++ b/scripts/ca-clone-create.sh
@@ -0,0 +1,63 @@
+#!/bin/sh -x
+
+MASTER=`cat master.txt`
+
+/bin/cp ca_backup_keys.p12 /tmp
+/bin/cp ca_admin.cert /tmp
+/bin/cp ca_admin_cert.p12 /tmp
+
+cat > ca-clone.cfg << EOF
+#[DEFAULT]
+#pki_pin=Secret.123
+
+[CA]
+pki_admin_email=caadmin@example.com
+pki_admin_name=caadmin
+pki_admin_nickname=caadmin
+pki_admin_password=Secret.123
+pki_admin_uid=caadmin
+
+pki_client_database_password=Secret.123
+pki_client_pkcs12_password=Secret.123
+
+pki_ds_base_dn=dc=ca,dc=pki,dc=example,dc=com
+pki_ds_database=ca
+pki_ds_password=Secret.123
+
+#pki_ds_secure_connection=True
+#pki_ds_ldaps_port=636
+#pki_ds_secure_connection_ca_nickname=$MASTER
+#pki_ds_secure_connection_ca_pem_file=$MASTER.crt
+
+pki_security_domain_hostname=$MASTER
+pki_security_domain_user=caadmin
+pki_security_domain_password=Secret.123
+
+pki_clone=True
+pki_clone_replicate_schema=True
+pki_clone_uri=https://$MASTER:8443
+
+# PKI 9
+#pki_ca_signing_nickname=caSigningCert cert-pki-ca
+#pki_ocsp_signing_nickname=ocspSigningCert cert-pki-ca
+#pki_audit_signing_nickname=auditSigningCert cert-pki-ca
+#pki_ssl_server_nickname=Server-Cert cert-pki-ca
+#pki_subsystem_nickname=subsystemCert cert-pki-ca
+
+# PKI 10
+pki_ca_signing_nickname=ca_signing
+pki_ocsp_signing_nickname=ca_ocsp_signing
+pki_audit_signing_nickname=ca_audit_signing
+pki_ssl_server_nickname=sslserver
+pki_subsystem_nickname=subsystem
+
+# Dogtag 10.2 only
+pki_clone_pkcs12_password=Secret.123
+pki_clone_pkcs12_path=/tmp/ca_backup_keys.p12
+
+# Dogtag 10.3 only
+#pki_server_pkcs12_path=pki-server.p12
+#pki_server_pkcs12_password=Secret.123
+EOF
+
+pkispawn -vvv -f ca-clone.cfg -s CA
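Review bot: `rm -rf $CERTS` on line 11 is unquoted and `CERTS` (line 10) is built from `PKI_DEV_SRC=\`cd .. ; pwd\``, so a checkout path containing a space splits into several `rm` targets; `rm -rf -- "${CERTS:?}"` quotes it and refuses to run on an empty value. `PIN` on line 7 is never checked either, and an empty value only surfaces later as a `pkisilent` failure, so `[ -n "$PIN" ] || exit 1` is worth the line. Line 63 writes `$PASSWORD` to `$CERTS/password.txt` with the caller's umask and the file is never deleted after `PKCS12Export` has read it; `umask 077` at the top of the script fixes the mode of that file and of the two PKCS#12 bundles written next to it. With `sh -x` the whole `pkisilent` command line, including every `$PASSWORD` argument, is echoed to stderr, which matters if the output of this script is saved.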
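Review bot: The heredoc on line 9 writes `pki_admin_password`, `pki_ds_password`, `pki_security_domain_password` and `pki_clone_pkcs12_password` into `ca-clone.cfg` in the working directory with whatever umask the caller has, and the file is not removed after `pkispawn` on line 63 has consumed it; put `umask 077` before the heredoc and `rm -f ca-clone.cfg` after the `pkispawn` line, or write the config to a `mktemp` file. `MASTER=\`cat master.txt\`` on line 3 is unchecked, and an empty value silently turns into `pki_clone_uri=https://:8443`; add `[ -n "$MASTER" ] || exit 1`. Lines 5–7 copy `ca_backup_keys.p12` — the bundle the config names as `pki_clone_pkcs12_path`, which presumably carries the CA keys — into `/tmp` under a fixed name with default permissions; ca-clone-import.sh, ca-existing-create.sh and ca-p12-create.sh do the same with their PKCS#12 files, and `install -m 600 ca_backup_keys.p12 /tmp/ca_backup_keys.p12` at least keeps the copy owner-readable.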
diff --git a/scripts/ca-clone-import.sh b/scripts/ca-clone-import.sh
new file mode 100755
index 0000000..5914b7c
--- /dev/null
+++ b/scripts/ca-clone-import.sh
@@ -0,0 +1,5 @@
+#!/bin/sh -x
+
+cp /home/edewata/ca_backup_keys.p12 /tmp
+cp /home/edewata/ca_admin.cert /tmp
+cp /home/edewata/ca_admin_cert.p12 /tmp
diff --git a/scripts/ca-clone-prep.sh b/scripts/ca-clone-prep.sh
new file mode 100755
index 0000000..ffd5538
--- /dev/null
+++ b/scripts/ca-clone-prep.sh
@@ -0,0 +1,17 @@
+#!/bin/sh -x
+
+echo $HOSTNAME > master.txt
+
+grep "internal=" /var/lib/pki/pki-tomcat/conf/password.conf | awk -F= '{print $2}' > internal.txt
+echo Secret.123 > password.txt
+
+PKCS12Export -debug -d /var/lib/pki/pki-tomcat/alias -p internal.txt -w password.txt -o ca_backup_keys.p12
+
+pki pkcs12-cert-find --pkcs12-file ca_backup_keys.p12 --pkcs12-password Secret.123
+
+pki-server ca-clone-prepare --pkcs12-file pki-server.p12 --pkcs12-password Secret.123
+
+pki pkcs12-cert-find --pkcs12-file pki-server.p12 --pkcs12-password Secret.123
+
+cp ~/.dogtag/pki-tomcat/ca_admin.cert .
+cp ~/.dogtag/pki-tomcat/ca_admin_cert.p12 .
diff --git a/scripts/ca-clone-remove.sh b/scripts/ca-clone-remove.sh
new file mode 100755
index 0000000..7e98422
--- /dev/null
+++ b/scripts/ca-clone-remove.sh
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+SRC_DIR=`cd ../.. ; pwd`
+#INSTANCE_NAME=pki-clone
+INSTANCE_NAME=pki-tomcat
+
+pkidestroy -v -s CA -i $INSTANCE_NAME
diff --git a/scripts/ca-clone-restart.sh b/scripts/ca-clone-restart.sh
new file mode 100755
index 0000000..9c158d7
--- /dev/null
+++ b/scripts/ca-clone-restart.sh
@@ -0,0 +1,4 @@
+#!/bin/sh -x
+
+./ca-clone-stop.sh
+./ca-clone-start.sh
diff --git a/scripts/ca-clone-start.sh b/scripts/ca-clone-start.sh
new file mode 100755
index 0000000..9ebfd59
--- /dev/null
+++ b/scripts/ca-clone-start.sh
@@ -0,0 +1,3 @@
+#!/bin/sh -x
+
+systemctl start pki-tomcatd@ca-clone.service
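Review bot: Lines 3–5 hard-wire `/home/edewata` as the source directory, so the script only works from that one account; `SRC=${1:-$HOME}` at the top and `cp "$SRC/ca_backup_keys.p12" /tmp` (likewise for the two other files) keeps the same default for its author and makes the path overridable. Quoting `"$SRC/..."` also keeps the copy intact if the directory is ever given with a space in it.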
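Review bot: Line 5 copies the instance's NSS internal token password out of `password.conf` into `internal.txt` and line 6 writes `Secret.123` to `password.txt`, both in the working directory with the caller's umask and neither removed afterwards, although `internal.txt` is only needed for the `PKCS12Export -p internal.txt` call on line 8. Set `umask 077` at the top and delete `internal.txt` once the export has run (`rm -f internal.txt`), or write it to a `mktemp` file and remove it with `trap ... EXIT`. The `--pkcs12-password Secret.123` arguments on lines 10, 12 and 14 are echoed by `sh -x` and visible in the process list; `--pkcs12-password-file password.txt`, which ca-export.sh in this commit uses for the same `pki pkcs12-cert-find` command, keeps the value out of both. The unanchored `grep "internal="` would also match any other key ending in `internal=`; `grep "^internal="` pins it to the intended line, and the same unanchored grep appears in ca-export.sh (line 3) and ca-keys.sh (line 3).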
diff --git a/scripts/ca-clone-stop.sh b/scripts/ca-clone-stop.sh
new file mode 100755
index 0000000..63e7b51
--- /dev/null
+++ b/scripts/ca-clone-stop.sh
@@ -0,0 +1,3 @@
+#!/bin/sh -x
+
+systemctl stop pki-tomcatd@ca-clone.service
diff --git a/scripts/ca-create.sh b/scripts/ca-create.sh
index 42b4105..48c5342 100755
--- a/scripts/ca-create.sh
+++ b/scripts/ca-create.sh
@@ -1,4 +1,8 @@
 #!/bin/sh -x
 
-mkdir -p build
-pkispawn -v -f ca.cfg -s CA 2>&1 | tee build/ca-create.log
+pkispawn -vv -f ca.cfg -s CA
+
+#/bin/cp /root/.dogtag/pki-tomcat/ca_admin.cert .
+#/bin/cp /root/.dogtag/pki-tomcat/ca_admin_cert.p12 .
+#/bin/cp /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf ca_admin_cert.txt
+#echo $HOSTNAME > master.txt
diff --git a/scripts/ca-csr-dump.sh b/scripts/ca-csr-dump.sh
new file mode 100755
index 0000000..177d356
--- /dev/null
+++ b/scripts/ca-csr-dump.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+openssl req -text -noout -in /tmp/ca_signing.csr
diff --git a/scripts/ca-customize.sh b/scripts/ca-customize.sh
new file mode 100755
index 0000000..1bae37e
--- /dev/null
+++ b/scripts/ca-customize.sh
@@ -0,0 +1,5 @@
+#!/bin/sh
+
+sed -i "s/startTime=60/startTime=0/" /var/lib/pki/pki-tomcat/ca/profiles/ca/caSignedLogCert.cfg
+
+./tomcat-restart.sh
diff --git a/scripts/ca-existing-create.sh b/scripts/ca-existing-create.sh
new file mode 100755
index 0000000..a3b5a88
--- /dev/null
+++ b/scripts/ca-existing-create.sh
@@ -0,0 +1,9 @@
+#!/bin/sh -x
+
+rm -rf /tmp/ca_signing.csr
+rm -rf /tmp/ca.p12
+
+/bin/cp ca_signing.csr /tmp
+/bin/cp ca.p12 /tmp
+
+pkispawn -v -f ca-existing.cfg -s CA
diff --git a/scripts/ca-existing-export.sh b/scripts/ca-existing-export.sh
new file mode 100755
index 0000000..fdefc58
--- /dev/null
+++ b/scripts/ca-existing-export.sh
@@ -0,0 +1,12 @@
+#!/bin/sh -x
+
+rm -rf ca_signing.csr
+rm -rf ca.p12
+
+pki-server subsystem-cert-export ca signing \
+ --csr-file ca_signing.csr \
+ --pkcs12-file ca.p12 \
+ --pkcs12-password-file password.txt
+
+pki pkcs12-cert-find --pkcs12-file ca.p12 --pkcs12-password-file password.txt
+pki pkcs12-key-find --pkcs12-file ca.p12 --pkcs12-password-file password.txt
diff --git a/scripts/ca-export.sh b/scripts/ca-export.sh
new file mode 100755
index 0000000..351f68f
--- /dev/null
+++ b/scripts/ca-export.sh
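Review bot: Nothing checks the exit status of the `pki-server subsystem-cert-export` on lines 6–9 and the script has no `set -e`, so a failed export is followed by the `pki pkcs12-cert-find` and `pkcs12-key-find` on lines 11–12 running against a `ca.p12` that line 4 has already removed, and the trace ends with their error rather than the real one. `set -e` after the shebang, or `|| exit 1` on the export, keeps the failure visible. `rm -rf` on regular files (lines 3–4) is also broader than needed; `rm -f` is enough and cannot recurse into a directory that happens to carry the name.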
@@ -0,0 +1,33 @@
+#!/bin/sh -x
+
+grep "internal=" /var/lib/pki/pki-tomcat/conf/password.conf | awk -F= '{print $2}' > internal.txt
+#PKCS12Export -debug -d /var/lib/pki/pki-tomcat/alias -p internal.txt -w password.txt -o ca_backup_keys.p12
+PKCS12Export -d /var/lib/pki/pki-tomcat/alias -p internal.txt -w password.txt -o ca_backup_keys.p12
+
+pki pkcs12-cert-find --pkcs12-file ca_backup_keys.p12 --pkcs12-password-file password.txt
+pki pkcs12-key-find --pkcs12-file ca_backup_keys.p12 --pkcs12-password-file password.txt
+
+echo "-----BEGIN NEW CERTIFICATE REQUEST-----" > ca_signing.csr
+sed -n "/^ca.signing.certreq=/ s/^[^=]*=// p" < /var/lib/pki/pki-tomcat/ca/conf/CS.cfg >> ca_signing.csr
+echo "-----END NEW CERTIFICATE REQUEST-----" >> ca_signing.csr
+
+echo "-----BEGIN NEW CERTIFICATE REQUEST-----" > ca_ocsp_signing.csr
+sed -n "/^ca.ocsp_signing.certreq=/ s/^[^=]*=// p" < /var/lib/pki/pki-tomcat/ca/conf/CS.cfg >> ca_ocsp_signing.csr
+echo "-----END NEW CERTIFICATE REQUEST-----" >> ca_ocsp_signing.csr
+
+echo "-----BEGIN NEW CERTIFICATE REQUEST-----" > sslserver.csr
+sed -n "/^ca.sslserver.certreq=/ s/^[^=]*=// p" < /var/lib/pki/pki-tomcat/ca/conf/CS.cfg >> sslserver.csr
+echo "-----END NEW CERTIFICATE REQUEST-----" >> sslserver.csr
+
+echo "-----BEGIN NEW CERTIFICATE REQUEST-----" > subsystem.csr
+sed -n "/^ca.subsystem.certreq=/ s/^[^=]*=// p" < /var/lib/pki/pki-tomcat/ca/conf/CS.cfg >> subsystem.csr
+echo "-----END NEW CERTIFICATE REQUEST-----" >> subsystem.csr
+
+echo "-----BEGIN NEW CERTIFICATE REQUEST-----" > ca_audit_signing.csr
+sed -n "/^ca.audit_signing.certreq=/ s/^[^=]*=// p" < /var/lib/pki/pki-tomcat/ca/conf/CS.cfg >> ca_audit_signing.csr
+echo "-----END NEW CERTIFICATE REQUEST-----" >> ca_audit_signing.csr
+
+#pki-server ca-clone-prepare --pkcs12-file ca_backup_keys.p12 --pkcs12-password-file password.txt
+
+cp ~/.dogtag/pki-tomcat/ca_admin.cert .
+cp ~/.dogtag/pki-tomcat/ca_admin_cert.p12 .
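Review bot: The five three-line groups on lines 10–28 are the same extraction with a different CS.cfg key and output file, and none of them notices a missing key: `sed -n` prints nothing, the file ends up as two armor lines, and the script continues as if the CSR existed. A small helper that takes the key and the output path and fails when no body line was written removes both the repetition and the silent case; the sketch below keeps the same PEM labels and the same CS.cfg path. `internal.txt` on line 3 is left behind after `PKCS12Export` on line 5 has read it, so `rm -f internal.txt` after that line would be consistent with the password-file handling the rest of the script uses.
```shell
# … unchanged: password.conf extraction, PKCS12Export, pkcs12-*-find …

# Write the CSR stored under key $1 in CS.cfg to $2 as PEM; fail if the key is absent.
export_csr() {
  {
    echo "-----BEGIN NEW CERTIFICATE REQUEST-----"
    sed -n "/^$1=/ s/^[^=]*=// p" < /var/lib/pki/pki-tomcat/ca/conf/CS.cfg
    echo "-----END NEW CERTIFICATE REQUEST-----"
  } > "$2"
  grep -q '^[^-]' "$2" || { echo "no $1 in CS.cfg" >&2; exit 1; }
}

export_csr ca.signing.certreq ca_signing.csr
export_csr ca.ocsp_signing.certreq ca_ocsp_signing.csr
export_csr ca.sslserver.certreq sslserver.csr
export_csr ca.subsystem.certreq subsystem.csr
export_csr ca.audit_signing.certreq ca_audit_signing.csr

# … unchanged: ca_admin.cert / ca_admin_cert.p12 copies …
```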
diff --git a/scripts/ca-external-nss-sign.sh b/scripts/ca-external-nss-sign.sh
new file mode 100755
index 0000000..f8b4bc9
--- /dev/null
+++ b/scripts/ca-external-nss-sign.sh
@@ -0,0 +1,67 @@
+#!/bin/sh
+
+rm -rf external
+mkdir external
+certutil -N -d external -f password.txt
+openssl rand -out external/noise.bin 2048
+
+echo "## Generating external CA certificate..."
+
+#ROOTCA_SKID="0x847bb8664d7a32f182974ca861fb26867ecb42cd"
+ROOTCA_SKID="0x`openssl rand -hex 20`"
+
+echo -e "y\n\ny\n${ROOTCA_SKID}\n\n" | \
+ certutil -S \
+ -d external \
+ -f password.txt \
+ -z external/noise.bin \
+ -n "External CA" \
+ -s "CN=External CA,O=EXTERNAL" \
+ -x \
+ -t "CTu,Cu,Cu" \
+ -m $RANDOM\
+ -2 \
+ --keyUsage digitalSignature,nonRepudiation,certSigning,crlSigning,critical \
+ --extSKID
+
+# --keyUsage certSigning \
+# --nsCertType sslCA,smimeCA,objectSigningCA
+echo "## Exporting external CA certificate..."
+
+certutil -L -d external -n "External CA" -a > external.crt
+
+echo "## Signing the CA signing certificate..."
+
+#SUBCA_SKID="0x7d34de0374bcb294d5447479060266a52310e9ce"
+SUBCA_SKID="0x`openssl rand -hex 20`"
+SUBCA_OCSP="http://$HOSTNAME:8080/ca/ocsp"
+
+echo -e "y\n\ny\ny\n${ROOTCA_SKID}\n\n\n\n${SUBCA_SKID}\n\n2\n7\n${SUBCA_OCSP}\n\n\n\n" | \
+ certutil -C \
+ -d external \
+ -f password.txt \
+ -m $RANDOM \
+ -a \
+ -i ca_signing.csr \
+ -o ca_signing.crt \
+ -c "External CA" \
+ --extSKID \
+ -2 -3 \
+ --keyUsage digitalSignature,nonRepudiation,certSigning,crlSigning,critical \
+ --extAIA \
+ --extSKID
+
+echo "## Generating certificate chain..."
+
+certutil -A -d external -n "CA Signing Certificate" -t "CT,C,C" -a -i ca_signing.crt
+
+openssl crl2pkcs7 -nocrl -certfile external.crt -out cert_chain.p7b
+#openssl crl2pkcs7 -nocrl -certfile external.crt -certfile ca_signing.crt -out cert_chain.p7b
+
+#certutil -C \
+# -d external \
+# -f password.txt \
+# -m $RANDOM \
+# -a -i ca_signing.csr \
+# -o ca_signing.crt \
+# -c "External CA"
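Review bot: Lines 13 and 39 pipe `echo -e` into certutil and lines 22 and 43 pass `-m $RANDOM`, but the file is `#!/bin/sh`; under a POSIX sh such as dash `echo -e` prints a literal `-e ` in front of the first prompt answer and `$RANDOM` expands to nothing, so `-m` swallows the next option. Either switch the shebang to `#!/bin/bash` or stay portable with `printf 'y\n\ny\n%s\n\n' "$ROOTCA_SKID" | \` (same shape for the second pipe) and derive the serial from the `openssl rand -hex` the script already uses, e.g. `-m $((0x$(openssl rand -hex 2)))`. Independently of the shell, `$RANDOM` only spans 0–32767, so repeated runs can reissue a serial under the same "External CA" issuer, which the `certutil -A` on line 56 may then refuse next to a previously imported certificate — worth a comment at least. `--extSKID` appears twice in the `certutil -C` invocation (lines 48 and 52); one can go. The prompt-answer strings are tied to the exact question order of the installed certutil, so a comment naming the prompts each `y`/blank answers would make the next breakage easier to diagnose.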
diff --git a/scripts/ca-external-step1.sh b/scripts/ca-external-step1.sh
new file mode 100755
index 0000000..19eca2b
--- /dev/null
+++ b/scripts/ca-external-step1.sh
@@ -0,0 +1,28 @@
+#!/bin/sh -x
+
+rm -f /tmp/ca_signing.csr
+rm -f /tmp/ca_ocsp_signing.csr
+rm -f /tmp/ca_audit_signing.csr
+rm -f /tmp/sslserver.csr
+rm -f /tmp/subsystem.csr
+
+rm -r /tmp/external.crt
+rm -r /tmp/cert_chain.p7b
+rm -f /tmp/ca_signing.crt
+
+rm -f /tmp/example.crt
+rm -f /tmp/example2.crt
+rm -f /tmp/example.p7
+rm -f /tmp/example2.p7
+rm -f /tmp/example.p7b
+rm -f /tmp/example2.p7b
+rm -f /tmp/example3.csr
+rm -f /tmp/example3.crt
+
+pkispawn -vv -f ca-external-step1.cfg -s CA
+
+/bin/cp -f /tmp/ca_signing.csr .
+/bin/cp -f /tmp/ca_ocsp_signing.csr .
+/bin/cp -f /tmp/ca_audit_signing.csr .
+/bin/cp -f /tmp/sslserver.csr .
+/bin/cp -f /tmp/subsystem.csr .
diff --git a/scripts/ca-external-step2.sh b/scripts/ca-external-step2.sh
new file mode 100755
index 0000000..801bd1f
--- /dev/null
+++ b/scripts/ca-external-step2.sh
@@ -0,0 +1,13 @@
+#!/bin/sh -x
+
+cp ca_signing.crt /tmp
+cp external.crt /tmp
+cp cert_chain.p7b /tmp
+
+#cp level1.crt /tmp
+#cp level2.crt /tmp
+
+#cp example.crt /tmp
+#cp example2.p7b /tmp
+
+pkispawn -vv -f ca-external-step2.cfg -s CA
diff --git a/scripts/ca-hsm-fips-enable.sh b/scripts/ca-hsm-fips-enable.sh
new file mode 100755
index 0000000..b767b84
--- /dev/null
+++ b/scripts/ca-hsm-fips-enable.sh
@@ -0,0 +1,3 @@
+#!/bin/sh -x
+
+modutil -dbdir /var/lib/pki/pki-tomcat/alias/ -fips true
diff --git a/scripts/ca-keys.sh b/scripts/ca-keys.sh
new file mode 100755
index 0000000..52b71c4
--- /dev/null
+++ b/scripts/ca-keys.sh
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+NSSDB_PASSWORD=`grep internal= /var/lib/pki/pki-tomcat/conf/password.conf | awk -F = '{ print $2; }'`
+
+echo $NSSDB_PASSWORD > /var/lib/pki/pki-tomcat/alias/password.txt
+
+certutil -K -d /var/lib/pki/pki-tomcat/alias -f /var/lib/pki/pki-tomcat/alias/password.txt
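Review bot: Lines 9–10 use `rm -r` where every other cleanup line in the file uses `rm -f`; on a first run the two files are absent and `rm -r` prints an error because nothing silences it, and `-r` adds nothing for a regular file. Make them `rm -f /tmp/external.crt` and `rm -f /tmp/cert_chain.p7b`; ca-level3-step1.sh, ca-lunasa-external-step1.sh and ca-nfast-external-step1.sh carry the same two lines. Those three scripts and this one also share the whole `rm`/`pkispawn`/`cp` skeleton with only the cfg file name differing, which is a candidate for one script taking the cfg name as `$1`.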
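Review bot: Line 5 writes the NSS internal token password, copied from `password.conf` on line 3, to `/var/lib/pki/pki-tomcat/alias/password.txt` with the caller's umask and never removes it, so a second plaintext copy of the database password stays inside the instance's alias directory after this single `certutil -K` listing. Write it to a `mktemp` file created under `umask 077` and remove it on exit instead; `printf '%s\n'` also avoids `echo` reinterpreting a password that starts with `-` or contains backslashes, and the unquoted `$NSSDB_PASSWORD` would otherwise be word-split.
```shell
NSSDB_PASSWORD=`grep internal= /var/lib/pki/pki-tomcat/conf/password.conf | awk -F = '{ print $2; }'`

umask 077
PWFILE=$(mktemp) || exit 1
trap 'rm -f -- "$PWFILE"' EXIT
printf '%s\n' "$NSSDB_PASSWORD" > "$PWFILE"

certutil -K -d /var/lib/pki/pki-tomcat/alias -f "$PWFILE"
```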
diff --git a/scripts/ca-level3-step1.sh b/scripts/ca-level3-step1.sh new file mode 100755 index 0000000..43b2bcd --- /dev/null +++ b/scripts/ca-level3-step1.sh @@ -0,0 +1,19 @@ +#!/bin/sh -x + +rm -f /tmp/ca_signing.csr +rm -r /tmp/external.crt +rm -r /tmp/cert_chain.p7b +rm -f /tmp/ca_signing.crt + +rm -f /tmp/example.crt +rm -f /tmp/example2.crt +rm -f /tmp/example.p7 +rm -f /tmp/example2.p7 +rm -f /tmp/example.p7b +rm -f /tmp/example2.p7b +rm -f /tmp/example3.csr +rm -f /tmp/example3.crt + +pkispawn -vv -f ca-level3-step1.cfg -s CA + +/bin/cp -f /tmp/ca_signing.csr . diff --git a/scripts/ca-level3-step2.sh b/scripts/ca-level3-step2.sh new file mode 100755 index 0000000..2d7f09a --- /dev/null +++ b/scripts/ca-level3-step2.sh @@ -0,0 +1,7 @@ +#!/bin/sh -x + +cp ca_signing.crt /tmp +cp external.crt /tmp +cp cert_chain.p7b /tmp + +pkispawn -vv -f ca-level3-step2.cfg -s CA diff --git a/scripts/ca-lunasa-clone-create.sh b/scripts/ca-lunasa-clone-create.sh new file mode 100755 index 0000000..0f5c76e --- /dev/null +++ b/scripts/ca-lunasa-clone-create.sh @@ -0,0 +1,7 @@ +#!/bin/sh -x + +#/bin/cp ca_backup_keys.p12 /tmp +#/bin/cp ca_admin.cert /tmp +#/bin/cp ca_admin_cert.p12 /tmp + +pkispawn -vvv -f ca-lunasa-clone.cfg -s CA diff --git a/scripts/ca-lunasa-create.sh b/scripts/ca-lunasa-create.sh new file mode 100755 index 0000000..d4e50f8 --- /dev/null +++ b/scripts/ca-lunasa-create.sh @@ -0,0 +1,8 @@ +#!/bin/sh -x + +pkispawn -vv -f ca-lunasa.cfg -s CA + +/bin/cp /root/.dogtag/pki-tomcat/ca_admin.cert . +/bin/cp /root/.dogtag/pki-tomcat/ca_admin_cert.p12 . +/bin/cp /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf ca_admin_cert.txt +echo $HOSTNAME > master.txt diff --git a/scripts/ca-lunasa-external-step1.sh b/scripts/ca-lunasa-external-step1.sh new file mode 100755 index 0000000..934b78e --- /dev/null +++ b/scripts/ca-lunasa-external-step1.sh 
@@ -0,0 +1,19 @@ +#!/bin/sh -x + +rm -f /tmp/ca_signing.csr +rm -r /tmp/external.crt +rm -r /tmp/cert_chain.p7b +rm -f /tmp/ca_signing.crt + +rm -f /tmp/example.crt +rm -f /tmp/example2.crt +rm -f /tmp/example.p7 +rm -f /tmp/example2.p7 +rm -f /tmp/example.p7b +rm -f /tmp/example2.p7b +rm -f /tmp/example3.csr +rm -f /tmp/example3.crt + +pkispawn -vv -f ca-lunasa-external-step1.cfg -s CA + +/bin/cp -f /tmp/ca_signing.csr . diff --git a/scripts/ca-lunasa-external-step2.sh b/scripts/ca-lunasa-external-step2.sh new file mode 100755 index 0000000..c6f3004 --- /dev/null +++ b/scripts/ca-lunasa-external-step2.sh @@ -0,0 +1,10 @@ +#!/bin/sh -x + +cp ca_signing.crt /tmp +cp external.crt /tmp +cp cert_chain.p7b /tmp + +#cp example.crt /tmp +#cp example2.p7b /tmp + +pkispawn -vv -f ca-lunasa-external-step2.cfg -s CA diff --git a/scripts/ca-merged-create.sh b/scripts/ca-merged-create.sh index 0f6aee7..e2f6435 100755 --- a/scripts/ca-merged-create.sh +++ b/scripts/ca-merged-create.sh @@ -1,3 +1,3 @@ #!/bin/sh -x -pkispawn -v -f ca-merged.cfg -s CA -v 2>&1 | tee build/ca-merged-create.log +pkispawn -v -f ca-merged.cfg -s CA -v diff --git a/scripts/ca-nfast-create-step1.sh b/scripts/ca-nfast-create-step1.sh new file mode 100755 index 0000000..483fdbb --- /dev/null +++ b/scripts/ca-nfast-create-step1.sh @@ -0,0 +1,9 @@ +#!/bin/sh -x + +#pkispawn -vv -f ca-nfast-step1.cfg -s CA +pkispawn -vv -f ca-nfast.cfg -s CA --skip-configuration + +#/bin/cp /root/.dogtag/pki-tomcat/ca_admin.cert . +#/bin/cp /root/.dogtag/pki-tomcat/ca_admin_cert.p12 . +#/bin/cp /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf ca_admin_cert.txt +#echo $HOSTNAME > master.txt diff --git a/scripts/ca-nfast-create-step2.sh b/scripts/ca-nfast-create-step2.sh new file mode 100755 index 0000000..8afa365 --- /dev/null +++ b/scripts/ca-nfast-create-step2.sh 
@@ -0,0 +1,9 @@ +#!/bin/sh -x + +#pkispawn -vv -f ca-nfast-step2.cfg -s CA +pkispawn -vv -f ca-nfast.cfg -s CA --skip-installation + +#/bin/cp /root/.dogtag/pki-tomcat/ca_admin.cert . +#/bin/cp /root/.dogtag/pki-tomcat/ca_admin_cert.p12 . +#/bin/cp /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf ca_admin_cert.txt +#echo $HOSTNAME > master.txt diff --git a/scripts/ca-nfast-create.sh b/scripts/ca-nfast-create.sh new file mode 100755 index 0000000..b0e914f --- /dev/null +++ b/scripts/ca-nfast-create.sh @@ -0,0 +1,3 @@ +#!/bin/sh -x + +pkispawn -vv -f ca-nfast.cfg -s CA diff --git a/scripts/ca-nfast-external-step1.sh b/scripts/ca-nfast-external-step1.sh new file mode 100755 index 0000000..8cb4448 --- /dev/null +++ b/scripts/ca-nfast-external-step1.sh @@ -0,0 +1,19 @@ +#!/bin/sh -x + +rm -f /tmp/ca_signing.csr +rm -r /tmp/external.crt +rm -r /tmp/cert_chain.p7b +rm -f /tmp/ca_signing.crt + +rm -f /tmp/example.crt +rm -f /tmp/example2.crt +rm -f /tmp/example.p7 +rm -f /tmp/example2.p7 +rm -f /tmp/example.p7b +rm -f /tmp/example2.p7b +rm -f /tmp/example3.csr +rm -f /tmp/example3.crt + +pkispawn -vv -f ca-nfast-external-step1.cfg -s CA + +/bin/cp -f /tmp/ca_signing.csr . diff --git a/scripts/ca-nfast-external-step2.sh b/scripts/ca-nfast-external-step2.sh new file mode 100755 index 0000000..6b877d8 --- /dev/null +++ b/scripts/ca-nfast-external-step2.sh @@ -0,0 +1,10 @@ +#!/bin/sh -x + +cp ca_signing.crt /tmp +cp external.crt /tmp +cp cert_chain.p7b /tmp + +#cp example.crt /tmp +#cp example2.p7b /tmp + +pkispawn -vv -f ca-nfast-external-step2.cfg -s CA diff --git a/scripts/ca-p12-create.sh b/scripts/ca-p12-create.sh new file mode 100755 index 0000000..2f1d5e6 --- /dev/null +++ b/scripts/ca-p12-create.sh 
@@ -0,0 +1,19 @@
+#!/bin/sh -x
+
+rm -rf /tmp/ca.p12
+rm -rf /tmp/external.crt
+rm -rf /tmp/ca_signing.csr
+rm -rf /tmp/ca_ocsp_signing.csr
+rm -rf /tmp/ca_audit_signing.csr
+rm -rf /tmp/sslserver.csr
+rm -rf /tmp/subsystem.csr
+
+/bin/cp ca.p12 /tmp
+/bin/cp external.crt /tmp
+/bin/cp ca_signing.csr /tmp
+/bin/cp ca_ocsp_signing.csr /tmp
+/bin/cp ca_audit_signing.csr /tmp
+/bin/cp sslserver.csr /tmp
+/bin/cp subsystem.csr /tmp
+
+pkispawn -v -f ca-p12.cfg -s CA
diff --git a/scripts/ca-p12-export.sh b/scripts/ca-p12-export.sh
new file mode 100755
index 0000000..ecbec57
--- /dev/null
+++ b/scripts/ca-p12-export.sh
@@ -0,0 +1,64 @@ +#!/bin/sh -x + +rm -rf ca.p12 +rm -rf ca_signing.csr +rm -rf ca_ocsp_signing.csr +rm -rf sslserver.csr +rm -rf subsystem.csr +rm -rf ca_audit_signing.csr + +#grep internal= /var/lib/pki/pki-tomcat/conf/password.conf | awk -F= '{print $2;}' > internal.txt +#PKCS12Export -d /var/lib/pki/pki-tomcat/alias -p internal.txt -o ca.p12 -w password.txt + +#echo "-----BEGIN NEW CERTIFICATE REQUEST-----" > ca_signing.csr +#grep ca.signing.certreq /var/lib/pki/pki-tomcat/ca/conf/CS.cfg | awk -F= '{print $2;}' >> ca_signing.csr +#echo "-----END NEW CERTIFICATE REQUEST-----" >> ca_signing.csr + +#echo "-----BEGIN NEW CERTIFICATE REQUEST-----" > ca_ocsp_signing.csr +#sed -n "/^ca.ocsp_signing.certreq=/ s/^[^=]*=// p" < /var/lib/pki/pki-tomcat/ca/conf/CS.cfg >> ca_ocsp_signing.csr +#echo "-----END NEW CERTIFICATE REQUEST-----" >> ca_ocsp_signing.csr + +#echo "-----BEGIN NEW CERTIFICATE REQUEST-----" > sslserver.csr +#sed -n "/^ca.sslserver.certreq=/ s/^[^=]*=// p" < /var/lib/pki/pki-tomcat/ca/conf/CS.cfg >> sslserver.csr +#echo "-----END NEW CERTIFICATE REQUEST-----" >> sslserver.csr + +#echo "-----BEGIN NEW CERTIFICATE REQUEST-----" > subsystem.csr +#sed -n "/^ca.subsystem.certreq=/ s/^[^=]*=// p" < /var/lib/pki/pki-tomcat/ca/conf/CS.cfg >> subsystem.csr +#echo "-----END NEW CERTIFICATE REQUEST-----" >> subsystem.csr + +#echo "-----BEGIN NEW CERTIFICATE REQUEST-----" > ca_audit_signing.csr +#sed -n "/^ca.audit_signing.certreq=/ s/^[^=]*=// p" < /var/lib/pki/pki-tomcat/ca/conf/CS.cfg >> ca_audit_signing.csr +#echo "-----END NEW CERTIFICATE REQUEST-----" >> ca_audit_signing.csr + +pki-server subsystem-cert-export ca signing \ + --csr-file ca_signing.csr \ + --pkcs12-file ca.p12 \ + --pkcs12-password-file password.txt + +pki-server subsystem-cert-export ca ocsp_signing \ + --append \ + --csr-file ca_ocsp_signing.csr \ + --pkcs12-file ca.p12 \ + --pkcs12-password-file password.txt + +#pki-server subsystem-cert-export ca sslserver \ +# --append \ +# --csr-file 
sslserver.csr \ +# --pkcs12-file ca.p12 \ +# --pkcs12-password-file password.txt + +pki-server subsystem-cert-export ca subsystem \ + --append \ + --csr-file subsystem.csr \ + --pkcs12-file ca.p12 \ + --pkcs12-password-file password.txt + +pki-server subsystem-cert-export ca audit_signing \ + --append \ + --csr-file ca_audit_signing.csr \ + --pkcs12-file ca.p12 \ + --pkcs12-password-file password.txt + +pki pkcs12-cert-find --pkcs12-file ca.p12 --pkcs12-password-file password.txt +pki pkcs12-key-find --pkcs12-file ca.p12 --pkcs12-password-file password.txt + diff --git a/scripts/ca-remove.sh b/scripts/ca-remove.sh index 2f5640b..d60ebb4 100755 --- a/scripts/ca-remove.sh +++ b/scripts/ca-remove.sh @@ -3,4 +3,4 @@ SRC_DIR=`cd ../.. ; pwd` INSTANCE_NAME=pki-tomcat -pkidestroy -v -s CA -i $INSTANCE_NAME +pkidestroy -s CA -i $INSTANCE_NAME diff --git a/scripts/ca-renew-step1.sh b/scripts/ca-renew-step1.sh new file mode 100755 index 0000000..6c883d8 --- /dev/null +++ b/scripts/ca-renew-step1.sh @@ -0,0 +1,10 @@ +#!/bin/sh -x + +timedatectl set-ntp true --adjust-system-clock + +./pki-nuke.sh pki-tomcat + +./ca-create.sh + +pki-server subsystem-cert-find ca +certutil -L -d /var/lib/pki/pki-tomcat/alias diff --git a/scripts/ca-renew-step2.sh b/scripts/ca-renew-step2.sh new file mode 100755 index 0000000..d957368 --- /dev/null +++ b/scripts/ca-renew-step2.sh 
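Review bot: Line 6 deletes `sslserver.csr` but the only command that regenerates it, the `pki-server subsystem-cert-export ca sslserver` block on lines 44–48, is commented out, while ca-p12-create.sh in this same commit still does `/bin/cp sslserver.csr /tmp`; either restore that export or drop the `rm` and the copy, and a comment saying why sslserver is skipped would save the next reader a search. There is also no `set -e`, so if the first export on lines 33–36 fails the `--append` exports on lines 38–60 presumably still run and produce a `ca.p12` without the signing entry, which the `pkcs12-cert-find` on line 62 then reports without complaint; `set -e` after the shebang is enough here. The resulting `ca.p12` carries the CA signing key, so `chmod 600 ca.p12` after the last export makes its mode independent of what pki-server chooses.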
@@ -0,0 +1,66 @@
+#!/bin/sh -x
+
+timedatectl set-ntp false
+timedatectl set-time 2018-11-26
+
+./tomcat-restart.sh
+
+sleep 5
+
+pki ca-cert-request-submit --profile caManualRenewal --serial 0x2
+pki ca-cert-request-submit --profile caManualRenewal --serial 0x3
+pki ca-cert-request-submit --profile caManualRenewal --serial 0x4
+pki ca-cert-request-submit --profile caManualRenewal --serial 0x5
+
+pki ca-cert-request-submit --profile caManualRenewal --serial 0x6
+
+#pki -U https://$HOSTNAME:8443 \
+# -d ~/.dogtag/pki-tomcat/ca/alias -c Secret.123 -n caadmin client-cert-request \
+# "CN=PKI Administrator,E=caadmin@example.com,OU=pki-tomcat,O=EXAMPLE" \
+# --profile caManualRenewal
+
+pki -d ~/.dogtag/pki-tomcat/ca/alias -n caadmin -c Secret.123 ca-cert-request-review 0x7 --action approve
+pki -d ~/.dogtag/pki-tomcat/ca/alias -n caadmin -c Secret.123 ca-cert-request-review 0x8 --action approve
+pki -d ~/.dogtag/pki-tomcat/ca/alias -n caadmin -c Secret.123 ca-cert-request-review 0x9 --action approve
+pki -d ~/.dogtag/pki-tomcat/ca/alias -n caadmin -c Secret.123 ca-cert-request-review 0xa --action approve
+pki -d ~/.dogtag/pki-tomcat/ca/alias -n caadmin -c Secret.123 ca-cert-request-review 0xb --action approve
+
+pki ca-cert-show 0x7 --output ca_ocsp_signing.crt
+pki ca-cert-show 0x8 --output sslserver.crt
+pki ca-cert-show 0x9 --output subsystem.crt
+pki ca-cert-show 0xa --output ca_audit_signing.crt
+
+pki -d ~/.dogtag/pki-tomcat/ca/alias -c Secret.123 -n caadmin ca-user-cert-add caadmin --serial 0xb
+
+#pki ca-cert-show 0xb --output caadmin.crt
+certutil -D -d ~/.dogtag/pki-tomcat/ca/alias -n caadmin
+pki -d ~/.dogtag/pki-tomcat/ca/alias -c Secret.123 client-cert-import caadmin --serial 0xb
+
+pki -d ~/.dogtag/pki-tomcat/ca/alias -c Secret.123 -n caadmin ca-user-cert-del caadmin "2;6;CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE;CN=PKI Administrator,E=caadmin@example.com,OU=pki-tomcat,O=EXAMPLE"
+
+./tomcat-stop.sh
+
+pki-server subsystem-cert-update ca 
ocsp_signing --cert ca_ocsp_signing.crt --replace
+pki-server subsystem-cert-update ca sslserver --cert sslserver.crt --replace
+pki-server subsystem-cert-update ca subsystem --cert subsystem.crt --replace
+pki-server subsystem-cert-update ca audit_signing --cert ca_audit_signing.crt --replace
+
+#pki-server subsystem-cert-update ca audit_signing --cert ca_audit_signing.crt
+#pki-server subsystem-cert-update ca sslserver --cert sslserver.crt
+#pki-server subsystem-cert-update ca subsystem --cert subsystem.crt
+#pki-server subsystem-cert-update ca audit_signing --cert ca_audit_signing.crt
+
+#certutil -D -d /var/lib/pki/pki-tomcat/alias -n ca_ocsp_signing
+#certutil -D -d /var/lib/pki/pki-tomcat/alias -n sslserver
+#certutil -D -d /var/lib/pki/pki-tomcat/alias -n subsystem
+#certutil -D -d /var/lib/pki/pki-tomcat/alias -n ca_audit_signing
+
+#certutil -A -d /var/lib/pki/pki-tomcat/alias -n ca_ocsp_signing -i ca_ocsp_signing.crt -t "u,u,u"
+#certutil -A -d /var/lib/pki/pki-tomcat/alias -n sslserver -i sslserver.crt -t "u,u,u"
+#certutil -A -d /var/lib/pki/pki-tomcat/alias -n subsystem -i subsystem.crt -t "u,u,u"
+#certutil -A -d /var/lib/pki/pki-tomcat/alias -n ca_audit_signing -i ca_audit_signing.crt -t "u,u,Pu"
+
+./tomcat-start.sh
+
+pki-server subsystem-cert-find ca
+certutil -L -d /var/lib/pki/pki-tomcat/alias
diff --git a/scripts/ca-renew-step3.sh b/scripts/ca-renew-step3.sh
new file mode 100755
index 0000000..ff79eba
--- /dev/null
+++ b/scripts/ca-renew-step3.sh
@@ -0,0 +1,8 @@
+#!/bin/sh -x
+
+timedatectl set-time 2019-01-01
+
+./tomcat-restart.sh
+
+pki-server subsystem-cert-find ca
+certutil -L -d /var/lib/pki/pki-tomcat/alias
diff --git a/scripts/ca-restore.sh b/scripts/ca-restore.sh
new file mode 100755
index 0000000..ca86782
--- /dev/null
+++ b/scripts/ca-restore.sh
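Review bot: Every `pki ... -c Secret.123 ...` call in this file passes the client NSS database password as a command-line argument, and under `#!/bin/sh -x` that value is echoed to the trace and visible in `ps` for as long as each command runs; the pki CLI accepts a password file with `-C` (assuming this version has it), so each of these lines should become e.g. `pki -d ~/.dogtag/pki-tomcat/ca/alias -C client_password.txt -n caadmin ca-cert-request-review 0x7 --action approve`, with the same substitution for the other four review calls, ca-user-cert-add, client-cert-import and ca-user-cert-del. The approvals are also blind: `ca-cert-request-review 0x7` through `0xb` approve whatever is pending, and `pki ca-cert-show 0x7` through `0xa` assume the issued serial equals the request ID, which only holds on a freshly created instance with no intervening requests, so a comment above the first review call stating that assumption would save the next reader a puzzling failure. Note as well that `timedatectl set-ntp false` and `set-time 2018-11-26` change the clock of the whole host and nothing in this file undoes that.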
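Review bot: `timedatectl set-time 2019-01-01` moves the clock again while NTP is still disabled by ca-renew-step2.sh, and nothing here re-enables it, so the host keeps a fake date until ca-renew-step1.sh is run once more; either a closing `timedatectl set-ntp true` after the final listing, or a header comment such as `# clock stays faked until ca-renew-step1.sh re-enables NTP`, would make the intended lifecycle explicit.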
@@ -0,0 +1,18 @@
+#!/bin/sh -x
+
+rm -rf /tmp/ca.p12
+rm -rf /tmp/ca_signing.csr
+
+/bin/cp ca.p12 /tmp
+/bin/cp ca_signing.csr /tmp
+
+pkispawn -vv -f ca-restore.cfg -s CA --stop-at configuration
+#systemctl start pki-tomcatd@pki-tomcat.service
+#sleep 5
+pkispawn -vv -f ca-restore.cfg -s CA --start-from finalization
+
+/bin/cp /root/.dogtag/pki-tomcat/ca_admin.cert .
+/bin/cp /root/.dogtag/pki-tomcat/ca_admin_cert.p12 .
+/bin/cp /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf ca_admin_cert.txt
+/bin/cp /var/lib/pki/pki-tomcat/alias/ca_backup_keys.p12 .
+echo $HOSTNAME > master.txt
diff --git a/scripts/ca-ssl-create.sh b/scripts/ca-ssl-create.sh
new file mode 100755
index 0000000..eb05421
--- /dev/null
+++ b/scripts/ca-ssl-create.sh
@@ -0,0 +1,8 @@
+#!/bin/sh -x
+
+pkispawn -vv -f ca-ssl.cfg -s CA
+
+/bin/cp /root/.dogtag/pki-tomcat/ca_admin.cert .
+/bin/cp /root/.dogtag/pki-tomcat/ca_admin_cert.p12 .
+/bin/cp /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf ca_admin_cert.txt
+echo $HOSTNAME > master.txt
diff --git a/scripts/ca-step1.sh b/scripts/ca-step1.sh
new file mode 100755
index 0000000..77487cf
--- /dev/null
+++ b/scripts/ca-step1.sh
@@ -0,0 +1,5 @@
+#!/bin/sh -x
+
+#pkispawn -v -f ca-step1.cfg -s CA
+pkispawn -v -f ca.cfg -s CA --skip-configuration
+#pkispawn -v -f ca.cfg -s CA --stop-at configuration
diff --git a/scripts/ca-step2.sh b/scripts/ca-step2.sh
new file mode 100755
index 0000000..2112391
--- /dev/null
+++ b/scripts/ca-step2.sh
@@ -0,0 +1,5 @@
+#!/bin/sh -x
+
+#pkispawn -v -f ca-step2.cfg -s CA
+pkispawn -v -f ca.cfg -s CA --skip-installation
+#pkispawn -v -f ca.cfg -s CA --start-from configuration
diff --git a/scripts/ca-sub-create.sh b/scripts/ca-sub-create.sh
new file mode 100755
index 0000000..049fce8
--- /dev/null
+++ b/scripts/ca-sub-create.sh
@@ -0,0 +1,3 @@
+#!/bin/sh -x
+
+pkispawn -v -f ca-sub.cfg -s CA
diff --git a/scripts/ca-sub-lunasa-create.sh b/scripts/ca-sub-lunasa-create.sh
new file mode 100755
index 0000000..58489c4
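Review bot: `/bin/cp ca.p12 /tmp` puts the PKCS#12 produced by ca-p12-export.sh, which contains the CA signing key, at a fixed and predictable path in a world-writable directory with whatever mode the source file and the caller's umask yield, and nothing removes it after the two pkispawn runs; the preceding `rm -rf /tmp/ca.p12` does not protect against a file or symlink pre-created there by another local user. Presumably ca-restore.cfg points pki_pkcs12_path at /tmp/ca.p12 (the config is not in this diff), so I would at least copy with `install -m 600 ca.p12 /tmp/ca.p12` and `install -m 600 ca_signing.csr /tmp/ca_signing.csr` and delete both after the second pkispawn, or better have the config reference the files in the working directory. The later copy of `/var/lib/pki/pki-tomcat/alias/ca_backup_keys.p12` into the working directory has the same exposure and argues for `umask 077` at the top of the script.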
--- /dev/null
+++ b/scripts/ca-sub-lunasa-create.sh
@@ -0,0 +1,3 @@
+#!/bin/sh -x
+
+pkispawn -v -f ca-sub-lunasa.cfg -s CA
diff --git a/scripts/ca-sub-nfast-step1.sh b/scripts/ca-sub-nfast-step1.sh
new file mode 100755
index 0000000..022329a
--- /dev/null
+++ b/scripts/ca-sub-nfast-step1.sh
@@ -0,0 +1,3 @@
+#!/bin/sh -x
+
+pkispawn -v -f ca-sub-nfast.cfg -s CA --skip-configuration
diff --git a/scripts/ca-sub-nfast-step2.sh b/scripts/ca-sub-nfast-step2.sh
new file mode 100755
index 0000000..2d90471
--- /dev/null
+++ b/scripts/ca-sub-nfast-step2.sh
@@ -0,0 +1,3 @@
+#!/bin/sh -x
+
+pkispawn -vv -f ca-sub-nfast.cfg -s CA --skip-installation
diff --git a/scripts/ca-sub-nfast.sh b/scripts/ca-sub-nfast.sh
new file mode 100755
index 0000000..341e4e1
--- /dev/null
+++ b/scripts/ca-sub-nfast.sh
@@ -0,0 +1,3 @@
+#!/bin/sh -x
+
+pkispawn -v -f ca-sub-nfast.cfg -s CA
diff --git a/scripts/ca-sub-remove.sh b/scripts/ca-sub-remove.sh
new file mode 100755
index 0000000..d60ebb4
--- /dev/null
+++ b/scripts/ca-sub-remove.sh
@@ -0,0 +1,6 @@
+#!/bin/sh
+
+SRC_DIR=`cd ../.. ; pwd`
+INSTANCE_NAME=pki-tomcat
+
+pkidestroy -s CA -i $INSTANCE_NAME
diff --git a/scripts/ca-sub-step1.sh b/scripts/ca-sub-step1.sh
new file mode 100755
index 0000000..8f70b90
--- /dev/null
+++ b/scripts/ca-sub-step1.sh
@@ -0,0 +1,3 @@
+#!/bin/sh -x
+
+pkispawn -v -f ca-sub.cfg -s CA --skip-configuration
diff --git a/scripts/ca-sub-step2.sh b/scripts/ca-sub-step2.sh
new file mode 100755
index 0000000..3c8ce44
--- /dev/null
+++ b/scripts/ca-sub-step2.sh
@@ -0,0 +1,3 @@
+#!/bin/sh -x
+
+pkispawn -vv -f ca-sub.cfg -s CA --skip-installation
diff --git a/scripts/ca-tomcat7-create.sh b/scripts/ca-tomcat7-create.sh
new file mode 100755
index 0000000..cfb67c2
--- /dev/null
+++ b/scripts/ca-tomcat7-create.sh
@@ -0,0 +1,39 @@
+#!/bin/sh -x
+
+cat > ca-tomcat7.cfg < ca-tomcat8.cfg < ca-tomcat85.cfg < ca_signing.csr
+#cat ca_signing.csr.pem >> ca_signing.csr
+#echo "-----END NEW CERTIFICATE REQUEST-----" >> ca_signing.csr
+
+rm ca_signing.csr.der
+#rm ca_signing.csr.pem
+
+openssl req -text -noout -in ca_signing.csr
diff --git a/scripts/caext-create.sh b/scripts/caext-create.sh
new file mode 100755
index 0000000..c5ee8a8
--- /dev/null
+++ b/scripts/caext-create.sh
@@ -0,0 +1,3 @@
+#!/bin/sh -x
+
+pkispawn -f caext.cfg -s CA
diff --git a/scripts/caext-remove.sh b/scripts/caext-remove.sh
new file mode 100755
index 0000000..4e5cd07
--- /dev/null
+++ b/scripts/caext-remove.sh
@@ -0,0 +1,6 @@
+#!/bin/sh
+
+SRC_DIR=`cd ../.. ; pwd`
+INSTANCE_NAME=pki-external
+
+pkidestroy -s CA -i $INSTANCE_NAME
diff --git a/scripts/cassl-create.sh b/scripts/cassl-create.sh
new file mode 100755
index 0000000..1ea5811
--- /dev/null
+++ b/scripts/cassl-create.sh
@@ -0,0 +1,8 @@
+#!/bin/sh -x
+
+pkispawn -vv -f cassl.cfg -s CA
+
+/bin/cp /root/.dogtag/pki-tomcat/ca_admin.cert .
+/bin/cp /root/.dogtag/pki-tomcat/ca_admin_cert.p12 .
+/bin/cp /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf ca_admin_cert.txt
+echo $HOSTNAME > master.txt
-- 
cgit
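Review bot: The last three `/bin/cp` lines place the admin PKCS#12 and the file holding its password (`pkcs12_password.conf`, copied as ca_admin_cert.txt) side by side in the working directory under the caller's default umask, so one readable directory yields both the key bundle and the password to open it; `umask 077` right after the shebang keeps the copies owner-only. The same copy block appears in ca-ssl-create.sh and ca-restore.sh in this commit, so the fix should be applied consistently. Separately, `$HOSTNAME` is a variable bash sets but dash does not, so where /bin/sh is not bash `echo $HOSTNAME > master.txt` may write an empty file; `hostname > master.txt` removes the dependency.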