From 7afd94fdcde2a17f88064ebae9e244c987150a04 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata"
Date: Fri, 20 Oct 2017 21:35:47 +0200
Subject: Updated root scripts.

---
 scripts/root-admin-init.sh | 13 ------
 scripts/root-ca-create.sh | 35 ----------------
 scripts/root-kra-create.sh | 41 +++++++++++++++++++
 scripts/root-openssl-create.sh | 81 ++++++++++++++++++++++++++++++++++++++
 scripts/root-openssl-subca-sign.sh | 24 +++++++++++
 scripts/rootca-admin-init.sh | 13 ++++++
 scripts/rootca-create.sh | 37 +++++++++++++++++
 7 files changed, 196 insertions(+), 48 deletions(-)
 delete mode 100755 scripts/root-admin-init.sh
 delete mode 100755 scripts/root-ca-create.sh
 create mode 100755 scripts/root-kra-create.sh
 create mode 100755 scripts/root-openssl-create.sh
 create mode 100755 scripts/root-openssl-subca-sign.sh
 create mode 100755 scripts/rootca-admin-init.sh
 create mode 100755 scripts/rootca-create.sh

diff --git a/scripts/root-admin-init.sh b/scripts/root-admin-init.sh
deleted file mode 100755
index f30990f..0000000
--- a/scripts/root-admin-init.sh
+++ /dev/null
@@ -1,13 +0,0 @@
-#!/bin/sh
-
-pki -c Secret.123 client-init --force
-
-pki -c Secret.123 client-cert-import "Root CA Signing Certificate" --ca-server
-
-pki -c Secret.123 client-cert-import \
- --pkcs12 ~/.dogtag/pki-tomcat/ca_admin_cert.p12 \
- --pkcs12-password Secret.123
-
-#pki -c Secret.123 pkcs12-import \
-# --pkcs12-file ~/.dogtag/pki-tomcat/ca_admin_cert.p12 \
-# --pkcs12-password Secret.123
diff --git a/scripts/root-ca-create.sh b/scripts/root-ca-create.sh
deleted file mode 100755
index bf2cea6..0000000
--- a/scripts/root-ca-create.sh
+++ /dev/null
@@ -1,35 +0,0 @@
-#!/bin/sh -x
-
-mkdir -p tmp
-
-cat > tmp/root-ca.cfg << EOF
-[CA]
-pki_admin_email=caadmin@example.com
-pki_admin_name=caadmin
-pki_admin_nickname=caadmin
-pki_admin_password=Secret.123
-pki_admin_uid=caadmin
-
-#pki_client_database_password=Secret.123
-#pki_client_database_purge=False
-pki_client_pkcs12_password=Secret.123
-
-pki_ds_base_dn=dc=ca,dc=pki,dc=example,dc=com
-pki_ds_password=Secret.123
-pki_ds_database=ca
-
-pki_security_domain_name=ROOT
-
-#pki_server_pkcs12_path=pki-server.p12
-#pki_server_pkcs12_password=Secret.123
-
-pki_ca_signing_nickname=ca_signing
-pki_ca_signing_subject_dn=cn=Root CA Signing Certificate,ou=%(pki_instance_name)s,o=%(pki_security_domain_name)s
-
-pki_ocsp_signing_nickname=ca_ocsp_signing
-pki_audit_signing_nickname=ca_audit_signing
-pki_ssl_server_nickname=sslserver
-pki_subsystem_nickname=subsystem
-EOF
-
-pkispawn -vv -f tmp/root-ca.cfg -s CA
diff --git a/scripts/root-kra-create.sh b/scripts/root-kra-create.sh
new file mode 100755
index 0000000..196b413
--- /dev/null
+++ b/scripts/root-kra-create.sh
@@ -0,0 +1,41 @@
+#!/bin/sh -x
+
+mkdir -p tmp
+
+cat > tmp/root-kra.cfg << EOF
+[DEFAULT]
+pki_pin=Secret.123
+
+[KRA]
+pki_admin_cert_file=/root/.dogtag/pki-tomcat/ca_admin.cert
+#pki_import_admin_cert=False
+#pki_import_admin_pkcs12_file=/root/.dogtag/pki-tomcat/ca_admin_cert.p12
+#pki_import_admin_pkcs12_password=Secret.123
+#pki_import_admin_pkcs12_nickname=caadmin
+
+pki_admin_email=kraadmin@example.com
+pki_admin_name=kraadmin
+pki_admin_nickname=kraadmin
+pki_admin_password=Secret.123
+pki_admin_uid=kraadmin
+
+pki_client_database_password=Secret.123
+#pki_client_database_purge=False
+pki_client_pkcs12_password=Secret.123
+
+pki_ds_base_dn=dc=kra,dc=pki,dc=example,dc=com
+pki_ds_password=Secret.123
+pki_ds_database=kra
+
+pki_security_domain_name=ROOT
+pki_security_domain_user=caadmin
+pki_security_domain_password=Secret.123
+
+pki_storage_nickname=kra_storage
+pki_transport_nickname=kra_transport
+pki_audit_signing_nickname=kra_audit_signing
+pki_sslserver_nickname=sslserver
+pki_subsystem_nickname=subsystem
+EOF
+
+pkispawn -f tmp/root-kra.cfg -s KRA
diff --git a/scripts/root-openssl-create.sh b/scripts/root-openssl-create.sh
new file mode 100755
index 0000000..a2a71a0
--- /dev/null
+++ b/scripts/root-openssl-create.sh
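Review bot: `tmp/root-kra.cfg` holds the directory-server, admin and security-domain passwords (`pki_security_domain_password=Secret.123` is the root CA's caadmin credential), but it is created under whatever umask the caller happens to have and is left behind after `pkispawn` finishes. Adding `umask 077` before `mkdir -p tmp`, or `chmod 600 tmp/root-kra.cfg` just before the `pkispawn -f tmp/root-kra.cfg -s KRA` line, keeps the file private to the invoking user; deleting it after a successful spawn would be better still. The `Secret.123`/`example.com` values suggest a test fixture, so this mostly matters if the script is ever copied into a real deployment. Separately, `pki_admin_cert_file=/root/.dogtag/pki-tomcat/ca_admin.cert` hard-codes `/root` while rootca-admin-init.sh reaches the same directory through `~`; `pki_admin_cert_file=$HOME/.dogtag/pki-tomcat/ca_admin.cert` (the heredoc is unquoted, so it expands) keeps the two consistent.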
@@ -0,0 +1,81 @@
+#!/bin/sh
+
+mkdir -p tmp
+
+cat > tmp/root.cfg << EOF
+HOME = tmp
+RANDFILE = ${ENV::HOME}/random.bin
+
+####################################################################
+[ ca ]
+default_ca = CA_default # The default ca section
+
+[ CA_default ]
+
+default_days = 1000 # how long to certify for
+default_crl_days = 30 # how long before next CRL
+default_md = sha256 # use public key default MD
+preserve = no # keep passed DN ordering
+
+x509_extensions = ca_extensions # The extensions to add to the cert
+
+email_in_dn = no # Don't concat the email in the DN
+copy_extensions = copy # Required to copy SANs from CSR to cert
+
+####################################################################
+[ req ]
+default_bits = 4096
+default_keyfile = tmp/external.key
+distinguished_name = ca_distinguished_name
+x509_extensions = ca_extensions
+string_mask = utf8only
+
+####################################################################
+[ ca_distinguished_name ]
+countryName = Country Name (2 letter code)
+countryName_default = US
+
+stateOrProvinceName = State or Province Name (full name)
+stateOrProvinceName_default = Maryland
+
+localityName = Locality Name (eg, city)
+localityName_default = Baltimore
+
+organizationName = Organization Name (eg, company)
+organizationName_default = Test CA, Limited
+
+organizationalUnitName = Organizational Unit (eg, division)
+organizationalUnitName_default = Server Research Department
+
+commonName = Common Name (e.g. 
server FQDN or YOUR name)
+commonName_default = Test CA
+
+emailAddress = Email Address
+emailAddress_default = test@example.com
+
+####################################################################
+[ ca_extensions ]
+
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always, issuer
+basicConstraints = critical, CA:true
+keyUsage = critical, digitalSignature, nonRepudiation, keyCertSign, cRLSign
+EOF
+
+openssl req \
+ -config tmp/root.cfg \
+ -newkey rsa:2048 \
+ -keyout tmp/root.key \
+ -nodes -x509 \
+ -out tmp/root.crt \
+ -subj "/O=ROOT/CN=Root CA Signing Certificate" \
+ -days 365
+
+openssl x509 -text -noout -in tmp/root.crt
+
+openssl crl2pkcs7 \
+ -nocrl \
+ -certfile tmp/root.crt \
+ -out tmp/cert_chain.p7b
+
+echo $HOSTNAME > tmp/root.txt
diff --git a/scripts/root-openssl-subca-sign.sh b/scripts/root-openssl-subca-sign.sh
new file mode 100755
index 0000000..693371c
--- /dev/null
+++ b/scripts/root-openssl-subca-sign.sh
@@ -0,0 +1,24 @@
+#!/bin/sh
+
+mkdir -p tmp
+
+cat > tmp/ca_signing-ext.cfg << EOF
+[ ca_extensions ]
+
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always, issuer
+basicConstraints = critical, CA:true
+keyUsage = critical, digitalSignature, nonRepudiation, keyCertSign, cRLSign
+EOF
+
+openssl x509 -req \
+ -CA tmp/root.crt \
+ -CAkey tmp/root.key \
+ -CAcreateserial \
+ -in tmp/ca_signing.csr \
+ -out tmp/ca_signing.crt \
+ -extfile tmp/ca_signing-ext.cfg \
+ -extensions ca_extensions \
+ -set_serial 1
+
+openssl x509 -text -noout -in tmp/ca_signing.crt
diff --git a/scripts/rootca-admin-init.sh b/scripts/rootca-admin-init.sh
new file mode 100755
index 0000000..f30990f
--- /dev/null
+++ b/scripts/rootca-admin-init.sh
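Review bot: The heredoc that writes `tmp/root.cfg` uses an unquoted `EOF` delimiter, so `RANDFILE = ${ENV::HOME}/random.bin` is expanded by the shell instead of reaching OpenSSL literally; depending on which `/bin/sh` runs the script that is either a bad-substitution error or a bash substring expansion of `$ENV`, and neither produces the intended path, and because nothing checks `cat`'s status the following `openssl req -config tmp/root.cfg` then runs against a missing or truncated config. Escaping it as `RANDFILE = \${ENV::HOME}/random.bin`, or quoting the delimiter with `cat > tmp/root.cfg << 'EOF'` (nothing else in that heredoc needs shell expansion), fixes it. Worth a comment as well: `-newkey rsa:2048` and `-days 365` on the command line override the `default_bits = 4096` and `default_days = 1000` written into the config, so the root that actually gets created is a 2048-bit, one-year certificate, and it is not obvious which of the two settings is the intended one. `-nodes` also leaves `tmp/root.key` unencrypted under the caller's umask, so a `umask 077` after the shebang is cheap insurance even for a test root.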
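Review bot: `-set_serial 1` on the `openssl x509 -req` call takes precedence over `-CAcreateserial`, so every sub-CA certificate signed with this script carries serial number 1 under the same issuer and the `tmp/root.srl` file that `-CAcreateserial` creates is never consulted; drop the `-set_serial 1 \` line (or drop `-CAcreateserial` and pass a distinct serial per run) so serials stay unique per issuer. The call also passes no `-days`, and `openssl x509 -req` defaults to 30 days, so the signed CA certificate expires a month after issuance; add something like `-days 365 \` after `-out tmp/ca_signing.crt \`. `tmp/ca_signing.csr` is not produced by anything in this commit, presumably it comes from a pkispawn external-CA step; a one-line comment above the `openssl x509 -req` call saying where the CSR comes from would help the next reader.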
@@ -0,0 +1,13 @@
+#!/bin/sh
+
+pki -c Secret.123 client-init --force
+
+pki -c Secret.123 client-cert-import "Root CA Signing Certificate" --ca-server
+
+pki -c Secret.123 client-cert-import \
+ --pkcs12 ~/.dogtag/pki-tomcat/ca_admin_cert.p12 \
+ --pkcs12-password Secret.123
+
+#pki -c Secret.123 pkcs12-import \
+# --pkcs12-file ~/.dogtag/pki-tomcat/ca_admin_cert.p12 \
+# --pkcs12-password Secret.123
diff --git a/scripts/rootca-create.sh b/scripts/rootca-create.sh
new file mode 100755
index 0000000..62506ff
--- /dev/null
+++ b/scripts/rootca-create.sh
@@ -0,0 +1,37 @@
+#!/bin/sh -x
+
+mkdir -p tmp
+
+cat > tmp/rootca.cfg << EOF
+[DEFAULT]
+pki_pin=Secret.123
+
+[CA]
+pki_admin_email=caadmin@example.com
+pki_admin_name=caadmin
+pki_admin_nickname=caadmin
+pki_admin_password=Secret.123
+pki_admin_uid=caadmin
+
+pki_client_database_password=Secret.123
+#pki_client_database_purge=False
+pki_client_pkcs12_password=Secret.123
+
+pki_ds_base_dn=dc=ca,dc=pki,dc=example,dc=com
+pki_ds_password=Secret.123
+pki_ds_database=ca
+
+pki_security_domain_name=ROOT
+
+pki_ca_signing_nickname=ca_signing
+pki_ca_signing_subject_dn=cn=Root CA Signing Certificate,o=ROOT
+
+pki_ocsp_signing_nickname=ca_ocsp_signing
+pki_audit_signing_nickname=ca_audit_signing
+pki_sslserver_nickname=sslserver
+pki_subsystem_nickname=subsystem
+EOF
+
+pkispawn -f tmp/rootca.cfg -s CA
+
+echo $HOSTNAME > tmp/rootca.txt
-- 
cgit
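Review bot: `tmp/rootca.cfg` carries `pki_pin`, `pki_admin_password`, `pki_ds_password` and the client PKCS#12 password, yet it is written under the caller's umask and stays on disk after `pkispawn` returns; a `umask 077` before `mkdir -p tmp` (or `chmod 600 tmp/rootca.cfg` before the `pkispawn -f tmp/rootca.cfg -s CA` line) keeps those secrets readable only by the invoking user. The `Secret.123`/`example.com` values suggest a test fixture, which is fine as long as the script is never reused for a real security domain. Separately, `echo $HOSTNAME > tmp/rootca.txt` depends on a variable that bash sets but a POSIX `/bin/sh` such as dash does not, so the file can come out empty on some hosts; `hostname > tmp/rootca.txt` is portable, and the same applies to the `tmp/root.txt` line in root-openssl-create.sh.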