From 8dd424c1f7e4ea2b8a21eb186d2ce7e75588e949 Mon Sep 17 00:00:00 2001 From: "Endi S. Dewata" Date: Fri, 20 Oct 2017 21:19:31 +0200 Subject: Updated KRA scripts. --- scripts/kra-create.sh | 22 ++++++++--- scripts/kra-external-step1.sh | 60 ++++++++++++++++++++++++++++++ scripts/kra-external-step2.sh | 70 +++++++++++++++++++++++++++++++++++ scripts/kra-remote-create.sh | 54 +++++++++++++++++++++++++-- scripts/kra-remote-remove.sh | 4 +- scripts/kra-standalone-step1.sh | 32 ++++++++-------- scripts/kra-standalone-step2.sh | 36 +++++++++--------- scripts/kra_admin-cmc-sign.sh | 3 +- scripts/kra_audit_signing-cmc-sign.sh | 3 +- scripts/kra_storage-cmc-sign.sh | 3 +- scripts/kra_transport-cmc-sign.sh | 3 +- 11 files changed, 241 insertions(+), 49 deletions(-) create mode 100755 scripts/kra-external-step1.sh create mode 100755 scripts/kra-external-step2.sh diff --git a/scripts/kra-create.sh b/scripts/kra-create.sh index 60e0662..09b9a93 100755 --- a/scripts/kra-create.sh +++ b/scripts/kra-create.sh @@ -2,17 +2,26 @@ mkdir -p tmp +CA_HOSTNAME=`cat tmp/ca.hostname` + cat > tmp/kra.cfg << EOF [DEFAULT] pki_pin=Secret.123 [KRA] +#pki_admin_cert_file=/root/.dogtag/pki-tomcat/ca_admin.cert + #pki_import_admin_cert=False +#pki_import_admin_pkcs12_file=/root/.dogtag/pki-tomcat/ca_admin_cert.p12 +#pki_import_admin_pkcs12_password=Secret.123 +#pki_import_admin_pkcs12_nickname=caadmin -#pki_admin_cert_file=/root/.dogtag/pki-tomcat/ca_admin.cert -pki_import_admin_pkcs12_file=/root/.dogtag/pki-tomcat/ca_admin_cert.p12 -pki_import_admin_pkcs12_password=Secret.123 -pki_import_admin_pkcs12_nickname=caadmin +pki_import_admin_cert=False +pki_admin_email=kraadmin@example.com +pki_admin_name=kraadmin +pki_admin_nickname=kraadmin +pki_admin_password=Secret.123 +pki_admin_uid=kraadmin pki_admin_email=kraadmin@example.com pki_admin_name=kraadmin 
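Review bot: The added `+pki_admin_email=kraadmin@example.com` and `+pki_admin_name=kraadmin` lines duplicate the `pki_admin_email` and `pki_admin_name` context lines that remain immediately below them in the [KRA] section (and presumably the nickname/password/uid keys that follow outside the hunk), so the generated tmp/kra.cfg carries each key twice; drop the added copies or remove the old ones so the file has a single value per key. Separately, `CA_HOSTNAME=\`cat tmp/ca.hostname\`` yields an empty string when the file is missing and nothing aborts the script, so the second hunk's `pki_security_domain_hostname=$CA_HOSTNAME` is then written empty; `CA_HOSTNAME=$(cat tmp/ca.hostname) || exit 1` followed by `: "${CA_HOSTNAME:?tmp/ca.hostname is empty}"` fails early with a message. The same unchecked read appears in the new kra-external-step1.sh, kra-external-step2.sh and kra-remote-create.sh hunks. The shebang of kra-create.sh is outside this hunk.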
@@ -36,15 +45,15 @@ pki_client_pkcs12_password=Secret.123 pki_ds_base_dn=dc=kra,dc=pki,dc=example,dc=com pki_ds_password=Secret.123 -#pki_ds_database=userRoot -#pki_ds_database=pki pki_ds_database=kra #pki_ds_create_new_db=False #pki_ds_remove_data=False +pki_security_domain_hostname=$CA_HOSTNAME pki_security_domain_name=EXAMPLE pki_security_domain_user=caadmin pki_security_domain_password=Secret.123 + #pki_token_password=Secret.123 #pki_share_db=False @@ -58,3 +67,4 @@ EOF pkispawn -f tmp/kra.cfg -s KRA #/bin/cp /var/lib/pki/pki-tomcat/alias/kra_backup_keys.p12 . +echo $HOSTNAME > tmp/kra.hostname diff --git a/scripts/kra-external-step1.sh b/scripts/kra-external-step1.sh new file mode 100755 index 0000000..8c2157f --- /dev/null +++ b/scripts/kra-external-step1.sh 
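Review bot: `echo $HOSTNAME > tmp/kra.hostname` runs even when the preceding `pkispawn -f tmp/kra.cfg -s KRA` fails, so a failed install still leaves a kra.hostname marker that later scripts will trust the way the other hunks trust tmp/ca.hostname; `pkispawn -f tmp/kra.cfg -s KRA || exit 1` ties the marker to a successful spawn. `HOSTNAME` is also a shell-provided variable the script never sets; under a non-bash /bin/sh it may be unset and the file would be empty, so `hostname > tmp/kra.hostname` (or at least `printf '%s\n' "$HOSTNAME" > tmp/kra.hostname`) is the safer form. The shebang of kra-create.sh is outside the hunk, so which shell runs it is not visible here.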
@@ -0,0 +1,60 @@ +#!/bin/sh -x + +mkdir -p tmp + +CA_HOSTNAME=`cat tmp/ca.hostname` + +cat > tmp/kra-external-step1.cfg << EOF +[DEFAULT] +pki_pin=Secret.123 + +[KRA] +pki_admin_email=kraadmin@example.com +pki_admin_name=kraadmin +pki_admin_nickname=kraadmin +pki_admin_password=Secret.123 +pki_admin_uid=kraadmin + +#pki_backup_keys=True +#pki_backup_password=Secret.123 + +pki_client_database_password=Secret.123 +pki_client_database_purge=False +pki_client_pkcs12_password=Secret.123 + +pki_ds_base_dn=dc=kra,dc=pki,dc=example,dc=com +pki_ds_password=Secret.123 +pki_ds_database=kra + +pki_security_domain_hostname=$CA_HOSTNAME +pki_security_domain_name=EXAMPLE +pki_security_domain_user=caadmin +pki_security_domain_password=Secret.123 + +pki_token_password=Secret.123 + +pki_external=True +pki_external_step_two=False + +pki_storage_nickname=kra_storage +pki_transport_nickname=kra_transport +pki_audit_signing_nickname=kra_audit_signing +pki_sslserver_nickname=sslserver +pki_subsystem_nickname=subsystem + +#pki_external_storage_csr_path=tmp/kra_storage.csr +#pki_external_transport_csr_path=tmp/kra_transport.csr +#pki_external_subsystem_csr_path=tmp/subsystem.csr +#pki_external_sslserver_csr_path=tmp/sslserver.csr +#pki_external_audit_signing_csr_path=tmp/kra_audit_signing.csr +#pki_external_admin_csr_path=tmp/kra_admin.csr + +pki_storage_csr_path=tmp/kra_storage.csr +pki_transport_csr_path=tmp/kra_transport.csr +pki_subsystem_csr_path=tmp/subsystem.csr +pki_sslserver_csr_path=tmp/sslserver.csr +pki_audit_signing_csr_path=tmp/kra_audit_signing.csr +pki_admin_csr_path=tmp/kra_admin.csr +EOF + +pkispawn -f tmp/kra-external-step1.cfg -s KRA diff --git a/scripts/kra-external-step2.sh b/scripts/kra-external-step2.sh new file mode 100755 index 0000000..628986e --- /dev/null +++ b/scripts/kra-external-step2.sh 
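Review bot: tmp/kra-external-step1.cfg is created with the caller's default umask although it holds `pki_admin_password`, `pki_ds_password`, `pki_token_password` and the client database/PKCS#12 passwords in clear; an `umask 077` before `cat > tmp/kra-external-step1.cfg << EOF` (or a `chmod 600 tmp/kra-external-step1.cfg` right after) keeps the file owner-readable only, and the kra-external-step2.sh and kra-remote-create.sh hunks write equivalent files and would take the same line. The six commented `#pki_external_*_csr_path=` lines are kept alongside the six active `pki_*_csr_path=` lines with no explanation, and the kra-external-step2.sh and kra-standalone-step1/step2.sh hunks repeat that pattern; a one-line comment such as `# pki_external_*_csr_path is the older spelling of pki_*_csr_path; keep only the one your pkispawn accepts` would tell the next reader why both sets exist. The values look like fixed test-fixture credentials, so the umask point is a hardening note rather than a blocker.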
@@ -0,0 +1,70 @@ +#!/bin/sh -x + +mkdir -p tmp + +CA_HOSTNAME=`cat tmp/ca.hostname` + +cat > tmp/kra-external-step2.cfg << EOF +[DEFAULT] +pki_pin=Secret.123 + +[KRA] +pki_admin_email=kraadmin@example.com +pki_admin_name=kraadmin +pki_admin_nickname=kraadmin +pki_admin_password=Secret.123 +pki_admin_uid=kraadmin + +#pki_backup_keys=True +#pki_backup_password=Secret.123 + +pki_client_database_password=Secret.123 +pki_client_database_purge=False +pki_client_pkcs12_password=Secret.123 + +pki_ds_base_dn=dc=kra,dc=pki,dc=example,dc=com +pki_ds_password=Secret.123 +pki_ds_database=kra + +pki_security_domain_hostname=$CA_HOSTNAME +pki_security_domain_name=EXAMPLE +pki_security_domain_user=caadmin +pki_security_domain_password=Secret.123 + +pki_token_password=Secret.123 + +pki_external=True +pki_external_step_two=True + +#pki_cert_chain_nickname=External CA + +#pki_cert_chain_path=tmp/cert_chain.p7b +#pki_cert_chain_path=tmp/external.crt + +#pki_ca_signing_nickname=ca_signing + +#pki_external_ca_signing_cert_path=tmp/ca_signing.crt +#pki_ca_signing_cert_path=tmp/ca_signing.crt + +pki_storage_nickname=kra_storage +pki_transport_nickname=kra_transport +pki_audit_signing_nickname=kra_audit_signing +pki_sslserver_nickname=sslserver +pki_subsystem_nickname=subsystem + +#pki_external_storage_cert_path=tmp/kra_storage.crt +#pki_external_transport_cert_path=tmp/kra_transport.crt +#pki_external_subsystem_cert_path=tmp/subsystem.crt +#pki_external_sslserver_cert_path=tmp/sslserver.crt +#pki_external_audit_signing_cert_path=tmp/kra_audit_signing.crt +#pki_external_admin_cert_path=tmp/kra_admin.crt + +pki_storage_cert_path=tmp/kra_storage.crt +pki_transport_cert_path=tmp/kra_transport.crt +pki_subsystem_cert_path=tmp/subsystem.crt +pki_sslserver_cert_path=tmp/sslserver.crt +pki_audit_signing_cert_path=tmp/kra_audit_signing.crt +pki_admin_cert_path=$PWD/tmp/kra_admin.crt +EOF + +pkispawn -f tmp/kra-external-step2.cfg -s KRA 
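Review bot: `pki_admin_cert_path=$PWD/tmp/kra_admin.crt` is the only absolute path in the new cert-path list; the other five, from `pki_storage_cert_path=tmp/kra_storage.crt` to `pki_audit_signing_cert_path=tmp/kra_audit_signing.crt`, are relative to wherever pkispawn is started. If pkispawn resolves relative paths against the caller's working directory both forms work, otherwise only the admin cert will be found; either way one form should be used for all six, and the kra-standalone-step1.sh and kra-standalone-step2.sh hunks below switch every path from `$PWD/tmp/...` to `tmp/...` on the same assumption. A short comment above the block, `# cert paths are relative to the directory this script is run from`, would record that assumption where it is made.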
diff --git a/scripts/kra-remote-create.sh b/scripts/kra-remote-create.sh index a56cb29..90af51f 100755 --- a/scripts/kra-remote-create.sh +++ b/scripts/kra-remote-create.sh @@ -1,6 +1,54 @@ #!/bin/sh -x -cp external.crt /tmp -cp cert_chain.p7b /tmp +mkdir -p tmp -pkispawn -vvv -f kra-remote.cfg -s KRA +CA_HOSTNAME=`cat tmp/ca.hostname` + +#cp external.crt /tmp +#cp cert_chain.p7b /tmp + +cat > tmp/kra.cfg << EOF +[DEFAULT] +#pki_instance_name=pki-tomcat +#pki_http_port=18080 +#pki_https_port=18443 +pki_pin=Secret.123 + +[Tomcat] +#pki_ajp_port=18009 +#pki_tomcat_server_port=18005 + +[KRA] +#pki_admin_cert_file=ca_admin.cert +pki_import_admin_cert=False +pki_admin_email=kraadmin@example.com +pki_admin_name=kraadmin +pki_admin_nickname=kraadmin +pki_admin_password=Secret.123 +pki_admin_uid=kraadmin + +pki_client_database_password=Secret.123 +pki_client_database_purge=False +pki_client_pkcs12_password=Secret.123 + +pki_ds_base_dn=dc=kra,dc=pki,dc=example,dc=com +pki_ds_database=kra +pki_ds_password=Secret.123 + +pki_security_domain_hostname=$CA_HOSTNAME +pki_security_domain_user=caadmin +pki_security_domain_password=Secret.123 + +pki_token_password=Secret.123 + +#pki_server_pkcs12_path=pki-server.p12 +#pki_server_pkcs12_password=Secret.123 + +pki_storage_nickname=kra_storage +pki_transport_nickname=kra_transport +pki_audit_signing_nickname=kra_audit_signing +pki_sslserver_nickname=sslserver +pki_subsystem_nickname=subsystem +EOF + +pkispawn -vvv -f tmp/kra.cfg -s KRA diff --git a/scripts/kra-remote-remove.sh b/scripts/kra-remote-remove.sh index c88b3e5..8fa132d 100755 --- a/scripts/kra-remote-remove.sh +++ b/scripts/kra-remote-remove.sh @@ -1,4 +1,4 @@ #!/bin/sh -x -pkidestroy -v -s KRA -i pki-kra -#pkidestroy -v -s KRA -i pki-kra -u caadmin -W password +pkidestroy -v -s KRA -i pki-tomcat +#pkidestroy -v -s KRA -i pki-tomcat -u caadmin -W password diff --git a/scripts/kra-standalone-step1.sh b/scripts/kra-standalone-step1.sh index bfb6c83..4db8878 100755 
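Review bot: Unlike the kra-create.sh and kra-external-step* configs, the [KRA] section written here has no `pki_security_domain_name=EXAMPLE` line next to `pki_security_domain_hostname=$CA_HOSTNAME`; if pkispawn does not default the domain name, joining the CA's security domain may fail with a config error, so either add the line or comment why it is intentionally omitted. The commented `#pki_instance_name`, `#pki_http_port`, `#pki_https_port`, `#pki_ajp_port` and `#pki_tomcat_server_port` lines suggest the script can also co-host with the CA; a header comment such as `# KRA on a separate host joining the CA's security domain; uncomment the port overrides to co-host with the CA` would make the intended topology explicit. The old `cp external.crt /tmp` and `cp cert_chain.p7b /tmp` lines are kept commented out rather than deleted, which leaves dead code in a script this small.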
--- a/scripts/kra-standalone-step1.sh +++ b/scripts/kra-standalone-step1.sh @@ -35,22 +35,20 @@ pki_transport_nickname=kra_transport pki_audit_signing_nickname=kra_audit_signing pki_sslserver_nickname=sslserver pki_subsystem_nickname=subsystem -#pki_cert_chain_nickname=ca_signing -#pki_cert_chain_nickname=Root CA Signing Certificate - ROOT - -pki_external_admin_csr_path=$PWD/tmp/kra_admin.csr -pki_external_audit_signing_csr_path=$PWD/tmp/kra_audit_signing.csr -pki_external_sslserver_csr_path=$PWD/tmp/sslserver.csr -pki_external_storage_csr_path=$PWD/tmp/kra_storage.csr -pki_external_subsystem_csr_path=$PWD/tmp/subsystem.csr -pki_external_transport_csr_path=$PWD/tmp/kra_transport.csr - -pki_admin_csr_path=$PWD/tmp/kra_admin.csr -pki_audit_signing_csr_path=$PWD/tmp/kra_audit_signing.csr -pki_sslserver_csr_path=$PWD/tmp/sslserver.csr -pki_storage_csr_path=$PWD/tmp/kra_storage.csr -pki_subsystem_csr_path=$PWD/tmp/subsystem.csr -pki_transport_csr_path=$PWD/tmp/kra_transport.csr + +#pki_external_storage_csr_path=tmp/kra_storage.csr +#pki_external_transport_csr_path=tmp/kra_transport.csr +#pki_external_subsystem_csr_path=tmp/subsystem.csr +#pki_external_sslserver_csr_path=tmp/sslserver.csr +#pki_external_audit_signing_csr_path=tmp/kra_audit_signing.csr +#pki_external_admin_csr_path=tmp/kra_admin.csr + +pki_storage_csr_path=tmp/kra_storage.csr +pki_transport_csr_path=tmp/kra_transport.csr +pki_subsystem_csr_path=tmp/subsystem.csr +pki_sslserver_csr_path=tmp/sslserver.csr +pki_audit_signing_csr_path=tmp/kra_audit_signing.csr +pki_admin_csr_path=tmp/kra_admin.csr EOF -pkispawn -f tmp/kra-standalone-step1.cfg -s KRA -v +pkispawn -f tmp/kra-standalone-step1.cfg -s KRA diff --git a/scripts/kra-standalone-step2.sh b/scripts/kra-standalone-step2.sh index 2264d5d..c678ba9 100755 --- a/scripts/kra-standalone-step2.sh +++ b/scripts/kra-standalone-step2.sh 
@@ -31,9 +31,11 @@ pki_standalone=True pki_external_step_two=True #pki_cert_chain_nickname=ca_signing -pki_cert_chain_nickname=Root CA Signing Certificate - ROOT -#pki_external_ca_cert_chain_path=$PWD/tmp/cert_chain.p7b -pki_external_ca_cert_path=$PWD/tmp/ca_signing.crt +#pki_cert_chain_nickname=Root CA Signing Certificate - ROOT +#pki_external_ca_cert_chain_path=tmp/cert_chain.p7b + +#pki_ca_signing_nickname=ca_signing +#pki_external_ca_cert_path=tmp/ca_signing.crt pki_storage_nickname=kra_storage pki_transport_nickname=kra_transport 
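Review bot: After this hunk every line that points at the CA certificate is commented out (`#pki_cert_chain_nickname=...`, `#pki_external_ca_cert_chain_path=tmp/cert_chain.p7b`, `#pki_ca_signing_nickname=ca_signing`, `#pki_external_ca_cert_path=tmp/ca_signing.crt`) while `pki_standalone=True` and `pki_external_step_two=True` stay active, so step two names no CA cert or chain to import unless pkispawn finds one elsewhere. If that is deliberate, for example because the chain is already in the NSS database after step one, a one-line comment such as `# CA chain is imported by step 1; no CA cert path is needed here` would stop the next reader from re-enabling one of them; otherwise the intended path should be uncommented. The heredoc and its [KRA] section start and end outside this hunk.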
@@ -41,19 +43,19 @@ pki_audit_signing_nickname=kra_audit_signing pki_sslserver_nickname=sslserver pki_subsystem_nickname=subsystem -pki_external_admin_cert_path=$PWD/tmp/kra_admin.crt -pki_external_storage_cert_path=$PWD/tmp/kra_storage.crt -pki_external_transport_cert_path=$PWD/tmp/kra_transport.crt -pki_external_audit_signing_cert_path=$PWD/tmp/kra_audit_signing.crt -pki_external_sslserver_cert_path=$PWD/tmp/sslserver.crt -pki_external_subsystem_cert_path=$PWD/tmp/subsystem.crt - -pki_admin_cert_path=$PWD/tmp/kra_admin.crt -pki_storage_cert_path=$PWD/tmp/kra_storage.crt -pki_transport_cert_path=$PWD/tmp/kra_transport.crt -pki_audit_signing_cert_path=$PWD/tmp/kra_audit_signing.crt -pki_sslserver_cert_path=$PWD/tmp/sslserver.crt -pki_subsystem_cert_path=$PWD/tmp/subsystem.crt +#pki_external_storage_cert_path=tmp/kra_storage.crt +#pki_external_transport_cert_path=tmp/kra_transport.crt +#pki_external_subsystem_cert_path=tmp/subsystem.crt +#pki_external_sslserver_cert_path=tmp/sslserver.crt +#pki_external_audit_signing_cert_path=tmp/kra_audit_signing.crt +#pki_external_admin_cert_path=tmp/kra_admin.crt + +pki_storage_cert_path=tmp/kra_storage.crt +pki_transport_cert_path=tmp/kra_transport.crt +pki_subsystem_cert_path=tmp/subsystem.crt +pki_sslserver_cert_path=tmp/sslserver.crt +pki_audit_signing_cert_path=tmp/kra_audit_signing.crt +pki_admin_cert_path=tmp/kra_admin.crt EOF -pkispawn -f tmp/kra-standalone-step2.cfg -s KRA -v +pkispawn -f tmp/kra-standalone-step2.cfg -s KRA diff --git a/scripts/kra_admin-cmc-sign.sh b/scripts/kra_admin-cmc-sign.sh index 1f472c1..b5ce79e 100755 --- a/scripts/kra_admin-cmc-sign.sh +++ b/scripts/kra_admin-cmc-sign.sh @@ -59,7 +59,8 @@ tokenname=internal nickname=caadmin # CMC servlet path -servlet=/ca/ee/ca/profileSubmitCMCFull +#servlet=/ca/ee/ca/profileSubmitCMCFull +servlet=/ca/ee/ca/profileSubmitCMCFull?profileId=caFullCMCUserSignedCert # Path for the CMC request. input=tmp/kra_admin-cmc-request.bin 
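Review bot: `servlet=/ca/ee/ca/profileSubmitCMCFull?profileId=caFullCMCUserSignedCert` folds a query string into a variable the comment still calls `# CMC servlet path`, and how `servlet` is consumed is outside the hunk, so whether the `?profileId=` part survives (if the value is later URL-encoded, or appended to a path that already carries a query) cannot be checked here. Splitting it as `profile=caFullCMCUserSignedCert` and `servlet=/ca/ee/ca/profileSubmitCMCFull?profileId=$profile` keeps the profile name as the one thing that differs between the four cmc-sign scripts and keeps the path comment accurate. The kra_audit_signing-cmc-sign.sh, kra_storage-cmc-sign.sh and kra_transport-cmc-sign.sh hunks make the identical change and would take the same split.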
diff --git a/scripts/kra_audit_signing-cmc-sign.sh b/scripts/kra_audit_signing-cmc-sign.sh index 5a5bbb5..334f3cd 100755 --- a/scripts/kra_audit_signing-cmc-sign.sh +++ b/scripts/kra_audit_signing-cmc-sign.sh @@ -59,7 +59,8 @@ tokenname=internal nickname=caadmin # CMC servlet path -servlet=/ca/ee/ca/profileSubmitCMCFullAuditSigningCert +#servlet=/ca/ee/ca/profileSubmitCMCFullAuditSigningCert +servlet=/ca/ee/ca/profileSubmitCMCFull?profileId=caCMCauditSigningCert # Path for the CMC request. input=tmp/kra_audit_signing-cmc-request.bin diff --git a/scripts/kra_storage-cmc-sign.sh b/scripts/kra_storage-cmc-sign.sh index 298e390..ea9dc93 100755 --- a/scripts/kra_storage-cmc-sign.sh +++ b/scripts/kra_storage-cmc-sign.sh @@ -59,7 +59,8 @@ tokenname=internal nickname=caadmin # CMC servlet path -servlet=/ca/ee/ca/profileSubmitCMCFullKRAstorageCert +#servlet=/ca/ee/ca/profileSubmitCMCFullKRAstorageCert +servlet=/ca/ee/ca/profileSubmitCMCFull?profileId=caCMCkraStorageCert # Path for the CMC request. input=tmp/kra_storage-cmc-request.bin diff --git a/scripts/kra_transport-cmc-sign.sh b/scripts/kra_transport-cmc-sign.sh index 1c82f5e..77ff39d 100755 --- a/scripts/kra_transport-cmc-sign.sh +++ b/scripts/kra_transport-cmc-sign.sh @@ -59,7 +59,8 @@ tokenname=internal nickname=caadmin # CMC servlet path -servlet=/ca/ee/ca/profileSubmitCMCFullKRAtransportCert +#servlet=/ca/ee/ca/profileSubmitCMCFullKRAtransportCert +servlet=/ca/ee/ca/profileSubmitCMCFull?profileId=caCMCkraTransportCert # Path for the CMC request. input=tmp/kra_transport-cmc-request.bin -- cgit