From e95825fb85e60bfa29a3124c37d6aac890a08163 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata"
Date: Thu, 20 Jul 2017 07:35:04 +0200
Subject: Updated OCSP scripts.
---
 scripts/ocsp-create.sh | 2 +-
 scripts/ocsp-get.sh | 5 ++++
 scripts/ocsp-merged-create.sh | 2 +-
 scripts/ocsp-standalone-sign.sh | 57 ++++++++++++++++++++++++++++++++++++++++
 scripts/ocsp-standalone-step1.sh | 9 +++++++
 scripts/ocsp-standalone-step2.sh | 12 +++++++++
 6 files changed, 85 insertions(+), 2 deletions(-)
 create mode 100755 scripts/ocsp-get.sh
 create mode 100755 scripts/ocsp-standalone-sign.sh
 create mode 100755 scripts/ocsp-standalone-step1.sh
 create mode 100755 scripts/ocsp-standalone-step2.sh
diff --git a/scripts/ocsp-create.sh b/scripts/ocsp-create.sh
index 3680932..f76101e 100755
--- a/scripts/ocsp-create.sh
+++ b/scripts/ocsp-create.sh
@@ -1,3 +1,3 @@
 #!/bin/sh -x
-pkispawn -v -f ocsp.cfg -s OCSP -v 2>&1 | tee build/ocsp-create.log
+pkispawn -v -f ocsp.cfg -s OCSP -v
diff --git a/scripts/ocsp-get.sh b/scripts/ocsp-get.sh
new file mode 100755
index 0000000..806c2ca
--- /dev/null
+++ b/scripts/ocsp-get.sh
@@ -0,0 +1,5 @@
+#!/bin/sh
+
+curl -I http://$HOSTNAME:8080/ca/ocsp/MGcwZTA+MDwwOjAJBgUrDgMCGgUABBRDZrJcZsDTn6Yii8TESb0h9WCStQQUuggtiV2wlfzGPqLB/rhkEr6G4ZMCARuiIzAhMB8GCSsGAQUFBzABAgQSBBAisg9UCMEuEVDFDdPCqQ21
+
+curl -I http://$HOSTNAME:8080/ca/ocsp/MGcwZTA%2BMDwwOjAJBgUrDgMCGgUABBRDZrJcZsDTn6Yii8TESb0h9WCStQQUuggtiV2wlfzGPqLB%2FrhkEr6G4ZMCARuiIzAhMB8GCSsGAQUFBzABAgQSBBAisg9UCMEuEVDFDdPCqQ21
diff --git a/scripts/ocsp-merged-create.sh b/scripts/ocsp-merged-create.sh
index 0b2a779..142c8a1 100755
--- a/scripts/ocsp-merged-create.sh
+++ b/scripts/ocsp-merged-create.sh
@@ -1,3 +1,3 @@
 #!/bin/sh -x
-pkispawn -f merged.cfg -s OCSP -v 2>&1 | tee build/ocsp-merged-create.log
+pkispawn -f merged.cfg -s OCSP -v
diff --git a/scripts/ocsp-standalone-sign.sh b/scripts/ocsp-standalone-sign.sh
new file mode 100755
index 0000000..68dd4bd
--- /dev/null
+++ b/scripts/ocsp-standalone-sign.sh
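Review bot: The new line `pkispawn -v -f ocsp.cfg -s OCSP -v` passes `-v` twice; the second one is redundant and only this file has it (the ocsp-merged-create.sh hunk uses a single `-v`). `pkispawn -v -f ocsp.cfg -s OCSP` is enough, and with `#!/bin/sh -x` the command line is traced anyway.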
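Review bot: Both `curl -I` lines send HEAD requests, so the OCSP response body is never retrieved — only the status line and headers come back; if the goal is to see that the responder answers the encoded request, `curl -i` (or `-o response.der`) on a plain GET is needed. The path segment is a fixed base64 DER OCSP request tied to one issuer hash and one serial, so the script only works against the CA instance it was captured from; a comment naming which certificate it asks about would spare the next reader from decoding it. The second line is the percent-encoded form (`+` as `%2B`, `/` as `%2F`) described in RFC 6960 Appendix A, while the raw `/` in the first line becomes a path separator; if both forms are being exercised on purpose, a comment should say so. `$HOSTNAME` is unquoted in both URLs, `"http://$HOSTNAME:8080/ca/ocsp/…"`.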
@@ -0,0 +1,57 @@
+#!/bin/sh
+
+#### CA Cert ####
+
+pki cert-show --output external_ca.cert 0x1
+#pki cert-show --output external_ca_chain.cert 0x1
+
+#### Admin Cert ####
+
+REQUEST_ID=`pki ca-cert-request-submit --profile caUserCert --csr-file ocsp_admin.csr --subject uid=ocspadmin | grep "Request ID:" | awk -F ': ' '{print $2;}'`
+echo Request ID: $REQUEST_ID
+
+CERT_ID=`pki -d ~/.dogtag/pki-tomcat/ca/alias -c Secret.123 -n caadmin ca-cert-request-review --action approve $REQUEST_ID | grep "Certificate ID:" | awk -F ': ' '{print $2;}'`
+echo Certificate ID: $CERT_ID
+
+pki cert-show --output ocsp_admin.cert $CERT_ID
+
+#### OCSP Signing Cert ####
+
+REQUEST_ID=`pki ca-cert-request-submit --profile caOCSPSigningCert --csr-file ocsp_signing.csr | grep "Request ID:" | awk -F ': ' '{print $2;}'`
+echo Request ID: $REQUEST_ID
+
+CERT_ID=`pki -d ~/.dogtag/pki-tomcat/ca/alias -c Secret.123 -n caadmin ca-cert-request-review --action approve $REQUEST_ID | grep "Certificate ID:" | awk -F ': ' '{print $2;}'`
+echo Certificate ID: $CERT_ID
+
+pki cert-show --output ocsp_signing.cert $CERT_ID
+
+#### Server Cert ####
+
+REQUEST_ID=`pki ca-cert-request-submit --profile caServerCert --csr-file ocsp_sslserver.csr | grep "Request ID:" | awk -F ': ' '{print $2;}'`
+echo Request ID: $REQUEST_ID
+
+CERT_ID=`pki -d ~/.dogtag/pki-tomcat/ca/alias -c Secret.123 -n caadmin ca-cert-request-review --action approve $REQUEST_ID | grep "Certificate ID:" | awk -F ': ' '{print $2;}'`
+echo Certificate ID: $CERT_ID
+
+pki cert-show --output ocsp_sslserver.cert $CERT_ID
+
+#### Subsystem Cert ####
+
+REQUEST_ID=`pki ca-cert-request-submit --profile caSubsystemCert --csr-file ocsp_subsystem.csr | grep "Request ID:" | awk -F ': ' '{print $2;}'`
+echo Request ID: $REQUEST_ID
+
+CERT_ID=`pki -d ~/.dogtag/pki-tomcat/ca/alias -c Secret.123 -n caadmin ca-cert-request-review --action approve $REQUEST_ID | grep "Certificate ID:" | awk -F ': ' '{print $2;}'`
+echo Certificate ID: $CERT_ID
+
+pki cert-show --output ocsp_subsystem.cert $CERT_ID
+
+#### Audit Signing Cert ####
+
+REQUEST_ID=`pki ca-cert-request-submit --profile caSignedLogCert --csr-file ocsp_audit_signing.csr | grep "Request ID:" | awk -F ': ' '{print $2;}'`
+echo Request ID: $REQUEST_ID
+
+CERT_ID=`pki -d ~/.dogtag/pki-tomcat/ca/alias -c Secret.123 -n caadmin ca-cert-request-review --action approve $REQUEST_ID | grep "Certificate ID:" | awk -F ': ' '{print $2;}'`
+echo Certificate ID: $CERT_ID
+
+pki cert-show --output ocsp_audit_signing.cert $CERT_ID
+
diff --git a/scripts/ocsp-standalone-step1.sh b/scripts/ocsp-standalone-step1.sh
new file mode 100755
index 0000000..0d14be4
--- /dev/null
+++ b/scripts/ocsp-standalone-step1.sh
@@ -0,0 +1,9 @@
+#!/bin/sh -x
+
+pkispawn -v -f ocsp-standalone-step1.cfg -s OCSP
+
+cp /etc/pki/pki-tomcat/ocsp_admin.csr .
+cp /etc/pki/pki-tomcat/ocsp_audit_signing.csr .
+cp /etc/pki/pki-tomcat/ocsp_signing.csr .
+cp /etc/pki/pki-tomcat/ocsp_sslserver.csr .
+cp /etc/pki/pki-tomcat/ocsp_subsystem.csr .
diff --git a/scripts/ocsp-standalone-step2.sh b/scripts/ocsp-standalone-step2.sh
new file mode 100755
index 0000000..fabf3a8
--- /dev/null
+++ b/scripts/ocsp-standalone-step2.sh
@@ -0,0 +1,12 @@
+#!/bin/sh -x
+
+cp external_ca.cert /etc/pki/pki-tomcat
+cp external_ca_chain.cert /etc/pki/pki-tomcat
+
+cp ocsp_admin.cert /etc/pki/pki-tomcat
+cp ocsp_signing.cert /etc/pki/pki-tomcat
+cp ocsp_sslserver.cert /etc/pki/pki-tomcat
+cp ocsp_subsystem.cert /etc/pki/pki-tomcat
+cp ocsp_audit_signing.cert /etc/pki/pki-tomcat
+
+pkispawn -v -f ocsp-standalone-step2.cfg -s OCSP
-- cgit
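Review bot: The CA agent's NSS database password is passed on each of the five approval lines as `-c Secret.123`, which puts it in the committed script, in `ps` output while the command runs, and in the shell trace if this script is ever run with `-x` like its siblings; reading it from a password file via pki's `-C` option (or from an environment variable) keeps it out of argv. Each section also carries on when the previous step returned nothing: with no `set -e` and no check on `REQUEST_ID` or `CERT_ID`, a failed submit makes `ca-cert-request-review --action approve` run with an empty ID and `cert-show` write an empty cert file that ocsp-standalone-step2.sh then installs. The five submit/approve/export blocks differ only in profile, CSR and output name, so one function holding the checks is the natural shape; the rewrite below keeps the command sequence and the printed messages, drops the backticks and unquoted IDs, and folds each `grep | awk` pair into one awk. `CA_AGENT_PASSWORD_FILE` in the excerpt is a placeholder for wherever the agent password file is kept.
```shell
#!/bin/sh
set -e

# Submit a CSR to the CA, approve it as the caadmin agent and export the cert.
# $1 profile, $2 CSR file, $3 output cert file; any extra args go to the submit call.
issue_cert() {
  profile=$1; csr=$2; out=$3; shift 3
  request_id=$(pki ca-cert-request-submit --profile "$profile" --csr-file "$csr" "$@" \
    | awk -F ': ' '/Request ID:/ {print $2}')
  [ -n "$request_id" ] || { echo "no request ID returned for $csr" >&2; exit 1; }
  echo "Request ID: $request_id"
  cert_id=$(pki -d ~/.dogtag/pki-tomcat/ca/alias -C "$CA_AGENT_PASSWORD_FILE" -n caadmin \
      ca-cert-request-review --action approve "$request_id" \
    | awk -F ': ' '/Certificate ID:/ {print $2}')
  [ -n "$cert_id" ] || { echo "request $request_id was not approved" >&2; exit 1; }
  echo "Certificate ID: $cert_id"
  pki cert-show --output "$out" "$cert_id"
}

# … unchanged: CA cert export (pki cert-show --output external_ca.cert 0x1) …

issue_cert caUserCert ocsp_admin.csr ocsp_admin.cert --subject uid=ocspadmin
issue_cert caOCSPSigningCert ocsp_signing.csr ocsp_signing.cert
issue_cert caServerCert ocsp_sslserver.csr ocsp_sslserver.cert
issue_cert caSubsystemCert ocsp_subsystem.csr ocsp_subsystem.cert
issue_cert caSignedLogCert ocsp_audit_signing.csr ocsp_audit_signing.cert
```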
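Review bot: Nothing stops the script when `pkispawn` fails: with `#!/bin/sh -x` and no `set -e`, the five `cp` lines still run, and if CSR files from an earlier run are still in /etc/pki/pki-tomcat they are copied instead — ocsp-standalone-sign.sh would then issue certificates for keys the new instance does not hold. `set -e` as the second line (or `pkispawn -v -f ocsp-standalone-step1.cfg -s OCSP || exit 1`) surfaces the failure before any CSR is copied. The same missing `set -e` applies to ocsp-standalone-step2.sh, where a failed `cp` is followed by the step-2 `pkispawn` regardless.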
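Review bot: `cp external_ca_chain.cert /etc/pki/pki-tomcat` has no visible producer — in ocsp-standalone-sign.sh the `pki cert-show --output external_ca_chain.cert 0x1` line is commented out — so unless that file is created elsewhere this `cp` fails and the script goes on to run `pkispawn` with whatever certificates did land in /etc/pki/pki-tomcat. Either drop this line together with the commented-out export in the sign script, or restore that export so the two scripts agree on which files exist. A short header comment stating that the script expects the outputs of ocsp-standalone-sign.sh in the current directory would also make the ordering explicit.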