From 1e99e99968569712fcc6975e37f07e1c351b6d53 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" 
Date: Thu, 20 Jul 2017 07:59:42 +0200
Subject: Added external CA scripts.
---
 scripts/external-ca-sign.sh | 11 +++++
 scripts/external-nss2-sign.sh | 71 ++++++++++++++++++++++++++++++++
 scripts/external-nss3.sh | 89 ++++++++++++++++++++++++++++++++++++++++
 scripts/external-openssl-sign.sh | 7 ++++
 scripts/external-step1a.sh | 17 ++++++++
 scripts/external-step1b.sh | 5 +++
 scripts/external-tinyca-sign.sh | 18 ++++++++
 7 files changed, 218 insertions(+)
 create mode 100755 scripts/external-ca-sign.sh
 create mode 100755 scripts/external-nss2-sign.sh
 create mode 100755 scripts/external-nss3.sh
 create mode 100755 scripts/external-openssl-sign.sh
 create mode 100755 scripts/external-step1a.sh
 create mode 100755 scripts/external-step1b.sh
 create mode 100755 scripts/external-tinyca-sign.sh
(limited to 'scripts')
diff --git a/scripts/external-ca-sign.sh b/scripts/external-ca-sign.sh
new file mode 100755
index 0000000..efb864f
--- /dev/null
+++ b/scripts/external-ca-sign.sh
@@ -0,0 +1,11 @@
+#!/bin/sh
+
+REQUEST_ID=`pki ca-cert-request-submit --profile caCACert --csr-file ca_signing.csr | grep "Request ID:" | awk -F ': ' '{print $2;}'`
+echo Request ID: $REQUEST_ID
+
+CERT_ID=`pki -d ~/.dogtag/pki-tomcat/ca/alias -c Secret.123 -n caadmin ca-cert-request-review --action approve $REQUEST_ID | grep "Certificate ID:" | awk -F ': ' '{print $2;}'`
+echo Certificate ID: $CERT_ID
+
+pki cert-show --output ca_signing.crt $CERT_ID
+
+pki cert-show --output external.crt 0x1
diff --git a/scripts/external-nss2-sign.sh b/scripts/external-nss2-sign.sh
new file mode 100755
index 0000000..3d06431
--- /dev/null
+++ b/scripts/external-nss2-sign.sh
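Review bot: `REQUEST_ID` and `CERT_ID` are used without any check, so if the `grep`/`awk` extraction yields nothing the script goes on to run `ca-cert-request-review --action approve` and `cert-show` with a missing argument instead of stopping; a guard such as `[ -n "$REQUEST_ID" ] || exit 1` after each assignment (and quoting the expansions) makes the failure explicit. The `-c Secret.123` NSS database password is passed on the command line, where it is visible to other local users through the process list; the `-C <password-file>` form of the `pki` client keeps it out of argv. The backtick substitutions would also read more clearly as `$(...)`.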
@@ -0,0 +1,71 @@
+#!/bin/sh
+
+# generate level 1 CA certificate
+
+rm -rf nssdb
+mkdir nssdb
+echo Secret123 > nssdb/password.txt
+certutil -N -d nssdb -f nssdb/password.txt
+openssl rand -out nssdb/noise.bin 2048
+
+echo -e "y\n\ny\n" | \
+ certutil -S \
+ -d nssdb \
+ -f nssdb/password.txt \
+ -z nssdb/noise.bin \
+ -n "Level 1 CA" \
+ -s "CN=CA Signing Certificate,O=LEVEL1" \
+ -x \
+ -t "CTu,Cu,Cu" \
+ -m $RANDOM\
+ -2 \
+ --keyUsage certSigning \
+ --nsCertType sslCA,smimeCA,objectSigningCA
+
+certutil -L -d nssdb -n "Level 1 CA" -a > level1.crt
+
+# generate level 2 CA certificate
+
+echo -e "y\n\ny\n" | \
+ certutil -R \
+ -d nssdb \
+ -f nssdb/password.txt \
+ -z nssdb/noise.bin \
+ -s "CN=CA Signing Certificate,O=LEVEL2" \
+ -2 \
+ --keyUsage digitalSignature,nonRepudiation,certSigning,crlSigning,critical \
+ -o level2.csr.der
+
+BtoA level2.csr.der level2.csr.pem
+echo "-----BEGIN NEW CERTIFICATE REQUEST-----" > level2.csr
+cat level2.csr.pem >> level2.csr
+echo "-----END NEW CERTIFICATE REQUEST-----" >> level2.csr
+rm level2.csr.der
+rm level2.csr.pem
+
+echo -e "0\n1\n5\n6\n9\ny\ny\n\ny\n" | \
+ certutil -C \
+ -d nssdb \
+ -f nssdb/password.txt \
+ -m $RANDOM \
+ -a \
+ -i level2.csr \
+ -o level2.crt \
+ -c "Level 1 CA" \
+ -1 -2
+
+certutil -A -d nssdb -n "Level 2 CA" -i level2.crt -t "CTu,Cu,Cu"
+
+openssl crl2pkcs7 -nocrl -certfile level1.crt -certfile level2.crt -out cert_chain.p7b
+
+# sign the CA signing certificate
+
+echo -e "0\n1\n5\n6\n9\ny\ny\n\ny\n" | \
+ certutil -C \
+ -d nssdb \
+ -f nssdb/password.txt \
+ -m $RANDOM \
+ -a -i ca_signing.csr \
+ -o ca_signing.crt \
+ -c "Level 2 CA" \
+ -1 -2
diff --git a/scripts/external-nss3.sh b/scripts/external-nss3.sh
new file mode 100755
index 0000000..35ac602
--- /dev/null
+++ b/scripts/external-nss3.sh
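Review bot: The `certutil` pipelines rely on `echo -e` and `$RANDOM`, which are bash features, while the shebang is `#!/bin/sh`; where `/bin/sh` is dash, `$RANDOM` is empty so the unquoted `-m $RANDOM` collapses to a bare `-m` and the following `-2` is taken as the serial number, and `echo -e` emits a literal `-e` as the first prompt answer. Changing the shebang to `#!/bin/bash` (or using `printf` for the answers and an explicit serial) fixes both; external-nss3.sh contains the same lines. `echo Secret123 > nssdb/password.txt` also creates the NSS DB password file with the default umask, so a `chmod 600 nssdb/password.txt` after it, in both scripts, keeps the file from being readable by other local users. The answer strings such as `"0\n1\n5\n6\n9\ny\ny\n\ny\n"` appear to encode the interactive `-1`/`-2` extension prompts and would benefit from a comment naming what each answer selects.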
@@ -0,0 +1,89 @@
+#!/bin/sh
+
+# generate level 1 CA certificate
+
+rm -rf nssdb
+mkdir nssdb
+echo Secret123 > nssdb/password.txt
+certutil -N -d nssdb -f nssdb/password.txt
+openssl rand -out nssdb/noise.bin 2048
+
+echo -e "y\n\ny\n" | \
+ certutil -S \
+ -d nssdb \
+ -f nssdb/password.txt \
+ -z nssdb/noise.bin \
+ -n "Level 1 CA" \
+ -s "CN=CA Signing Certificate,O=LEVEL1" \
+ -x \
+ -t "CTu,Cu,Cu" \
+ -m $RANDOM\
+ -2 \
+ --keyUsage digitalSignature,nonRepudiation,certSigning,crlSigning,critical
+
+certutil -L -d nssdb -n "Level 1 CA" -a > level1.crt
+
+# generate level 2 CA certificate
+
+echo -e "y\n\ny\n" | \
+ certutil -R \
+ -d nssdb \
+ -f nssdb/password.txt \
+ -z nssdb/noise.bin \
+ -s "CN=CA Signing Certificate,O=LEVEL2" \
+ -2 \
+ --keyUsage digitalSignature,nonRepudiation,certSigning,crlSigning,critical \
+ -o level2.csr.der
+
+BtoA level2.csr.der level2.csr.pem
+echo "-----BEGIN NEW CERTIFICATE REQUEST-----" > level2.csr
+cat level2.csr.pem >> level2.csr
+echo "-----END NEW CERTIFICATE REQUEST-----" >> level2.csr
+rm level2.csr.der
+rm level2.csr.pem
+
+echo -e "0\n1\n5\n6\n9\ny\ny\n\ny\n" | \
+ certutil -C \
+ -d nssdb \
+ -f nssdb/password.txt \
+ -m $RANDOM \
+ -a \
+ -i level2.csr \
+ -o level2.crt \
+ -c "Level 1 CA" \
+ -1 -2
+
+certutil -A -d nssdb -n "Level 2 CA" -i level2.crt -t "CTu,Cu,Cu"
+
+# generate level 3 CA certificate
+
+echo -e "y\n\ny\n" | \
+ certutil -R \
+ -d nssdb \
+ -f nssdb/password.txt \
+ -z nssdb/noise.bin \
+ -s "CN=CA Signing Certificate,O=LEVEL3" \
+ -2 \
+ --keyUsage digitalSignature,nonRepudiation,certSigning,crlSigning,critical \
+ -o level3.csr.der
+
+BtoA level3.csr.der level3.csr.pem
+echo "-----BEGIN NEW CERTIFICATE REQUEST-----" > level3.csr
+cat level3.csr.pem >> level3.csr
+echo "-----END NEW CERTIFICATE REQUEST-----" >> level3.csr
+rm level3.csr.der
+rm level3.csr.pem
+
+echo -e "0\n1\n5\n6\n9\ny\ny\n\ny\n" | \
+ certutil -C \
+ -d nssdb \
+ -f nssdb/password.txt \
+ -m $RANDOM \
+ -a \
+ -i level3.csr \
+ -o level3.crt \
+ -c "Level 2 CA" \
+ -1 -2
+
+certutil -A -d nssdb -n "Level 3 CA" -i level3.crt -t "CTu,Cu,Cu"
+
diff --git a/scripts/external-openssl-sign.sh b/scripts/external-openssl-sign.sh
new file mode 100755
index 0000000..a2d9313
--- /dev/null
+++ b/scripts/external-openssl-sign.sh
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+openssl req -newkey rsa:2048 -keyout external.key -nodes -x509 -out external.crt -subj "/CN=External CA/O=EXTERNAL" -days 365
+
+openssl x509 -req -in ca_signing.csr -CA external.crt -CAkey external.key -CAcreateserial -out ca_signing.crt
+
+openssl crl2pkcs7 -nocrl -certfile external.crt -out cert_chain.p7b
diff --git a/scripts/external-step1a.sh b/scripts/external-step1a.sh
new file mode 100755
index 0000000..15d46d7
--- /dev/null
+++ b/scripts/external-step1a.sh
@@ -0,0 +1,17 @@
+#!/bin/sh -x
+
+rm -f /tmp/ca_signing.csr
+rm -r /tmp/external.crt
+rm -r /tmp/cert_chain.p7b
+rm -f /tmp/ca_signing.crt
+
+rm -f /tmp/example.crt
+rm -f /tmp/example2.crt
+rm -f /tmp/example.p7
+rm -f /tmp/example2.p7
+rm -f /tmp/example.p7b
+rm -f /tmp/example2.p7b
+rm -f /tmp/example3.csr
+rm -f /tmp/example3.crt
+
+pkispawn -vv -f external-step1a.cfg -s CA
diff --git a/scripts/external-step1b.sh b/scripts/external-step1b.sh
new file mode 100755
index 0000000..98e06c6
--- /dev/null
+++ b/scripts/external-step1b.sh
@@ -0,0 +1,5 @@
+#!/bin/sh -x
+
+pkispawn -vv -f external-step1b.cfg -s CA
+
+/bin/cp -f /tmp/ca_signing.csr .
diff --git a/scripts/external-tinyca-sign.sh b/scripts/external-tinyca-sign.sh
new file mode 100755
index 0000000..3ec14a2
--- /dev/null
+++ b/scripts/external-tinyca-sign.sh
@@ -0,0 +1,18 @@
+#!/bin/sh
+
+/usr/bin/openssl ca \
+ -batch \
+ -passin pass:Secret123 \
+ -notext \
+ -config /root/.TinyCA/RootCA/openssl.cnf \
+ -name ca_ca \
+ -in "ca_signing.csr" \
+ -out "ca_signing.crt" \
+ -days 7200 \
+ -preserveDN \
+ -md sha256 \
+ -noemailDN
+
+# -config external-tinyca.cnf \
+
+/bin/cp /root/.TinyCA/RootCA/cacert.pem external.crt
-- cgit
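Review bot: `openssl x509 -req` issues `ca_signing.crt` without any extensions, because it does not carry over the extensions requested in the CSR unless an `-extfile` is supplied; the resulting CA certificate has no `basicConstraints CA:TRUE` or `keyUsage keyCertSign`, and RFC 5280 path validation generally rejects such a certificate as an issuer. It also gets the default validity of 30 days because no `-days` is given, unlike the self-signed root created on the line above. Writing a small extension file and passing it with `-extfile`, plus an explicit `-days`, fixes both, as below. `-nodes` leaves `external.key` unencrypted in the working directory, which is fine for a test helper but worth a one-line comment saying so.
```shell
# … unchanged: openssl req creating external.key / external.crt …

# openssl x509 -req does not honour the extensions requested in the CSR; supply them here
cat > ca_signing.ext <<EOF
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF

openssl x509 -req -in ca_signing.csr -CA external.crt -CAkey external.key -CAcreateserial -days 365 -extfile ca_signing.ext -out ca_signing.crt

# … unchanged: openssl crl2pkcs7 building cert_chain.p7b …
```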
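Review bot: `rm -r /tmp/external.crt` and `rm -r /tmp/cert_chain.p7b` use `-r` where every other cleanup line uses `-f`; `-r` does nothing for a plain file, and without `-f` these two commands print an error whenever the file is absent, which is noise on a clean first run under `-x` tracing. Changing them to `rm -f /tmp/external.crt` and `rm -f /tmp/cert_chain.p7b` matches the rest of the block. The fixed `/tmp/...` paths are presumably dictated by `external-step1a.cfg`, which is not part of this commit; a comment naming that file would tell the reader where the list comes from and why it must stay in sync.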
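Review bot: The exit status of `pkispawn` is not checked before `/bin/cp -f /tmp/ca_signing.csr .`, so when pkispawn fails the copy still runs and may pick up a CSR left in `/tmp` by an earlier step or run, leaving a misleading `ca_signing.csr` in the working directory. `pkispawn -vv -f external-step1b.cfg -s CA || exit 1` stops the script at the failure instead.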
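Review bot: `-passin pass:Secret123` places the TinyCA key passphrase on the command line, where it is visible in the process list to every local user and in any shell trace; `-passin file:<passphrase-file>` or `-passin env:<VAR>` keeps it out of argv. The commented-out `# -config external-tinyca.cnf \` line left between the two commands still carries a continuation backslash and reads like a forgotten alternative; either delete it or turn it into a sentence saying when that config should replace `/root/.TinyCA/RootCA/openssl.cnf`.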