From 41d7cfc3d97918e736331af85818a6969161803b Mon Sep 17 00:00:00 2001 From: "Endi S. Dewata" Date: Tue, 1 Aug 2017 04:54:31 +0200 Subject: Updated CA scripts. --- scripts/ca-clone-create.sh | 41 ++++++++++++++--------------- scripts/ca-clone-prep.sh | 19 +++++++------- scripts/ca-create.sh | 2 +- scripts/ca-existing-create.sh | 46 ++++++++++++++++++++++++++++---- scripts/ca-existing-export.sh | 11 ++++---- scripts/ca-export.sh | 46 ++++++++++++++++---------------- scripts/ca-external-step1.sh | 4 +-- scripts/ca-external-step2.sh | 4 +-- scripts/ca-nfast-create.sh | 61 ++++++++++++++++++++++++++++++++++++++++++- 9 files changed, 163 insertions(+), 71 deletions(-) (limited to 'scripts') diff --git a/scripts/ca-clone-create.sh b/scripts/ca-clone-create.sh index b890789..251cc7a 100755 --- a/scripts/ca-clone-create.sh +++ b/scripts/ca-clone-create.sh @@ -1,14 +1,12 @@ #!/bin/sh -x -MASTER=`cat master.txt` +mkdir -p tmp -/bin/cp ca_backup_keys.p12 /tmp -/bin/cp ca_admin.cert /tmp -/bin/cp ca_admin_cert.p12 /tmp +MASTER=`cat tmp/master.txt` -cat > ca-clone.cfg << EOF -#[DEFAULT] -#pki_pin=Secret.123 +cat > tmp/ca-clone.cfg << EOF +[DEFAULT] +pki_pin=Secret.123 [CA] pki_admin_email=caadmin@example.com @@ -37,12 +35,14 @@ pki_clone=True pki_clone_replicate_schema=True pki_clone_uri=https://$MASTER:8443 -# PKI 9 -#pki_ca_signing_nickname=caSigningCert cert-pki-ca -#pki_ocsp_signing_nickname=ocspSigningCert cert-pki-ca -#pki_audit_signing_nickname=auditSigningCert cert-pki-ca -#pki_ssl_server_nickname=Server-Cert cert-pki-ca -#pki_subsystem_nickname=subsystemCert cert-pki-ca +# Dogtag 10.3 +#pki_server_pkcs12_path=$PWD/tmp/ca-certs.p12 +#pki_server_pkcs12_password=Secret.123 + +# Dogtag 10.2 +pki_clone_pkcs12_password=Secret.123 +#pki_clone_pkcs12_path=$PWD/tmp/ca_backup_keys.p12 +pki_clone_pkcs12_path=$PWD/tmp/ca-certs.p12 # PKI 10 pki_ca_signing_nickname=ca_signing 
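Review bot: `MASTER=\`cat tmp/master.txt\`` now reads a file that the ca-clone-prep.sh hunk in this same commit stops producing (its `echo $HOSTNAME > tmp/master.txt` is commented out), so on a fresh run `cat` fails, MASTER is empty and the generated `pki_clone_uri=https://:8443` is only discovered when pkispawn tries to reach the master; presumably the file is now meant to be written by hand, but the script should fail early rather than spawn a broken clone. Suggested replacement for the assignment: `MASTER=$(cat tmp/master.txt) || exit 1` followed by `[ -n "$MASTER" ] || { echo "tmp/master.txt is empty" >&2; exit 1; }`. The same file writes `pki_pin=Secret.123` and `pki_clone_pkcs12_password=Secret.123` into `tmp/ca-clone.cfg` through a bare redirect, so the config inherits the default umask and is typically group/world readable; `umask 077` placed before `mkdir -p tmp` keeps it, and the key-bearing `tmp/ca-certs.p12` the other scripts drop in the same directory, owner-only. The same umask point applies to the ca-existing-create.sh and ca-nfast-create.sh hunks, which also render passwords into `tmp/*.cfg`.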
@@ -51,13 +51,12 @@ pki_audit_signing_nickname=ca_audit_signing pki_ssl_server_nickname=sslserver pki_subsystem_nickname=subsystem -# Dogtag 10.2 only -pki_clone_pkcs12_password=Secret.123 -pki_clone_pkcs12_path=/tmp/ca_backup_keys.p12 - -# Dogtag 10.3 only -#pki_server_pkcs12_path=pki-server.p12 -#pki_server_pkcs12_password=Secret.123 +# PKI 9 +#pki_ca_signing_nickname=caSigningCert cert-pki-ca +#pki_ocsp_signing_nickname=ocspSigningCert cert-pki-ca +#pki_audit_signing_nickname=auditSigningCert cert-pki-ca +#pki_ssl_server_nickname=Server-Cert cert-pki-ca +#pki_subsystem_nickname=subsystemCert cert-pki-ca EOF -pkispawn -vvv -f ca-clone.cfg -s CA +pkispawn -vvv -f tmp/ca-clone.cfg -s CA diff --git a/scripts/ca-clone-prep.sh b/scripts/ca-clone-prep.sh index ffd5538..3993580 100755 --- a/scripts/ca-clone-prep.sh +++ b/scripts/ca-clone-prep.sh 
@@ -1,17 +1,16 @@ #!/bin/sh -x -echo $HOSTNAME > master.txt +mkdir -p tmp -grep "internal=" /var/lib/pki/pki-tomcat/conf/password.conf | awk -F= '{print $2}' > internal.txt -echo Secret.123 > password.txt +#echo $HOSTNAME > tmp/master.txt -PKCS12Export -debug -d /var/lib/pki/pki-tomcat/alias -p internal.txt -w password.txt -o ca_backup_keys.p12 +grep "internal=" /var/lib/pki/pki-tomcat/conf/password.conf | awk -F= '{print $2}' > tmp/internal.txt -pki pkcs12-cert-find --pkcs12-file ca_backup_keys.p12 --pkcs12-password Secret.123 +PKCS12Export -debug -d /var/lib/pki/pki-tomcat/alias -p tmp/internal.txt -w password.txt -o tmp/ca_backup_keys.p12 +pki pkcs12-cert-find --pkcs12-file tmp/ca_backup_keys.p12 --pkcs12-password-file password.txt -pki-server ca-clone-prepare --pkcs12-file pki-server.p12 --pkcs12-password Secret.123 +pki-server ca-clone-prepare --pkcs12-file tmp/ca-certs.p12 --pkcs12-password-file password.txt +pki pkcs12-cert-find --pkcs12-file tmp/ca-certs.p12 --pkcs12-password-file password.txt -pki pkcs12-cert-find --pkcs12-file pki-server.p12 --pkcs12-password Secret.123 - -cp ~/.dogtag/pki-tomcat/ca_admin.cert . -cp ~/.dogtag/pki-tomcat/ca_admin_cert.p12 . +#cp ~/.dogtag/pki-tomcat/ca_admin.cert tmp +#cp ~/.dogtag/pki-tomcat/ca_admin_cert.p12 tmp diff --git a/scripts/ca-create.sh b/scripts/ca-create.sh index 32c8925..cc1bf21 100755 --- a/scripts/ca-create.sh +++ b/scripts/ca-create.sh @@ -4,7 +4,7 @@ mkdir -p tmp cat > tmp/ca.cfg << EOF [DEFAULT] -#pki_pin=Secret.123 +pki_pin=Secret.123 [CA] pki_admin_email=caadmin@example.com diff --git a/scripts/ca-existing-create.sh b/scripts/ca-existing-create.sh index a3b5a88..d020a62 100755 --- a/scripts/ca-existing-create.sh +++ b/scripts/ca-existing-create.sh 
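Review bot: `grep "internal=" … | awk -F= '{print $2}' > tmp/internal.txt` is not anchored and keeps only the second `=`-separated field, so an internal token password that contains `=` is silently truncated and PKCS12Export then fails to open the NSS database; `sed -n 's/^internal=//p' /var/lib/pki/pki-tomcat/conf/password.conf > tmp/internal.txt` preserves the whole value and matches only the intended key. The identical line is introduced in the ca-export.sh hunk and should be changed there too. `tmp/internal.txt` holds the live NSS token password and is left on disk after the export, next to `tmp/ca_backup_keys.p12` and `tmp/ca-certs.p12`, which carry the exported private keys; adding `rm -f tmp/internal.txt` after the last command that uses it limits how long the password sits in a plain file.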
@@ -1,9 +1,45 @@ #!/bin/sh -x -rm -rf /tmp/ca_signing.csr -rm -rf /tmp/ca.p12 +mkdir -p tmp -/bin/cp ca_signing.csr /tmp -/bin/cp ca.p12 /tmp +cat > tmp/ca-existing.cfg << EOF +[DEFAULT] +pki_pin=Secret.123 -pkispawn -v -f ca-existing.cfg -s CA +[CA] +pki_admin_email=caadmin@example.com +pki_admin_name=caadmin +pki_admin_nickname=caadmin +pki_admin_password=Secret.123 +pki_admin_uid=caadmin + +pki_client_database_password=Secret.123 +pki_client_database_purge=False +pki_client_pkcs12_password=Secret.123 + +pki_ds_base_dn=dc=ca,dc=pki,dc=example,dc=com +pki_ds_password=Secret.123 +pki_ds_database=ca + +pki_security_domain_name=EXAMPLE + +pki_token_password=Secret.123 + +pki_existing=True + +pki_ca_signing_nickname=ca_signing +pki_ca_signing_csr_path=$PWD/tmp/ca_signing.csr + +pki_ocsp_signing_nickname=ca_ocsp_signing +pki_ssl_server_nickname=sslserver +pki_subsystem_nickname=subsystem +pki_audit_signing_nickname=ca_audit_signing + +pki_pkcs12_path=$PWD/tmp/ca-certs.p12 +pki_pkcs12_password=Secret.123 + +#pki_serial_number_range_start=6 +#pki_request_number_range_start=1 +EOF + +pkispawn -v -f tmp/ca-existing.cfg -s CA diff --git a/scripts/ca-existing-export.sh b/scripts/ca-existing-export.sh index fdefc58..d8c0bd0 100755 --- a/scripts/ca-existing-export.sh +++ b/scripts/ca-existing-export.sh @@ -1,12 +1,11 @@ #!/bin/sh -x -rm -rf ca_signing.csr -rm -rf ca.p12 +mkdir -p tmp pki-server subsystem-cert-export ca signing \ - --csr-file ca_signing.csr \ - --pkcs12-file ca.p12 \ + --csr-file tmp/ca_signing.csr \ + --pkcs12-file tmp/ca-certs.p12 \ --pkcs12-password-file password.txt -pki pkcs12-cert-find --pkcs12-file ca.p12 --pkcs12-password-file password.txt -pki pkcs12-key-find --pkcs12-file ca.p12 --pkcs12-password-file password.txt +pki pkcs12-cert-find --pkcs12-file tmp/ca-certs.p12 --pkcs12-password-file password.txt +pki pkcs12-key-find --pkcs12-file tmp/ca-certs.p12 --pkcs12-password-file password.txt 
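Review bot: The generated config points pkispawn at `$PWD/tmp/ca_signing.csr` and `$PWD/tmp/ca-certs.p12`, but the script no longer verifies those inputs exist — the previous version's `/bin/cp` of the CSR and PKCS#12 at least failed visibly when they were missing, whereas now pkispawn is started with a config naming absent files. A one-line guard before the heredoc covers it: `for f in tmp/ca_signing.csr tmp/ca-certs.p12; do [ -f "$f" ] || { echo "missing $f" >&2; exit 1; }; done`. The `$PWD` expansion means the config is only valid when the script is run from the scripts directory; a comment above `cat > tmp/ca-existing.cfg` such as `# paths are absolutized with $PWD because pkispawn resolves them from its own cwd` would save the next reader from "fixing" it back to relative paths.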
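Review bot: The removed `rm -rf ca_signing.csr` / `rm -rf ca.p12` lines have no counterpart for the new output paths, and `tmp/ca-certs.p12` is also the file written by the ca-export.sh and ca-clone-prep.sh hunks in this commit, so a stale PKCS#12 from one of those scripts may already be present when `pki-server subsystem-cert-export` runs. I cannot tell from here whether the export recreates the file or adds to an existing one; if it is the latter, the result would carry extra certificates and keys that do not belong to the signing export. Restoring the cleanup for the new names, `rm -f tmp/ca_signing.csr tmp/ca-certs.p12` right after `mkdir -p tmp`, makes the outcome independent of which script ran last.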
diff --git a/scripts/ca-export.sh b/scripts/ca-export.sh index 351f68f..da2ce2d 100755 --- a/scripts/ca-export.sh +++ b/scripts/ca-export.sh 
@@ -1,33 +1,33 @@ #!/bin/sh -x -grep "internal=" /var/lib/pki/pki-tomcat/conf/password.conf | awk -F= '{print $2}' > internal.txt -#PKCS12Export -debug -d /var/lib/pki/pki-tomcat/alias -p internal.txt -w password.txt -o ca_backup_keys.p12 -PKCS12Export -d /var/lib/pki/pki-tomcat/alias -p internal.txt -w password.txt -o ca_backup_keys.p12 +grep "internal=" /var/lib/pki/pki-tomcat/conf/password.conf | awk -F= '{print $2}' > tmp/internal.txt +#PKCS12Export -debug -d /var/lib/pki/pki-tomcat/alias -p tmp/internal.txt -w password.txt -o tmp/ca-certs.p12 +PKCS12Export -d /var/lib/pki/pki-tomcat/alias -p tmp/internal.txt -w password.txt -o tmp/ca-certs.p12 -pki pkcs12-cert-find --pkcs12-file ca_backup_keys.p12 --pkcs12-password-file password.txt -pki pkcs12-key-find --pkcs12-file ca_backup_keys.p12 --pkcs12-password-file password.txt +pki pkcs12-cert-find --pkcs12-file tmp/ca-certs.p12 --pkcs12-password-file password.txt +pki pkcs12-key-find --pkcs12-file tmp/ca-certs.p12 --pkcs12-password-file password.txt -echo "-----BEGIN NEW CERTIFICATE REQUEST-----" > ca_signing.csr -sed -n "/^ca.signing.certreq=/ s/^[^=]*=// p" < /var/lib/pki/pki-tomcat/ca/conf/CS.cfg >> ca_signing.csr -echo "-----END NEW CERTIFICATE REQUEST-----" >> ca_signing.csr +echo "-----BEGIN NEW CERTIFICATE REQUEST-----" > tmp/ca_signing.csr +sed -n "/^ca.signing.certreq=/ s/^[^=]*=// p" < /var/lib/pki/pki-tomcat/ca/conf/CS.cfg >> tmp/ca_signing.csr +echo "-----END NEW CERTIFICATE REQUEST-----" >> tmp/ca_signing.csr -echo "-----BEGIN NEW CERTIFICATE REQUEST-----" > ca_ocsp_signing.csr -sed -n "/^ca.ocsp_signing.certreq=/ s/^[^=]*=// p" < /var/lib/pki/pki-tomcat/ca/conf/CS.cfg >> ca_ocsp_signing.csr -echo "-----END NEW CERTIFICATE REQUEST-----" >> ca_ocsp_signing.csr +echo "-----BEGIN NEW CERTIFICATE REQUEST-----" > tmp/ca_ocsp_signing.csr +sed -n "/^ca.ocsp_signing.certreq=/ s/^[^=]*=// p" < /var/lib/pki/pki-tomcat/ca/conf/CS.cfg >> tmp/ca_ocsp_signing.csr +echo "-----END NEW CERTIFICATE REQUEST-----" >> 
tmp/ca_ocsp_signing.csr -echo "-----BEGIN NEW CERTIFICATE REQUEST-----" > sslserver.csr -sed -n "/^ca.sslserver.certreq=/ s/^[^=]*=// p" < /var/lib/pki/pki-tomcat/ca/conf/CS.cfg >> sslserver.csr -echo "-----END NEW CERTIFICATE REQUEST-----" >> sslserver.csr +echo "-----BEGIN NEW CERTIFICATE REQUEST-----" > tmp/sslserver.csr +sed -n "/^ca.sslserver.certreq=/ s/^[^=]*=// p" < /var/lib/pki/pki-tomcat/ca/conf/CS.cfg >> tmp/sslserver.csr +echo "-----END NEW CERTIFICATE REQUEST-----" >> tmp/sslserver.csr -echo "-----BEGIN NEW CERTIFICATE REQUEST-----" > subsystem.csr -sed -n "/^ca.subsystem.certreq=/ s/^[^=]*=// p" < /var/lib/pki/pki-tomcat/ca/conf/CS.cfg >> subsystem.csr -echo "-----END NEW CERTIFICATE REQUEST-----" >> subsystem.csr +echo "-----BEGIN NEW CERTIFICATE REQUEST-----" > tmp/subsystem.csr +sed -n "/^ca.subsystem.certreq=/ s/^[^=]*=// p" < /var/lib/pki/pki-tomcat/ca/conf/CS.cfg >> tmp/subsystem.csr +echo "-----END NEW CERTIFICATE REQUEST-----" >> tmp/subsystem.csr -echo "-----BEGIN NEW CERTIFICATE REQUEST-----" > ca_audit_signing.csr -sed -n "/^ca.audit_signing.certreq=/ s/^[^=]*=// p" < /var/lib/pki/pki-tomcat/ca/conf/CS.cfg >> ca_audit_signing.csr -echo "-----END NEW CERTIFICATE REQUEST-----" >> ca_audit_signing.csr +echo "-----BEGIN NEW CERTIFICATE REQUEST-----" > tmp/ca_audit_signing.csr +sed -n "/^ca.audit_signing.certreq=/ s/^[^=]*=// p" < /var/lib/pki/pki-tomcat/ca/conf/CS.cfg >> tmp/ca_audit_signing.csr +echo "-----END NEW CERTIFICATE REQUEST-----" >> tmp/ca_audit_signing.csr -#pki-server ca-clone-prepare --pkcs12-file ca_backup_keys.p12 --pkcs12-password-file password.txt +#pki-server ca-clone-prepare --pkcs12-file tmp/ca-certs.p12 --pkcs12-password-file password.txt -cp ~/.dogtag/pki-tomcat/ca_admin.cert . -cp ~/.dogtag/pki-tomcat/ca_admin_cert.p12 . +cp ~/.dogtag/pki-tomcat/ca_admin.cert tmp +cp ~/.dogtag/pki-tomcat/ca_admin_cert.p12 tmp diff --git a/scripts/ca-external-step1.sh b/scripts/ca-external-step1.sh index a9d6df9..ecc8112 100755 
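Review bot: Every output in this hunk is redirected into `tmp/`, yet unlike the other eight scripts touched by this commit the file gains no `mkdir -p tmp`; the hunk covers the whole script from `#!/bin/sh -x`, so the directory is never created here. When it is absent the first redirect (`> tmp/internal.txt`) fails with "No such file or directory", and because the shebang has `-x` but not `-e`, PKCS12Export then runs with a nonexistent `-p tmp/internal.txt`, every `sed … >> tmp/*.csr` line fails the same way, and the script still exits as if it had worked. Adding `mkdir -p tmp` on the line after the shebang, as the ca-clone-prep.sh and ca-existing-export.sh hunks do, fixes this.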
--- a/scripts/ca-external-step1.sh +++ b/scripts/ca-external-step1.sh @@ -22,9 +22,9 @@ rm -f tmp/example3.csr rm -f tmp/example3.crt cat > tmp/ca-external-step1.cfg << EOF -#[DEFAULT] +[DEFAULT] #pki_instance_name=pki-child -#pki_pin=Secret.123 +pki_pin=Secret.123 [CA] pki_admin_email=caadmin@example.com diff --git a/scripts/ca-external-step2.sh b/scripts/ca-external-step2.sh index a45afdc..0b2ca58 100755 --- a/scripts/ca-external-step2.sh +++ b/scripts/ca-external-step2.sh @@ -3,9 +3,9 @@ mkdir -p tmp cat > tmp/ca-external-step2.cfg << EOF -#[DEFAULT] +[DEFAULT] #pki_instance_name=pki-child -#pki_pin=Secret.123 +pki_pin=Secret.123 [CA] pki_admin_email=caadmin@example.com diff --git a/scripts/ca-nfast-create.sh b/scripts/ca-nfast-create.sh index b0e914f..ca52316 100755 --- a/scripts/ca-nfast-create.sh +++ b/scripts/ca-nfast-create.sh 
@@ -1,3 +1,62 @@ #!/bin/sh -x -pkispawn -vv -f ca-nfast.cfg -s CA +mkdir -p tmp + +USER=`cat user.txt` +TOKEN=softcard + +cat > tmp/ca-nfast.cfg << EOF +[DEFAULT] +pki_pin=Secret.123 +pki_hsm_enable=True + +pki_hsm_libfile=/opt/nfast/toolkits/pkcs11/libcknfast.so +pki_hsm_modulename=nfast +pki_token_name=$TOKEN +pki_token_password=Secret.123 +pki_pin=Secret.123 + +[CA] +pki_admin_email=caadmin@example.com +pki_admin_name=caadmin +pki_admin_nickname=caadmin +pki_admin_password=Secret.123 +pki_admin_uid=caadmin + +pki_client_database_password=Secret.123 +pki_client_database_purge=False +pki_client_pkcs12_password=Secret.123 + +pki_ds_base_dn=dc=ca,dc=pki,dc=example,dc=com +pki_ds_database=ca +pki_ds_password=Secret.123 + +pki_security_domain_name=EXAMPLE + +pki_ca_signing_nickname=ca_signing +#pki_ca_signing_nickname=$USER/%(pki_instance_name)s/ca_signing +#pki_ca_signing_token=internal +#pki_ca_signing_token=$TOKEN + +pki_ocsp_signing_nickname=ca_ocsp_signing +#pki_ocsp_signing_nickname=$USER/%(pki_instance_name)s/ca_ocsp_signing +#pki_ocsp_signing_token=internal +#pki_ocsp_signing_token=$TOKEN + +pki_audit_signing_nickname=ca_audit_signing +#pki_audit_signing_nickname=$USER/%(pki_instance_name)s/ca_audit_signing +#pki_audit_signing_token=internal +#pki_audit_signing_token=$TOKEN + +pki_ssl_server_nickname=sslserver +#pki_ssl_server_nickname=$USER/%(pki_instance_name)s/sslserver/%(pki_hostname)s +#pki_ssl_server_token=internal +#pki_ssl_server_token=$TOKEN + +pki_subsystem_nickname=subsystem +#pki_subsystem_nickname=$USER/%(pki_instance_name)s/subsystem +#pki_subsystem_token=internal +#pki_subsystem_token=$TOKEN +EOF + +pkispawn -vv -f tmp/ca-nfast.cfg -s CA -- cgit
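Review bot: `pki_pin=Secret.123` appears twice in the `[DEFAULT]` section of the generated `tmp/ca-nfast.cfg` (immediately after `[DEFAULT]` and again after `pki_token_password`); a strict INI parser rejects the duplicate option outright and a lenient one lets the second silently win, so one of the two lines should go. `USER=\`cat user.txt\`` also reassigns the shell's `USER` variable, which login environments commonly export, so any child of this script that consults `$USER` (pkispawn included) sees the HSM account name instead of the invoking user; renaming it, e.g. `NFAST_USER=$(cat user.txt)` with the commented `#pki_*_nickname=$USER/…` lines updated to match, avoids the clobber and drops the backticks. Given `pki_hsm_enable=True`, the `pki_token_password=Secret.123` written here is the HSM token credential, which makes the umask point raised on the ca-clone-create.sh hunk especially relevant to this file.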