From 931c891fffd8811ac229728ae8132d72132f20f7 Mon Sep 17 00:00:00 2001 From: "Endi S. Dewata" Date: Thu, 14 Sep 2017 16:15:33 +0200 Subject: Updated CA scripts. --- scripts/ca-all-existing-create.sh | 52 ++++++++++++++++++ scripts/ca-all-existing-export.sh | 33 +++++++++++ scripts/ca-clone-create.sh | 7 +-- scripts/ca-clone-prep.sh | 2 +- scripts/ca-create.sh | 6 +- scripts/ca-existing-create.sh | 9 ++- scripts/ca-external-openssl-sign.sh | 106 ++++++++++++++++++++++++++++++++++++ scripts/ca-external-step1.sh | 41 ++------------ scripts/ca-external-step2.sh | 11 ++-- scripts/ca-python-test.sh | 46 ++++++++++++++++ 10 files changed, 264 insertions(+), 49 deletions(-) create mode 100755 scripts/ca-all-existing-create.sh create mode 100755 scripts/ca-all-existing-export.sh create mode 100755 scripts/ca-external-openssl-sign.sh create mode 100755 scripts/ca-python-test.sh (limited to 'scripts') diff --git a/scripts/ca-all-existing-create.sh b/scripts/ca-all-existing-create.sh new file mode 100755 index 0000000..98c05d8 --- /dev/null +++ b/scripts/ca-all-existing-create.sh 
@@ -0,0 +1,52 @@
+#!/bin/sh -x
+
+mkdir -p tmp
+
+cat > tmp/ca-all-existing.cfg << EOF
+[DEFAULT]
+pki_pin=Secret.123
+
+[CA]
+pki_admin_email=caadmin@example.com
+pki_admin_name=caadmin
+pki_admin_nickname=caadmin
+pki_admin_password=Secret.123
+pki_admin_uid=caadmin
+
+pki_client_database_password=Secret.123
+pki_client_database_purge=False
+pki_client_pkcs12_password=Secret.123
+
+pki_ds_base_dn=dc=ca,dc=pki,dc=example,dc=com
+pki_ds_password=Secret.123
+pki_ds_database=ca
+
+pki_security_domain_name=EXAMPLE
+
+pki_token_password=Secret.123
+
+pki_existing=True
+
+pki_ca_signing_nickname=ca_signing
+pki_ca_signing_csr_path=$PWD/tmp/ca_signing.csr
+
+pki_ocsp_signing_nickname=ca_ocsp_signing
+pki_ocsp_signing_csr_path=$PWD/tmp/ca_ocsp_signing.csr
+
+pki_sslserver_nickname=sslserver
+pki_sslserver_csr_path=$PWD/tmp/sslserver.csr
+
+pki_subsystem_nickname=subsystem
+pki_subsystem_csr_path=$PWD/tmp/subsystem.csr
+
+pki_audit_signing_nickname=ca_audit_signing
+pki_audit_signing_csr_path=$PWD/tmp/ca_audit_signing.csr
+
+pki_pkcs12_path=$PWD/tmp/ca-certs.p12
+pki_pkcs12_password=Secret.123
+
+#pki_serial_number_range_start=6
+#pki_request_number_range_start=1
+EOF
+
+pkispawn -f tmp/ca-all-existing.cfg -s CA
diff --git a/scripts/ca-all-existing-export.sh b/scripts/ca-all-existing-export.sh
new file mode 100755
index 0000000..da2ce2d
--- /dev/null
+++ b/scripts/ca-all-existing-export.sh
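Review bot: `cat > tmp/ca-all-existing.cfg` writes the admin, DS, token and PKCS #12 passwords into a file created under the caller's default umask, so on a shared test host other local users can read them; `mkdir -p tmp` just above creates the directory the same way. Consider `umask 077` on the line after the shebang, or `chmod 600 tmp/ca-all-existing.cfg` before the `pkispawn` call, so the configuration and everything else dropped into `tmp/` is owner-only. Note also that the `-x` in `#!/bin/sh -x` is lost when the script is started as `sh scripts/ca-all-existing-create.sh`; `set -x` as the first statement is the form that survives both invocations.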
@@ -0,0 +1,33 @@
+#!/bin/sh -x
+
+grep "internal=" /var/lib/pki/pki-tomcat/conf/password.conf | awk -F= '{print $2}' > tmp/internal.txt
+#PKCS12Export -debug -d /var/lib/pki/pki-tomcat/alias -p tmp/internal.txt -w password.txt -o tmp/ca-certs.p12
+PKCS12Export -d /var/lib/pki/pki-tomcat/alias -p tmp/internal.txt -w password.txt -o tmp/ca-certs.p12
+
+pki pkcs12-cert-find --pkcs12-file tmp/ca-certs.p12 --pkcs12-password-file password.txt
+pki pkcs12-key-find --pkcs12-file tmp/ca-certs.p12 --pkcs12-password-file password.txt
+
+echo "-----BEGIN NEW CERTIFICATE REQUEST-----" > tmp/ca_signing.csr
+sed -n "/^ca.signing.certreq=/ s/^[^=]*=// p" < /var/lib/pki/pki-tomcat/ca/conf/CS.cfg >> tmp/ca_signing.csr
+echo "-----END NEW CERTIFICATE REQUEST-----" >> tmp/ca_signing.csr
+
+echo "-----BEGIN NEW CERTIFICATE REQUEST-----" > tmp/ca_ocsp_signing.csr
+sed -n "/^ca.ocsp_signing.certreq=/ s/^[^=]*=// p" < /var/lib/pki/pki-tomcat/ca/conf/CS.cfg >> tmp/ca_ocsp_signing.csr
+echo "-----END NEW CERTIFICATE REQUEST-----" >> tmp/ca_ocsp_signing.csr
+
+echo "-----BEGIN NEW CERTIFICATE REQUEST-----" > tmp/sslserver.csr
+sed -n "/^ca.sslserver.certreq=/ s/^[^=]*=// p" < /var/lib/pki/pki-tomcat/ca/conf/CS.cfg >> tmp/sslserver.csr
+echo "-----END NEW CERTIFICATE REQUEST-----" >> tmp/sslserver.csr
+
+echo "-----BEGIN NEW CERTIFICATE REQUEST-----" > tmp/subsystem.csr
+sed -n "/^ca.subsystem.certreq=/ s/^[^=]*=// p" < /var/lib/pki/pki-tomcat/ca/conf/CS.cfg >> tmp/subsystem.csr
+echo "-----END NEW CERTIFICATE REQUEST-----" >> tmp/subsystem.csr
+
+echo "-----BEGIN NEW CERTIFICATE REQUEST-----" > tmp/ca_audit_signing.csr
+sed -n "/^ca.audit_signing.certreq=/ s/^[^=]*=// p" < /var/lib/pki/pki-tomcat/ca/conf/CS.cfg >> tmp/ca_audit_signing.csr
+echo "-----END NEW CERTIFICATE REQUEST-----" >> tmp/ca_audit_signing.csr
+
+#pki-server ca-clone-prepare --pkcs12-file tmp/ca-certs.p12 --pkcs12-password-file password.txt
+
+cp ~/.dogtag/pki-tomcat/ca_admin.cert tmp
+cp 
~/.dogtag/pki-tomcat/ca_admin_cert.p12 tmp diff --git a/scripts/ca-clone-create.sh b/scripts/ca-clone-create.sh index 251cc7a..0e2d393 100755 --- a/scripts/ca-clone-create.sh +++ b/scripts/ca-clone-create.sh @@ -41,22 +41,21 @@ pki_clone_uri=https://$MASTER:8443 # Dogtag 10.2 pki_clone_pkcs12_password=Secret.123 -#pki_clone_pkcs12_path=$PWD/tmp/ca_backup_keys.p12 pki_clone_pkcs12_path=$PWD/tmp/ca-certs.p12 # PKI 10 pki_ca_signing_nickname=ca_signing pki_ocsp_signing_nickname=ca_ocsp_signing pki_audit_signing_nickname=ca_audit_signing -pki_ssl_server_nickname=sslserver +pki_sslserver_nickname=sslserver pki_subsystem_nickname=subsystem # PKI 9 #pki_ca_signing_nickname=caSigningCert cert-pki-ca #pki_ocsp_signing_nickname=ocspSigningCert cert-pki-ca #pki_audit_signing_nickname=auditSigningCert cert-pki-ca -#pki_ssl_server_nickname=Server-Cert cert-pki-ca +#pki_sslserver_nickname=Server-Cert cert-pki-ca #pki_subsystem_nickname=subsystemCert cert-pki-ca EOF -pkispawn -vvv -f tmp/ca-clone.cfg -s CA +pkispawn -f tmp/ca-clone.cfg -s CA diff --git a/scripts/ca-clone-prep.sh b/scripts/ca-clone-prep.sh index 3993580..378b70e 100755 --- a/scripts/ca-clone-prep.sh +++ b/scripts/ca-clone-prep.sh @@ -2,7 +2,7 @@ mkdir -p tmp -#echo $HOSTNAME > tmp/master.txt +echo $HOSTNAME > tmp/master.txt grep "internal=" /var/lib/pki/pki-tomcat/conf/password.conf | awk -F= '{print $2}' > tmp/internal.txt diff --git a/scripts/ca-create.sh b/scripts/ca-create.sh index cc1bf21..009d330 100755 --- a/scripts/ca-create.sh +++ b/scripts/ca-create.sh 
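Review bot: The first command of `ca-all-existing-export.sh` redirects into `tmp/internal.txt`, but this script never creates `tmp/` — unlike every sibling, which opens with `mkdir -p tmp` — so when it is run on a fresh checkout before `ca-all-existing-create.sh` the redirect fails and, with no `set -e`, `PKCS12Export` runs with a missing password file; add `mkdir -p tmp` after the shebang. The `grep "internal=" … | awk -F= '{print $2}'` extraction, used here and as a context line in `ca-clone-prep.sh`, is fragile for a password: the pattern is unanchored, so any key ending in `internal=` also matches, and `$2` drops everything after a second `=`. `sed -n 's/^internal=//p' /var/lib/pki/pki-tomcat/conf/password.conf > tmp/internal.txt` handles both. Since `tmp/internal.txt` and `tmp/ca-certs.p12` hold the NSS database password and the CA's private keys, a `umask 077` at the top would stop them being world-readable.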
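Review bot: The newly enabled `echo $HOSTNAME > tmp/master.txt` in `ca-clone-prep.sh` depends on a variable that only bash sets; when `/bin/sh` is dash, `HOSTNAME` is unset and `tmp/master.txt` is written empty, which `ca-clone-create.sh` presumably turns into `pki_clone_uri=https://:8443`. This script's shebang is above the hunk, but its siblings use `#!/bin/sh -x`, so the portable form is `hostname > tmp/master.txt` (or `printf '%s\n' "${HOSTNAME:-$(hostname)}" > tmp/master.txt`). Moving this write out of `ca-create.sh` and into the prep step is fine, but it deserves a one-line comment such as `# master hostname, read by ca-clone-create.sh` so the dependency between the two scripts stays visible.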
@@ -32,13 +32,13 @@ pki_security_domain_name=EXAMPLE pki_ca_signing_nickname=ca_signing pki_ocsp_signing_nickname=ca_ocsp_signing pki_audit_signing_nickname=ca_audit_signing -pki_ssl_server_nickname=sslserver +pki_sslserver_nickname=sslserver pki_subsystem_nickname=subsystem EOF -pkispawn -vv -f tmp/ca.cfg -s CA +pkispawn -f tmp/ca.cfg -s CA #/bin/cp /root/.dogtag/pki-tomcat/ca_admin.cert . #/bin/cp /root/.dogtag/pki-tomcat/ca_admin_cert.p12 . #/bin/cp /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf ca_admin_cert.txt -echo $HOSTNAME > tmp/master.txt +#echo $HOSTNAME > tmp/master.txt diff --git a/scripts/ca-existing-create.sh b/scripts/ca-existing-create.sh index d020a62..823b98e 100755 --- a/scripts/ca-existing-create.sh +++ b/scripts/ca-existing-create.sh @@ -31,9 +31,16 @@ pki_ca_signing_nickname=ca_signing pki_ca_signing_csr_path=$PWD/tmp/ca_signing.csr pki_ocsp_signing_nickname=ca_ocsp_signing -pki_ssl_server_nickname=sslserver +#pki_ocsp_signing_csr_path=$PWD/tmp/ca_ocsp_signing.csr + +pki_sslserver_nickname=sslserver +#pki_sslserver_csr_path=$PWD/tmp/sslserver.csr + pki_subsystem_nickname=subsystem +#pki_subsystem_csr_path=$PWD/tmp/subsystem.csr + pki_audit_signing_nickname=ca_audit_signing +#pki_audit_signing_csr_path=$PWD/tmp/ca_audit_signing.csr pki_pkcs12_path=$PWD/tmp/ca-certs.p12 pki_pkcs12_password=Secret.123 diff --git a/scripts/ca-external-openssl-sign.sh b/scripts/ca-external-openssl-sign.sh new file mode 100755 index 0000000..1d76d0d --- /dev/null +++ b/scripts/ca-external-openssl-sign.sh 
@@ -0,0 +1,106 @@
+#!/bin/sh
+
+mkdir -p tmp
+
+cat > tmp/external.cfg << EOF
+HOME = tmp
+RANDFILE = tmp/random.bin
+
+####################################################################
+[ ca ]
+default_ca = CA_default # The default ca section
+
+[ CA_default ]
+
+default_days = 1000 # how long to certify for
+default_crl_days = 30 # how long before next CRL
+default_md = sha256 # use public key default MD
+preserve = no # keep passed DN ordering
+
+x509_extensions = ca_extensions # The extensions to add to the cert
+
+email_in_dn = no # Don't concat the email in the DN
+copy_extensions = copy # Required to copy SANs from CSR to cert
+
+####################################################################
+[ req ]
+default_bits = 4096
+default_keyfile = tmp/external.key
+distinguished_name = ca_distinguished_name
+x509_extensions = ca_extensions
+string_mask = utf8only
+
+####################################################################
+[ ca_distinguished_name ]
+countryName = Country Name (2 letter code)
+countryName_default = US
+
+stateOrProvinceName = State or Province Name (full name)
+stateOrProvinceName_default = Maryland
+
+localityName = Locality Name (eg, city)
+localityName_default = Baltimore
+
+organizationName = Organization Name (eg, company)
+organizationName_default = Test CA, Limited
+
+organizationalUnitName = Organizational Unit (eg, division)
+organizationalUnitName_default = Server Research Department
+
+commonName = Common Name (e.g. 
server FQDN or YOUR name)
+commonName_default = Test CA
+
+emailAddress = Email Address
+emailAddress_default = test@example.com
+
+####################################################################
+[ ca_extensions ]
+
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always, issuer
+basicConstraints = critical, CA:true
+keyUsage = critical, digitalSignature, nonRepudiation, keyCertSign, cRLSign
+EOF
+
+openssl req \
+ -config tmp/external.cfg \
+ -newkey rsa:2048 \
+ -keyout tmp/external.key \
+ -nodes \
+ -x509 \
+ -out tmp/external.crt \
+ -subj "/O=EXTERNAL/CN=External CA" \
+ -days 365
+
+openssl x509 -text -noout -in tmp/external.crt
+
+################################################################################
+# Issuing CA signing certificate
+
+cat > tmp/ca_signing-ext.cfg << EOF
+[ ca_extensions ]
+
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always, issuer
+basicConstraints = critical, CA:true
+keyUsage = critical, digitalSignature, nonRepudiation, keyCertSign, cRLSign
+EOF
+
+openssl x509 -req \
+ -CA tmp/external.crt \
+ -CAkey tmp/external.key \
+ -CAcreateserial \
+ -in tmp/ca_signing.csr \
+ -out tmp/ca_signing.crt \
+ -extfile tmp/external.cfg \
+ -extensions ca_extensions \
+ -set_serial 1
+
+openssl x509 -text -noout -in tmp/ca_signing.crt
+
+################################################################################
+# Exporting certificate chain
+
+openssl crl2pkcs7 -nocrl \
+ -certfile tmp/external.crt \
+ -out tmp/cert_chain.p7b
diff --git a/scripts/ca-external-step1.sh b/scripts/ca-external-step1.sh
index ecc8112..85ccfc7 100755
--- a/scripts/ca-external-step1.sh
+++ b/scripts/ca-external-step1.sh
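Review bot: `tmp/ca_signing-ext.cfg` is written under "Issuing CA signing certificate" but never read — the `openssl x509 -req` call right below it passes `-extfile tmp/external.cfg`, so the dedicated extension file is dead and a future edit to it would silently have no effect; either pass `-extfile tmp/ca_signing-ext.cfg` or drop that heredoc. In the same call `-CAcreateserial` and `-set_serial 1` contradict each other: with `-set_serial` given the serial file is not consulted, so every run issues serial 1 under the unchanged issuer name `/O=EXTERNAL/CN=External CA`, and two runs whose certificates land in the same NSS database collide on issuer+serial — keep `-CAcreateserial` (or `-CAserial tmp/external.srl`) and drop `-set_serial 1`. There is no `set -e`, so a failed `openssl req` does not stop the script and the signing step proceeds with whatever `tmp/external.crt`/`tmp/external.key` an earlier run left behind; `set -e` after the shebang is enough here. `-nodes` also leaves the external CA key unencrypted in `tmp/external.key`, which is acceptable for a fixture but argues for `umask 077` at the top.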
@@ -2,25 +2,6 @@ mkdir -p tmp -rm -f tmp/ca_signing.csr -rm -f tmp/ca_ocsp_signing.csr -rm -f tmp/ca_audit_signing.csr -rm -f tmp/sslserver.csr -rm -f tmp/subsystem.csr - -rm -r tmp/external.crt -rm -r tmp/cert_chain.p7b -rm -f tmp/ca_signing.crt - -rm -f tmp/example.crt -rm -f tmp/example2.crt -rm -f tmp/example.p7 -rm -f tmp/example2.p7 -rm -f tmp/example.p7b -rm -f tmp/example2.p7b -rm -f tmp/example3.csr -rm -f tmp/example3.crt - cat > tmp/ca-external-step1.cfg << EOF [DEFAULT] #pki_instance_name=pki-child @@ -53,26 +34,16 @@ pki_external_step_two=False pki_external_csr_path=$PWD/tmp/ca_signing.csr #pki_ca_signing_csr_path=$PWD/tmp/ca_signing.csr -pki_ocsp_signing_csr_path=$PWD/tmp/ca_ocsp_signing.csr -pki_audit_signing_csr_path=$PWD/tmp/ca_audit_signing.csr -pki_ssl_server_csr_path=$PWD/tmp/sslserver.csr -pki_subsystem_csr_path=$PWD/tmp/subsystem.csr - -#pki_security_domain_name=CHILD -#pki_ca_signing_csr_path=$PWD/tmp/example2.csr -#pki_ca_signing_subject_dn=CN=Child Cert,O=CHILD - -#pki_security_domain_name=GRANDCHILD -#pki_ca_signing_csr_path=$PWD/tmp/example3.csr -#pki_ca_signing_subject_dn=CN=Grandchild Cert,O=GRANDCHILD - -#pki_req_ext_add=True +#pki_ocsp_signing_csr_path=$PWD/tmp/ca_ocsp_signing.csr +#pki_audit_signing_csr_path=$PWD/tmp/ca_audit_signing.csr +#pki_sslserver_csr_path=$PWD/tmp/sslserver.csr +#pki_subsystem_csr_path=$PWD/tmp/subsystem.csr pki_ca_signing_nickname=ca_signing pki_ocsp_signing_nickname=ca_ocsp_signing pki_audit_signing_nickname=ca_audit_signing -pki_ssl_server_nickname=sslserver +pki_sslserver_nickname=sslserver pki_subsystem_nickname=subsystem EOF -pkispawn -vv -f tmp/ca-external-step1.cfg -s CA +pkispawn -f tmp/ca-external-step1.cfg -s CA -v diff --git a/scripts/ca-external-step2.sh b/scripts/ca-external-step2.sh index 0b2ca58..c94ce19 100755 --- a/scripts/ca-external-step2.sh +++ b/scripts/ca-external-step2.sh 
@@ -33,16 +33,17 @@ pki_external_step_two=True pki_external_csr_path=$PWD/tmp/ca_signing.csr pki_external_ca_cert_path=$PWD/tmp/ca_signing.crt -pki_external_ca_cert_chain_nickname=external -pki_external_ca_cert_chain_path=$PWD/tmp/external.crt +#pki_external_ca_cert_chain_nickname=external +pki_external_ca_cert_chain_nickname=Root CA Signing Certificate - ROOT +#pki_external_ca_cert_chain_nickname=External CA - EXTERNAL #pki_external_ca_cert_chain_path=$PWD/tmp/cert_chain.p7b -#pki_external_ca_cert_chain_path=$PWD/tmp/level2.crt +pki_external_ca_cert_chain_path=$PWD/tmp/external.crt pki_ca_signing_nickname=ca_signing pki_ocsp_signing_nickname=ca_ocsp_signing pki_audit_signing_nickname=ca_audit_signing -pki_ssl_server_nickname=sslserver +pki_sslserver_nickname=sslserver pki_subsystem_nickname=subsystem EOF -pkispawn -vv -f tmp/ca-external-step2.cfg -s CA +pkispawn -f tmp/ca-external-step2.cfg -s CA -v diff --git a/scripts/ca-python-test.sh b/scripts/ca-python-test.sh new file mode 100755 index 0000000..4a0d059 --- /dev/null +++ b/scripts/ca-python-test.sh @@ -0,0 +1,46 @@ +#!/bin/sh -x + +mkdir -p tmp + +pk12util \ + -d /etc/pki/pki-tomcat/alias \ + -K Secret.123 \ + -o tmp/sslserver.p12 \ + -W Secret.123 \ + -n sslserver + +openssl pkcs12 \ + -in tmp/sslserver.p12 \ + -passin pass:Secret.123 \ + -out tmp/sslserver.pem \ + -nodes + +openssl pkcs12 \ + -in tmp/sslserver.p12 \ + -passin pass:Secret.123 \ + -out tmp/sslserver.key \ + -nodes \ + -nocerts + +openssl pkcs12 \ + -in tmp/sslserver.p12 \ + -passin pass:Secret.123 \ + -out tmp/sslserver.crt \ + -clcerts \ + -nokeys + +openssl pkcs12 \ + -in tmp/sslserver.p12 \ + -passin pass:Secret.123 \ + -out tmp/sslserver.p7b \ + -nokeys + +openssl pkcs12 \ + -in tmp/sslserver.p12 \ + -passin pass:Secret.123 \ + -out tmp/sslserver.chain \ + -cacerts \ + -nokeys + +pki -c Secret.123 client-init --force +#python ca-python-test.py -- cgit
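Review bot: In `ca-external-step2.sh` the active `pki_external_ca_cert_chain_nickname=Root CA Signing Certificate - ROOT` is paired with `pki_external_ca_cert_chain_path=$PWD/tmp/external.crt`, while the commented alternative `External CA - EXTERNAL` is the one whose name matches the `/O=EXTERNAL/CN=External CA` certificate that `ca-external-openssl-sign.sh` writes to that path; if the intent is to import the openssl-generated chain, the nickname looks like it was left on the Dogtag-root variant. The nickname is only an NSS label, so this is an inference from the names rather than a certain failure, but whichever CA actually signed `tmp/ca_signing.crt` must be the one in `external.crt` or step 2 cannot build the chain. A comment above the pair, e.g. `# nickname and path must describe the CA that signed tmp/ca_signing.crt`, would make the two-way toggle safer to edit.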
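Review bot: In `ca-python-test.sh` every `pk12util -K Secret.123 … -W Secret.123`, `openssl pkcs12 -passin pass:Secret.123` and `pki -c Secret.123` call puts the password on the command line, where it is visible in `ps` and, because of `#!/bin/sh -x`, is echoed to stderr for each command in the trace. `pk12util` takes `-k <file>`/`-w <file>` and `openssl pkcs12` takes `-passin file:tmp/password.txt`, so a single password file (the sibling scripts already use `password.txt`) keeps the secret out of argv and out of the trace. `tmp/sslserver.key` and `tmp/sslserver.pem` are written with `-nodes`, i.e. the server's private key in the clear under the default umask; `umask 077` after the shebang covers all six outputs. The script also has no `set -e`, so a failed `pk12util` (for example a wrong `-d` path) leaves each later `openssl pkcs12` call working on a stale or missing `tmp/sslserver.p12`.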