From b781ff44d12fe7941db92323f70ad5999e680793 Mon Sep 17 00:00:00 2001
From: Endi Sukma Dewata
Date: Tue, 7 Aug 2012 11:26:54 -0500
Subject: Added CA clone scripts.
---
scripts/ca-clone.cfg | 231 ++++++++++++++++++++++++++++++++++++++++
scripts/ca-create.sh | 4 +-
scripts/ca-master.cfg | 231 ++++++++++++++++++++++++++++++++++++++++
scripts/ca-remove.sh | 2 +
scripts/ca.cfg | 231 ----------------------------------------
scripts/caclone-create.sh | 24 +----
scripts/caclone-remove.sh | 14 ++-
scripts/caclone-restart.sh | 3 +-
scripts/caclone-start.sh | 2 +-
scripts/caclone-stop.sh | 2 +-
scripts/cert-request-approve.sh | 7 +-
scripts/cert-request-review.sh | 7 +-
scripts/cert-request-submit.sh | 2 +-
scripts/firefox-certs-import.sh | 13 ++-
14 files changed, 498 insertions(+), 275 deletions(-)
create mode 100644 scripts/ca-clone.cfg
create mode 100644 scripts/ca-master.cfg
delete mode 100644 scripts/ca.cfg
(limited to 'scripts')
diff --git a/scripts/ca-clone.cfg b/scripts/ca-clone.cfg
new file mode 100644
index 0000000..7d0c6eb
--- /dev/null
+++ b/scripts/ca-clone.cfg
@@ -0,0 +1,231 @@
+###############################################################################
+## 'Sensitive' Data: ##
+## ##
+## Values in this section pertain to various PKI subsystems, and contain ##
+## required 'sensitive' information which MUST ALWAYS be provided by users. ##
+## ##
+## IMPORTANT: Sensitive data values must NEVER be displayed to the ##
+## console NOR stored in log files!!! ##
+###############################################################################
+[Sensitive]
+pki_admin_password=Secret123
+pki_backup_password=Secret123
+pki_client_database_password=Secret123
+pki_client_pkcs12_password=Secret123
+pki_clone_pkcs12_password=Secret123
+pki_ds_password=Secret123
+pki_security_domain_password=Secret123
+pki_token_password=Secret123
+###############################################################################
+## 'Common' Data: ##
+## ##
+## Values in this section are common to more than one PKI subsystem, and ##
+## contain required information which MAY be overridden by users as ##
+## necessary. ##
+## ##
+## NOTE: Default values will be generated for any and all required ##
+## 'common' data values which are left undefined. ##
+###############################################################################
+[Common]
+pki_admin_cert_request_type=crmf
+pki_admin_domain_name=
+pki_admin_dualkey=False
+pki_admin_email=admin@example.com
+pki_admin_keysize=2048
+pki_admin_name=admin
+pki_admin_nickname=admin
+pki_admin_subject_dn=
+pki_admin_uid=admin
+pki_audit_group=pkiaudit
+pki_audit_signing_key_algorithm=SHA256withRSA
+pki_audit_signing_key_size=2048
+pki_audit_signing_key_type=rsa
+pki_audit_signing_nickname=
+pki_audit_signing_signing_algorithm=SHA256withRSA
+pki_audit_signing_subject_dn=
+pki_audit_signing_token=
+pki_backup_keys=False
+pki_client_database_dir=../../certs/pki-clone
+pki_client_database_purge=False
+pki_client_dir=
+pki_ds_base_dn=dc=pki-clone,dc=example,dc=com
+pki_ds_bind_dn=cn=Directory Manager
+pki_ds_database=
+pki_ds_hostname=
+pki_ds_ldap_port=390
+pki_ds_ldaps_port=637
+pki_ds_remove_data=True
+pki_ds_secure_connection=False
+pki_group=pkiuser
+pki_restart_configured_instance=True
+pki_security_domain_hostname=
+pki_security_domain_https_port=8443
+pki_security_domain_name=EXAMPLE
+pki_security_domain_user=admin
+pki_ssl_server_key_algorithm=SHA256withRSA
+pki_ssl_server_key_size=2048
+pki_ssl_server_key_type=rsa
+pki_ssl_server_nickname=
+pki_ssl_server_subject_dn=
+pki_ssl_server_token=
+pki_subsystem_key_algorithm=SHA256withRSA
+pki_subsystem_key_size=2048
+pki_subsystem_key_type=rsa
+pki_subsystem_nickname=
+pki_subsystem_subject_dn=
+pki_subsystem_token=
+pki_token_name=internal
+pki_user=pkiuser
+###############################################################################
+## 'Apache' Data: ##
+## ##
+## Values in this section are common to PKI subsystems that run ##
+## as an instance of 'Apache' (RA and TPS subsystems), and contain ##
+## required information which MAY be overridden by users as necessary. ##
+###############################################################################
+[Apache]
+pki_instance_name=pki-apache
+pki_http_port=80
+pki_https_port=443
+###############################################################################
+## 'Tomcat' Data: ##
+## ##
+## Values in this section are common to PKI subsystems that run ##
+## as an instance of 'Tomcat' (CA, KRA, OCSP, and TKS subsystems ##
+## including 'Clones', 'Subordinate CAs', and 'External CAs'), and contain ##
+## required information which MAY be overridden by users as necessary. ##
+## ##
+## PKI CLONES: To specify a 'CA Clone', a 'KRA Clone', an 'OCSP Clone', ##
+## or a 'TKS Clone', change the value of 'pki_clone' ##
+## from 'False' to 'True'. ##
+## ##
+## REMINDER: PKI CA Clones, Subordinate CAs, and External CAs ##
+## are MUTUALLY EXCLUSIVE entities!!! ##
+###############################################################################
+[Tomcat]
+pki_ajp_port=8010
+pki_clone=False
+pki_clone_pkcs12_path=
+pki_clone_replication_security=None
+pki_clone_uri=
+pki_enable_java_debugger=False
+pki_enable_proxy=False
+pki_http_port=8013
+pki_https_port=8015
+pki_instance_name=pki-clone
+pki_proxy_http_port=80
+pki_proxy_https_port=443
+pki_security_manager=false
+pki_tomcat_server_port=8019
+###############################################################################
+## 'CA' Data: ##
+## ##
+## Values in this section are common to CA subsystems including 'PKI CAs', ##
+## 'Cloned CAs', 'Subordinate CAs', and 'External CAs', and contain ##
+## required information which MAY be overridden by users as necessary. ##
+## ##
+## EXTERNAL CAs: To specify an 'External CA', change the value ##
+## of 'pki_external' from 'False' to 'True'. ##
+## ##
+## SUBORDINATE CAs: To specify a 'Subordinate CA', change the value ##
+## of 'pki_subordinate' from 'False' to 'True'. ##
+## ##
+## REMINDER: PKI CA Clones, Subordinate CAs, and External CAs ##
+## are MUTUALLY EXCLUSIVE entities!!! ##
+###############################################################################
+[CA]
+pki_ca_signing_key_algorithm=SHA256withRSA
+pki_ca_signing_key_size=2048
+pki_ca_signing_key_type=rsa
+pki_ca_signing_nickname=
+pki_ca_signing_signing_algorithm=SHA256withRSA
+pki_ca_signing_subject_dn=
+pki_ca_signing_token=
+pki_external=False
+pki_external_ca_cert_chain_path=
+pki_external_ca_cert_path=
+pki_external_csr_path=
+pki_external_step_two=False
+pki_ocsp_signing_key_algorithm=SHA256withRSA
+pki_ocsp_signing_key_size=2048
+pki_ocsp_signing_key_type=rsa
+pki_ocsp_signing_nickname=
+pki_ocsp_signing_signing_algorithm=SHA256withRSA
+pki_ocsp_signing_subject_dn=
+pki_ocsp_signing_token=
+pki_subordinate=False
+pki_subsystem=CA
+pki_subsystem_name=
+pki_war_file=ca.war
+###############################################################################
+## 'KRA' Data: ##
+## ##
+## Values in this section are common to KRA subsystems ##
+## including 'PKI KRAs' and 'Cloned KRAs', and contain ##
+## required information which MAY be overridden by users as necessary. ##
+###############################################################################
+[KRA]
+pki_storage_key_algorithm=SHA256withRSA
+pki_storage_key_size=2048
+pki_storage_key_type=rsa
+pki_storage_nickname=
+pki_storage_signing_algorithm=SHA256withRSA
+pki_storage_subject_dn=
+pki_storage_token=
+pki_subsystem=KRA
+pki_subsystem_name=
+pki_transport_key_algorithm=SHA256withRSA
+pki_transport_key_size=2048
+pki_transport_key_type=rsa
+pki_transport_nickname=
+pki_transport_signing_algorithm=SHA256withRSA
+pki_transport_subject_dn=
+pki_transport_token=
+pki_war_file=kra.war
+###############################################################################
+## 'OCSP' Data: ##
+## ##
+## Values in this section are common to OCSP subsystems ##
+## including 'PKI OCSPs' and 'Cloned OCSPs', and contain ##
+## required information which MAY be overridden by users as necessary. ##
+###############################################################################
+[OCSP]
+pki_ocsp_signing_key_algorithm=SHA256withRSA
+pki_ocsp_signing_key_size=2048
+pki_ocsp_signing_key_type=rsa
+pki_ocsp_signing_nickname=
+pki_ocsp_signing_signing_algorithm=SHA256withRSA
+pki_ocsp_signing_subject_dn=
+pki_ocsp_signing_token=
+pki_subsystem=OCSP
+pki_subsystem_name=
+pki_war_file=ocsp.war
+###############################################################################
+## 'RA' Data: ##
+## ##
+## Values in this section are common to PKI RA subsystems, and contain ##
+## required information which MAY be overridden by users as necessary. ##
+###############################################################################
+[RA]
+pki_subsystem=RA
+pki_subsystem_name=
+###############################################################################
+## 'TKS' Data: ##
+## ##
+## Values in this section are common to TKS subsystems ##
+## including 'PKI TKSs' and 'Cloned TKSs', and contain ##
+## required information which MAY be overridden by users as necessary. ##
+###############################################################################
+[TKS]
+pki_subsystem=TKS
+pki_subsystem_name=
+pki_war_file=tks.war
+###############################################################################
+## 'TPS' Data: ##
+## ##
+## Values in this section are common to PKI TPS subsystems, and contain ##
+## required information which MAY be overridden by users as necessary. ##
+###############################################################################
+[TPS]
+pki_subsystem=TPS
+pki_subsystem_name=
diff --git a/scripts/ca-create.sh b/scripts/ca-create.sh
index b131f3d..12a7d75 100755
--- a/scripts/ca-create.sh
+++ b/scripts/ca-create.sh
@@ -1,5 +1,3 @@
 #!/bin/sh -x
-pkispawn -f ca.cfg -s CA -v
-
-./ca-restart.sh
+pkispawn -f ca-master.cfg -s CA -v
diff --git a/scripts/ca-master.cfg b/scripts/ca-master.cfg
new file mode 100644
index 0000000..477dd2a
--- /dev/null
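Review bot: ca-clone.cfg leaves `pki_clone=False` with `pki_clone_uri=` and `pki_clone_pkcs12_path=` empty, so `pkispawn -f ca-clone.cfg -s CA` (caclone-create.sh) would appear to provision a second standalone CA rather than a clone of pki-master unless those values are supplied some other way; the [Tomcat] header in this same file says to flip `pki_clone` to `True` for a clone, and `pki_security_domain_hostname=` presumably also needs to name the master. Separately, every entry in [Sensitive] is the literal `Secret123` in a committed mode-100644 file, here and in ca-master.cfg, while the section's own header says these values must never be exposed. A comment at the top of [Sensitive] such as `# development-only placeholder passwords; not for any shared or long-lived instance` would at least make that intent explicit to the next reader.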
+++ b/scripts/ca-master.cfg 
@@ -0,0 +1,231 @@
+###############################################################################
+## 'Sensitive' Data: ##
+## ##
+## Values in this section pertain to various PKI subsystems, and contain ##
+## required 'sensitive' information which MUST ALWAYS be provided by users. ##
+## ##
+## IMPORTANT: Sensitive data values must NEVER be displayed to the ##
+## console NOR stored in log files!!! ##
+###############################################################################
+[Sensitive]
+pki_admin_password=Secret123
+pki_backup_password=Secret123
+pki_client_database_password=Secret123
+pki_client_pkcs12_password=Secret123
+pki_clone_pkcs12_password=Secret123
+pki_ds_password=Secret123
+pki_security_domain_password=Secret123
+pki_token_password=Secret123
+###############################################################################
+## 'Common' Data: ##
+## ##
+## Values in this section are common to more than one PKI subsystem, and ##
+## contain required information which MAY be overridden by users as ##
+## necessary. ##
+## ##
+## NOTE: Default values will be generated for any and all required ##
+## 'common' data values which are left undefined. ##
+###############################################################################
+[Common]
+pki_admin_cert_request_type=crmf
+pki_admin_domain_name=
+pki_admin_dualkey=False
+pki_admin_email=admin@example.com
+pki_admin_keysize=2048
+pki_admin_name=admin
+pki_admin_nickname=admin
+pki_admin_subject_dn=
+pki_admin_uid=admin
+pki_audit_group=pkiaudit
+pki_audit_signing_key_algorithm=SHA256withRSA
+pki_audit_signing_key_size=2048
+pki_audit_signing_key_type=rsa
+pki_audit_signing_nickname=
+pki_audit_signing_signing_algorithm=SHA256withRSA
+pki_audit_signing_subject_dn=
+pki_audit_signing_token=
+pki_backup_keys=False
+pki_client_database_dir=../../certs/pki-master
+pki_client_database_purge=False
+pki_client_dir=
+pki_ds_base_dn=dc=pki-master,dc=example,dc=com
+pki_ds_bind_dn=cn=Directory Manager
+pki_ds_database=
+pki_ds_hostname=
+pki_ds_ldap_port=389
+pki_ds_ldaps_port=636
+pki_ds_remove_data=True
+pki_ds_secure_connection=False
+pki_group=pkiuser
+pki_restart_configured_instance=True
+pki_security_domain_hostname=
+pki_security_domain_https_port=8443
+pki_security_domain_name=EXAMPLE
+pki_security_domain_user=admin
+pki_ssl_server_key_algorithm=SHA256withRSA
+pki_ssl_server_key_size=2048
+pki_ssl_server_key_type=rsa
+pki_ssl_server_nickname=
+pki_ssl_server_subject_dn=
+pki_ssl_server_token=
+pki_subsystem_key_algorithm=SHA256withRSA
+pki_subsystem_key_size=2048
+pki_subsystem_key_type=rsa
+pki_subsystem_nickname=
+pki_subsystem_subject_dn=
+pki_subsystem_token=
+pki_token_name=internal
+pki_user=pkiuser
+###############################################################################
+## 'Apache' Data: ##
+## ##
+## Values in this section are common to PKI subsystems that run ##
+## as an instance of 'Apache' (RA and TPS subsystems), and contain ##
+## required information which MAY be overridden by users as necessary. ##
+###############################################################################
+[Apache]
+pki_instance_name=pki-apache
+pki_http_port=80
+pki_https_port=443
+###############################################################################
+## 'Tomcat' Data: ##
+## ##
+## Values in this section are common to PKI subsystems that run ##
+## as an instance of 'Tomcat' (CA, KRA, OCSP, and TKS subsystems ##
+## including 'Clones', 'Subordinate CAs', and 'External CAs'), and contain ##
+## required information which MAY be overridden by users as necessary. ##
+## ##
+## PKI CLONES: To specify a 'CA Clone', a 'KRA Clone', an 'OCSP Clone', ##
+## or a 'TKS Clone', change the value of 'pki_clone' ##
+## from 'False' to 'True'. ##
+## ##
+## REMINDER: PKI CA Clones, Subordinate CAs, and External CAs ##
+## are MUTUALLY EXCLUSIVE entities!!! ##
+###############################################################################
+[Tomcat]
+pki_ajp_port=8009
+pki_clone=False
+pki_clone_pkcs12_path=
+pki_clone_replication_security=None
+pki_clone_uri=
+pki_enable_java_debugger=False
+pki_enable_proxy=False
+pki_http_port=8080
+pki_https_port=8443
+pki_instance_name=pki-master
+pki_proxy_http_port=80
+pki_proxy_https_port=443
+pki_security_manager=false
+pki_tomcat_server_port=8005
+###############################################################################
+## 'CA' Data: ##
+## ##
+## Values in this section are common to CA subsystems including 'PKI CAs', ##
+## 'Cloned CAs', 'Subordinate CAs', and 'External CAs', and contain ##
+## required information which MAY be overridden by users as necessary. ##
+## ##
+## EXTERNAL CAs: To specify an 'External CA', change the value ##
+## of 'pki_external' from 'False' to 'True'. ##
+## ##
+## SUBORDINATE CAs: To specify a 'Subordinate CA', change the value ##
+## of 'pki_subordinate' from 'False' to 'True'. ##
+## ##
+## REMINDER: PKI CA Clones, Subordinate CAs, and External CAs ##
+## are MUTUALLY EXCLUSIVE entities!!! ##
+###############################################################################
+[CA]
+pki_ca_signing_key_algorithm=SHA256withRSA
+pki_ca_signing_key_size=2048
+pki_ca_signing_key_type=rsa
+pki_ca_signing_nickname=
+pki_ca_signing_signing_algorithm=SHA256withRSA
+pki_ca_signing_subject_dn=
+pki_ca_signing_token=
+pki_external=False
+pki_external_ca_cert_chain_path=
+pki_external_ca_cert_path=
+pki_external_csr_path=
+pki_external_step_two=False
+pki_ocsp_signing_key_algorithm=SHA256withRSA
+pki_ocsp_signing_key_size=2048
+pki_ocsp_signing_key_type=rsa
+pki_ocsp_signing_nickname=
+pki_ocsp_signing_signing_algorithm=SHA256withRSA
+pki_ocsp_signing_subject_dn=
+pki_ocsp_signing_token=
+pki_subordinate=False
+pki_subsystem=CA
+pki_subsystem_name=
+pki_war_file=ca.war
+###############################################################################
+## 'KRA' Data: ##
+## ##
+## Values in this section are common to KRA subsystems ##
+## including 'PKI KRAs' and 'Cloned KRAs', and contain ##
+## required information which MAY be overridden by users as necessary. ##
+###############################################################################
+[KRA]
+pki_storage_key_algorithm=SHA256withRSA
+pki_storage_key_size=2048
+pki_storage_key_type=rsa
+pki_storage_nickname=
+pki_storage_signing_algorithm=SHA256withRSA
+pki_storage_subject_dn=
+pki_storage_token=
+pki_subsystem=KRA
+pki_subsystem_name=
+pki_transport_key_algorithm=SHA256withRSA
+pki_transport_key_size=2048
+pki_transport_key_type=rsa
+pki_transport_nickname=
+pki_transport_signing_algorithm=SHA256withRSA
+pki_transport_subject_dn=
+pki_transport_token=
+pki_war_file=kra.war
+###############################################################################
+## 'OCSP' Data: ##
+## ##
+## Values in this section are common to OCSP subsystems ##
+## including 'PKI OCSPs' and 'Cloned OCSPs', and contain ##
+## required information which MAY be overridden by users as necessary. ##
+###############################################################################
+[OCSP]
+pki_ocsp_signing_key_algorithm=SHA256withRSA
+pki_ocsp_signing_key_size=2048
+pki_ocsp_signing_key_type=rsa
+pki_ocsp_signing_nickname=
+pki_ocsp_signing_signing_algorithm=SHA256withRSA
+pki_ocsp_signing_subject_dn=
+pki_ocsp_signing_token=
+pki_subsystem=OCSP
+pki_subsystem_name=
+pki_war_file=ocsp.war
+###############################################################################
+## 'RA' Data: ##
+## ##
+## Values in this section are common to PKI RA subsystems, and contain ##
+## required information which MAY be overridden by users as necessary. ##
+###############################################################################
+[RA]
+pki_subsystem=RA
+pki_subsystem_name=
+###############################################################################
+## 'TKS' Data: ##
+## ##
+## Values in this section are common to TKS subsystems ##
+## including 'PKI TKSs' and 'Cloned TKSs', and contain ##
+## required information which MAY be overridden by users as necessary. ##
+###############################################################################
+[TKS]
+pki_subsystem=TKS
+pki_subsystem_name=
+pki_war_file=tks.war
+###############################################################################
+## 'TPS' Data: ##
+## ##
+## Values in this section are common to PKI TPS subsystems, and contain ##
+## required information which MAY be overridden by users as necessary. ##
+###############################################################################
+[TPS]
+pki_subsystem=TPS
+pki_subsystem_name=
diff --git a/scripts/ca-remove.sh b/scripts/ca-remove.sh
index 8394720..6c90c78 100755
--- a/scripts/ca-remove.sh
+++ b/scripts/ca-remove.sh
@@ -1,5 +1,6 @@
 #!/bin/sh -x
+SRC_DIR=`cd ../.. ; pwd`
 INSTANCE_NAME=pki-master
 pkidestroy -s CA -i $INSTANCE_NAME
@@ -9,3 +10,4 @@ rm -rf /etc/sysconfig/$INSTANCE_NAME
 rm -rf /etc/sysconfig/pki/tomcat/$INSTANCE_NAME
 rm -rf /var/lib/pki/$INSTANCE_NAME
 rm -rf /var/log/pki/$INSTANCE_NAME
+rm -rf $SRC_DIR/certs/$INSTANCE_NAME
diff --git a/scripts/ca.cfg b/scripts/ca.cfg
deleted file mode 100644
index c0899e3..0000000
--- a/scripts/ca.cfg
+++ /dev/null
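Review bot: `rm -rf $SRC_DIR/certs/$INSTANCE_NAME` depends on `SRC_DIR=\`cd ../.. ; pwd\`` from the previous hunk, where a failed `cd` is ignored and `pwd` then reports whatever directory the script was started from, so the delete runs against a `certs/` path relative to the wrong location instead of stopping; the unquoted expansion also word-splits if the checkout path contains spaces. I would write `SRC_DIR=$(cd ../.. && pwd) || exit 1` and `rm -rf -- "${SRC_DIR:?}/certs/${INSTANCE_NAME:?}"`. caclone-remove.sh in this commit adds the same two lines and has the same issue.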
@@ -1,231 +0,0 @@
-###############################################################################
-## 'Sensitive' Data: ##
-## ##
-## Values in this section pertain to various PKI subsystems, and contain ##
-## required 'sensitive' information which MUST ALWAYS be provided by users. ##
-## ##
-## IMPORTANT: Sensitive data values must NEVER be displayed to the ##
-## console NOR stored in log files!!! ##
-###############################################################################
-[Sensitive]
-pki_admin_password=Secret123
-pki_backup_password=Secret123
-pki_client_database_password=Secret123
-pki_client_pkcs12_password=Secret123
-pki_clone_pkcs12_password=Secret123
-pki_ds_password=Secret123
-pki_security_domain_password=Secret123
-pki_token_password=Secret123
-###############################################################################
-## 'Common' Data: ##
-## ##
-## Values in this section are common to more than one PKI subsystem, and ##
-## contain required information which MAY be overridden by users as ##
-## necessary. ##
-## ##
-## NOTE: Default values will be generated for any and all required ##
-## 'common' data values which are left undefined. ##
-###############################################################################
-[Common]
-pki_admin_cert_request_type=crmf
-pki_admin_domain_name=
-pki_admin_dualkey=False
-pki_admin_email=
-pki_admin_keysize=2048
-pki_admin_name=admin
-pki_admin_nickname=admin
-pki_admin_subject_dn=
-pki_admin_uid=admin
-pki_audit_group=pkiaudit
-pki_audit_signing_key_algorithm=SHA256withRSA
-pki_audit_signing_key_size=2048
-pki_audit_signing_key_type=rsa
-pki_audit_signing_nickname=
-pki_audit_signing_signing_algorithm=SHA256withRSA
-pki_audit_signing_subject_dn=
-pki_audit_signing_token=
-pki_backup_keys=False
-pki_client_database_dir=
-pki_client_database_purge=False
-pki_client_dir=
-pki_ds_base_dn=
-pki_ds_bind_dn=cn=Directory Manager
-pki_ds_database=
-pki_ds_hostname=
-pki_ds_ldap_port=389
-pki_ds_ldaps_port=636
-pki_ds_remove_data=True
-pki_ds_secure_connection=False
-pki_group=pkiuser
-pki_restart_configured_instance=True
-pki_security_domain_hostname=
-pki_security_domain_https_port=8443
-pki_security_domain_name=EXAMPLE
-pki_security_domain_user=admin
-pki_ssl_server_key_algorithm=SHA256withRSA
-pki_ssl_server_key_size=2048
-pki_ssl_server_key_type=rsa
-pki_ssl_server_nickname=
-pki_ssl_server_subject_dn=
-pki_ssl_server_token=
-pki_subsystem_key_algorithm=SHA256withRSA
-pki_subsystem_key_size=2048
-pki_subsystem_key_type=rsa
-pki_subsystem_nickname=
-pki_subsystem_subject_dn=
-pki_subsystem_token=
-pki_token_name=internal
-pki_user=pkiuser
-###############################################################################
-## 'Apache' Data: ##
-## ##
-## Values in this section are common to PKI subsystems that run ##
-## as an instance of 'Apache' (RA and TPS subsystems), and contain ##
-## required information which MAY be overridden by users as necessary. ##
-###############################################################################
-[Apache]
-pki_instance_name=pki-apache
-pki_http_port=80
-pki_https_port=443
-###############################################################################
-## 'Tomcat' Data: ##
-## ##
-## Values in this section are common to PKI subsystems that run ##
-## as an instance of 'Tomcat' (CA, KRA, OCSP, and TKS subsystems ##
-## including 'Clones', 'Subordinate CAs', and 'External CAs'), and contain ##
-## required information which MAY be overridden by users as necessary. ##
-## ##
-## PKI CLONES: To specify a 'CA Clone', a 'KRA Clone', an 'OCSP Clone', ##
-## or a 'TKS Clone', change the value of 'pki_clone' ##
-## from 'False' to 'True'. ##
-## ##
-## REMINDER: PKI CA Clones, Subordinate CAs, and External CAs ##
-## are MUTUALLY EXCLUSIVE entities!!! ##
-###############################################################################
-[Tomcat]
-pki_ajp_port=8010
-pki_clone=False
-pki_clone_pkcs12_path=
-pki_clone_replication_security=None
-pki_clone_uri=
-pki_enable_java_debugger=False
-pki_enable_proxy=False
-pki_http_port=8013
-pki_https_port=8015
-pki_instance_name=pki-master
-pki_proxy_http_port=80
-pki_proxy_https_port=443
-pki_security_manager=false
-pki_tomcat_server_port=8019
-###############################################################################
-## 'CA' Data: ##
-## ##
-## Values in this section are common to CA subsystems including 'PKI CAs', ##
-## 'Cloned CAs', 'Subordinate CAs', and 'External CAs', and contain ##
-## required information which MAY be overridden by users as necessary. ##
-## ##
-## EXTERNAL CAs: To specify an 'External CA', change the value ##
-## of 'pki_external' from 'False' to 'True'. ##
-## ##
-## SUBORDINATE CAs: To specify a 'Subordinate CA', change the value ##
-## of 'pki_subordinate' from 'False' to 'True'. ##
-## ##
-## REMINDER: PKI CA Clones, Subordinate CAs, and External CAs ##
-## are MUTUALLY EXCLUSIVE entities!!! ##
-###############################################################################
-[CA]
-pki_ca_signing_key_algorithm=SHA256withRSA
-pki_ca_signing_key_size=2048
-pki_ca_signing_key_type=rsa
-pki_ca_signing_nickname=
-pki_ca_signing_signing_algorithm=SHA256withRSA
-pki_ca_signing_subject_dn=
-pki_ca_signing_token=
-pki_external=False
-pki_external_ca_cert_chain_path=
-pki_external_ca_cert_path=
-pki_external_csr_path=
-pki_external_step_two=False
-pki_ocsp_signing_key_algorithm=SHA256withRSA
-pki_ocsp_signing_key_size=2048
-pki_ocsp_signing_key_type=rsa
-pki_ocsp_signing_nickname=
-pki_ocsp_signing_signing_algorithm=SHA256withRSA
-pki_ocsp_signing_subject_dn=
-pki_ocsp_signing_token=
-pki_subordinate=False
-pki_subsystem=CA
-pki_subsystem_name=
-pki_war_file=ca.war
-###############################################################################
-## 'KRA' Data: ##
-## ##
-## Values in this section are common to KRA subsystems ##
-## including 'PKI KRAs' and 'Cloned KRAs', and contain ##
-## required information which MAY be overridden by users as necessary. ##
-###############################################################################
-[KRA]
-pki_storage_key_algorithm=SHA256withRSA
-pki_storage_key_size=2048
-pki_storage_key_type=rsa
-pki_storage_nickname=
-pki_storage_signing_algorithm=SHA256withRSA
-pki_storage_subject_dn=
-pki_storage_token=
-pki_subsystem=KRA
-pki_subsystem_name=
-pki_transport_key_algorithm=SHA256withRSA
-pki_transport_key_size=2048
-pki_transport_key_type=rsa
-pki_transport_nickname=
-pki_transport_signing_algorithm=SHA256withRSA
-pki_transport_subject_dn=
-pki_transport_token=
-pki_war_file=kra.war
-###############################################################################
-## 'OCSP' Data: ##
-## ##
-## Values in this section are common to OCSP subsystems ##
-## including 'PKI OCSPs' and 'Cloned OCSPs', and contain ##
-## required information which MAY be overridden by users as necessary. ##
-###############################################################################
-[OCSP]
-pki_ocsp_signing_key_algorithm=SHA256withRSA
-pki_ocsp_signing_key_size=2048
-pki_ocsp_signing_key_type=rsa
-pki_ocsp_signing_nickname=
-pki_ocsp_signing_signing_algorithm=SHA256withRSA
-pki_ocsp_signing_subject_dn=
-pki_ocsp_signing_token=
-pki_subsystem=OCSP
-pki_subsystem_name=
-pki_war_file=ocsp.war
-###############################################################################
-## 'RA' Data: ##
-## ##
-## Values in this section are common to PKI RA subsystems, and contain ##
-## required information which MAY be overridden by users as necessary. ##
-###############################################################################
-[RA]
-pki_subsystem=RA
-pki_subsystem_name=
-###############################################################################
-## 'TKS' Data: ##
-## ##
-## Values in this section are common to TKS subsystems ##
-## including 'PKI TKSs' and 'Cloned TKSs', and contain ##
-## required information which MAY be overridden by users as necessary. ##
-###############################################################################
-[TKS]
-pki_subsystem=TKS
-pki_subsystem_name=
-pki_war_file=tks.war
-###############################################################################
-## 'TPS' Data: ##
-## ##
-## Values in this section are common to PKI TPS subsystems, and contain ##
-## required information which MAY be overridden by users as necessary. ##
-###############################################################################
-[TPS]
-pki_subsystem=TPS
-pki_subsystem_name=
diff --git a/scripts/caclone-create.sh b/scripts/caclone-create.sh
index 757271f..7a3bf12 100755
--- a/scripts/caclone-create.sh
+++ b/scripts/caclone-create.sh
@@ -1,25 +1,3 @@
 #!/bin/sh -x
-SRC_DIR=`cd ../.. ; pwd`
-
-INSTANCE_NAME=pki-caclone
-
-pkicreate -pki_instance_root=/var/lib \
- -pki_instance_name=$INSTANCE_NAME \
- -subsystem_type=ca \
- -secure_port=9444 \
- -unsecure_port=9181 \
- -tomcat_server_port=9702 \
- -user=pkiuser \
- -group=pkiuser \
- -redirect conf=/etc/$INSTANCE_NAME \
- -redirect logs=/var/log/$INSTANCE_NAME \
- -verbose
-
-ln -s /usr/share/tomcat6/bin /var/lib/$INSTANCE_NAME/bin
-ln -s /usr/share/tomcat6/lib /var/lib/$INSTANCE_NAME/lib
-rm -f /var/lib/$INSTANCE_NAME/webapps/ca/WEB-INF/lib/pki-*
-ln -s $SRC_DIR/pki/build/classes /var/lib/$INSTANCE_NAME/webapps/ca/WEB-INF/classes
-
-systemctl restart pki-cad@$INSTANCE_NAME.service
-
+pkispawn -f ca-clone.cfg -s CA -v
diff --git a/scripts/caclone-remove.sh b/scripts/caclone-remove.sh
index 43523e6..cedd353 100755
--- a/scripts/caclone-remove.sh
+++ b/scripts/caclone-remove.sh
@@ -1,5 +1,13 @@
 #!/bin/sh -x
-pkiremove -pki_instance_root=/var/lib\
- -pki_instance_name=pki-caclone\
- -force
+SRC_DIR=`cd ../.. ; pwd`
+INSTANCE_NAME=pki-clone
+
+pkidestroy -s CA -i $INSTANCE_NAME
+
+rm -rf /etc/pki/$INSTANCE_NAME
+rm -rf /etc/sysconfig/$INSTANCE_NAME
+rm -rf /etc/sysconfig/pki/tomcat/$INSTANCE_NAME
+rm -rf /var/lib/pki/$INSTANCE_NAME
+rm -rf /var/log/pki/$INSTANCE_NAME
+rm -rf $SRC_DIR/certs/$INSTANCE_NAME
diff --git a/scripts/caclone-restart.sh b/scripts/caclone-restart.sh
index 1ac3797..7c65fb1 100755
--- a/scripts/caclone-restart.sh
+++ b/scripts/caclone-restart.sh
@@ -1,3 +1,4 @@
 #!/bin/sh -x
-systemctl restart pki-cad@pki-caclone.service
+./caclone-stop.sh
+./caclone-start.sh
diff --git a/scripts/caclone-start.sh b/scripts/caclone-start.sh
index 037f171..9ebfd59 100755
--- a/scripts/caclone-start.sh
+++ b/scripts/caclone-start.sh
@@ -1,3 +1,3 @@
 #!/bin/sh -x
-systemctl start pki-cad@pki-caclone.service
+systemctl start pki-tomcatd@ca-clone.service
diff --git a/scripts/caclone-stop.sh b/scripts/caclone-stop.sh
index d4d1c36..63e7b51 100755
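Review bot: caclone-start.sh now starts `pki-tomcatd@ca-clone.service`, but the instance this commit provisions is named `pki-clone` (`pki_instance_name=pki-clone` in ca-clone.cfg and `INSTANCE_NAME=pki-clone` in caclone-remove.sh), so the unit name does not match the instance name used everywhere else. If the pki-tomcatd template unit is keyed by instance name, as the `/var/lib/pki/$INSTANCE_NAME` paths in the remove scripts suggest, this should read `systemctl start pki-tomcatd@pki-clone.service`. caclone-stop.sh in this commit carries the same `ca-clone` name and would need the same correction, otherwise caclone-restart.sh stops and starts a unit that does not exist.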
--- a/scripts/caclone-stop.sh
+++ b/scripts/caclone-stop.sh
@@ -1,3 +1,3 @@
 #!/bin/sh -x
-systemctl stop pki-cad@pki-caclone.service
+systemctl stop pki-tomcatd@ca-clone.service
diff --git a/scripts/cert-request-approve.sh b/scripts/cert-request-approve.sh
index dd0413a..be9b9bf 100755
--- a/scripts/cert-request-approve.sh
+++ b/scripts/cert-request-approve.sh
@@ -1,9 +1,8 @@
 #!/bin/sh
+SRC_DIR=`cd ../.. ; pwd`
 INSTANCE_NAME=pki-master
-TEST_DIR=/tmp/${INSTANCE_NAME}_client
-CLIENT_CERT_DIR=$TEST_DIR/alias
-CLIENT_CERT_PASSWORD=`cat $TEST_DIR/password.conf`
+CLIENT_CERT_DIR=$SRC_DIR/certs/$INSTANCE_NAME
 # Approve request as an agent
-pki -U https://localhost:8015/ca -d $CLIENT_CERT_DIR -w $CLIENT_CERT_PASSWORD -n admin cert-request-approve cert-request-review.xml
+pki -v -d $CLIENT_CERT_DIR -w Secret123 -n admin cert-request-approve cert-request-review.xml
diff --git a/scripts/cert-request-review.sh b/scripts/cert-request-review.sh
index a90be39..0bc736f 100755
--- a/scripts/cert-request-review.sh
+++ b/scripts/cert-request-review.sh
@@ -2,10 +2,9 @@
 REQUEST_ID=$1
+SRC_DIR=`cd ../.. ; pwd`
 INSTANCE_NAME=pki-master
-TEST_DIR=/tmp/${INSTANCE_NAME}_client
-CLIENT_CERT_DIR=$TEST_DIR/alias
-CLIENT_CERT_PASSWORD=`cat $TEST_DIR/password.conf`
+CLIENT_CERT_DIR=$SRC_DIR/certs/$INSTANCE_NAME
 # Review request as an agent
-pki -U https://localhost:8015/ca -d $CLIENT_CERT_DIR -w $CLIENT_CERT_PASSWORD -n admin cert-request-review $REQUEST_ID --output cert-request-review.xml
+pki -v -d $CLIENT_CERT_DIR -w Secret123 -n admin cert-request-review $REQUEST_ID --output cert-request-review.xml
diff --git a/scripts/cert-request-submit.sh b/scripts/cert-request-submit.sh
index 8ef8a2d..56d8baf 100755
--- a/scripts/cert-request-submit.sh
+++ b/scripts/cert-request-submit.sh
@@ -1,4 +1,4 @@
 #!/bin/sh
 # Submit request anonymously
-pki -U http://localhost:8013/ca cert-request-submit cert-request.xml
+pki -v cert-request-submit cert-request.xml
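Review bot: the new `pki` line in cert-request-approve.sh passes the client NSS database password as a literal `-w Secret123` on the command line, replacing the previous read from `$TEST_DIR/password.conf`; a password in argv is visible to every local user through the process list and lands in shell history, and the literal now has to be kept in sync with `pki_client_database_password` in ca-master.cfg by hand. Since firefox-certs-import.sh in this commit writes a password file to `$CLIENT_CERT_DIR/password.txt` (presumably the same value), the script could read it from there, `-w "$(cat "$CLIENT_CERT_DIR/password.txt")"`, or better use the CLI's password-file option if this version of `pki` provides one so the secret never appears in argv. cert-request-review.sh has the identical change. Dropping `-U` also means the CA URL now comes from pki's built-in default, which is only correct if that default lines up with the master's new 8080/8443 ports from ca-master.cfg.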
diff --git a/scripts/firefox-certs-import.sh b/scripts/firefox-certs-import.sh
index 35b6939..af25540 100755
--- a/scripts/firefox-certs-import.sh
+++ b/scripts/firefox-certs-import.sh
@@ -2,13 +2,20 @@
 . ./ca-include.sh
+SRC_DIR=`cd ../.. ; pwd`
+INSTANCE_NAME=pki-master
+
 FIREFOX_DIR=~/.mozilla/firefox
 PROFILE=`grep Path= $FIREFOX_DIR/profiles.ini | awk -F= '{print $2}'`
-CLIENT_DIR=/tmp/pki-master_client
-input=$CLIENT_DIR/ca_admin_cert.p12
+CLIENT_CERT_DIR=$SRC_DIR/certs/$INSTANCE_NAME
+CLIENT_CERT_PASSWORD=$CLIENT_CERT_DIR/password.txt
+CLIENT_CERT_PK12=$CLIENT_CERT_DIR/admin.p12
+
+echo $PASSWORD > $CLIENT_CERT_PASSWORD
+PKCS12Export -d "$CLIENT_CERT_DIR" -o "$CLIENT_CERT_PK12" -p "$CLIENT_CERT_PASSWORD" -w "$CLIENT_CERT_PASSWORD"
-pk12util -i $input -d $FIREFOX_DIR/$PROFILE -W Secret123
+pk12util -i $CLIENT_CERT_PK12 -d $FIREFOX_DIR/$PROFILE -w $CLIENT_CERT_PASSWORD
 certutil -M -n admin -t u,u,u -d $FIREFOX_DIR/$PROFILE
 #pk12util -i $SRC_DIR/pki-dev/certs/kra/kra-client-certs.p12 -d $FIREFOX_DIR/$PROFILE -W Secret123
-- cgit
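Review bot: `echo $PASSWORD > $CLIENT_CERT_PASSWORD` writes the NSS database password to `certs/pki-master/password.txt` under the caller's default umask, so the file is normally group- and world-readable, and it is left in place after the import rather than removed; `$PASSWORD` comes from `./ca-include.sh`, which is outside this diff, so an unset value silently produces an empty password file that PKCS12Export and pk12util then read. A tighter form is `: "${PASSWORD:?}"` followed by `( umask 077; printf '%s\n' "$PASSWORD" > "$CLIENT_CERT_PASSWORD" )`, with the new `$CLIENT_CERT_PK12` and `$FIREFOX_DIR/$PROFILE` expansions on the pk12util line quoted the way the PKCS12Export line already quotes its arguments. The admin.p12 produced next to it is protected by the same password and warrants the same file permissions.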