From d62ea0eca2a05a7059f071296250c63e9ea9b347 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata"
Date: Fri, 21 Jul 2017 04:32:58 +0200
Subject: Added CMC scripts.
---
 scripts/admin-init.sh | 13 +++++
 scripts/ca-create.sh | 40 +++++++++++++++-
 scripts/ca-external-cmc-sign.sh | 80 +++++++++++++++++++++++++++++++
 scripts/ca-external-nss-sign.sh | 37 +++++++--------
 scripts/ca-external-step1.sh | 102 ++++++++++++++++++++++++++++++----------
 scripts/ca-external-step2.sh | 51 ++++++++++++++++----
 scripts/ca.cfg | 31 ------------
 scripts/root-admin-init.sh | 13 +++++
 scripts/root-ca-create.sh | 35 ++++++++++++++
 9 files changed, 316 insertions(+), 86 deletions(-)
 create mode 100755 scripts/admin-init.sh
 create mode 100755 scripts/ca-external-cmc-sign.sh
 delete mode 100644 scripts/ca.cfg
 create mode 100755 scripts/root-admin-init.sh
 create mode 100755 scripts/root-ca-create.sh
(limited to 'scripts')
diff --git a/scripts/admin-init.sh b/scripts/admin-init.sh
new file mode 100755
index 0000000..abf448e
--- /dev/null
+++ b/scripts/admin-init.sh
@@ -0,0 +1,13 @@
+#!/bin/sh
+
+pki -c Secret.123 client-init --force
+
+pki -c Secret.123 client-cert-import "CA Signing Certificate" --ca-server
+
+pki -c Secret.123 client-cert-import \
+ --pkcs12 ~/.dogtag/pki-tomcat/ca_admin_cert.p12 \
+ --pkcs12-password Secret.123
+
+#pki -c Secret.123 pkcs12-import \
+# --pkcs12-file ~/.dogtag/pki-tomcat/ca_admin_cert.p12 \
+# --pkcs12-password Secret.123
diff --git a/scripts/ca-create.sh b/scripts/ca-create.sh
index 48c5342..32c8925 100755
--- a/scripts/ca-create.sh
+++ b/scripts/ca-create.sh
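Review bot: Every `pki` call in admin-init.sh passes the client NSS database password as `-c Secret.123` on the command line, so it is visible in the process list and in shell history; `pki` also accepts `-C <path>` to read that password from a file, which keeps it out of argv, and the `--pkcs12-password Secret.123` argument has the same exposure (the pkcs12 options have a password-file variant worth checking). root-admin-init.sh added in this commit is identical apart from the certificate nickname and shares the point. The commented-out `pkcs12-import` block at the end duplicates the live `client-cert-import --pkcs12` call above it and can be dropped rather than carried along as dead code.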
@@ -1,8 +1,44 @@
 #!/bin/sh -x
 
-pkispawn -vv -f ca.cfg -s CA
+mkdir -p tmp
+
+cat > tmp/ca.cfg << EOF
+[DEFAULT]
+#pki_pin=Secret.123
+
+[CA]
+pki_admin_email=caadmin@example.com
+pki_admin_name=caadmin
+pki_admin_nickname=caadmin
+pki_admin_password=Secret.123
+pki_admin_uid=caadmin
+
+#pki_backup_keys=True
+#pki_backup_password=Secret.123
+
+pki_client_database_password=Secret.123
+pki_client_database_purge=False
+pki_client_pkcs12_password=Secret.123
+
+pki_ds_base_dn=dc=ca,dc=pki,dc=example,dc=com
+pki_ds_password=Secret.123
+pki_ds_database=ca
+
+pki_security_domain_name=EXAMPLE
+
+#pki_server_pkcs12_path=pki-server.p12
+#pki_server_pkcs12_password=Secret.123
+
+pki_ca_signing_nickname=ca_signing
+pki_ocsp_signing_nickname=ca_ocsp_signing
+pki_audit_signing_nickname=ca_audit_signing
+pki_ssl_server_nickname=sslserver
+pki_subsystem_nickname=subsystem
+EOF
+
+pkispawn -vv -f tmp/ca.cfg -s CA
 
 #/bin/cp /root/.dogtag/pki-tomcat/ca_admin.cert .
 #/bin/cp /root/.dogtag/pki-tomcat/ca_admin_cert.p12 .
 #/bin/cp /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf ca_admin_cert.txt
-#echo $HOSTNAME > master.txt
+echo $HOSTNAME > tmp/master.txt
diff --git a/scripts/ca-external-cmc-sign.sh b/scripts/ca-external-cmc-sign.sh
new file mode 100755
index 0000000..da20953
--- /dev/null
+++ b/scripts/ca-external-cmc-sign.sh
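Review bot: The heredoc writes `pki_admin_password`, `pki_ds_password` and the client database and PKCS#12 passwords into `tmp/ca.cfg` under whatever umask the caller has, so the generated file is typically readable by every local user for as long as it exists, and `mkdir -p tmp` does not narrow that. A one-line `umask 077` after the shebang, or `chmod 600 tmp/ca.cfg` before the `pkispawn` line, keeps the generated config private; the cfg heredocs added to ca-external-cmc-sign.sh, ca-external-step1.sh, ca-external-step2.sh and root-ca-create.sh in this commit have the same issue. Since `tmp/` now holds generated secrets where the tracked `ca.cfg` used to live, it should also be covered by `.gitignore` — I cannot tell from this diff whether it already is.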
@@ -0,0 +1,80 @@
+#!/bin/sh
+
+mkdir -p tmp
+
+cat > tmp/cmc-request.cfg << EOF
+# NSS database directory.
+dbdir=$HOME/.dogtag/nssdb
+
+# NSS database password.
+password=Secret.123
+
+# Token name (default is internal).
+tokenname=internal
+
+# Nickname for agent certificate.
+nickname=caadmin
+
+# Request format: pkcs10 or crmf.
+format=pkcs10
+
+# Total number of PKCS10/CRMF requests.
+numRequests=1
+
+# Path to the PKCS10/CRMF request.
+# The content must be in Base-64 encoded format.
+# Multiple files are supported. They must be separated by space.
+input=$PWD/tmp/ca_signing.csr
+
+# Path for the CMC request in binary format
+output=$PWD/tmp/cmc-request.bin
+EOF
+
+CMCRequest tmp/cmc-request.cfg
+
+cat > tmp/cmc-submit.cfg << EOF
+# PKI server host name.
+host=$HOSTNAME
+
+# PKI server port number.
+port=8443
+
+# Use secure connection.
+# For secure connection with ECC, set environment variable 'export NSS_USE_DECODED_CKA_EC_POINT=1'.
+secure=true
+
+# Use client authentication.
+clientmode=true
+
+# NSS database directory.
+dbdir=$HOME/.dogtag/nssdb
+
+# NSS database password.
+password=Secret.123
+
+# Token name (default: internal).
+tokenname=internal
+
+# Nickname of agent certificate.
+nickname=caadmin
+
+# CMC servlet path
+servlet=/ca/ee/ca/profileSubmitCMCFullCACert
+
+# Path for the CMC request.
+input=tmp/cmc-request.bin
+
+# Path for the CMC response.
+output=tmp/cmc-response.bin
+EOF
+
+HttpClient tmp/cmc-submit.cfg
+
+CMCResponse -d ~/.dogtag/nssdb -i tmp/cmc-response.bin
+
+BtoA tmp/cmc-response.bin tmp/cmc-response.b64
+echo "-----BEGIN PKCS7-----" > tmp/ca_signing.crt
+cat tmp/cmc-response.b64 >> tmp/ca_signing.crt
+echo "-----END PKCS7-----" >> tmp/ca_signing.crt
+
+pki cert-show --output tmp/external.crt 0x1
diff --git a/scripts/ca-external-nss-sign.sh b/scripts/ca-external-nss-sign.sh
index f8b4bc9..b67082c 100755
--- a/scripts/ca-external-nss-sign.sh
+++ b/scripts/ca-external-nss-sign.sh
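Review bot: Nothing in ca-external-cmc-sign.sh checks that `CMCRequest`, `HttpClient` and `CMCResponse` succeeded before the response is framed as PKCS7 into `tmp/ca_signing.crt`; under plain `#!/bin/sh` a failed or rejected submission still produces a well-formed-looking file that ca-external-step2.sh then hands to pkispawn as `pki_external_ca_cert_path`, and the failure surfaces far from its cause. `set -e` right after the shebang (the script is straight-line, so it is safe there), or `|| exit 1` on those three lines, stops the script at the failing step. Both generated cfg files carry `password=Secret.123`, so `umask 077` before the heredocs is worth adding here as well. `pki cert-show --output tmp/external.crt 0x1` hard-codes serial 1 as the issuing CA's certificate; a comment stating that assumption would help whoever runs this against a CA whose signing certificate was not the first one issued.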
@@ -1,20 +1,19 @@
 #!/bin/sh
 
-rm -rf external
-mkdir external
-certutil -N -d external -f password.txt
-openssl rand -out external/noise.bin 2048
+rm -rf tmp/external
+mkdir -p tmp/external
+certutil -N -d tmp/external -f password.txt
+openssl rand -out tmp/external/noise.bin 2048
 
 echo "## Generating external CA certificate..."
 
-#ROOTCA_SKID="0x847bb8664d7a32f182974ca861fb26867ecb42cd"
 ROOTCA_SKID="0x`openssl rand -hex 20`"
 
 echo -e "y\n\ny\n${ROOTCA_SKID}\n\n" | \
 certutil -S \
- -d external \
+ -d tmp/external \
 -f password.txt \
- -z external/noise.bin \
+ -z tmp/external/noise.bin \
 -n "External CA" \
 -s "CN=External CA,O=EXTERNAL" \
 -x \
@@ -24,26 +23,25 @@ echo -e "y\n\ny\n${ROOTCA_SKID}\n\n" | \
 --keyUsage digitalSignature,nonRepudiation,certSigning,crlSigning,critical \
 --extSKID
 
-# --keyUsage certSigning \
 # --nsCertType sslCA,smimeCA,objectSigningCA
+
 echo "## Exporting external CA certificate..."
 
-certutil -L -d external -n "External CA" -a > external.crt
+certutil -L -d tmp/external -n "External CA" -a > tmp/external.crt
 
 echo "## Signing the CA signing certificate..."
 
-#SUBCA_SKID="0x7d34de0374bcb294d5447479060266a52310e9ce"
 SUBCA_SKID="0x`openssl rand -hex 20`"
 SUBCA_OCSP="http://$HOSTNAME:8080/ca/ocsp"
 
 echo -e "y\n\ny\ny\n${ROOTCA_SKID}\n\n\n\n${SUBCA_SKID}\n\n2\n7\n${SUBCA_OCSP}\n\n\n\n" | \
 certutil -C \
- -d external \
+ -d tmp/external \
 -f password.txt \
 -m $RANDOM \
 -a \
- -i ca_signing.csr \
- -o ca_signing.crt \
+ -i tmp/ca_signing.csr \
+ -o tmp/ca_signing.crt \
 -c "External CA" \
 --extSKID \
 -2 -3 \
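Review bot: `certutil -N -d tmp/external -f password.txt` still reads `password.txt` from the working directory while every other artifact of this script moved under `tmp/`, so the move is incomplete and the script keeps a dependency on a file this commit neither creates nor mentions; the same `-f password.txt` is repeated in the `certutil -S` call here and in the `certutil -C` call of the next hunk. Either create the file next to the database (for example `tmp/external/password.txt`, with matching `-f` paths) or state in a leading comment that it must already exist and hold the NSS database password. Note also that `rm -rf tmp/external` followed by `mkdir -p tmp/external` runs without `set -e`, so if `certutil -N` fails the later `certutil -S`/`-C` calls silently operate on a missing database.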
@@ -53,15 +51,16 @@ echo -e "y\n\ny\ny\n${ROOTCA_SKID}\n\n\n\n${SUBCA_SKID}\n\n2\n7\n${SUBCA_OCSP}\n
 
 echo "## Generating certificate chain..."
 
-certutil -A -d external -n "CA Signing Certificate" -t "CT,C,C" -a -i ca_signing.crt
+certutil -A -d tmp/external -n "CA Signing Certificate" -t "CT,C,C" -a -i tmp/ca_signing.crt
 
-openssl crl2pkcs7 -nocrl -certfile external.crt -out cert_chain.p7b
-#openssl crl2pkcs7 -nocrl -certfile external.crt -certfile ca_signing.crt -out cert_chain.p7b
+openssl crl2pkcs7 -nocrl -certfile tmp/external.crt -out tmp/cert_chain.p7b
+#openssl crl2pkcs7 -nocrl -certfile tmp/external.crt -certfile tmp/ca_signing.crt -out tmp/cert_chain.p7b
 
 #certutil -C \
-# -d external \
+# -d tmp/external \
 # -f password.txt \
 # -m $RANDOM \
-# -a -i ca_signing.csr \
-# -o ca_signing.crt \
+# -a \
+# -i tmp/ca_signing.csr \
+# -o tmp/ca_signing.crt \
 # -c "External CA"
diff --git a/scripts/ca-external-step1.sh b/scripts/ca-external-step1.sh
index 19eca2b..a9d6df9 100755
--- a/scripts/ca-external-step1.sh
+++ b/scripts/ca-external-step1.sh
@@ -1,28 +1,78 @@
 #!/bin/sh -x
 
-rm -f /tmp/ca_signing.csr
-rm -f /tmp/ca_ocsp_signing.csr
-rm -f /tmp/ca_audit_signing.csr
-rm -f /tmp/sslserver.csr
-rm -f /tmp/subsystem.csr
-
-rm -r /tmp/external.crt
-rm -r /tmp/cert_chain.p7b
-rm -f /tmp/ca_signing.crt
-
-rm -f /tmp/example.crt
-rm -f /tmp/example2.crt
-rm -f /tmp/example.p7
-rm -f /tmp/example2.p7
-rm -f /tmp/example.p7b
-rm -f /tmp/example2.p7b
-rm -f /tmp/example3.csr
-rm -f /tmp/example3.crt
-
-pkispawn -vv -f ca-external-step1.cfg -s CA
-
-/bin/cp -f /tmp/ca_signing.csr .
-/bin/cp -f /tmp/ca_ocsp_signing.csr .
-/bin/cp -f /tmp/ca_audit_signing.csr .
-/bin/cp -f /tmp/sslserver.csr .
-/bin/cp -f /tmp/subsystem.csr .
+mkdir -p tmp
+
+rm -f tmp/ca_signing.csr
+rm -f tmp/ca_ocsp_signing.csr
+rm -f tmp/ca_audit_signing.csr
+rm -f tmp/sslserver.csr
+rm -f tmp/subsystem.csr
+
+rm -r tmp/external.crt
+rm -r tmp/cert_chain.p7b
+rm -f tmp/ca_signing.crt
+
+rm -f tmp/example.crt
+rm -f tmp/example2.crt
+rm -f tmp/example.p7
+rm -f tmp/example2.p7
+rm -f tmp/example.p7b
+rm -f tmp/example2.p7b
+rm -f tmp/example3.csr
+rm -f tmp/example3.crt
+
+cat > tmp/ca-external-step1.cfg << EOF
+#[DEFAULT]
+#pki_instance_name=pki-child
+#pki_pin=Secret.123
+
+[CA]
+pki_admin_email=caadmin@example.com
+pki_admin_name=caadmin
+pki_admin_nickname=caadmin
+pki_admin_password=Secret.123
+pki_admin_uid=caadmin
+
+pki_backup_keys=True
+pki_backup_password=Secret.123
+
+pki_client_database_password=Secret.123
+pki_client_database_purge=False
+pki_client_pkcs12_password=Secret.123
+
+pki_ds_base_dn=dc=ca,dc=pki,dc=example,dc=com
+pki_ds_database=ca
+pki_ds_password=Secret.123
+
+pki_security_domain_name=EXAMPLE
+
+pki_token_password=Secret.123
+
+pki_external=True
+pki_external_step_two=False
+pki_external_csr_path=$PWD/tmp/ca_signing.csr
+
+#pki_ca_signing_csr_path=$PWD/tmp/ca_signing.csr
+pki_ocsp_signing_csr_path=$PWD/tmp/ca_ocsp_signing.csr
+pki_audit_signing_csr_path=$PWD/tmp/ca_audit_signing.csr
+pki_ssl_server_csr_path=$PWD/tmp/sslserver.csr
+pki_subsystem_csr_path=$PWD/tmp/subsystem.csr
+
+#pki_security_domain_name=CHILD
+#pki_ca_signing_csr_path=$PWD/tmp/example2.csr
+#pki_ca_signing_subject_dn=CN=Child Cert,O=CHILD
+
+#pki_security_domain_name=GRANDCHILD
+#pki_ca_signing_csr_path=$PWD/tmp/example3.csr
+#pki_ca_signing_subject_dn=CN=Grandchild Cert,O=GRANDCHILD
+
+#pki_req_ext_add=True
+
+pki_ca_signing_nickname=ca_signing
+pki_ocsp_signing_nickname=ca_ocsp_signing
+pki_audit_signing_nickname=ca_audit_signing
+pki_ssl_server_nickname=sslserver
+pki_subsystem_nickname=subsystem
+EOF
+
+pkispawn -vv -f tmp/ca-external-step1.cfg -s CA
diff --git a/scripts/ca-external-step2.sh b/scripts/ca-external-step2.sh
index 801bd1f..a45afdc 100755
--- a/scripts/ca-external-step2.sh
+++ b/scripts/ca-external-step2.sh
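Review bot: `rm -r tmp/external.crt` and `rm -r tmp/cert_chain.p7b` use `-r` on regular files and omit `-f`, so on a fresh checkout they print "No such file or directory" and, unlike the surrounding `rm -f` lines, would abort the script if `set -e` is ever added; `rm -f tmp/external.crt` and `rm -f tmp/cert_chain.p7b` match the rest of the block. The eight `tmp/example*` removals refer to files nothing in this script or its siblings in the diff produces and look like leftovers of the commented-out CHILD/GRANDCHILD variants further down. `pki_backup_keys=True` with `pki_backup_password=Secret.123` presumably has pkispawn write a backup of the CA keys protected by that password; if that is only wanted for this test flow, a comment saying so next to the line would keep it from being copied into a production template.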
@@ -1,13 +1,48 @@
 #!/bin/sh -x
 
-cp ca_signing.crt /tmp
-cp external.crt /tmp
-cp cert_chain.p7b /tmp
+mkdir -p tmp
 
-#cp level1.crt /tmp
-#cp level2.crt /tmp
+cat > tmp/ca-external-step2.cfg << EOF
+#[DEFAULT]
+#pki_instance_name=pki-child
+#pki_pin=Secret.123
 
-#cp example.crt /tmp
-#cp example2.p7b /tmp
+[CA]
+pki_admin_email=caadmin@example.com
+pki_admin_name=caadmin
+pki_admin_nickname=caadmin
+pki_admin_password=Secret.123
+pki_admin_uid=caadmin
 
-pkispawn -vv -f ca-external-step2.cfg -s CA
+pki_backup_keys=True
+pki_backup_password=Secret.123
+
+pki_client_database_password=Secret.123
+pki_client_database_purge=False
+pki_client_pkcs12_password=Secret.123
+
+pki_ds_base_dn=dc=ca,dc=pki,dc=example,dc=com
+pki_ds_database=ca
+pki_ds_password=Secret.123
+
+pki_security_domain_name=EXAMPLE
+pki_token_password=Secret.123
+
+pki_external=True
+pki_external_step_two=True
+pki_external_csr_path=$PWD/tmp/ca_signing.csr
+pki_external_ca_cert_path=$PWD/tmp/ca_signing.crt
+
+pki_external_ca_cert_chain_nickname=external
+pki_external_ca_cert_chain_path=$PWD/tmp/external.crt
+#pki_external_ca_cert_chain_path=$PWD/tmp/cert_chain.p7b
+#pki_external_ca_cert_chain_path=$PWD/tmp/level2.crt
+
+pki_ca_signing_nickname=ca_signing
+pki_ocsp_signing_nickname=ca_ocsp_signing
+pki_audit_signing_nickname=ca_audit_signing
+pki_ssl_server_nickname=sslserver
+pki_subsystem_nickname=subsystem
+EOF
+
+pkispawn -vv -f tmp/ca-external-step2.cfg -s CA
diff --git a/scripts/ca.cfg b/scripts/ca.cfg
deleted file mode 100644
index 3181abe..0000000
--- a/scripts/ca.cfg
+++ /dev/null
@@ -1,31 +0,0 @@
-[DEFAULT]
-#pki_pin=Secret.123
-
-[CA]
-pki_admin_email=caadmin@example.com
-pki_admin_name=caadmin
-pki_admin_nickname=caadmin
-pki_admin_password=Secret.123
-pki_admin_uid=caadmin
-
-#pki_backup_keys=True
-#pki_backup_password=Secret.123
-
-pki_client_database_password=Secret.123
-pki_client_database_purge=False
-pki_client_pkcs12_password=Secret.123
-
-pki_ds_base_dn=dc=ca,dc=pki,dc=example,dc=com
-pki_ds_password=Secret.123
-pki_ds_database=ca
-
-pki_security_domain_name=EXAMPLE
-
-#pki_server_pkcs12_path=pki-server.p12
-#pki_server_pkcs12_password=Secret.123
-
-pki_ca_signing_nickname=ca_signing
-pki_ocsp_signing_nickname=ca_ocsp_signing
-pki_audit_signing_nickname=ca_audit_signing
-pki_ssl_server_nickname=sslserver
-pki_subsystem_nickname=subsystem
diff --git a/scripts/root-admin-init.sh b/scripts/root-admin-init.sh
new file mode 100755
index 0000000..f30990f
--- /dev/null
+++ b/scripts/root-admin-init.sh
@@ -0,0 +1,13 @@
+#!/bin/sh
+
+pki -c Secret.123 client-init --force
+
+pki -c Secret.123 client-cert-import "Root CA Signing Certificate" --ca-server
+
+pki -c Secret.123 client-cert-import \
+ --pkcs12 ~/.dogtag/pki-tomcat/ca_admin_cert.p12 \
+ --pkcs12-password Secret.123
+
+#pki -c Secret.123 pkcs12-import \
+# --pkcs12-file ~/.dogtag/pki-tomcat/ca_admin_cert.p12 \
+# --pkcs12-password Secret.123
diff --git a/scripts/root-ca-create.sh b/scripts/root-ca-create.sh
new file mode 100755
index 0000000..bf2cea6
--- /dev/null
+++ b/scripts/root-ca-create.sh
@@ -0,0 +1,35 @@
+#!/bin/sh -x
+
+mkdir -p tmp
+
+cat > tmp/root-ca.cfg << EOF
+[CA]
+pki_admin_email=caadmin@example.com
+pki_admin_name=caadmin
+pki_admin_nickname=caadmin
+pki_admin_password=Secret.123
+pki_admin_uid=caadmin
+
+#pki_client_database_password=Secret.123
+#pki_client_database_purge=False
+pki_client_pkcs12_password=Secret.123
+
+pki_ds_base_dn=dc=ca,dc=pki,dc=example,dc=com
+pki_ds_password=Secret.123
+pki_ds_database=ca
+
+pki_security_domain_name=ROOT
+
+#pki_server_pkcs12_path=pki-server.p12
+#pki_server_pkcs12_password=Secret.123
+
+pki_ca_signing_nickname=ca_signing
+pki_ca_signing_subject_dn=cn=Root CA Signing Certificate,ou=%(pki_instance_name)s,o=%(pki_security_domain_name)s
+
+pki_ocsp_signing_nickname=ca_ocsp_signing
+pki_audit_signing_nickname=ca_audit_signing
+pki_ssl_server_nickname=sslserver
+pki_subsystem_nickname=subsystem
+EOF
+
+pkispawn -vv -f tmp/root-ca.cfg -s CA
-- cgit