From d9a2c41533a95044b021d94b53081a07424b90b4 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata"
Date: Tue, 1 Aug 2017 04:59:54 +0200
Subject: Updated OCSP scripts.
---
 scripts/ocsp-create.sh | 46 +++++++++++++++++++++++++++-
 scripts/ocsp-standalone-ca-sign.sh | 10 ++++++
 scripts/ocsp-standalone-sign.sh | 57 ----------------------------------
 scripts/ocsp-standalone-step1.sh | 6 +++-
 scripts/ocsp-standalone-step2.sh | 19 +++++-------
 scripts/ocsp.cfg | 29 ------------------
 scripts/ocsp_admin-ca-sign.sh | 13 ++++++++
 scripts/ocsp_audit_signing-ca-sign.sh | 14 +++++++++
 scripts/ocsp_signing-ca-sign.sh | 14 +++++++++
 9 files changed, 108 insertions(+), 100 deletions(-)
 create mode 100755 scripts/ocsp-standalone-ca-sign.sh
 delete mode 100755 scripts/ocsp-standalone-sign.sh
 delete mode 100644 scripts/ocsp.cfg
 create mode 100755 scripts/ocsp_admin-ca-sign.sh
 create mode 100755 scripts/ocsp_audit_signing-ca-sign.sh
 create mode 100755 scripts/ocsp_signing-ca-sign.sh
(limited to 'scripts')
diff --git a/scripts/ocsp-create.sh b/scripts/ocsp-create.sh
index f76101e..ad018a4 100755
--- a/scripts/ocsp-create.sh
+++ b/scripts/ocsp-create.sh
@@ -1,3 +1,47 @@
 #!/bin/sh -x
 
-pkispawn -v -f ocsp.cfg -s OCSP -v
+mkdir -p tmp
+
+cat > tmp/ocsp.cfg << EOF
+[DEFAULT]
+#pki_pin=Secret.123
+
+[OCSP]
+pki_admin_cert_file=/root/.dogtag/pki-tomcat/ca_admin.cert
+pki_admin_email=ocspadmin@example.com
+pki_admin_name=ocspadmin
+pki_admin_nickname=ocspadmin
+pki_admin_password=Secret.123
+pki_admin_uid=ocspadmin
+
+pki_backup_keys=True
+pki_backup_password=Secret.123
+
+pki_client_database_password=Secret.123
+pki_client_database_purge=False
+pki_client_pkcs12_password=Secret.123
+
+pki_ds_base_dn=dc=ocsp,dc=pki,dc=example,dc=com
+#pki_ds_database=userRoot
+pki_ds_database=ocsp
+#pki_ds_create_new_db=False
+pki_ds_password=Secret.123
+
+pki_clone_pkcs12_password=Secret.123
+
+pki_security_domain_name=EXAMPLE
+pki_security_domain_user=caadmin
+pki_security_domain_password=Secret.123
+
+pki_token_password=Secret.123
+
+#pki_profiles_in_ldap=False
+#pki_share_db=False
+
+pki_ocsp_signing_nickname=ocsp_signing
+pki_audit_signing_nickname=ocsp_audit_signing
+pki_ssl_server_nickname=sslserver
+pki_subsystem_nickname=subsystem
+EOF
+
+pkispawn -v -f tmp/ocsp.cfg -s OCSP -v
diff --git a/scripts/ocsp-standalone-ca-sign.sh b/scripts/ocsp-standalone-ca-sign.sh
new file mode 100755
index 0000000..63ab317
--- /dev/null
+++ b/scripts/ocsp-standalone-ca-sign.sh
@@ -0,0 +1,10 @@
+#!/bin/sh
+
+./ca_signing-export.sh
+
+./ocsp_admin-ca-sign.sh
+./ocsp_signing-ca-sign.sh
+./ocsp_audit_signing-ca-sign.sh
+
+./sslserver-ca-sign.sh
+./subsystem-ca-sign.sh
diff --git a/scripts/ocsp-standalone-sign.sh b/scripts/ocsp-standalone-sign.sh
deleted file mode 100755
index f60b655..0000000
--- a/scripts/ocsp-standalone-sign.sh
+++ /dev/null
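Review bot: The heredoc writes pki_admin_password, pki_ds_password, pki_security_domain_password, pki_token_password and the backup/PKCS#12 passwords into tmp/ocsp.cfg with whatever umask the caller has, so under a default 022 umask the generated config is world-readable in the working directory; the step1 and step2 heredocs in this commit have the same property. A `umask 077` before `mkdir -p tmp` (or `mkdir -p -m 700 tmp`) keeps both the tmp directory and the config owner-only. A one-line comment above the heredoc, e.g. `# throwaway test-deployment credentials, written to tmp/ocsp.cfg`, would also make clear that the values are not meant to be reused.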
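Review bot: The new wrapper runs every step unconditionally under `#!/bin/sh` with no `set -e`, so if `./ca_signing-export.sh` fails (presumably it produces the CA certificate the signing scripts read from tmp/) the five signing scripts still run against a stale or missing file, and the wrapper's exit status only reflects the last command. Adding `set -e` right after the shebang makes the first failing step abort the sequence. The `./` paths also assume the working directory is the scripts directory; a `cd "$(dirname "$0")"` up front, or a comment stating that requirement, would make the assumption explicit.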
@@ -1,57 +0,0 @@
-#!/bin/sh
-
-#### CA Cert ####
-
-pki cert-show --output tmp/ca_signing.crt 0x1
-#pki cert-show --output cert_chain.p7b 0x1
-
-#### Admin Cert ####
-
-REQUEST_ID=`pki ca-cert-request-submit --profile caUserCert --csr-file tmp/ocsp_admin.csr --subject uid=ocspadmin | grep "Request ID:" | awk -F ': ' '{print $2;}'`
-echo Request ID: $REQUEST_ID
-
-CERT_ID=`pki -c Secret.123 -n caadmin ca-cert-request-review --action approve $REQUEST_ID | grep "Certificate ID:" | awk -F ': ' '{print $2;}'`
-echo Certificate ID: $CERT_ID
-
-pki cert-show --output tmp/ocsp_admin.crt $CERT_ID
-
-#### OCSP Signing Cert ####
-
-REQUEST_ID=`pki ca-cert-request-submit --profile caOCSPCert --csr-file tmp/ocsp_signing.csr | grep "Request ID:" | awk -F ': ' '{print $2;}'`
-echo Request ID: $REQUEST_ID
-
-CERT_ID=`pki -c Secret.123 -n caadmin ca-cert-request-review --action approve $REQUEST_ID | grep "Certificate ID:" | awk -F ': ' '{print $2;}'`
-echo Certificate ID: $CERT_ID
-
-pki cert-show --output tmp/ocsp_signing.crt $CERT_ID
-
-#### Server Cert ####
-
-REQUEST_ID=`pki ca-cert-request-submit --profile caServerCert --csr-file tmp/sslserver.csr | grep "Request ID:" | awk -F ': ' '{print $2;}'`
-echo Request ID: $REQUEST_ID
-
-CERT_ID=`pki -c Secret.123 -n caadmin ca-cert-request-review --action approve $REQUEST_ID | grep "Certificate ID:" | awk -F ': ' '{print $2;}'`
-echo Certificate ID: $CERT_ID
-
-pki cert-show --output tmp/sslserver.crt $CERT_ID
-
-#### Subsystem Cert ####
-
-REQUEST_ID=`pki ca-cert-request-submit --profile caSubsystemCert --csr-file tmp/subsystem.csr | grep "Request ID:" | awk -F ': ' '{print $2;}'`
-echo Request ID: $REQUEST_ID
-
-CERT_ID=`pki -c Secret.123 -n caadmin ca-cert-request-review --action approve $REQUEST_ID | grep "Certificate ID:" | awk -F ': ' '{print $2;}'`
-echo Certificate ID: $CERT_ID
-
-pki cert-show --output tmp/subsystem.crt $CERT_ID
-
-#### Audit Signing Cert ####
-
-REQUEST_ID=`pki ca-cert-request-submit --profile caSignedLogCert --csr-file tmp/ocsp_audit_signing.csr | grep "Request ID:" | awk -F ': ' '{print $2;}'`
-echo Request ID: $REQUEST_ID
-
-CERT_ID=`pki -c Secret.123 -n caadmin ca-cert-request-review --action approve $REQUEST_ID | grep "Certificate ID:" | awk -F ': ' '{print $2;}'`
-echo Certificate ID: $CERT_ID
-
-pki cert-show --output tmp/ocsp_audit_signing.crt $CERT_ID
-
diff --git a/scripts/ocsp-standalone-step1.sh b/scripts/ocsp-standalone-step1.sh
index 7cd161e..50c9df7 100755
--- a/scripts/ocsp-standalone-step1.sh
+++ b/scripts/ocsp-standalone-step1.sh
@@ -3,6 +3,9 @@
 mkdir -p tmp
 
 cat > tmp/ocsp-standalone-step1.cfg << EOF
+[DEFAULT]
+pki_pin=Secret.123
+
 [OCSP]
 pki_admin_email=ocspadmin@example.com
 pki_admin_name=ocspadmin
@@ -27,10 +30,11 @@ pki_token_password=Secret.123
 pki_standalone=True
 pki_external_step_two=False
 
-pki_signing_nickname=ocsp_signing
+pki_ocsp_signing_nickname=ocsp_signing
 pki_audit_signing_nickname=ocsp_audit_signing
 pki_ssl_server_nickname=sslserver
 pki_subsystem_nickname=subsystem
+pki_cert_chain_nickname=ca_signing
 
 pki_external_admin_csr_path=$PWD/tmp/ocsp_admin.csr
 pki_external_audit_signing_csr_path=$PWD/tmp/ocsp_audit_signing.csr
diff --git a/scripts/ocsp-standalone-step2.sh b/scripts/ocsp-standalone-step2.sh
index e2d5162..91a15bc 100755
--- a/scripts/ocsp-standalone-step2.sh
+++ b/scripts/ocsp-standalone-step2.sh
@@ -2,16 +2,10 @@
 
 mkdir -p tmp
 
-cp external_ca.cert /etc/pki/pki-tomcat
-cp external_ca_chain.cert /etc/pki/pki-tomcat
-
-cp ocsp_admin.cert /etc/pki/pki-tomcat
-cp ocsp_signing.cert /etc/pki/pki-tomcat
-cp ocsp_sslserver.cert /etc/pki/pki-tomcat
-cp ocsp_subsystem.cert /etc/pki/pki-tomcat
-cp ocsp_audit_signing.cert /etc/pki/pki-tomcat
-
 cat > tmp/ocsp-standalone-step2.cfg << EOF
+[DEFAULT]
+pki_pin=Secret.123
+
 [OCSP]
 pki_admin_email=ocspadmin@example.com
 pki_admin_name=ocspadmin
@@ -36,16 +30,17 @@ pki_token_password=Secret.123
 pki_standalone=True
 pki_external_step_two=True
 
+pki_ocsp_signing_nickname=ocsp_signing
 pki_audit_signing_nickname=ocsp_audit_signing
-pki_signing_nickname=ocsp_signing
 pki_ssl_server_nickname=sslserver
 pki_subsystem_nickname=subsystem
+pki_cert_chain_nickname=ca_signing
 
-pki_external_ca_cert_chain_path=$PWD/tmp/cert_chain.p7b
+#pki_external_ca_cert_chain_path=$PWD/tmp/cert_chain.p7b
 pki_external_ca_cert_path=$PWD/tmp/ca_signing.crt
 pki_external_admin_cert_path=$PWD/tmp/ocsp_admin.crt
-pki_external_audit_signing_cert_path=$PWD/tmp/ocsp_audit_signing.crt
 pki_external_signing_cert_path=$PWD/tmp/ocsp_signing.crt
+pki_external_audit_signing_cert_path=$PWD/tmp/ocsp_audit_signing.crt
 pki_external_sslserver_cert_path=$PWD/tmp/sslserver.crt
 pki_external_subsystem_cert_path=$PWD/tmp/subsystem.crt
 EOF
diff --git a/scripts/ocsp.cfg b/scripts/ocsp.cfg
deleted file mode 100644
index f0c1218..0000000
--- a/scripts/ocsp.cfg
+++ /dev/null
@@ -1,29 +0,0 @@
-[OCSP]
-pki_admin_cert_file=/root/.dogtag/pki-tomcat/ca_admin.cert
-pki_admin_email=ocspadmin@example.com
-pki_admin_name=ocspadmin
-pki_admin_nickname=ocspadmin
-pki_admin_password=Secret123
-pki_admin_uid=ocspadmin
-
-pki_backup_keys=True
-pki_backup_password=Secret123
-
-pki_client_database_password=Secret123
-pki_client_database_purge=False
-pki_client_pkcs12_password=Secret123
-
-pki_ds_base_dn=dc=ocsp,dc=example,dc=com
-pki_ds_database=ocsp
-pki_ds_password=Secret123
-
-pki_clone_pkcs12_password=Secret123
-
-pki_security_domain_name=EXAMPLE
-pki_security_domain_user=caadmin
-pki_security_domain_password=Secret123
-
-pki_token_password=Secret123
-
-#pki_profiles_in_ldap=False
-#pki_share_db=False
diff --git a/scripts/ocsp_admin-ca-sign.sh b/scripts/ocsp_admin-ca-sign.sh
new file mode 100755
index 0000000..6b5e4eb
--- /dev/null
+++ b/scripts/ocsp_admin-ca-sign.sh
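Review bot: `pki_external_ca_cert_chain_path` is commented out rather than removed, and nothing says why only `pki_external_ca_cert_path` is supplied now that `pki_cert_chain_nickname=ca_signing` is also set, so a reader cannot tell whether the chain file is obsolete or temporarily disabled while something else is sorted out. A comment on the line above it stating the actual reason, in the shape of `# chain path disabled: <reason the p7b is not used in step 2>`, would settle that; if the line is dead, dropping it is cleaner than keeping a commented-out setting. The move of pki_external_audit_signing_cert_path below pki_external_signing_cert_path is cosmetic and fine.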
@@ -0,0 +1,13 @@
+#!/bin/sh
+
+CMD="pki ca-cert-request-submit --profile caUserCert --csr-file tmp/ocsp_admin.csr --subject uid=ocspadmin"
+echo $CMD
+REQUEST_ID=`$CMD | grep "Request ID:" | awk -F ': ' '{print $2;}'`
+echo Request ID: $REQUEST_ID
+
+CMD="pki -c Secret.123 -n caadmin ca-cert-request-review --action approve $REQUEST_ID"
+echo $CMD
+CERT_ID=`$CMD | grep "Certificate ID:" | awk -F ': ' '{print $2;}'`
+echo Certificate ID: $CERT_ID
+
+pki cert-show --output tmp/ocsp_admin.crt $CERT_ID
diff --git a/scripts/ocsp_audit_signing-ca-sign.sh b/scripts/ocsp_audit_signing-ca-sign.sh
new file mode 100755
index 0000000..decbf57
--- /dev/null
+++ b/scripts/ocsp_audit_signing-ca-sign.sh
@@ -0,0 +1,14 @@
+#!/bin/sh
+
+CMD="pki ca-cert-request-submit --profile caSignedLogCert --csr-file tmp/ocsp_audit_signing.csr"
+echo $CMD
+REQUEST_ID=`$CMD | grep "Request ID:" | awk -F ': ' '{print $2;}'`
+echo Request ID: $REQUEST_ID
+
+CMD="pki -c Secret.123 -n caadmin ca-cert-request-review --action approve $REQUEST_ID"
+echo $CMD
+CERT_ID=`$CMD | grep "Certificate ID:" | awk -F ': ' '{print $2;}'`
+echo Certificate ID: $CERT_ID
+
+pki cert-show --output tmp/ocsp_audit_signing.crt $CERT_ID
+
diff --git a/scripts/ocsp_signing-ca-sign.sh b/scripts/ocsp_signing-ca-sign.sh
new file mode 100755
index 0000000..d6f1c3d
--- /dev/null
+++ b/scripts/ocsp_signing-ca-sign.sh
@@ -0,0 +1,14 @@
+#!/bin/sh
+
+CMD="pki ca-cert-request-submit --profile caOCSPCert --csr-file tmp/ocsp_signing.csr"
+echo $CMD
+REQUEST_ID=`$CMD | grep "Request ID:" | awk -F ': ' '{print $2;}'`
+echo Request ID: $REQUEST_ID
+
+CMD="pki -c Secret.123 -n caadmin ca-cert-request-review --action approve $REQUEST_ID"
+echo $CMD
+CERT_ID=`$CMD | grep "Certificate ID:" | awk -F ': ' '{print $2;}'`
+echo Certificate ID: $CERT_ID
+
+pki cert-show --output tmp/ocsp_signing.crt $CERT_ID
+
-- cgit
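Review bot: `REQUEST_ID` and `CERT_ID` are used without being checked, so when the submit or approve command fails the grep/awk pipeline yields an empty string and the script, running under `#!/bin/sh` with no `set -e`, goes on to call `ca-cert-request-review --action approve` and `pki cert-show --output tmp/ocsp_admin.crt` with an empty id; ocsp_audit_signing-ca-sign.sh and ocsp_signing-ca-sign.sh in this commit share the pattern. A guard after each extraction, `[ -n "$REQUEST_ID" ] || { echo "request submission failed" >&2; exit 1; }` and the equivalent for `CERT_ID`, stops the run at the first failure instead of producing an empty or wrong .crt. Separately, `echo $CMD` on the approve step prints the `-c Secret.123` client-database password to stdout, and as an argv value it is also visible in the process list; the `pki` client's password-file option (`-C`, if present in this version) would keep it out of both, and at minimum the echo should print the command with that argument elided.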