From ec842e618d1def4eab56a56db315fca83e53b48c Mon Sep 17 00:00:00 2001 From: "Endi S. Dewata" Date: Fri, 2 Feb 2018 18:47:17 +0100 Subject: Updated sub CA scripts. --- scripts/level3ca-create.sh | 62 ++++++++++++++++++ scripts/rootca-admin-init.sh | 4 +- scripts/rootca-create.sh | 8 +-- scripts/subca-admin-init.sh | 11 +++- scripts/subca-ca-sign.sh | 13 ++++ scripts/subca-cmc-sign.sh | 74 +-------------------- scripts/subca-create.sh | 58 +++++++++-------- scripts/subca-external-step1.sh | 34 ++++++---- scripts/subca-external-step2.sh | 36 ++++++----- scripts/subca-lunasa-create.sh | 72 +++++++++++++++++++++ scripts/subca-lunasa-external-step1.sh | 63 ++++++++++++++++++ scripts/subca-lunasa-external-step2.sh | 65 +++++++++++++++++++ scripts/subca-nfast-external-step1.sh | 62 ++++++++++++++++++ scripts/subca-nfast-external-step2.sh | 65 +++++++++++++++++++ scripts/subca-nss-sign.sh | 66 +++++++++++++++++++ scripts/subca-openssl-sign.sh | 106 +++++++++++++++++++++++++++++++ scripts/subca-softcard-external-step1.sh | 61 ++++++++++++++++++ scripts/subca-softcard-external-step2.sh | 63 ++++++++++++++++++ 18 files changed, 787 insertions(+), 136 deletions(-) create mode 100755 scripts/level3ca-create.sh create mode 100755 scripts/subca-ca-sign.sh create mode 100755 scripts/subca-lunasa-create.sh create mode 100755 scripts/subca-lunasa-external-step1.sh create mode 100755 scripts/subca-lunasa-external-step2.sh create mode 100755 scripts/subca-nfast-external-step1.sh create mode 100755 scripts/subca-nfast-external-step2.sh create mode 100755 scripts/subca-nss-sign.sh create mode 100755 scripts/subca-openssl-sign.sh create mode 100755 scripts/subca-softcard-external-step1.sh create mode 100755 scripts/subca-softcard-external-step2.sh (limited to 'scripts') diff --git a/scripts/level3ca-create.sh b/scripts/level3ca-create.sh new file mode 100755 index 0000000..0cc8994 --- /dev/null +++ b/scripts/level3ca-create.sh 
@@ -0,0 +1,62 @@
+#!/bin/sh -x
+
+mkdir -p tmp
+
+SUBCA=`cat tmp/subca.hostname`
+
+cat > tmp/level3ca.cfg << EOF
+[DEFAULT]
+pki_pin=Secret.123
+
+[CA]
+pki_admin_email=caadmin@example.com
+pki_admin_name=caadmin
+pki_admin_nickname=caadmin
+pki_admin_password=Secret.123
+pki_admin_uid=caadmin
+
+pki_client_database_password=Secret.123
+pki_client_database_purge=False
+pki_client_pkcs12_password=Secret.123
+
+pki_ds_base_dn=dc=ca,dc=pki,dc=example,dc=com
+pki_ds_password=Secret.123
+pki_ds_database=ca
+
+pki_subordinate=True
+
+pki_issuing_ca_hostname=$SUBCA
+
+pki_security_domain_hostname=$SUBCA
+#pki_security_domain_name=EXAMPLE
+pki_security_domain_user=caadmin
+pki_security_domain_password=Secret.123
+
+pki_subordinate_create_new_security_domain=True
+pki_subordinate_security_domain_name=LEVEL3
+
+pki_ca_signing_nickname=${PREFIX}ca_signing
+pki_ca_signing_subject_dn=cn=CA Signing Certificate,o=EXAMPLE
+pki_ca_signing_token=$TOKEN
+
+pki_ocsp_signing_nickname=${PREFIX}ca_ocsp_signing
+pki_ocsp_signing_subject_dn=cn=CA OCSP Signing Certificate,o=EXAMPLE
+pki_ocsp_signing_token=$TOKEN
+
+pki_audit_signing_nickname=${PREFIX}ca_audit_signing
+pki_audit_signing_subject_dn=cn=CA Audit Signing Certificate,o=EXAMPLE
+pki_audit_signing_token=$TOKEN
+
+pki_sslserver_nickname=${PREFIX}sslserver/$HOSTNAME
+pki_sslserver_subject_dn=cn=$HOSTNAME,o=EXAMPLE
+pki_sslserver_token=$TOKEN
+
+pki_subsystem_nickname=${PREFIX}subsystem/$HOSTNAME
+pki_subsystem_subject_dn=cn=Subsystem Certificate,o=EXAMPLE
+pki_subsystem_token=$TOKEN
+EOF
+
+pkispawn -v -f tmp/level3ca.cfg -s CA
+
+echo $HOSTNAME > tmp/level3ca.hostname
+
diff --git a/scripts/rootca-admin-init.sh b/scripts/rootca-admin-init.sh
index f30990f..85bef92 100755
--- a/scripts/rootca-admin-init.sh
+++ b/scripts/rootca-admin-init.sh
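Review bot: `pki_ca_signing_token=$TOKEN` and the `${PREFIX}` nicknames in the heredoc rely on variables this script never assigns (subca-lunasa-create.sh and the nfast scripts set `USER`, `PREFIX` and `TOKEN` at the top), so unless the caller exports them every `pki_*_token=` line is written empty; if empty-means-internal-token is the intended non-HSM default, make that explicit with `TOKEN=${TOKEN:-}` and a comment such as `# TOKEN/PREFIX come from the environment; empty selects the internal token and bare nicknames`. `SUBCA=\`cat tmp/subca.hostname\`` is also unchecked, so a missing file silently produces blank `pki_issuing_ca_hostname=` and `pki_security_domain_hostname=` values; `[ -s tmp/subca.hostname ] || exit 1` before the heredoc would fail early instead. Finally, tmp/level3ca.cfg carries the DS, admin and security-domain passwords and is created with the caller's default umask; a `umask 077` before the `cat >` keeps it private to the user running the script.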
@@ -2,7 +2,9 @@ pki -c Secret.123 client-init --force -pki -c Secret.123 client-cert-import "Root CA Signing Certificate" --ca-server +#pki -c Secret.123 client-cert-import "Root CA Signing Certificate" --ca-server +pki-server cert-export ca_signing --cert-file tmp/rootca_signing.crt +pki -c Secret.123 client-cert-import --ca-cert tmp/rootca_signing.crt pki -c Secret.123 client-cert-import \ --pkcs12 ~/.dogtag/pki-tomcat/ca_admin_cert.p12 \ diff --git a/scripts/rootca-create.sh b/scripts/rootca-create.sh index 62506ff..4cbb688 100755 --- a/scripts/rootca-create.sh +++ b/scripts/rootca-create.sh @@ -14,7 +14,7 @@ pki_admin_password=Secret.123 pki_admin_uid=caadmin pki_client_database_password=Secret.123 -#pki_client_database_purge=False +pki_client_database_purge=False pki_client_pkcs12_password=Secret.123 pki_ds_base_dn=dc=ca,dc=pki,dc=example,dc=com @@ -24,7 +24,7 @@ pki_ds_database=ca pki_security_domain_name=ROOT pki_ca_signing_nickname=ca_signing -pki_ca_signing_subject_dn=cn=Root CA Signing Certificate,o=ROOT +#pki_ca_signing_subject_dn=cn=CA Signing Certificate,o=ROOT pki_ocsp_signing_nickname=ca_ocsp_signing pki_audit_signing_nickname=ca_audit_signing @@ -32,6 +32,6 @@ pki_sslserver_nickname=sslserver pki_subsystem_nickname=subsystem EOF -pkispawn -f tmp/rootca.cfg -s CA +pkispawn -vvv -f tmp/rootca.cfg -s CA -echo $HOSTNAME > tmp/rootca.txt +echo $HOSTNAME > tmp/rootca.hostname diff --git a/scripts/subca-admin-init.sh b/scripts/subca-admin-init.sh index 7e7db59..a128d08 100755 --- a/scripts/subca-admin-init.sh +++ b/scripts/subca-admin-init.sh 
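Review bot: The new `pki -c Secret.123 client-cert-import --ca-cert tmp/rootca_signing.crt` line, like the ones around it, passes the client NSS database password on the command line where `ps` and shell history can read it; the `pki` CLI also takes a password file via `-C <file>`, so `pki -C tmp/client.pwd client-cert-import --ca-cert tmp/rootca_signing.crt` keeps it off argv. Separately, `pki-server cert-export ca_signing` presumably needs read access to the server's NSS database under /etc/pki, while the import that follows targets the invoking user's ~/.dogtag; a one-line comment stating which user this script is meant to run as would save the next reader a failed attempt. That is inferred from the paths, not something the hunk itself shows.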
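Review bot: Uncommenting `pki_client_database_purge=False` keeps the pkispawn client NSS database, which holds the freshly generated admin key, on disk after installation, protected only by `pki_client_database_password=Secret.123`; that is acceptable on a throwaway test box but deserves a comment, e.g. `# keep the client DB so rootca-admin-init.sh can reuse it; dev only`. The same file's later hunk raises pkispawn to `-vvv`; whether debug output echoes config values such as the passwords in tmp/rootca.cfg I cannot tell from here, so the console log should be treated as sensitive.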
@@ -1,11 +1,16 @@ #!/bin/sh -ROOT=`cat tmp/rootca.txt` +#ROOTCA=`cat tmp/rootca.hostname` pki -c Secret.123 client-init --force -pki -h $ROOT -c Secret.123 client-cert-import "Root CA Signing Certificate" --ca-server -pki -h $ROOT -c Secret.123 client-cert-import "Subordinate CA Signing Certificate" --serial 0x7 +#pki -h $ROOTCA -c Secret.123 client-cert-import "Root CA Signing Certificate" --ca-server +pki -c Secret.123 client-cert-import --ca-cert tmp/rootca_signing.crt + +#pki -h $ROOTCA -c Secret.123 client-cert-import "Subordinate CA Signing Certificate" --serial 0x7 + +pki-server cert-export ca_signing --cert-file tmp/subca_signing.crt +pki -c Secret.123 client-cert-import --ca-cert tmp/subca_signing.crt pki -c Secret.123 client-cert-import \ --pkcs12 ~/.dogtag/pki-tomcat/ca_admin_cert.p12 \ diff --git a/scripts/subca-ca-sign.sh b/scripts/subca-ca-sign.sh new file mode 100755 index 0000000..a55249f --- /dev/null +++ b/scripts/subca-ca-sign.sh @@ -0,0 +1,13 @@ +#!/bin/sh + +#pki cert-show 0x1 --output tmp/external.crt +#openssl crl2pkcs7 -nocrl -certfile tmp/external.crt -out tmp/cert_chain.p7b +#pki -d /etc/pki/pki-tomcat/alias -c Secret.123 client-cert-show ca_signing --cert tmp/external.crt +pki-server cert-export ca_signing --cert-file tmp/external.crt + +./ca_signing-ca-sign.sh + +openssl crl2pkcs7 -nocrl \ + -certfile tmp/external.crt \ + -certfile tmp/ca_signing.crt \ + -out tmp/ca_signing.p7b diff --git a/scripts/subca-cmc-sign.sh b/scripts/subca-cmc-sign.sh index 9a512ad..42daebd 100755 --- a/scripts/subca-cmc-sign.sh +++ b/scripts/subca-cmc-sign.sh 
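Review bot: `pki -c Secret.123 client-cert-import --ca-cert tmp/rootca_signing.crt` marks whatever is in that file as a trusted CA, but on the sub CA host nothing in this commit produces it (rootca-admin-init.sh exports it on the root host via `pki-server cert-export ca_signing`), so it must be copied over by hand and nothing here checks that it arrived or that it is the intended root. The commented-out `--ca-server` fetch from `$ROOTCA` was a trust-on-first-use step, so the file-based import is only an improvement if the copy is verified: `[ -s tmp/rootca_signing.crt ] || exit 1` followed by `openssl x509 -in tmp/rootca_signing.crt -noout -fingerprint -sha256` for the operator to compare against the root host would make that explicit. The dead `#ROOTCA=` line and the two commented `pki -h $ROOTCA` lines can be dropped, since the script no longer contacts the root at all.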
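Review bot: The `openssl crl2pkcs7` call at the end bundles tmp/ca_signing.crt without checking that `./ca_signing-ca-sign.sh` succeeded or that the certificate it produced actually chains to tmp/external.crt; with no `set -e`, a failed helper leaves a stale file from a previous run to be packaged and later installed as the CA's chain. Inserting `openssl verify -CAfile tmp/external.crt tmp/ca_signing.crt || exit 1` before the bundle catches both cases. `./ca_signing-ca-sign.sh` is not part of this commit, so whether it writes exactly tmp/ca_signing.crt cannot be reviewed here; a comment naming the expected output would help. Note also that `tmp/external.crt` here holds the local Dogtag CA's own signing certificate rather than an external CA, which the filename obscures.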
@@ -1,74 +1,6 @@ #!/bin/sh -mkdir -p tmp +#pki cert-show 0x1 --output tmp/external.crt +#openssl crl2pkcs7 -nocrl -certfile tmp/external.crt -out tmp/cert_chain.p7b -cat > tmp/subca-cmc-request.cfg << EOF -# NSS database directory. -dbdir=$HOME/.dogtag/nssdb - -# NSS database password. -password=Secret.123 - -# Token name (default is internal). -tokenname=internal - -# Nickname for agent certificate. -nickname=caadmin - -# Request format: pkcs10 or crmf. -format=pkcs10 - -# Total number of PKCS10/CRMF requests. -numRequests=1 - -# Path to the PKCS10/CRMF request. -# The content must be in Base-64 encoded format. -# Multiple files are supported. They must be separated by space. -input=$PWD/tmp/subca.csr - -# Path for the CMC request in binary format -output=$PWD/tmp/subca-cmc-request.bin -EOF - -CMCRequest tmp/subca-cmc-request.cfg - -cat > tmp/subca-cmc-submit.cfg << EOF -# PKI server host name. -host=$HOSTNAME - -# PKI server port number. -port=8443 - -# Use secure connection. -# For secure connection with ECC, set environment variable 'export NSS_USE_DECODED_CKA_EC_POINT=1'. -secure=true - -# Use client authentication. -clientmode=true - -# NSS database directory. -dbdir=$HOME/.dogtag/nssdb - -# NSS database password. -password=Secret.123 - -# Token name (default: internal). -tokenname=internal - -# Nickname of agent certificate. -nickname=caadmin - -# CMC servlet path -#servlet=/ca/ee/ca/profileSubmitCMCFull -servlet=/ca/ee/ca/profileSubmitCMCFull?profileId=caCMCcaCert - -# Path for the CMC request. -input=tmp/subca-cmc-request.bin - -# Path for the CMC response. -output=tmp/subca-cmc-response.bin -EOF - -HttpClient tmp/subca-cmc-submit.cfg - -CMCResponse -i tmp/subca-cmc-response.bin -o tmp/subca.crt +./ca_signing-cmc-sign.sh diff --git a/scripts/subca-create.sh b/scripts/subca-create.sh index eaef0f5..940f06e 100755 --- a/scripts/subca-create.sh +++ b/scripts/subca-create.sh 
@@ -2,19 +2,12 @@ mkdir -p tmp -ROOT=`cat tmp/rootca.txt` +ROOTCA=`cat tmp/rootca.hostname` cat > tmp/subca.cfg << EOF [DEFAULT] pki_pin=Secret.123 -#pki_https_port=9443 -#pki_http_port=9443 - -#[Tomcat] -#pki_ajp_port=9009 -#pki_tomcat_server_port=9005 - [CA] pki_admin_email=caadmin@example.com pki_admin_name=caadmin 
@@ -22,38 +15,47 @@ pki_admin_nickname=caadmin pki_admin_password=Secret.123 pki_admin_uid=caadmin -pki_subordinate=True -pki_issuing_ca_hostname=$ROOT -pki_issuing_ca_https_port=8443 -pki_ca_signing_subject_dn=cn=Subordinate CA Signing Certificate,o=SUBORDINATE - pki_client_database_password=Secret.123 pki_client_database_purge=False pki_client_pkcs12_password=Secret.123 pki_ds_base_dn=dc=ca,dc=pki,dc=example,dc=com -pki_ds_database=ca pki_ds_password=Secret.123 +pki_ds_database=ca -pki_security_domain_hostname=$ROOT -pki_security_domain_https_port=8443 +pki_subordinate=True + +pki_issuing_ca_hostname=$ROOTCA + +pki_security_domain_hostname=$ROOTCA +#pki_security_domain_name=EXAMPLE pki_security_domain_user=caadmin pki_security_domain_password=Secret.123 -#pki_subordinate_create_new_security_domain=True -#pki_subordinate_security_domain_name=SUBORDINATE +pki_subordinate_create_new_security_domain=True +pki_subordinate_security_domain_name=EXAMPLE + +pki_ca_signing_nickname=${PREFIX}ca_signing +pki_ca_signing_subject_dn=cn=CA Signing Certificate,o=EXAMPLE +pki_ca_signing_token=$TOKEN -#pki_ca_signing_nickname=edewata/%(pki_instance_name)s/ca_signing -#pki_ocsp_signing_nickname=edewata/%(pki_instance_name)s/ca_ocsp_signing -#pki_audit_signing_nickname=edewata/%(pki_instance_name)s/ca_audit_signing -#pki_sslserver_nickname=edewata/%(pki_instance_name)s/sslserver -#pki_subsystem_nickname=edewata/%(pki_instance_name)s/subsystem +pki_ocsp_signing_nickname=${PREFIX}ca_ocsp_signing +pki_ocsp_signing_subject_dn=cn=CA OCSP Signing Certificate,o=EXAMPLE +pki_ocsp_signing_token=$TOKEN -pki_ca_signing_nickname=ca_signing -pki_ocsp_signing_nickname=ca_ocsp_signing -pki_audit_signing_nickname=ca_audit_signing -pki_sslserver_nickname=sslserver -pki_subsystem_nickname=subsystem +pki_audit_signing_nickname=${PREFIX}ca_audit_signing +pki_audit_signing_subject_dn=cn=CA Audit Signing Certificate,o=EXAMPLE +pki_audit_signing_token=$TOKEN + 
+pki_sslserver_nickname=${PREFIX}sslserver/$HOSTNAME +pki_sslserver_subject_dn=cn=$HOSTNAME,o=EXAMPLE +pki_sslserver_token=$TOKEN + +pki_subsystem_nickname=${PREFIX}subsystem/$HOSTNAME +pki_subsystem_subject_dn=cn=Subsystem Certificate,o=EXAMPLE +pki_subsystem_token=$TOKEN EOF pkispawn -v -f tmp/subca.cfg -s CA + +echo $HOSTNAME > tmp/subca.hostname diff --git a/scripts/subca-external-step1.sh b/scripts/subca-external-step1.sh index d02ef72..cc0f51d 100755 --- a/scripts/subca-external-step1.sh +++ b/scripts/subca-external-step1.sh @@ -2,9 +2,7 @@ mkdir -p tmp -ROOT=`cat tmp/rootca.txt` - -cat > tmp/subca.cfg << EOF +cat > tmp/subca-step1.cfg << EOF [DEFAULT] pki_pin=Secret.123 @@ -20,23 +18,31 @@ pki_client_database_purge=False pki_client_pkcs12_password=Secret.123 pki_ds_base_dn=dc=ca,dc=pki,dc=example,dc=com -pki_ds_database=ca pki_ds_password=Secret.123 +pki_ds_database=ca -pki_security_domain_name=SUBORDINATE -pki_token_password=Secret.123 +pki_security_domain_name=EXAMPLE pki_external=True pki_external_step_two=False -pki_external_csr_path=tmp/subca.csr -pki_ca_signing_subject_dn=cn=Subordinate CA Signing Certificate,o=SUBORDINATE +pki_cert_chain_nickname=${PREFIX}external + +pki_ca_signing_nickname=${PREFIX}ca_signing +pki_ca_signing_token=$TOKEN +pki_external_csr_path=tmp/ca_signing.csr + +pki_ocsp_signing_nickname=${PREFIX}ca_ocsp_signing +pki_ocsp_signing_token=$TOKEN + +pki_audit_signing_nickname=${PREFIX}ca_audit_signing +pki_audit_signing_token=$TOKEN + +pki_sslserver_nickname=${PREFIX}sslserver/$HOSTNAME +pki_sslserver_token=$TOKEN -pki_ca_signing_nickname=ca_signing -pki_ocsp_signing_nickname=ca_ocsp_signing -pki_audit_signing_nickname=ca_audit_signing -pki_sslserver_nickname=sslserver -pki_subsystem_nickname=subsystem +pki_subsystem_nickname=${PREFIX}subsystem/$HOSTNAME +pki_subsystem_token=$TOKEN EOF -pkispawn -v -f tmp/subca.cfg -s CA +pkispawn -vvv -f tmp/subca-step1.cfg -s CA 
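Review bot: `pki_ca_signing_token=$TOKEN` and the `${PREFIX}` nicknames added in this hunk are never assigned in this script (unlike subca-lunasa-create.sh, which sets `USER`, `PREFIX` and `TOKEN` up front), so with a clean environment pkispawn receives empty `pki_*_token=` values and unprefixed nicknames; if that is the intended non-HSM default, say so with `TOKEN=${TOKEN:-}` and `# empty TOKEN selects the internal token` rather than relying on an unset variable. The heredoc these lines belong to opens in the previous hunk. The new `pki_subordinate_create_new_security_domain=True` / `pki_subordinate_security_domain_name=EXAMPLE` pair joins the root's domain as `caadmin`/`Secret.123` and then starts a new domain; rootca-create.sh names the root's domain ROOT, so keeping `#pki_security_domain_name=EXAMPLE` commented looks right, and a comment saying the root's domain name is presumably discovered from `$ROOTCA` would stop someone from re-enabling it.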
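Review bot: `pki_external_csr_path=tmp/ca_signing.csr` and the other paths in this config are relative, and pkispawn presumably runs as root, so the CSR lands wherever the root shell's cwd is and `mkdir -p tmp` leaves a root-owned directory for the step-two run; a `cd "$(dirname "$0")"` at the top, or absolute `$PWD/tmp/...` paths as the deleted CMC config in subca-cmc-sign.sh used, pins this down. `$PREFIX` and `$TOKEN` are likewise undefined in this script, so the `pki_*_token=$TOKEN` lines are empty unless exported by the caller; either define them as subca-lunasa-external-step1.sh does or comment that empty means the internal token.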
diff --git a/scripts/subca-external-step2.sh b/scripts/subca-external-step2.sh index 3c50934..cdadf8b 100755 --- a/scripts/subca-external-step2.sh +++ b/scripts/subca-external-step2.sh @@ -2,7 +2,7 @@ mkdir -p tmp -cat > tmp/subca.cfg << EOF +cat > tmp/subca-step2.cfg << EOF [DEFAULT] pki_pin=Secret.123 @@ -18,27 +18,33 @@ pki_client_database_purge=False pki_client_pkcs12_password=Secret.123 pki_ds_base_dn=dc=ca,dc=pki,dc=example,dc=com -pki_ds_database=ca pki_ds_password=Secret.123 +pki_ds_database=ca -pki_security_domain_name=SUBORDINATE -pki_token_password=Secret.123 +pki_security_domain_name=EXAMPLE pki_external=True pki_external_step_two=True -pki_external_csr_path=tmp/subca.csr -pki_external_ca_cert_path=tmp/subca.crt -#pki_external_ca_cert_chain_nickname=Root CA Signing Certificate - ROOT -#pki_external_ca_cert_chain_path=tmp/root.crt +pki_cert_chain_nickname=${PREFIX}external +pki_external_ca_cert_chain_path=tmp/external.crt + +pki_ca_signing_nickname=${PREFIX}ca_signing +pki_ca_signing_token=$TOKEN +pki_external_csr_path=tmp/ca_signing.csr +pki_external_ca_cert_path=tmp/ca_signing.crt + +pki_ocsp_signing_nickname=${PREFIX}ca_ocsp_signing +pki_ocsp_signing_token=$TOKEN + +pki_audit_signing_nickname=${PREFIX}ca_audit_signing +pki_audit_signing_token=$TOKEN -pki_ca_signing_subject_dn=cn=Subordinate CA Signing Certificate,o=SUBORDINATE +pki_sslserver_nickname=${PREFIX}sslserver/$HOSTNAME +pki_sslserver_token=$TOKEN -pki_ca_signing_nickname=ca_signing -pki_ocsp_signing_nickname=ca_ocsp_signing -pki_audit_signing_nickname=ca_audit_signing -pki_sslserver_nickname=sslserver -pki_subsystem_nickname=subsystem +pki_subsystem_nickname=${PREFIX}subsystem/$HOSTNAME +pki_subsystem_token=$TOKEN EOF -pkispawn -v -f tmp/subca.cfg -s CA +pkispawn -vvv -f tmp/subca-step2.cfg -s CA diff --git a/scripts/subca-lunasa-create.sh b/scripts/subca-lunasa-create.sh new file mode 100755 index 0000000..5a7315b --- /dev/null +++ b/scripts/subca-lunasa-create.sh 
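Review bot: `pki_external_ca_cert_chain_path=tmp/external.crt` and `pki_external_ca_cert_path=tmp/ca_signing.crt` are installed as the CA's trust chain and signing certificate with no check that the two files belong together; nothing in these scripts clears tmp/ between runs, so a failed or skipped signing step leaves an earlier ca_signing.crt next to a fresh external.crt and step two imports a mismatched pair. A single `openssl verify -CAfile tmp/external.crt tmp/ca_signing.crt || exit 1` before `pkispawn` prevents that. tmp/external.crt is also a single certificate, so this only works for a one-level external CA; for a deeper chain the PKCS#7 that subca-openssl-sign.sh already writes (`tmp/cert_chain.p7b`) is the right input, as the commented alternative in the HSM variants of this script suggests.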
@@ -0,0 +1,72 @@
+#!/bin/sh -x
+
+mkdir -p tmp
+
+ROOT=`cat tmp/rootca.hostname`
+USER=`cat user.txt`
+PREFIX=$USER/
+
+TOKEN=lunasaDEV
+PASSWORD=devLuna555
+
+cat > tmp/subca.cfg << EOF
+[DEFAULT]
+pki_pin=Secret.123
+
+pki_hsm_enable=True
+pki_hsm_libfile=/usr/safenet/lunaclient/lib/libCryptoki2_64.so
+pki_hsm_modulename=lunasa
+pki_token_name=$TOKEN
+pki_token_password=$PASSWORD
+
+[CA]
+pki_admin_email=caadmin@example.com
+pki_admin_name=caadmin
+pki_admin_nickname=caadmin
+pki_admin_password=Secret.123
+pki_admin_uid=caadmin
+
+pki_client_database_password=Secret.123
+pki_client_database_purge=False
+pki_client_pkcs12_password=Secret.123
+
+pki_ds_base_dn=dc=ca,dc=pki,dc=example,dc=com
+pki_ds_password=Secret.123
+pki_ds_database=ca
+
+pki_subordinate=True
+
+pki_issuing_ca_hostname=$ROOT
+
+pki_security_domain_hostname=$ROOT
+pki_security_domain_name=EXAMPLE
+pki_security_domain_user=caadmin
+pki_security_domain_password=Secret.123
+
+pki_subordinate_create_new_security_domain=True
+pki_subordinate_security_domain_name=EXAMPLE
+
+pki_ca_signing_nickname=${PREFIX}ca_signing
+pki_ca_signing_subject_dn=CN=CA Signing Certificate,O=EXAMPLE
+pki_ca_signing_token=$TOKEN
+
+pki_ocsp_signing_nickname=${PREFIX}ca_ocsp_signing
+pki_ocsp_signing_subject_dn=CN=CA OCSP Signing Certificate,O=EXAMPLE
+pki_ocsp_signing_token=$TOKEN
+
+pki_audit_signing_nickname=${PREFIX}ca_audit_signing
+pki_audit_signing_subject_dn=CN=CA Audit Signing Certificate,O=EXAMPLE
+pki_audit_signing_token=$TOKEN
+
+pki_sslserver_nickname=${PREFIX}sslserver/$HOSTNAME
+pki_sslserver_subject_dn=CN=$HOSTNAME,O=EXAMPLE
+pki_sslserver_token=$TOKEN
+
+pki_subsystem_nickname=${PREFIX}subsystem/$HOSTNAME
+pki_subsystem_subject_dn=CN=Subsystem Certificate,O=EXAMPLE
+pki_subsystem_token=$TOKEN
+EOF
+
+pkispawn -v -f tmp/subca.cfg -s CA
+
+echo $HOSTNAME > tmp/ca.hostname
diff --git a/scripts/subca-lunasa-external-step1.sh b/scripts/subca-lunasa-external-step1.sh
new file mode 100755
index 0000000..c7be635
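Review bot: `PASSWORD=devLuna555` hard-codes the HSM partition password in a checked-in script, and with `#!/bin/sh -x` the shell echoes that assignment to stderr on every run; subca-nfast-external-step1.sh reads its passphrase from a file, so do the same here (`PASSWORD=\`cat lunasaDEV.txt\`` or similar) and drop `-x`, since the trace prints the expanded value either way. The value is then written into tmp/subca.cfg as `pki_token_password`, so a `umask 077` before the heredoc is warranted too. The closing `echo $HOSTNAME > tmp/ca.hostname` does not match the `tmp/subca.hostname` that level3ca-create.sh reads and subca-create.sh writes, so a level-3 CA chained to a Luna-backed sub CA gets an empty issuing hostname. `pki_security_domain_name=EXAMPLE` is set for the root host here while rootca-create.sh names that domain ROOT and subca-create.sh leaves the key commented out; whether pkispawn checks the value I cannot tell, but it looks like a leftover.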
--- /dev/null
+++ b/scripts/subca-lunasa-external-step1.sh
@@ -0,0 +1,63 @@
+#!/bin/sh -x
+
+mkdir -p tmp
+
+USER=`cat user.txt`
+PREFIX=$USER/
+
+TOKEN=lunasaDEV
+PASSWORD=devLuna555
+
+cat > tmp/subca-step1.cfg << EOF
+[DEFAULT]
+pki_pin=Secret.123
+
+pki_hsm_enable=True
+pki_hsm_libfile=/usr/safenet/lunaclient/lib/libCryptoki2_64.so
+#pki_hsm_libfile=/usr/lib/libcklog2.so
+pki_hsm_modulename=lunasa
+pki_token_name=$TOKEN
+pki_token_password=$PASSWORD
+
+[CA]
+pki_admin_email=caadmin@example.com
+pki_admin_name=caadmin
+pki_admin_nickname=caadmin
+pki_admin_password=Secret.123
+pki_admin_uid=caadmin
+
+pki_client_database_password=Secret.123
+pki_client_database_purge=False
+pki_client_pkcs12_password=Secret.123
+
+pki_ds_base_dn=dc=ca,dc=pki,dc=example,dc=com
+pki_ds_password=Secret.123
+pki_ds_database=ca
+
+pki_external=True
+pki_external_step_two=False
+
+pki_security_domain_name=EXAMPLE
+
+pki_cert_chain_nickname=${PREFIX}external
+
+pki_ca_signing_nickname=${PREFIX}ca_signing
+pki_ca_signing_token=$TOKEN
+pki_external_csr_path=tmp/ca_signing.csr
+
+pki_ocsp_signing_nickname=${PREFIX}ca_ocsp_signing
+pki_ocsp_signing_token=$TOKEN
+
+pki_audit_signing_nickname=${PREFIX}ca_audit_signing
+pki_audit_signing_token=$TOKEN
+
+pki_sslserver_nickname=${PREFIX}sslserver/$HOSTNAME
+pki_sslserver_token=$TOKEN
+
+pki_subsystem_nickname=${PREFIX}subsystem/$HOSTNAME
+pki_subsystem_token=$TOKEN
+EOF
+
+pkispawn -vvv -f tmp/subca-step1.cfg -s CA
+
+#/bin/cp -f tmp/ca_signing.csr .
diff --git a/scripts/subca-lunasa-external-step2.sh b/scripts/subca-lunasa-external-step2.sh
new file mode 100755
index 0000000..2ab1dc8
--- /dev/null
+++ b/scripts/subca-lunasa-external-step2.sh
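Review bot: The commented `#pki_hsm_libfile=/usr/lib/libcklog2.so` swaps in SafeNet's PKCS#11 call-logging shim; if anyone re-enables it for debugging, every PKCS#11 call pkispawn makes is written to a log file, so the line should carry a warning such as `# cklog traces all PKCS#11 calls to a log file - debugging only, never on a shared host`. Whether that trace includes the PIN passed to C_Login I cannot confirm from here, so the log should be treated as sensitive regardless. As in subca-lunasa-create.sh, `PASSWORD=devLuna555` is both hard-coded and printed by the `-x` trace; reading it from a file as the nfast variant does and removing `-x` from the shebang fixes both.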
@@ -0,0 +1,65 @@
+#!/bin/sh -x
+
+mkdir -p tmp
+
+USER=`cat user.txt`
+PREFIX=$USER/
+
+TOKEN=lunasaDEV
+PASSWORD=devLuna555
+
+cat > tmp/subca-step2.cfg << EOF
+[DEFAULT]
+pki_pin=Secret.123
+
+pki_hsm_enable=True
+pki_hsm_libfile=/usr/safenet/lunaclient/lib/libCryptoki2_64.so
+#pki_hsm_libfile=/usr/lib/libcklog2.so
+pki_hsm_modulename=lunasa
+pki_token_name=$TOKEN
+pki_token_password=$PASSWORD
+
+[CA]
+pki_admin_email=caadmin@example.com
+pki_admin_name=caadmin
+pki_admin_nickname=caadmin
+pki_admin_password=Secret.123
+pki_admin_uid=caadmin
+
+pki_client_database_password=Secret.123
+pki_client_database_purge=False
+pki_client_pkcs12_password=Secret.123
+
+pki_ds_base_dn=dc=ca,dc=pki,dc=example,dc=com
+pki_ds_password=Secret.123
+pki_ds_database=ca
+
+pki_external=True
+pki_external_step_two=True
+
+pki_security_domain_name=EXAMPLE
+
+pki_cert_chain_nickname=${PREFIX}external
+pki_external_ca_cert_chain_path=tmp/external.crt
+#pki_external_ca_cert_chain_path=tmp/cert_chain.p7b
+
+pki_ca_signing_nickname=${PREFIX}ca_signing
+pki_ca_signing_token=$TOKEN
+pki_external_csr_path=tmp/ca_signing.csr
+pki_external_ca_cert_path=tmp/ca_signing.crt
+#pki_external_ca_cert_path=tmp/ca_signing.p7b
+
+pki_ocsp_signing_nickname=${PREFIX}ca_ocsp_signing
+pki_ocsp_signing_token=$TOKEN
+
+pki_audit_signing_nickname=${PREFIX}ca_audit_signing
+pki_audit_signing_token=$TOKEN
+
+pki_sslserver_nickname=${PREFIX}sslserver/$HOSTNAME
+pki_sslserver_token=$TOKEN
+
+pki_subsystem_nickname=${PREFIX}subsystem
+pki_subsystem_token=$TOKEN
+EOF
+
+pkispawn -vvv -f tmp/subca-step2.cfg -s CA
diff --git a/scripts/subca-nfast-external-step1.sh b/scripts/subca-nfast-external-step1.sh
new file mode 100755
index 0000000..91341de
--- /dev/null
+++ b/scripts/subca-nfast-external-step1.sh
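Review bot: `pki_subsystem_nickname=${PREFIX}subsystem` drops the `/$HOSTNAME` suffix that subca-lunasa-external-step1.sh used for the same certificate (`${PREFIX}subsystem/$HOSTNAME`); step two is expected to pick up the key material step one already created on the token, so unless pkispawn tolerates a nickname change this lookup fails or, worse, generates a second subsystem key. Change it to `pki_subsystem_nickname=${PREFIX}subsystem/$HOSTNAME` to match step one. The hard-coded `PASSWORD=devLuna555` and the `-x` shebang carry the same exposure noted for the step-one script.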
@@ -0,0 +1,62 @@
+#!/bin/sh -x
+
+mkdir -p tmp
+
+USER=`cat user.txt`
+PREFIX=$USER/
+
+TOKEN=NHSM6000-OCS
+PASSWORD=`cat NHSM6000-OCS.txt`
+
+cat > tmp/subca-step1.cfg << EOF
+[DEFAULT]
+pki_pin=Secret.123
+
+pki_hsm_enable=True
+pki_hsm_libfile=/opt/nfast/toolkits/pkcs11/libcknfast.so
+pki_hsm_modulename=nfast
+pki_token_name=$TOKEN
+pki_token_password=$PASSWORD
+
+[CA]
+pki_admin_email=caadmin@example.com
+pki_admin_name=caadmin
+pki_admin_nickname=caadmin
+pki_admin_password=Secret.123
+pki_admin_uid=caadmin
+
+pki_client_database_password=Secret.123
+pki_client_database_purge=False
+pki_client_pkcs12_password=Secret.123
+
+pki_ds_base_dn=dc=ca,dc=pki,dc=example,dc=com
+pki_ds_password=Secret.123
+pki_ds_database=ca
+
+pki_security_domain_name=EXAMPLE
+
+pki_external=True
+pki_external_step_two=False
+
+#pki_cert_chain_nickname=${PREFIX}external
+
+pki_ca_signing_nickname=${PREFIX}ca_signing
+pki_ca_signing_token=$TOKEN
+#pki_external_csr_path=tmp/ca_signing.csr
+pki_ca_signing_csr_path=tmp/ca_signing.csr
+
+pki_ocsp_signing_nickname=${PREFIX}ca_ocsp_signing
+pki_ocsp_signing_token=$TOKEN
+
+pki_audit_signing_nickname=${PREFIX}ca_audit_signing
+pki_audit_signing_token=$TOKEN
+
+pki_sslserver_nickname=${PREFIX}sslserver/$HOSTNAME
+pki_sslserver_token=$TOKEN
+
+pki_subsystem_nickname=${PREFIX}subsystem/$HOSTNAME
+pki_subsystem_token=$TOKEN
+EOF
+
+pkispawn -vvv -f tmp/subca-step1.cfg -s CA
+
diff --git a/scripts/subca-nfast-external-step2.sh b/scripts/subca-nfast-external-step2.sh
new file mode 100755
index 0000000..8b8949d
--- /dev/null
+++ b/scripts/subca-nfast-external-step2.sh
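Review bot: `PASSWORD=\`cat NHSM6000-OCS.txt\`` keeps the OCS passphrase out of the script, but `#!/bin/sh -x` then prints `+ PASSWORD=<passphrase>` to stderr as the assignment executes, so the indirection buys nothing whenever the run's output is captured; drop `-x` from the shebang, or bracket the read with `set +x` and `set -x`. The passphrase is also written to tmp/subca-step1.cfg via `pki_token_password=$PASSWORD` under the default umask, so add `umask 077` before the heredoc. A missing NHSM6000-OCS.txt yields an empty password rather than an error; `[ -s NHSM6000-OCS.txt ] || exit 1` would surface that before pkispawn fails against the HSM.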
@@ -0,0 +1,65 @@
+#!/bin/sh -x
+
+mkdir -p tmp
+
+USER=`cat user.txt`
+PREFIX=$USER/
+
+TOKEN=NHSM6000-OCS
+PASSWORD=`cat NHSM6000-OCS.txt`
+
+cat > tmp/subca-step2.cfg << EOF
+[DEFAULT]
+pki_pin=Secret.123
+
+pki_hsm_enable=True
+pki_hsm_libfile=/opt/nfast/toolkits/pkcs11/libcknfast.so
+pki_hsm_modulename=nfast
+pki_token_name=$TOKEN
+pki_token_password=$PASSWORD
+
+[CA]
+pki_admin_email=caadmin@example.com
+pki_admin_name=caadmin
+pki_admin_nickname=caadmin
+pki_admin_password=Secret.123
+pki_admin_uid=caadmin
+
+pki_client_database_password=Secret.123
+pki_client_database_purge=False
+pki_client_pkcs12_password=Secret.123
+
+pki_ds_base_dn=dc=ca,dc=pki,dc=example,dc=com
+pki_ds_password=Secret.123
+pki_ds_database=ca
+
+pki_security_domain_name=EXAMPLE
+
+pki_external=True
+pki_external_step_two=True
+
+pki_cert_chain_nickname=${PREFIX}external
+pki_external_ca_cert_chain_path=tmp/external.crt
+#pki_external_ca_cert_chain_path=tmp/cert_chain.p7b
+
+pki_ca_signing_nickname=${PREFIX}ca_signing
+pki_ca_signing_token=$TOKEN
+#pki_external_csr_path=tmp/ca_signing.csr
+pki_ca_signing_csr_path=tmp/ca_signing.csr
+#pki_external_ca_cert_path=tmp/ca_signing.crt
+pki_ca_signing_cert_path=tmp/ca_signing.crt
+
+pki_ocsp_signing_nickname=${PREFIX}ca_ocsp_signing
+pki_ocsp_signing_token=$TOKEN
+
+pki_audit_signing_nickname=${PREFIX}ca_audit_signing
+pki_audit_signing_token=$TOKEN
+
+pki_sslserver_nickname=${PREFIX}sslserver/$HOSTNAME
+pki_sslserver_token=$TOKEN
+
+pki_subsystem_nickname=${PREFIX}subsystem/$HOSTNAME
+pki_subsystem_token=$TOKEN
+EOF
+
+pkispawn -vvv -f tmp/subca-step2.cfg -s CA
diff --git a/scripts/subca-nss-sign.sh b/scripts/subca-nss-sign.sh
new file mode 100755
index 0000000..67682ec
--- /dev/null
+++ b/scripts/subca-nss-sign.sh
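Review bot: This step-two config uses `pki_ca_signing_csr_path` and `pki_ca_signing_cert_path` while the lunasa and softcard step-two scripts in the same commit use `pki_external_csr_path` and `pki_external_ca_cert_path` for the same two files, each leaving the other spelling commented out; which names the targeted pkispawn version honours cannot be determined from the diff, and an unrecognised key could make step two look for the signed certificate in the wrong place. Pick one spelling across the scripts, or annotate this one with `# new-style key names; requires a pkispawn that accepts pki_ca_signing_*_path` so the difference is deliberate. The `sh -x` trace of `PASSWORD=\`cat NHSM6000-OCS.txt\`` exposes the passphrase here exactly as in the step-one script.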
@@ -0,0 +1,66 @@
+#!/bin/sh
+
+rm -rf tmp/external
+mkdir -p tmp/external
+certutil -N -d tmp/external -f password.txt
+openssl rand -out tmp/external/noise.bin 2048
+
+echo "## Generating external CA certificate..."
+
+ROOTCA_SKID="0x`openssl rand -hex 20`"
+
+echo -e "y\n\ny\n${ROOTCA_SKID}\n\n" | \
+ certutil -S \
+ -d tmp/external \
+ -f password.txt \
+ -z tmp/external/noise.bin \
+ -n "External CA" \
+ -s "CN=External CA,O=EXTERNAL" \
+ -x \
+ -t "CTu,Cu,Cu" \
+ -m $RANDOM\
+ -2 \
+ --keyUsage digitalSignature,nonRepudiation,certSigning,crlSigning,critical \
+ --extSKID
+
+# --nsCertType sslCA,smimeCA,objectSigningCA
+
+echo "## Exporting external CA certificate..."
+
+certutil -L -d tmp/external -n "External CA" -a > tmp/external.crt
+
+echo "## Signing the CA signing certificate..."
+
+SUBCA_SKID="0x`openssl rand -hex 20`"
+SUBCA_OCSP="http://$HOSTNAME:8080/ca/ocsp"
+
+echo -e "y\n\ny\ny\n${ROOTCA_SKID}\n\n\n\n${SUBCA_SKID}\n\n2\n7\n${SUBCA_OCSP}\n\n\n\n" | \
+ certutil -C \
+ -d tmp/external \
+ -f password.txt \
+ -m $RANDOM \
+ -a \
+ -i tmp/ca_signing.csr \
+ -o tmp/ca_signing.crt \
+ -c "External CA" \
+ --extSKID \
+ -2 -3 \
+ --keyUsage digitalSignature,nonRepudiation,certSigning,crlSigning,critical \
+ --extAIA \
+ --extSKID
+
+echo "## Generating certificate chain..."
+
+certutil -A -d tmp/external -n "CA Signing Certificate" -t "CT,C,C" -a -i tmp/ca_signing.crt
+
+#openssl crl2pkcs7 -nocrl -certfile tmp/external.crt -out tmp/cert_chain.p7b
+#openssl crl2pkcs7 -nocrl -certfile tmp/external.crt -certfile tmp/ca_signing.crt -out tmp/cert_chain.p7b
+
+#certutil -C \
+# -d tmp/external \
+# -f password.txt \
+# -m $RANDOM \
+# -a \
+# -i tmp/ca_signing.csr \
+# -o tmp/ca_signing.crt \
+# -c "External CA"
diff --git a/scripts/subca-openssl-sign.sh b/scripts/subca-openssl-sign.sh
new file mode 100755
index 0000000..1d76d0d
--- /dev/null
+++ b/scripts/subca-openssl-sign.sh
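Review bot: The script is `#!/bin/sh` but both certutil invocations depend on bashisms: `-m $RANDOM` expands to nothing under dash, so `-m` swallows the following `-2` as its serial argument, and dash's `echo -e "y\n..."` prints a literal `-e` as the first prompt answer, shifting every answer in the extension dialogue; on a host where /bin/sh is bash this happens to work, so either use `#!/bin/bash` or feed the prompts with `printf 'y\n\ny\n%s\n\n' "$ROOTCA_SKID"`. Even under bash `$RANDOM` is a 15-bit serial, and the self-signed External CA and the sub CA certificate share the issuer name `CN=External CA,O=EXTERNAL`, so a collision makes the final `certutil -A` import fail on a reused issuer/serial; dropping `-m` lets certutil derive a time-based serial, which is the lesser evil for a throwaway CA. The answer strings piped into `certutil -C` encode a fixed prompt order that varies between NSS versions; a comment listing which prompt each `y`, `2`, `7` and SKID answers would make the next breakage diagnosable. `password.txt` is assumed to exist in the current directory and protects the external CA key; a `[ -s password.txt ] || exit 1` up front avoids an unprotected or failed database creation.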
@@ -0,0 +1,106 @@
+#!/bin/sh
+
+mkdir -p tmp
+
+cat > tmp/external.cfg << EOF
+HOME = tmp
+RANDFILE = tmp/random.bin
+
+####################################################################
+[ ca ]
+default_ca = CA_default # The default ca section
+
+[ CA_default ]
+
+default_days = 1000 # how long to certify for
+default_crl_days = 30 # how long before next CRL
+default_md = sha256 # use public key default MD
+preserve = no # keep passed DN ordering
+
+x509_extensions = ca_extensions # The extensions to add to the cert
+
+email_in_dn = no # Don't concat the email in the DN
+copy_extensions = copy # Required to copy SANs from CSR to cert
+
+####################################################################
+[ req ]
+default_bits = 4096
+default_keyfile = tmp/external.key
+distinguished_name = ca_distinguished_name
+x509_extensions = ca_extensions
+string_mask = utf8only
+
+####################################################################
+[ ca_distinguished_name ]
+countryName = Country Name (2 letter code)
+countryName_default = US
+
+stateOrProvinceName = State or Province Name (full name)
+stateOrProvinceName_default = Maryland
+
+localityName = Locality Name (eg, city)
+localityName_default = Baltimore
+
+organizationName = Organization Name (eg, company)
+organizationName_default = Test CA, Limited
+
+organizationalUnitName = Organizational Unit (eg, division)
+organizationalUnitName_default = Server Research Department
+
+commonName = Common Name (e.g. 
server FQDN or YOUR name)
+commonName_default = Test CA
+
+emailAddress = Email Address
+emailAddress_default = test@example.com
+
+####################################################################
+[ ca_extensions ]
+
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always, issuer
+basicConstraints = critical, CA:true
+keyUsage = critical, digitalSignature, nonRepudiation, keyCertSign, cRLSign
+EOF
+
+openssl req \
+ -config tmp/external.cfg \
+ -newkey rsa:2048 \
+ -keyout tmp/external.key \
+ -nodes \
+ -x509 \
+ -out tmp/external.crt \
+ -subj "/O=EXTERNAL/CN=External CA" \
+ -days 365
+
+openssl x509 -text -noout -in tmp/external.crt
+
+################################################################################
+# Issuing CA signing certificate
+
+cat > tmp/ca_signing-ext.cfg << EOF
+[ ca_extensions ]
+
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always, issuer
+basicConstraints = critical, CA:true
+keyUsage = critical, digitalSignature, nonRepudiation, keyCertSign, cRLSign
+EOF
+
+openssl x509 -req \
+ -CA tmp/external.crt \
+ -CAkey tmp/external.key \
+ -CAcreateserial \
+ -in tmp/ca_signing.csr \
+ -out tmp/ca_signing.crt \
+ -extfile tmp/external.cfg \
+ -extensions ca_extensions \
+ -set_serial 1
+
+openssl x509 -text -noout -in tmp/ca_signing.crt
+
+################################################################################
+# Exporting certificate chain
+
+openssl crl2pkcs7 -nocrl \
+ -certfile tmp/external.crt \
+ -out tmp/cert_chain.p7b
diff --git a/scripts/subca-softcard-external-step1.sh b/scripts/subca-softcard-external-step1.sh
new file mode 100755
index 0000000..37c331d
--- /dev/null
+++ b/scripts/subca-softcard-external-step1.sh
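Review bot: The `openssl x509 -req` call has no `-days`, so the issued CA signing certificate gets OpenSSL's default 30-day validity; `default_days = 1000` in `[ CA_default ]` applies only to `openssl ca` and is ignored here, which means the subordinate CA built from tmp/ca_signing.crt stops validating a month after installation, so add `-days 365 \` (the external CA's own lifetime) to that call. The same call passes `-extfile tmp/external.cfg` while the `tmp/ca_signing-ext.cfg` heredoc written just above it is never read; the two `[ ca_extensions ]` sections are identical today, but either pass `-extfile tmp/ca_signing-ext.cfg \` or delete the dead heredoc before they drift. `copy_extensions = copy` is likewise inert with `x509 -req`, and if this is ever moved to `openssl ca` it would let the requester's CSR dictate basicConstraints and keyUsage on a CA certificate, so it should not be carried over. `-nodes` writes the external CA key to tmp/external.key unencrypted with the process umask, so a `umask 077` at the top (or `chmod 600 tmp/external.key` afterwards) keeps it from being world-readable; note that `openssl req -x509` regenerates that key and certificate on every run, so each run is a fresh external CA and `-set_serial 1` never collides only for that reason.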
@@ -0,0 +1,61 @@
+#!/bin/sh -x
+
+mkdir -p tmp
+
+USER=`cat user.txt`
+PREFIX=$USER/
+
+TOKEN=softcard
+PASSWORD=Secret.123
+
+cat > tmp/subca-step1.cfg << EOF
+[DEFAULT]
+pki_pin=Secret.123
+
+pki_hsm_enable=True
+pki_hsm_libfile=/opt/nfast/toolkits/pkcs11/libcknfast.so
+pki_hsm_modulename=nfast
+pki_token_name=$TOKEN
+pki_token_password=$PASSWORD
+
+[CA]
+pki_admin_email=caadmin@example.com
+pki_admin_name=caadmin
+pki_admin_nickname=caadmin
+pki_admin_password=Secret.123
+pki_admin_uid=caadmin
+
+pki_client_database_password=Secret.123
+pki_client_database_purge=False
+pki_client_pkcs12_password=Secret.123
+
+pki_ds_base_dn=dc=ca,dc=pki,dc=example,dc=com
+pki_ds_password=Secret.123
+pki_ds_database=ca
+
+pki_security_domain_name=EXAMPLE
+
+pki_external=True
+pki_external_step_two=False
+
+#pki_cert_chain_nickname=${PREFIX}external
+
+#pki_ca_signing_nickname=${PREFIX}ca_signing
+pki_ca_signing_token=$TOKEN
+pki_external_csr_path=tmp/ca_signing.csr
+
+pki_ocsp_signing_nickname=${PREFIX}ca_ocsp_signing
+pki_ocsp_signing_token=$TOKEN
+
+pki_audit_signing_nickname=${PREFIX}ca_audit_signing
+pki_audit_signing_token=$TOKEN
+
+pki_ssl_server_nickname=${PREFIX}sslserver/$HOSTNAME
+pki_ssl_server_token=$TOKEN
+
+pki_subsystem_nickname=${PREFIX}subsystem/$HOSTNAME
+pki_subsystem_token=$TOKEN
+EOF
+
+pkispawn -vvv -f tmp/subca-step1.cfg -s CA
+
diff --git a/scripts/subca-softcard-external-step2.sh b/scripts/subca-softcard-external-step2.sh
new file mode 100755
index 0000000..cd6b534
--- /dev/null
+++ b/scripts/subca-softcard-external-step2.sh
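Review bot: `pki_ssl_server_nickname=${PREFIX}sslserver/$HOSTNAME` and `pki_ssl_server_token=$TOKEN` use a key spelling no other script in this commit uses; rootca-create.sh, subca-create.sh and the lunasa/nfast variants all write `pki_sslserver_nickname` / `pki_sslserver_token`, and if pkispawn does not recognise the underscored form it will silently fall back to its default nickname and token for the SSL server certificate, leaving that key in the internal NSS database instead of on the softcard. Rename them to `pki_sslserver_nickname=${PREFIX}sslserver/$HOSTNAME` and `pki_sslserver_token=$TOKEN`. `#pki_ca_signing_nickname=${PREFIX}ca_signing` is commented out here but active in the nfast step-one script; if the default nickname is intentional for softcards, a comment should say why.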
@@ -0,0 +1,63 @@
+#!/bin/sh -x
+
+mkdir -p tmp
+
+USER=`cat user.txt`
+PREFIX=USER/
+
+TOKEN=softcard
+PASSWORD=Secret.123
+
+cat > tmp/subca-step2.cfg << EOF
+[DEFAULT]
+pki_pin=Secret.123
+
+pki_hsm_enable=True
+pki_hsm_libfile=/opt/nfast/toolkits/pkcs11/libcknfast.so
+pki_hsm_modulename=nfast
+pki_token_name=$TOKEN
+pki_token_password=$PASSWORD
+
+[CA]
+pki_admin_email=caadmin@example.com
+pki_admin_name=caadmin
+pki_admin_nickname=caadmin
+pki_admin_password=Secret.123
+pki_admin_uid=caadmin
+
+pki_client_database_password=Secret.123
+pki_client_database_purge=False
+pki_client_pkcs12_password=Secret.123
+
+pki_ds_base_dn=dc=ca,dc=pki,dc=example,dc=com
+pki_ds_password=Secret.123
+pki_ds_database=ca
+
+pki_security_domain_name=EXAMPLE
+
+pki_external=True
+pki_external_step_two=True
+
+#pki_cert_chain_nickname=${PREFIX}external
+pki_external_ca_cert_chain_path=tmp/external.crt
+#pki_external_ca_cert_chain_path=tmp/cert_chain.p7b
+
+#pki_ca_signing_nickname=${PREFIX}ca_signing
+pki_ca_signing_token=$TOKEN
+pki_external_csr_path=tmp/ca_signing.csr
+pki_external_ca_cert_path=tmp/ca_signing.crt
+
+pki_ocsp_signing_nickname=${PREFIX}ca_ocsp_signing
+pki_ocsp_signing_token=$TOKEN
+
+pki_audit_signing_nickname=${PREFIX}ca_audit_signing
+pki_audit_signing_token=$TOKEN
+
+pki_ssl_server_nickname=${PREFIX}sslserver/$HOSTNAME
+pki_ssl_server_token=$TOKEN
+
+pki_subsystem_nickname=${PREFIX}subsystem/$HOSTNAME
+pki_subsystem_token=$TOKEN
+EOF
+
+pkispawn -vvv -f tmp/subca-step2.cfg -s CA
-- cgit
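Review bot: `PREFIX=USER/` is missing the `$`, so every nickname in this step-two config is prefixed with the literal string `USER/` while subca-softcard-external-step1.sh created them under `$USER/`; pkispawn will therefore look for `USER/ca_ocsp_signing` and the other nicknames on the softcard and not find the keys generated in step one. The fix is `PREFIX=$USER/`. The `pki_ssl_server_nickname` / `pki_ssl_server_token` keys carry the same spelling problem as in the step-one script, since every other script in the commit uses `pki_sslserver_*`; whether pkispawn rejects or ignores the unknown form cannot be told from here, but either outcome is wrong for a softcard-backed install.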