From f0f39288d640a0b0a755c49fdc08f1219c386ca7 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata"
Date: Thu, 20 Jul 2017 08:00:56 +0200
Subject: Added existing CA scripts.
---
 scripts/existing-hsm-create.sh | 27 +++++++++++++++++++++++++++
 scripts/existing-hsm-export.sh | 34 ++++++++++++++++++++++++++++++++++
 scripts/existing-nss-export.sh | 7 +++++++
 scripts/existing-nss-step1.sh | 5 +++++
 scripts/existing-nss-step2.sh | 15 +++++++++++++++
 scripts/existing-step1-p12.sh | 3 +++
 scripts/existing-step2-p12.sh | 23 +++++++++++++++++++++++
 scripts/existing-step2.sh | 4 +---
 8 files changed, 115 insertions(+), 3 deletions(-)
 create mode 100755 scripts/existing-hsm-create.sh
 create mode 100755 scripts/existing-hsm-export.sh
 create mode 100755 scripts/existing-nss-export.sh
 create mode 100755 scripts/existing-nss-step1.sh
 create mode 100755 scripts/existing-nss-step2.sh
 create mode 100755 scripts/existing-step1-p12.sh
 create mode 100755 scripts/existing-step2-p12.sh
(limited to 'scripts')
diff --git a/scripts/existing-hsm-create.sh b/scripts/existing-hsm-create.sh
new file mode 100755
index 0000000..9ab138e
--- /dev/null
+++ b/scripts/existing-hsm-create.sh
@@ -0,0 +1,27 @@
+#!/bin/sh -x
+
+rm -rf /tmp/ca_signing.csr
+rm -rf /tmp/ca_signing.crt
+rm -rf /tmp/ca_ocsp_signing.csr
+rm -rf /tmp/ca_ocsp_signing.crt
+rm -rf /tmp/ca_audit_signing.csr
+rm -rf /tmp/ca_audit_signing.crt
+rm -rf /tmp/subsystem.csr
+rm -rf /tmp/subsystem.crt
+rm -rf /tmp/sslserver.csr
+rm -rf /tmp/sslserver.crt
+rm -rf /tmp/external.crt
+
+/bin/cp ca_signing.csr /tmp
+/bin/cp ca_signing.crt /tmp
+/bin/cp ca_ocsp_signing.csr /tmp
+/bin/cp ca_ocsp_signing.crt /tmp
+/bin/cp ca_audit_signing.csr /tmp
+/bin/cp ca_audit_signing.crt /tmp
+/bin/cp subsystem.csr /tmp
+/bin/cp subsystem.crt /tmp
+/bin/cp sslserver.csr /tmp
+/bin/cp sslserver.crt /tmp
+/bin/cp external.crt /tmp
+
+pkispawn -v -f existing-hsm.cfg -s CA
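Review bot: Eleven regular files are deleted with `rm -rf` and then copied to fixed names under `/tmp`, the paths existing-hsm.cfg presumably points pkispawn at; on a host with other local users those predictable paths can be pre-created or swapped between the `/bin/cp` lines and the `pkispawn` line, which matters most for `/tmp/external.crt` since it is the chain pkispawn will trust, so the staging directory should be a private one (`mktemp -d`, with the cfg pointed at it) or at least owned by the invoking user with restrictive permissions. Independently of that, `rm -rf` should be `rm -f` for files, the twenty-two rm/cp lines collapse into one loop, and because `#!/bin/sh -x` only traces, a failed `cp` (a missing CSR in the working directory) does not stop the run before pkispawn is started against an incomplete set. The same pattern appears in scripts/existing-step2-p12.sh and, in miniature, in scripts/existing-nss-step1.sh.
```sh
#!/bin/sh -x
set -e

# Stage the CSRs and the externally issued certificates under /tmp
# (presumably where existing-hsm.cfg expects them; confirm against the cfg).
# rm -f tolerates the first run, where no previous copy exists.
for f in ca_signing.csr ca_signing.crt \
         ca_ocsp_signing.csr ca_ocsp_signing.crt \
         ca_audit_signing.csr ca_audit_signing.crt \
         subsystem.csr subsystem.crt \
         sslserver.csr sslserver.crt \
         external.crt; do
  rm -f "/tmp/$f"
  /bin/cp "$f" /tmp
done

pkispawn -v -f existing-hsm.cfg -s CA
```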
diff --git a/scripts/existing-hsm-export.sh b/scripts/existing-hsm-export.sh
new file mode 100755
index 0000000..7003ef6
--- /dev/null
+++ b/scripts/existing-hsm-export.sh
@@ -0,0 +1,34 @@
+#!/bin/sh -x
+
+rm -rf ca_signing.csr
+rm -rf ca_ocsp_signing.csr
+rm -rf ca_audit_signing.csr
+rm -rf subsystem.csr
+rm -rf sslserver.csr
+
+
+certutil -L -d /var/lib/pki/pki-tomcat/alias -n "edewata/pki-tomcat/ca_signing" -a > ca_signing.crt
+#certutil -L -d /var/lib/pki/pki-tomcat/alias -n "edewata/pki-tomcat/ca_ocsp_signing" -a > ca_ocsp_signing.crt
+#certutil -L -d /var/lib/pki/pki-tomcat/alias -n "edewata/pki-tomcat/ca_audit_signing" -a > ca_audit_signing.crt
+#certutil -L -d /var/lib/pki/pki-tomcat/alias -n "edewata/pki-tomcat/subsystem" -a > subsystem.crt
+#certutil -L -d /var/lib/pki/pki-tomcat/alias -n "edewata/pki-tomcat/sslserver" -a > sslserver.crt
+
+echo "-----BEGIN NEW CERTIFICATE REQUEST-----" > ca_signing.csr
+sed -n "/^ca.signing.certreq=/ s/^[^=]*=// p" < /var/lib/pki/pki-tomcat/ca/conf/CS.cfg >> ca_signing.csr
+echo "-----END NEW CERTIFICATE REQUEST-----" >> ca_signing.csr
+
+#echo "-----BEGIN NEW CERTIFICATE REQUEST-----" > ca_ocsp_signing.csr
+#sed -n "/^ca.ocsp_signing.certreq=/ s/^[^=]*=// p" < /var/lib/pki/pki-tomcat/ca/conf/CS.cfg >> ca_ocsp_signing.csr
+#echo "-----END NEW CERTIFICATE REQUEST-----" >> ca_ocsp_signing.csr
+
+#echo "-----BEGIN NEW CERTIFICATE REQUEST-----" > ca_audit_signing.csr
+#sed -n "/^ca.audit_signing.certreq=/ s/^[^=]*=// p" < /var/lib/pki/pki-tomcat/ca/conf/CS.cfg >> ca_audit_signing.csr
+#echo "-----END NEW CERTIFICATE REQUEST-----" >> ca_audit_signing.csr
+
+#echo "-----BEGIN NEW CERTIFICATE REQUEST-----" > subsystem.csr
+#sed -n "/^ca.subsystem.certreq=/ s/^[^=]*=// p" < /var/lib/pki/pki-tomcat/ca/conf/CS.cfg >> subsystem.csr
+#echo "-----END NEW CERTIFICATE REQUEST-----" >> subsystem.csr
+
+#echo "-----BEGIN NEW CERTIFICATE REQUEST-----" > sslserver.csr
+#sed -n "/^ca.sslserver.certreq=/ s/^[^=]*=// p" < /var/lib/pki/pki-tomcat/ca/conf/CS.cfg >> sslserver.csr
+#echo "-----END NEW CERTIFICATE REQUEST-----" >> sslserver.csr
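Review bot: The `certutil -L ... > ca_signing.crt` line has no error handling: if the token is not accessible or the nickname does not exist, the redirection has already truncated `ca_signing.crt` to an empty file before certutil fails, and because `#!/bin/sh -x` only traces, the script goes on to write `ca_signing.csr` as if the export had worked. Add `set -e` directly after the shebang so the failed certutil stops the run, and check that the resulting `ca_signing.crt` is non-empty before the CSR is assembled. The nickname `edewata/pki-tomcat/ca_signing` is the author's personal token name, so the script only works on that one machine; take the prefix from an argument instead, e.g. `token=${1:?token name}` and `-n "$token/ca_signing"`, and apply the same to the four commented certutil lines when they are enabled.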
diff --git a/scripts/existing-nss-export.sh b/scripts/existing-nss-export.sh
new file mode 100755
index 0000000..07008f7
--- /dev/null
+++ b/scripts/existing-nss-export.sh
@@ -0,0 +1,7 @@
+#!/bin/sh -x
+
+grep internal= /var/lib/pki/pki-tomcat/conf/password.conf | awk -F= '{print $2;}' > internal.txt
+
+tar chzvf nssdb.tar.gz -C /var/lib/pki/pki-tomcat/alias .
+
+pki-server subsystem-cert-export ca signing --csr-file ca_signing.csr
diff --git a/scripts/existing-nss-step1.sh b/scripts/existing-nss-step1.sh
new file mode 100755
index 0000000..8feccf3
--- /dev/null
+++ b/scripts/existing-nss-step1.sh
@@ -0,0 +1,5 @@
+#!/bin/sh -x
+
+rm -rf /tmp/ca_signing.csr
+
+pkispawn -v -f existing-nss-step1.cfg -s CA
diff --git a/scripts/existing-nss-step2.sh b/scripts/existing-nss-step2.sh
new file mode 100755
index 0000000..ae7c040
--- /dev/null
+++ b/scripts/existing-nss-step2.sh
@@ -0,0 +1,15 @@
+#!/bin/sh -x
+
+/bin/cp -f ca_signing.csr /tmp
+/bin/cp -f internal.txt /tmp
+/bin/cp -f nssdb.tar.gz /tmp
+
+sed -i "s/internal=.*/internal=`cat /tmp/internal.txt`/" /var/lib/pki/pki-tomcat/conf/password.conf
+
+tar xvf /tmp/nssdb.tar.gz -C /var/lib/pki/pki-tomcat/alias
+#certutil -F -d /var/lib/pki/pki-tomcat/alias -f /tmp/internal.txt -n "Server-Cert cert-pki-tomcat"
+certutil -F -d /var/lib/pki/pki-tomcat/alias -f /tmp/internal.txt -n "subsystemCert cert-pki-tomcat"
+certutil -F -d /var/lib/pki/pki-tomcat/alias -f /tmp/internal.txt -n "ocspSigningCert cert-pki-tomcat CA"
+certutil -F -d /var/lib/pki/pki-tomcat/alias -f /tmp/internal.txt -n "auditSigningCert cert-pki-tomcat CA"
+
+pkispawn -v -f existing-nss-step2.cfg -s CA
diff --git a/scripts/existing-step1-p12.sh b/scripts/existing-step1-p12.sh
new file mode 100755
index 0000000..9bb61a7
--- /dev/null
+++ b/scripts/existing-step1-p12.sh
@@ -0,0 +1,3 @@
+#!/bin/sh -x
+
+pkispawn -v -f existing-step1-p12.cfg -s CA
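Review bot: `internal.txt` receives the NSS internal token password and `nssdb.tar.gz` the whole NSS database including its private keys, but both are created in the current directory with whatever umask the caller has, so under the common 022 umask they are world-readable. Put `umask 077` on the line after the shebang so both files come out 0600, which is a one-line change. The `grep internal=` pattern is unanchored and matches any line that merely contains that substring, and it feeds awk only to strip the key; `sed -n 's/^internal=//p' /var/lib/pki/pki-tomcat/conf/password.conf > internal.txt` does the same in one anchored step. With `#!/bin/sh -x` and no `set -e`, a failed grep or tar still leaves the script continuing to the `pki-server` export with an empty or missing file.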
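Review bot: The `sed -i` line splices the token password read from `/tmp/internal.txt` into the sed program itself, so a password containing `/`, `&` or `\` either breaks the expression or rewrites password.conf with the wrong value, and because the script runs under `sh -x` the expanded command, password included, is traced to stderr and is visible in `ps` for the duration of the sed. The certutil lines below already pass the password out-of-band with `-f /tmp/internal.txt`; the sed line should at least anchor the key and escape the value, e.g. `set +x`, `pw=$(sed 's/[\/&\\]/\\&/g' /tmp/internal.txt)`, `sed -i "s/^internal=.*/internal=$pw/" /var/lib/pki/pki-tomcat/conf/password.conf`, with `set -x` restored afterwards. `/bin/cp -f internal.txt /tmp` and the nssdb.tar.gz copy also leave the password and the private keys under the shared `/tmp` with the source files' mode, and no `rm` follows `pkispawn`, so both copies outlive the run; remove them after pkispawn or create them with `install -m 600`.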
diff --git a/scripts/existing-step2-p12.sh b/scripts/existing-step2-p12.sh
new file mode 100755
index 0000000..c169960
--- /dev/null
+++ b/scripts/existing-step2-p12.sh
@@ -0,0 +1,23 @@
+#!/bin/sh -x
+
+rm -rf /tmp/ca.p12
+rm -rf /tmp/external.crt
+rm -rf /tmp/ca_signing.csr
+rm -rf /tmp/ca_ocsp_signing.csr
+rm -rf /tmp/ca_audit_signing.csr
+rm -rf /tmp/sslserver.csr
+rm -rf /tmp/subsystem.csr
+
+/bin/cp ca.p12 /tmp
+/bin/cp external.crt /tmp
+/bin/cp ca_signing.csr /tmp
+/bin/cp ca_ocsp_signing.csr /tmp
+/bin/cp ca_audit_signing.csr /tmp
+/bin/cp sslserver.csr /tmp
+/bin/cp subsystem.csr /tmp
+
+#/bin/cp -f ca_signing.csr /tmp
+#/bin/cp -f ca_signing.p12 /tmp
+#/bin/cp -f cert_chain.p7b /tmp
+
+pkispawn -v -f existing-step2-p12.cfg -s CA
diff --git a/scripts/existing-step2.sh b/scripts/existing-step2.sh
index 079d2c9..fd8a96d 100755
--- a/scripts/existing-step2.sh
+++ b/scripts/existing-step2.sh
@@ -1,8 +1,6 @@
 #!/bin/sh -x
 
-mkdir -p build
-
 /bin/cp -f ca_signing.csr /tmp
 /bin/cp -f ca.p12 /tmp
 
-pkispawn -v -f existing-step2.cfg -s CA 2>&1 | tee build/existing-step2.log
+pkispawn -v -f existing-step2.cfg -s CA
-- cgit
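Review bot: `/bin/cp ca.p12 /tmp` places the PKCS#12 bundle, which carries the CA signing private key, in the shared `/tmp` directory with a mode derived from the source file and the caller's umask, and nothing after the `pkispawn` line removes it, so the key copy outlives the run and is readable by anyone if the source was 0644. Copy it with an explicit mode, `install -m 600 ca.p12 /tmp/ca.p12`, and delete `/tmp/ca.p12` after pkispawn (or from an exit `trap`). The seven `rm -rf`/`cp` pairs are the same pattern noted on scripts/existing-hsm-create.sh and can become the same `rm -f` loop under `set -e`; note that without `set -e` a missing `ca.p12` in the working directory is only traced and pkispawn still runs.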