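#!/bin/sh
#
# Bootstrap a CMP RA alias in a local (Docker) EJBCA instance and issue a
# client certificate for it as a PKCS#12 file, driving the EJBCA CLI in
# /opt/primekey/bin non-interactively.
#
# Steps: configure the CMP alias -> (re)create the end entity -> grant it
# Super Administrator -> store its clear-text enrollment password -> run
# `batch` to generate the keystore (written to the p12 subfolder).
#
# Environment:
#   EJBCA_RA_PASSWORD  enrollment password for the end entity. Defaults to the
#                      historical hard-coded value "testtest", which is only
#                      acceptable for throw-away test instances.
#
# Deliberately no `set -e`: the exit codes of the EJBCA CLI for "already
# exists" / "does not exist" are not known here and the script is meant to be
# re-runnable, so failures are left visible in the CLI output instead.

set -u

cd /opt/primekey/bin/ || exit

# Re-use the CA shipped with EJBCA (see the commented section at the bottom
# for creating a dedicated one).
CA=ManagementCA
ALIAS=ecsecCMP
CN=sam.docker.reqesidta.de
# Override via the environment instead of editing the script. Note that the
# password is passed on the command line below, so it is visible in `ps` and
# shell history for the duration of those calls.
PW="${EJBCA_RA_PASSWORD:-testtest}"

# --- CMP alias ---------------------------------------------------------------
# NOTE(review): unlike the end entity below, the alias and the role member are
# not removed first; whether a second run fails or duplicates depends on the
# CLI's behavior — verify before relying on re-runs.
./ejbca.sh config cmp addalias "$ALIAS"

# RA mode: requests are submitted by an RA on behalf of end entities.
./ejbca.sh config cmp updatealias "$ALIAS" --key operationmode --value ra

# Authenticate CMP messages by the signing end-entity certificate; the
# parameter presumably names the CA whose certificates are trusted for that.
./ejbca.sh config cmp updatealias "$ALIAS" --key authenticationmodule --value EndEntityCertificate
./ejbca.sh config cmp updatealias "$ALIAS" --key authenticationparameters --value "$CA"

# Let the RA vouch for proof-of-possession instead of the CA verifying it
# itself — this shifts trust onto the RA certificate issued below.
./ejbca.sh config cmp updatealias "$ALIAS" --key allowraverifypopo --value true

./ejbca.sh config cmp updatealias "$ALIAS" --key ra.caname --value "$CA"
./ejbca.sh config cmp updatealias "$ALIAS" --key defaultca --value "$CA"

# --- End entity --------------------------------------------------------------
# Delete any previous end entity first so the add below is repeatable.
./ejbca.sh ra delendentity -force --username "$CN"

# End entity for the RA key pair; token type P12 so `batch` generates the
# keystore server-side.
./ejbca.sh ra addendentity --username "$CN" --password "$PW" \
  --dn "CN=$CN" --caname "$CA" --type 1 --token P12

# Grant Super Administrator. The matcher is CN-only: ANY certificate issued by
# $CA whose CN equals $CN is treated as a super admin, so issuance of that CN
# under $CA must stay tightly controlled.
./ejbca.sh roles addrolemember --role "Super Administrator Role" --caname "$CA" \
  --with "CertificateAuthenticationToken:WITH_COMMONNAME" --value "$CN"

# Store the password in clear text so the batch run can enroll the entity.
./ejbca.sh ra setclearpwd "$CN" "$PW"

# Generate the P12 keystore (saved in the p12 subfolder).
./ejbca.sh batch

# --- Various (currently) unused commands -------------------------------------

# Create a new CA. As you can't set auto-activation to true here, you will have
# to do this manually or create custom cryptotokens (see below).
# ./ejbca.sh ca init \
	# --caname $CA \
	# --dn "C=DE,O=ecsec GmbH,CN=ecsec Docker Root CA" \
	# --tokenType soft \
	# --tokenPass ecsecCATokenPass \
	# --keytype ECDSA \
	# --keyspec secp256r1 \
	# -s SHA256withECDSA \
	# -v 3650 \
	# --policy null

# ./ejbca.sh cryptotoken create --autoactivate true --pin 1234 --token $TOKEN --type SoftCryptoToken
# ./ejbca.sh cryptotoken generatekey --alias signKey --keyspec secp256r1 --token $TOKEN
# ./ejbca.sh cryptotoken generatekey --alias encryptKey --keyspec 2048 --token $TOKEN
# ./ejbca.sh ca changecatoken --caname $CA --cryptotoken $TOKEN --execute
# ./ejbca.sh ca activateca $CA --code ecsecCATokenPass
# ./ejbca.sh ca changecatokensignalg --caname $CA --sigalg SHA256withECDSA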