blob: 94c95d6c30a7c60fe28d270162b8f0fd804850ba [file] [log] [blame]
Guillaume Lambert85b14922021-03-12 13:53:18 +01001#!/bin/sh
Sylvain Desbureauxd1ca1ee2020-04-07 14:52:20 +02002
3waitForEjbcaToStart() {
4 until $(curl -kI https://localhost:8443/ejbca/publicweb/healthcheck/ejbcahealth --output /dev/null --silent --head --fail)
5 do
6 sleep 5
7 done
8}
9
10configureEjbca() {
Piotr Marcinkiewicz31dceea2021-06-29 16:15:49 +020011 ejbca.sh ca init \
12 --caname ManagementCA \
13 --dn "O=EJBCA Container Quickstart,CN=ManagementCA,UID=12345" \
14 --tokenType soft \
15 --keyspec 3072 \
16 --keytype RSA \
17 -v 3652 \
18 --policy null \
19 -s SHA256WithRSA \
20 -type "x509"
Sylvain Desbureauxd1ca1ee2020-04-07 14:52:20 +020021 ejbca.sh config cmp addalias --alias cmpRA
22 ejbca.sh config cmp updatealias --alias cmpRA --key operationmode --value ra
23 ejbca.sh ca editca --caname ManagementCA --field cmpRaAuthSecret --value ${RA_IAK}
Piotr Marcinkiewicz31dceea2021-06-29 16:15:49 +020024 ejbca.sh config cmp updatealias --alias cmpRA --key responseprotection --value signature
25 ejbca.sh config cmp updatealias --alias cmpRA --key authenticationmodule --value 'HMAC;EndEntityCertificate'
26 ejbca.sh config cmp updatealias --alias cmpRA --key authenticationparameters --value '-;ManagementCA'
27 ejbca.sh config cmp updatealias --alias cmpRA --key allowautomatickeyupdate --value true
Remigiusz Janeczeked6e6212020-09-08 13:00:50 +020028 #Custom EJBCA cert profile and endentity are imported to allow issuing certificates with correct extended usage (containing serverAuth)
29 ejbca.sh ca importprofiles -d /opt/primekey/custom_profiles
30 #Profile name taken from certprofile filename (certprofile_<profile-name>-<id>.xml)
31 ejbca.sh config cmp updatealias --alias cmpRA --key ra.certificateprofile --value CUSTOM_ENDUSER
32 #ID taken from entityprofile filename (entityprofile_<profile-name>-<id>.xml)
33 ejbca.sh config cmp updatealias --alias cmpRA --key ra.endentityprofileid --value 1356531849
Piotr Marcinkiewicz31dceea2021-06-29 16:15:49 +020034 caSubject=$(ejbca.sh ca getcacert --caname ManagementCA -f /dev/stdout | grep 'Subject' | sed -e "s/^Subject: //" | sed -n '1p')
35 ejbca.sh config cmp updatealias --alias cmpRA --key defaultca --value "$caSubject"
Sylvain Desbureauxd1ca1ee2020-04-07 14:52:20 +020036 ejbca.sh config cmp dumpalias --alias cmpRA
37 ejbca.sh config cmp addalias --alias cmp
38 ejbca.sh config cmp updatealias --alias cmp --key allowautomatickeyupdate --value true
39 ejbca.sh config cmp updatealias --alias cmp --key responseprotection --value pbe
40 ejbca.sh ra addendentity --username Node123 --dn "CN=Node123" --caname ManagementCA --password ${CLIENT_IAK} --type 1 --token USERGENERATED
41 ejbca.sh ra setclearpwd --username Node123 --password ${CLIENT_IAK}
42 ejbca.sh config cmp updatealias --alias cmp --key extractusernamecomponent --value CN
43 ejbca.sh config cmp dumpalias --alias cmp
44 ejbca.sh ca getcacert --caname ManagementCA -f /dev/stdout > cacert.pem
Piotr Marcinkiewicz31dceea2021-06-29 16:15:49 +020045 #Add "Certificate Update Admin" role to allow performing KUR/CR for certs within specific organization (e.g. Linux-Foundation)
46 ejbca.sh roles addrole "Certificate Update Admin"
47 ejbca.sh roles changerule "Certificate Update Admin" /ca/ManagementCA/ ACCEPT
48 ejbca.sh roles changerule "Certificate Update Admin" /ca_functionality/create_certificate/ ACCEPT
49 ejbca.sh roles changerule "Certificate Update Admin" /endentityprofilesrules/Custom_EndEntity/ ACCEPT
50 ejbca.sh roles changerule "Certificate Update Admin" /ra_functionality/edit_end_entity/ ACCEPT
51 ejbca.sh roles addrolemember "Certificate Update Admin" ManagementCA WITH_ORGANIZATION --value "{{ .Values.cmpv2Config.global.certificate.default.subject.organization }}"
Sylvain Desbureauxd1ca1ee2020-04-07 14:52:20 +020052}
53
54
55waitForEjbcaToStart
56configureEjbca