diff options
Diffstat (limited to 'plans')
3 files changed, 27 insertions, 5 deletions
diff --git a/plans/oom-platform-cert-service/certservice/cmpServers.json b/plans/oom-platform-cert-service/certservice/cmpServers.json index 72564949..0d883eae 100644 --- a/plans/oom-platform-cert-service/certservice/cmpServers.json +++ b/plans/oom-platform-cert-service/certservice/cmpServers.json @@ -3,8 +3,7 @@ { "caName": "Client", "url": "http://oomcert-ejbca:8080/ejbca/publicweb/cmp/cmp", - "issuerDN": "CN=ManagementCA", - "caMode": "CLIENT", + "issuerDN": "O=EJBCA Container Quickstart,CN=ManagementCA,UID=12345", "authentication": { "iak": "mypassword", "rv": "mypassword" @@ -13,8 +12,7 @@ { "caName": "RA", "url": "http://oomcert-ejbca:8080/ejbca/publicweb/cmp/cmpRA", - "issuerDN": "CN=ManagementCA", - "caMode": "RA", + "issuerDN": "O=EJBCA Container Quickstart,CN=ManagementCA,UID=12345", "authentication": { "iak": "mypassword", "rv": "mypassword" diff --git a/plans/oom-platform-cert-service/certservice/docker-compose.yml b/plans/oom-platform-cert-service/certservice/docker-compose.yml index 734ea131..dff46881 100644 --- a/plans/oom-platform-cert-service/certservice/docker-compose.yml +++ b/plans/oom-platform-cert-service/certservice/docker-compose.yml @@ -8,6 +8,8 @@ services: ports: - "80:8080" - "443:8443" + environment: + - NO_CREATE_CA=true volumes: - $RESOURCES_PATH/ejbca-configuration.sh:/opt/primekey/scripts/ejbca-configuration.sh - $RESOURCES_PATH/certprofile_CUSTOM_ENDUSER-1834889499.xml:/opt/primekey/custom_profiles/certprofile_CUSTOM_ENDUSER-1834889499.xml diff --git a/plans/oom-platform-cert-service/certservice/resources/ejbca-configuration.sh b/plans/oom-platform-cert-service/certservice/resources/ejbca-configuration.sh index 3eb146db..3094b7f7 100755 --- a/plans/oom-platform-cert-service/certservice/resources/ejbca-configuration.sh +++ b/plans/oom-platform-cert-service/certservice/resources/ejbca-configuration.sh @@ -1,15 +1,30 @@ #!/bin/bash configureEjbca() { + ejbca.sh ca init \ + --caname ManagementCA \ + --dn "O=EJBCA Container Quickstart,CN=ManagementCA,UID=12345" \ + --tokenType soft \ + --keyspec 3072 \ + --keytype RSA \ + -v 3652 \ + --policy null \ + -s SHA256WithRSA \ + -type "x509" ejbca.sh config cmp addalias --alias cmpRA ejbca.sh config cmp updatealias --alias cmpRA --key operationmode --value ra ejbca.sh ca editca --caname ManagementCA --field cmpRaAuthSecret --value mypassword - ejbca.sh config cmp updatealias --alias cmpRA --key responseprotection --value pbe + ejbca.sh config cmp updatealias --alias cmpRA --key responseprotection --value signature + ejbca.sh config cmp updatealias --alias cmpRA --key authenticationmodule --value 'HMAC;EndEntityCertificate' + ejbca.sh config cmp updatealias --alias cmpRA --key authenticationparameters --value '-;ManagementCA' + ejbca.sh config cmp updatealias --alias cmpRA --key allowautomatickeyupdate --value true ejbca.sh ca importprofiles -d /opt/primekey/custom_profiles #Profile name taken from certprofile filename (certprofile_<profile-name>-<id>.xml) ejbca.sh config cmp updatealias --alias cmpRA --key ra.certificateprofile --value CUSTOM_ENDUSER #ID taken from entityprofile filename (entityprofile_<profile-name>-<id>.xml) ejbca.sh config cmp updatealias --alias cmpRA --key ra.endentityprofileid --value 1356531849 + caSubject=$(ejbca.sh ca getcacert --caname ManagementCA -f /dev/stdout | grep 'Subject' | sed -e "s/^Subject: //" | sed -n '1p') + ejbca.sh config cmp updatealias --alias cmpRA --key defaultca --value "$caSubject" ejbca.sh config cmp dumpalias --alias cmpRA ejbca.sh config cmp addalias --alias cmp ejbca.sh config cmp updatealias --alias cmp --key allowautomatickeyupdate --value true @@ -19,6 +34,13 @@ configureEjbca() { ejbca.sh config cmp updatealias --alias cmp --key extractusernamecomponent --value CN ejbca.sh config cmp dumpalias --alias cmp ejbca.sh ca getcacert --caname ManagementCA -f /dev/stdout > cacert.pem + #Add "Certificate Update Admin" role to allow performing KUR/CR for certs within specific organization (e.g. Linux-Foundation) + ejbca.sh roles addrole "Certificate Update Admin" + ejbca.sh roles changerule "Certificate Update Admin" /ca/ManagementCA/ ACCEPT + ejbca.sh roles changerule "Certificate Update Admin" /ca_functionality/create_certificate/ ACCEPT + ejbca.sh roles changerule "Certificate Update Admin" /endentityprofilesrules/Custom_EndEntity/ ACCEPT + ejbca.sh roles changerule "Certificate Update Admin" /ra_functionality/edit_end_entity/ ACCEPT + ejbca.sh roles addrolemember "Certificate Update Admin" ManagementCA WITH_ORGANIZATION --value "Linux-Foundation" } configureEjbca |