diff options
author | Michal Banka <michal.banka@nokia.com> | 2020-06-03 10:51:51 +0200 |
---|---|---|
committer | Michal Banka <michal.banka@nokia.com> | 2020-06-04 13:08:34 +0200 |
commit | b06189e0c1f15237519d3727aeab007fadd952cb (patch) | |
tree | eb9765ace8e647a21cf8ec8eccbebfca53193f58 /sanitycheck/pnfsimulator-secured/certservice | |
parent | e775c31a8b8efd55796cdf4fa049e72587ea6088 (diff) |
Add deployment for fetching certs from CertService
Change-Id: Icb59854a88e83b799781c227e465bfb98ed502b6
Signed-off-by: Michal Banka <michal.banka@nokia.com>
Issue-ID: INT-1612
Diffstat (limited to 'sanitycheck/pnfsimulator-secured/certservice')
4 files changed, 170 insertions, 0 deletions
diff --git a/sanitycheck/pnfsimulator-secured/certservice/certs/Makefile b/sanitycheck/pnfsimulator-secured/certservice/certs/Makefile new file mode 100644 index 0000000..d6c3855 --- /dev/null +++ b/sanitycheck/pnfsimulator-secured/certservice/certs/Makefile @@ -0,0 +1,109 @@ +all: clear step_1 step_2 step_3 step_4 step_5 step_6 step_7 step_8 step_9 step_10 step_11 step_12 step_13 step_14 step_15 +.PHONY: all +#Clear certificates +clear: + @echo "Clear certificates" + rm -f certServiceClient-keystore.jks certServiceServer-keystore.jks root.crt truststore.jks certServiceServer-keystore.p12 root-keystore.jks + @echo "#####done#####" + +#Generate root private and public keys +step_1: + @echo "Generate root private and public keys" + keytool -genkeypair -v -alias root -keyalg RSA -keysize 4096 -validity 3650 -keystore root-keystore.jks \ + -dname "CN=root.com, OU=Root Org, O=Root Company, L=Wroclaw, ST=Dolny Slask, C=PL" -keypass secret \ + -storepass secret -ext BasicConstraints:critical="ca:true" + @echo "#####done#####" + +#Export public key as certificate +step_2: + @echo "(Export public key as certificate)" + keytool -exportcert -alias root -keystore root-keystore.jks -storepass secret -file root.crt -rfc + @echo "#####done#####" + +#Self-signed root (import root certificate into truststore) +step_3: + @echo "(Self-signed root (import root certificate into truststore))" + keytool -importcert -alias root -keystore truststore.jks -file root.crt -storepass secret -noprompt + @echo "#####done#####" + +#Generate certService's client private and public keys +step_4: + @echo "Generate certService's client private and public keys" + keytool -genkeypair -v -alias certServiceClient -keyalg RSA -keysize 2048 -validity 730 \ + -keystore certServiceClient-keystore.jks -storetype JKS \ + -dname "CN=certServiceClient.com,OU=certServiceClient company,O=certServiceClient org,L=Wroclaw,ST=Dolny Slask,C=PL" \ + -keypass secret -storepass secret + @echo "####done####" + +#Generate certificate signing request for certService's client +step_5: + @echo "Generate certificate signing request for certService's client" + keytool -certreq -keystore certServiceClient-keystore.jks -alias certServiceClient -storepass secret -file certServiceClient.csr + @echo "####done####" + +#Sign certService's client certificate by root CA +step_6: + @echo "Sign certService's client certificate by root CA" + keytool -gencert -v -keystore root-keystore.jks -storepass secret -alias root -infile certServiceClient.csr \ + -outfile certServiceClientByRoot.crt -rfc -ext bc=0 -ext ExtendedkeyUsage="serverAuth,clientAuth" + @echo "####done####" + +#Import root certificate into client +step_7: + @echo "Import root certificate into intermediate" + cat root.crt >> certServiceClientByRoot.crt + @echo "####done####" + +#Import signed certificate into certService's client +step_8: + @echo "Import signed certificate into certService's client" + keytool -importcert -file certServiceClientByRoot.crt -destkeystore certServiceClient-keystore.jks -alias certServiceClient -storepass secret -noprompt + @echo "####done####" + +#Generate certService private and public keys +step_9: + @echo "Generate certService private and public keys" + keytool -genkeypair -v -alias aaf-cert-service -keyalg RSA -keysize 2048 -validity 730 \ + -keystore certServiceServer-keystore.jks -storetype JKS \ + -dname "CN=aaf-cert-service,OU=certServiceServer company,O=certServiceServer org,L=Wroclaw,ST=Dolny Slask,C=PL" \ + -keypass secret -storepass secret -ext BasicConstraints:critical="ca:false" + @echo "####done####" + +#Generate certificate signing request for certService +step_10: + @echo "Generate certificate signing request for certService" + keytool -certreq -keystore certServiceServer-keystore.jks -alias aaf-cert-service -storepass secret -file certServiceServer.csr + @echo "####done####" + +#Sign certService certificate by root CA +step_11: + @echo "Sign certService certificate by root CA" + keytool -gencert -v -keystore root-keystore.jks -storepass secret -alias root -infile certServiceServer.csr \ + -outfile certServiceServerByRoot.crt -rfc -ext bc=0 -ext ExtendedkeyUsage="serverAuth,clientAuth" \ + -ext SubjectAlternativeName:="DNS:aaf-cert-service,DNS:localhost" + @echo "####done####" + +#Import root certificate into server +step_12: + @echo "Import root certificate into intermediate(server)" + cat root.crt >> certServiceServerByRoot.crt + @echo "####done####" + +#Import signed certificate into certService +step_13: + @echo "Import signed certificate into certService" + keytool -importcert -file certServiceServerByRoot.crt -destkeystore certServiceServer-keystore.jks -alias aaf-cert-service \ + -storepass secret -noprompt + @echo "####done####" + +#Convert certServiceServer-keystore(.jks) to PCKS12 format(.p12) +step_14: + @echo "Convert certServiceServer-keystore(.jks) to PCKS12 format(.p12)" + keytool -importkeystore -srckeystore certServiceServer-keystore.jks -srcstorepass secret -destkeystore certServiceServer-keystore.p12 -deststoretype PKCS12 -deststorepass secret + @echo "#####done#####" + +#Clear unused certificates +step_15: + @echo "Clear unused certificates" + rm certServiceClientByRoot.crt certServiceClient.csr root-keystore.jks certServiceServerByRoot.crt certServiceServer.csr + @echo "#####done#####" diff --git a/sanitycheck/pnfsimulator-secured/certservice/certservice-resources/cmpServers.json b/sanitycheck/pnfsimulator-secured/certservice/certservice-resources/cmpServers.json new file mode 100644 index 0000000..79b97e6 --- /dev/null +++ b/sanitycheck/pnfsimulator-secured/certservice/certservice-resources/cmpServers.json @@ -0,0 +1,24 @@ +{ + "cmpv2Servers": [ + { + "caName": "Client", + "url": "http://172.17.0.1:80/ejbca/publicweb/cmp/cmp", + "issuerDN": "CN=ManagementCA", + "caMode": "CLIENT", + "authentication": { + "iak": "mypassword", + "rv": "mypassword" + } + }, + { + "caName": "RA", + "url": "http://172.17.0.1:80/ejbca/publicweb/cmp/cmpRA", + "issuerDN": "CN=ManagementCA", + "caMode": "RA", + "authentication": { + "iak": "mypassword", + "rv": "mypassword" + } + } + ] +} diff --git a/sanitycheck/pnfsimulator-secured/certservice/client-resources/client-configuration.env b/sanitycheck/pnfsimulator-secured/certservice/client-resources/client-configuration.env new file mode 100644 index 0000000..bc62f1f --- /dev/null +++ b/sanitycheck/pnfsimulator-secured/certservice/client-resources/client-configuration.env @@ -0,0 +1,18 @@ +#Client envs +REQUEST_URL=https://aaf-cert-service:8443/v1/certificate/ +REQUEST_TIMEOUT=10000 +OUTPUT_PATH=/var/certs +CA_NAME=RA +#Csr config envs +COMMON_NAME=onap.org +ORGANIZATION=Linux-Foundation +ORGANIZATION_UNIT=ONAP +LOCATION=San-Francisco +STATE=California +COUNTRY=US +SANS=example.org +#Tls config envs +KEYSTORE_PATH=/etc/onap/aaf/certservice/certs/certServiceClient-keystore.jks +KEYSTORE_PASSWORD=secret +TRUSTSTORE_PATH=/etc/onap/aaf/certservice/certs/truststore.jks +TRUSTSTORE_PASSWORD=secret diff --git a/sanitycheck/pnfsimulator-secured/certservice/ejbca-resources/ejbca-configuration.sh b/sanitycheck/pnfsimulator-secured/certservice/ejbca-resources/ejbca-configuration.sh new file mode 100755 index 0000000..77f5c55 --- /dev/null +++ b/sanitycheck/pnfsimulator-secured/certservice/ejbca-resources/ejbca-configuration.sh @@ -0,0 +1,19 @@ +#!/bin/bash + +configureEjbca() { + ejbca.sh config cmp addalias --alias cmpRA + ejbca.sh config cmp updatealias --alias cmpRA --key operationmode --value ra + ejbca.sh ca editca --caname ManagementCA --field cmpRaAuthSecret --value mypassword + ejbca.sh config cmp updatealias --alias cmpRA --key responseprotection --value pbe + ejbca.sh config cmp dumpalias --alias cmpRA + ejbca.sh config cmp addalias --alias cmp + ejbca.sh config cmp updatealias --alias cmp --key allowautomatickeyupdate --value true + ejbca.sh config cmp updatealias --alias cmp --key responseprotection --value pbe + ejbca.sh ra addendentity --username Node123 --dn "CN=Node123" --caname ManagementCA --password mypassword --type 1 --token USERGENERATED + ejbca.sh ra setclearpwd --username Node123 --password mypassword + ejbca.sh config cmp updatealias --alias cmp --key extractusernamecomponent --value CN + ejbca.sh config cmp dumpalias --alias cmp + ejbca.sh ca getcacert --caname ManagementCA -f /dev/stdout > cacert.pem +} + +configureEjbca |