summaryrefslogtreecommitdiffstats
path: root/kubernetes/contrib/components/ejbca/resources/ejbca-config.sh
diff options
context:
space:
mode:
authorPiotr Marcinkiewicz <piotr.marcinkiewicz@nokia.com>2021-06-29 16:15:49 +0200
committerPiotr Marcinkiewicz <piotr.marcinkiewicz@nokia.com>2021-09-06 10:42:00 +0200
commit31dceea4851d67ec706185f9d6f5bd0bf427b2c3 (patch)
treec66e3b75b83cb4ef6f5aff7d81bbcb0c02f0145b /kubernetes/contrib/components/ejbca/resources/ejbca-config.sh
parentf94a5f639cb670fbc4d3902f80d3b5b6714b1ec6 (diff)
[CONTRIB] Introduce certificate update use case in CertService
1. Make changes in order to allow performing KUR/CR in EJBCA: - Add Certificate Update Admin role - Enable EndEntityAuthentication module - Create and set CA with constant UID - Add configuration for provider. 2. Update CertService, which provides with new certificate update endpoint. 3. Update release-notes. Issue-ID: OOM-2753 Issue-ID: OOM-2754 Signed-off-by: Piotr Marcinkiewicz <piotr.marcinkiewicz@nokia.com> Change-Id: I9cb0cb4d6d6939ad229a4ea254f2bc35d45a3d52 Signed-off-by: Joanna Jeremicz <joanna.jeremicz@nokia.com>
Diffstat (limited to 'kubernetes/contrib/components/ejbca/resources/ejbca-config.sh')
-rwxr-xr-xkubernetes/contrib/components/ejbca/resources/ejbca-config.sh24
1 files changed, 23 insertions, 1 deletions
diff --git a/kubernetes/contrib/components/ejbca/resources/ejbca-config.sh b/kubernetes/contrib/components/ejbca/resources/ejbca-config.sh
index ad10240b94..2c672e2f07 100755
--- a/kubernetes/contrib/components/ejbca/resources/ejbca-config.sh
+++ b/kubernetes/contrib/components/ejbca/resources/ejbca-config.sh
@@ -8,16 +8,31 @@ waitForEjbcaToStart() {
}
configureEjbca() {
+ ejbca.sh ca init \
+ --caname ManagementCA \
+ --dn "O=EJBCA Container Quickstart,CN=ManagementCA,UID=12345" \
+ --tokenType soft \
+ --keyspec 3072 \
+ --keytype RSA \
+ -v 3652 \
+ --policy null \
+ -s SHA256WithRSA \
+ -type "x509"
ejbca.sh config cmp addalias --alias cmpRA
ejbca.sh config cmp updatealias --alias cmpRA --key operationmode --value ra
ejbca.sh ca editca --caname ManagementCA --field cmpRaAuthSecret --value ${RA_IAK}
- ejbca.sh config cmp updatealias --alias cmpRA --key responseprotection --value pbe
+ ejbca.sh config cmp updatealias --alias cmpRA --key responseprotection --value signature
+ ejbca.sh config cmp updatealias --alias cmpRA --key authenticationmodule --value 'HMAC;EndEntityCertificate'
+ ejbca.sh config cmp updatealias --alias cmpRA --key authenticationparameters --value '-;ManagementCA'
+ ejbca.sh config cmp updatealias --alias cmpRA --key allowautomatickeyupdate --value true
#Custom EJBCA cert profile and endentity are imported to allow issuing certificates with correct extended usage (containing serverAuth)
ejbca.sh ca importprofiles -d /opt/primekey/custom_profiles
#Profile name taken from certprofile filename (certprofile_<profile-name>-<id>.xml)
ejbca.sh config cmp updatealias --alias cmpRA --key ra.certificateprofile --value CUSTOM_ENDUSER
#ID taken from entityprofile filename (entityprofile_<profile-name>-<id>.xml)
ejbca.sh config cmp updatealias --alias cmpRA --key ra.endentityprofileid --value 1356531849
+ caSubject=$(ejbca.sh ca getcacert --caname ManagementCA -f /dev/stdout | grep 'Subject' | sed -e "s/^Subject: //" | sed -n '1p')
+ ejbca.sh config cmp updatealias --alias cmpRA --key defaultca --value "$caSubject"
ejbca.sh config cmp dumpalias --alias cmpRA
ejbca.sh config cmp addalias --alias cmp
ejbca.sh config cmp updatealias --alias cmp --key allowautomatickeyupdate --value true
@@ -27,6 +42,13 @@ configureEjbca() {
ejbca.sh config cmp updatealias --alias cmp --key extractusernamecomponent --value CN
ejbca.sh config cmp dumpalias --alias cmp
ejbca.sh ca getcacert --caname ManagementCA -f /dev/stdout > cacert.pem
+ #Add "Certificate Update Admin" role to allow performing KUR/CR for certs within specific organization (e.g. Linux-Foundation)
+ ejbca.sh roles addrole "Certificate Update Admin"
+ ejbca.sh roles changerule "Certificate Update Admin" /ca/ManagementCA/ ACCEPT
+ ejbca.sh roles changerule "Certificate Update Admin" /ca_functionality/create_certificate/ ACCEPT
+ ejbca.sh roles changerule "Certificate Update Admin" /endentityprofilesrules/Custom_EndEntity/ ACCEPT
+ ejbca.sh roles changerule "Certificate Update Admin" /ra_functionality/edit_end_entity/ ACCEPT
+ ejbca.sh roles addrolemember "Certificate Update Admin" ManagementCA WITH_ORGANIZATION --value "{{ .Values.cmpv2Config.global.certificate.default.subject.organization }}"
}