Below is the script I created to manage these certificate creation steps.
# cat DsCreateCert
#!/bin/ksh -a
# DsCreateCert - build a throw-away test CA and a CA-signed server certificate
# for the Directory Server NSS database. The flags below select the tool and
# the certificate encodings; everything else is a path or a naming constant.
# (The shebang's -a exports every variable set here into child processes; the
# values are paths and names, not secrets.)
#
# Tool selection: 1 -> certutil (NSS tools), 0 -> openssl
flagUseCertutil=1
# Encodings to produce. DER is binary; PEM is base-64 DER with header/footer.
#   certutil: DER by default, "-a" switches to PEM
#   openssl:  PEM by default, "-inform DER" / "-outform DER" switch to DER
flagUseDer=0
flagUsePem=1
# Tool locations
openSslPath="/usr/local/ssl"
SSL="${openSslPath}/bin/openssl"
CERT="/usr/sfw/bin/certutil"
PK12="/usr/sfw/bin/pk12util"
# Fake CA (Certification Authority) database: directory and NSS file prefix,
# packed as the "-d DIR -P PREFIX" option pair every certutil call needs
# (callers expand it unquoted on purpose so it splits into four words).
caDbPath="/store/bnz/cacertdb"
caId="ca-"
caDbId="-d ${caDbPath} -P ${caId}"
# LDAP server certificate database, packed the same way
serverRoot="/var/ldap_data_files/ds"
serverDbPrefix="slapd-"
serverDbPath="${serverRoot}/alias"
serverDbId="-d ${serverDbPath} -P ${serverDbPrefix}"
# Subject names: the CA, and a server certificate named after this host's FQDN
subjectSuffix="ou=BTS,o=Bank of New Zealand,l=Andreas Berendsen,st=NI,c=NZ"
subjectCA="cn=BNZ_CA,${subjectSuffix}"
subjectCert="cn=$(hostname).$(domainname),${subjectSuffix}"
#===============================================================================
#===============================================================================
ShowChapter() {
  # Print a chapter banner: a blank line, a rule of stars, "* <title>",
  # another rule, then a blank line.
  # Arguments: $1 - chapter title
  # Outputs:   the banner on stdout
  printf '\n%s\n* %s\n%s\n\n' \
    "********************************************************************************" \
    "${1}" \
    "********************************************************************************"
}
#===============================================================================
#===============================================================================
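ShowStep() {
  # Print a boxed list of operator instructions, one argument per line.
  # Arguments: each positional parameter is one line of text. An empty
  #            argument prints an empty "| " spacer line; several callers pass
  #            "" for that, so iteration must not stop at the first empty one
  #            (the previous while/shift loop did, and silently dropped the
  #            prompt instructions that followed).
  # Outputs:   the box on stdout
  printf '%s\n' "+------------------------------------------------------------------------"
  # printf reuses the format once per argument and, unlike echo, does not
  # treat a leading '-' in the text as an option.
  [[ $# -gt 0 ]] && printf '| %s\n' "$@"
  printf '%s\n' "+------------------------------------------------------------------------"
}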
#===============================================================================
#===============================================================================
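#-----
#----- Main flow. Runs top to bottom; every tool invocation is interactive and
#----- the ShowStep boxes tell the operator what to type at each prompt.
#----- caDbId / serverDbId are expanded unquoted on purpose: they pack the
#----- "-d DIR -P PREFIX" option pair.
#-----
# Directory Server connection used by dsconf at the end. dsconf prompts for the
# bind password itself; it is never placed on the command line.
dsHost="wgtsinf01"
dsPort="389"
dsBindDn="cn=Directory Manager"
# Start from a clean CA every run. ":?" aborts if caDbPath is unset or empty
# instead of letting "rm -rf" run against "/".
rm -rf "${caDbPath:?}"
#rm -rf "${caDbPath:?}" "${serverDbPath}/${serverDbPrefix}"*.db
ShowChapter "Checking NSS database password protection"
certPwdPrompt=$(dsadm get-flags "${serverRoot}" | grep cert-pwd-prompt | cut -d':' -f2)
# The unquoted echo deliberately word-splits to trim whitespace around the value.
if [[ $(echo ${certPwdPrompt}) = off ]]; then
  ShowStep "Stopping DS"
  dsadm stop "${serverRoot}"
  ShowStep "Setting NSS database password" \
    " " \
    "At prompt 'Choose the new certificate database password:', type password" \
    "At prompt 'Confirm the new certificate database password:', type password"
  dsadm set-flags "${serverRoot}" cert-pwd-prompt=on
  # The PIN file holds the token password in clear text so DS can start
  # unattended; its content must match what the operator typed above.
  # It is created under umask 077 so it is never world-readable, not even for
  # the instant before chmod, and then locked down to 0400.
  pinFile="${serverDbPath}/${serverDbPrefix}pin.txt"
  ( umask 077; echo "Internal (Software) Token:password" > "${pinFile}" )
  chmod 400 "${pinFile}"
  ShowStep "Starting DS" \
    " " \
    "At prompt 'Enter PIN for Internal (Software) Token', type password"
  # NOTE(review): 2>/dev/null hides dsadm's own error output; drop it when
  # debugging a failed start.
  dsadm start "${serverRoot}" 2>/dev/null
fi
ShowChapter "NSS database clean-up"
# Delete every certificate except the default one. certutil -L presumably also
# prints header lines; their first word reaches -D too and simply fails to match.
${CERT} -L ${serverDbId} | grep -v "defaultCert" | cut -d' ' -f1 | while read -r certName; do
  [[ -z "${certName}" ]] && continue
  echo "----- Removing certificate ${certName}"
  ${CERT} -D ${serverDbId} -n "${certName}"
done
#-----
#----- Prepare Test Certification Authority (CA) environment
#-----
if [[ ! -e "${caDbPath}/ca-cert8.db" ]]; then
  ShowChapter "Creating CA environment and database"
  if [[ ${flagUseCertutil} -eq 0 ]]; then
    #.....................................................................
    # Using OpenSSL to create CA database
    #.....................................................................
    caPl="${openSslPath}/misc/CA.pl"
    sslCnf="${openSslPath}/openssl.cnf"
    # Point CA.pl's $CATOP at caDbPath. The sed expression is single quoted
    # with only the path spliced in: in double quotes the shell expanded both
    # "$CATOP" (unset here) and "$_" (ksh: last argument of the previous
    # command) before sed ran, so the pattern never matched. "|" is the
    # s/// delimiter because caDbPath contains "/". The file must exist,
    # otherwise sed would read a missing backup and truncate CA.pl.
    if [[ -e "${caPl}" && $(grep -c "${caDbPath}" "${caPl}") -eq 0 ]]; then
      ShowStep "Updating ${caPl}"
      cp "${caPl}" "${caPl}.backup.$$"
      sed -e 's|^\$CATOP=.*$|$CATOP="'"${caDbPath}"'";|' "${caPl}.backup.$$" > "${caPl}"
    fi
    # Same treatment for the "dir" entry of openssl.cnf: keep the key, replace
    # everything from "=" to the end of the line.
    if [[ -e "${sslCnf}" && $(grep -c "${caDbPath}" "${sslCnf}") -eq 0 ]]; then
      ShowStep "Updating ${sslCnf}"
      cp "${sslCnf}" "${sslCnf}.backup.$$"
      sed -e '/^dir/s|=.*$|='"${caDbPath}"'|' "${sslCnf}.backup.$$" > "${sslCnf}"
    fi
    ShowStep "Creating CA directory structure at ${caDbPath}" \
      " " \
      "At prompt 'CA certificate filename (or enter to create)' press ENTER" \
      "At prompt 'Enter PEM pass phrase:', type password" \
      "At prompt 'Verifying - Enter PEM pass phrase:' type password" \
      "At subsequent prompts, press ENTER"
    perl "${caPl}" -newca
  else
    #.....................................................................
    # Using certutil to create CA database
    #.....................................................................
    [[ -d "${caDbPath}" ]] || mkdir -p "${caDbPath}"
    # Everything below writes cacert.* relative to the CA directory; stop
    # rather than scatter key material into the caller's cwd if the cd fails.
    cd "${caDbPath}" || exit 1
    ShowStep "Create CA certificate DB" \
      " " \
      "At prompt 'Enter new password:' type password" \
      "At prompt 'Re-enter password:' type password"
    ${CERT} -N ${caDbId}
    ShowStep "Create a self-signed CA certificate" \
      " " \
      "At prompt 'Enter Password or Pin for \"NSS Certificate DB\":' type password" \
      "After the key creation is finished, choose option 5 and then 9" \
      "At prompt 'Is this a critical extension [y/N]?', type Y"
    # -x self-signed, -t CTPu trusted CA, -v 120 months validity,
    # -5 prompts for the certificate-type extension (the "option 5 / 9" above)
    ${CERT} -S ${caDbId} -x -n "ca-cert" -s "${subjectCA}" -t CTPu -v 120 -5
    if [[ ${flagUsePem} -eq 1 ]]; then
      #..................................................export CA in text (PEM)
      ShowStep "Export the CA cert into an output file in PEM format" \
        "" \
        "At prompt 'Enter Password or Pin for \"NSS Certificate DB\":', type password" \
        "At subsequent prompts, simply press ENTER and accept the default values"
      ${CERT} -L ${caDbId} -n "ca-cert" -a > cacert.pem
    fi
    if [[ ${flagUseDer} -eq 1 ]]; then
      #................................................export CA in binary (DER)
      ShowStep "Export the CA cert into an output file in DER format" \
        "" \
        "At prompt 'Enter Password or Pin for \"NSS Certificate DB\":', type password" \
        "At subsequent prompts, simply press ENTER and accept the default values"
      ${CERT} -L ${caDbId} -n "ca-cert" > cacert.der
    fi
  fi
fi
#-----
#----- Create NSS DB for Directory Server
#-----
# TODO: adjust this block to use the current Directory Server (DS) database.
ShowChapter "Create NSS DB for Directory Server"
if [[ ! -e "${serverDbPath}/${serverDbPrefix}cert8.db" ]]; then
  ${CERT} -N ${serverDbId}
else
  echo "***** Database already created. Nothing to do"
fi
#-----
#----- Generate Certificate Signing Request (CSR) for server cert
#-----
ShowChapter "Generate Certificate Signing Request (CSR) for server cert"
if [[ ${flagUseCertutil} -eq 1 ]]; then
  ShowStep "At prompt 'Enter Password or Pin for \"NSS Certificate DB\":', type password"
  # The key pair is generated inside the server NSS DB; only the request is written out.
  [[ ${flagUseDer} -eq 1 ]] && ${CERT} -R ${serverDbId} -s "${subjectCert}" -o DER.csr
  [[ ${flagUsePem} -eq 1 ]] && ${CERT} -R ${serverDbId} -s "${subjectCert}" -o PEM.csr -a
else
  ShowStep "Generate 2048-bit RSA private key"
  # privkey.pem is the server's private key, written unencrypted; umask 077
  # keeps it owner-only from the moment it is created.
  ( umask 077; ${SSL} genrsa -out privkey.pem 2048 )
  ShowStep "Generate the certificate request" \
    " " \
    "At all prompts, press ENTER to accept the default value"
  ${SSL} req -new -key privkey.pem -out PEM.csr
  ShowStep "Display the content and public key from the certificate request"
  ${SSL} req -in PEM.csr -text -pubkey
fi
#-----
#----- Sign CSR using Fake CA
#-----
ShowChapter "Sign CSR using Fake CA"
if [[ ${flagUseCertutil} -eq 1 ]]; then
  # -c names the issuer in the CA DB, -v 12 months validity, -5 as for the CA cert
  if [[ ${flagUseDer} -eq 1 ]]; then
    ShowStep "Sign DER CSR" \
      "" \
      "After the key creation is finished, choose option 5 and then 9" \
      "At prompt 'Is this a critical extension [y/N]?', type Y" \
      "At prompt 'Enter Password or Pin for \"NSS Certificate DB\":' type password"
    ${CERT} -C ${caDbId} -c "ca-cert" -i DER.csr -o ./cert.der -v 12 -5
  fi
  if [[ ${flagUsePem} -eq 1 ]]; then
    ShowStep "Sign PEM CSR" \
      "" \
      "After the key creation is finished, choose option 5 and then 9" \
      "At prompt 'Is this a critical extension [y/N]?', type Y" \
      "At prompt 'Enter Password or Pin for \"NSS Certificate DB\":' type password"
    ${CERT} -C ${caDbId} -c "ca-cert" -i PEM.csr -o ./cert.pem -v 12 -5 -a
  fi
else
  ShowStep "openssl" \
    "" \
    "At prompt 'Enter pass phrase for ${caDbPath}/private/cakey.pem:' type password"
  # CA.pl -newca writes the CA certificate under ${caDbPath}, and this branch
  # never changes directory, so the CA cert is addressed by full path.
  ${SSL} ca -policy policy_anything -cert "${caDbPath}/cacert.pem" -in PEM.csr -out ./cert.pem
fi
#-----
#----- Import signed certs into NSS DB
#-----
ShowChapter "Import signed certs into NSS DB"
if [[ ${flagUseCertutil} -eq 1 ]]; then
  # Trust flags: "Pu" marks the server cert as a trusted peer with a user key,
  # "CT" marks the CA as trusted to issue server certs.
  if [[ ${flagUsePem} -eq 1 ]]; then
    ShowStep "Import PEM server cert"
    ${CERT} -A ${serverDbId} -n "server-cert" -i cert.pem -t Pu -a
    ShowStep "Import PEM CA cert"
    ${CERT} -A ${serverDbId} -n "ca-cert" -i cacert.pem -t CT -a
  fi
  if [[ ${flagUseDer} -eq 1 ]]; then
    ShowStep "Import DER server cert"
    ${CERT} -A ${serverDbId} -n "server-cert" -i cert.der -t Pu
    ShowStep "Import DER CA cert"
    ${CERT} -A ${serverDbId} -n "ca-cert" -i cacert.der -t CT
  fi
  # The empty stdin line presumably answers a password prompt so the listing
  # does not block - confirm against the certutil version in use.
  ShowStep "List all certificates"
  echo "" | ${CERT} -L ${serverDbId}
  ShowStep "List the contents of server certificate"
  echo "" | ${CERT} -L ${serverDbId} -n "server-cert"
  ShowStep "List the contents of CA certificate"
  echo "" | ${CERT} -L ${serverDbId} -n "ca-cert"
else
  # Bundle key, server cert and CA cert into PKCS#12 and import it into the NSS DB.
  ${SSL} pkcs12 -export -in cert.pem -inkey privkey.pem -certfile "${caDbPath}/cacert.pem" -name "MY CERTIFICATE" -out mycert.p12
  ${PK12} -i mycert.p12 ${serverDbId} -v
fi
#-----
#----- Enable SSL
#-----
ShowChapter "Enable SSL"
echo "Total ciphers allowed: $( dsconf get-server-prop -D "${dsBindDn}" -h "${dsHost}" -p "${dsPort}" -c ssl-supported-ciphers | wc -l )"
# NOTE(review): this enables every cipher family the server reports, including
# NULL (no encryption), EXPORT/40-bit, single DES, RC2, RC4 and MD5 suites and
# the SSLv2 SSL_CK_* families. That is tolerable only on the isolated test
# subnet; anywhere else keep the AES suites (3DES at most) and drop the rest.
dsconf set-server-prop -D "${dsBindDn}" -h "${dsHost}" -p "${dsPort}" \
  ssl-cipher-family:TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA \
  ssl-cipher-family:TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA \
  ssl-cipher-family:TLS_DHE_RSA_WITH_AES_256_CBC_SHA \
  ssl-cipher-family:TLS_DHE_DSS_WITH_AES_256_CBC_SHA \
  ssl-cipher-family:TLS_ECDH_RSA_WITH_AES_256_CBC_SHA \
  ssl-cipher-family:TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA \
  ssl-cipher-family:TLS_RSA_WITH_AES_256_CBC_SHA \
  ssl-cipher-family:TLS_ECDHE_ECDSA_WITH_RC4_128_SHA \
  ssl-cipher-family:TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA \
  ssl-cipher-family:TLS_ECDHE_RSA_WITH_RC4_128_SHA \
  ssl-cipher-family:TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA \
  ssl-cipher-family:TLS_DHE_DSS_WITH_RC4_128_SHA \
  ssl-cipher-family:TLS_DHE_RSA_WITH_AES_128_CBC_SHA \
  ssl-cipher-family:TLS_DHE_DSS_WITH_AES_128_CBC_SHA \
  ssl-cipher-family:TLS_ECDH_RSA_WITH_RC4_128_SHA \
  ssl-cipher-family:TLS_ECDH_RSA_WITH_AES_128_CBC_SHA \
  ssl-cipher-family:TLS_ECDH_ECDSA_WITH_RC4_128_SHA \
  ssl-cipher-family:TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA \
  ssl-cipher-family:SSL_RSA_WITH_RC4_128_MD5 \
  ssl-cipher-family:SSL_RSA_WITH_RC4_128_SHA \
  ssl-cipher-family:TLS_RSA_WITH_AES_128_CBC_SHA \
  ssl-cipher-family:TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA \
  ssl-cipher-family:TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA \
  ssl-cipher-family:SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA \
  ssl-cipher-family:SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA \
  ssl-cipher-family:TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA \
  ssl-cipher-family:TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA \
  ssl-cipher-family:SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA \
  ssl-cipher-family:SSL_RSA_WITH_3DES_EDE_CBC_SHA \
  ssl-cipher-family:SSL_DHE_RSA_WITH_DES_CBC_SHA \
  ssl-cipher-family:SSL_DHE_DSS_WITH_DES_CBC_SHA \
  ssl-cipher-family:SSL_RSA_FIPS_WITH_DES_CBC_SHA \
  ssl-cipher-family:SSL_RSA_WITH_DES_CBC_SHA \
  ssl-cipher-family:TLS_RSA_EXPORT1024_WITH_RC4_56_SHA \
  ssl-cipher-family:TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA \
  ssl-cipher-family:SSL_RSA_EXPORT_WITH_RC4_40_MD5 \
  ssl-cipher-family:SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5 \
  ssl-cipher-family:TLS_ECDHE_ECDSA_WITH_NULL_SHA \
  ssl-cipher-family:TLS_ECDHE_RSA_WITH_NULL_SHA \
  ssl-cipher-family:TLS_ECDH_RSA_WITH_NULL_SHA \
  ssl-cipher-family:TLS_ECDH_ECDSA_WITH_NULL_SHA \
  ssl-cipher-family:SSL_RSA_WITH_NULL_SHA \
  ssl-cipher-family:SSL_RSA_WITH_NULL_MD5 \
  ssl-cipher-family:SSL_CK_RC4_128_WITH_MD5 \
  ssl-cipher-family:SSL_CK_RC2_128_CBC_WITH_MD5 \
  ssl-cipher-family:SSL_CK_DES_192_EDE3_CBC_WITH_MD5 \
  ssl-cipher-family:SSL_CK_DES_64_CBC_WITH_MD5 \
  ssl-cipher-family:SSL_CK_RC4_128_EXPORT40_WITH_MD5 \
  ssl-cipher-family:SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5
# NOTE(review): as above, 2>/dev/null hides dsadm's error output.
dsadm restart "${serverRoot}" 2>/dev/null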
This drawing shows how the computers are connected. This subnet is isolated from other subnets and is used solely for testing.
+---------+ +---------+ +---------+ +---------+
|wgtsinf01| |wgls01 | |wgls02 | |wgls03 |
|Solaris9 | |Solaris10| |Solaris9 | |Solaris8 |
|DSEE6.1 | | | | | | |
+---------+ +---------+ +---------+ +---------+
|.50 |.11 |.12 |.13
| | | |
================================================== 10.64.47.x/24 (Test subnet)
Cheers,
Andreas