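#!/bin/bash
# Provision a single-host OpenXPKI test installation on Debian buster:
# locale, vendor apt repo, MariaDB schema, the community config, throwaway
# CA / vault / Apache TLS key material, and token import into one realm.
#
# Must run as root. Tunable via environment; every default reproduces the
# original hard-coded value:
#   OPENXPKI_HOST     host or IP written into the realm baseurl
#   OPENXPKI_REALM    name of the realm created from realm.tpl
#   OPENXPKI_DB_PASS  password of the MariaDB 'openxpki' user
#
# Every step is required for a working install, so any failing command
# (including a failed key download inside the wget | apt-key pipeline)
# aborts the script instead of leaving a half-configured host.
set -euo pipefail

readonly OPENXPKI_HOST="${OPENXPKI_HOST:-10.132.139.130}"
readonly OPENXPKI_REALM="${OPENXPKI_REALM:-testca}"
# NOTE(review): the server config cloned below is used unchanged, so a
# non-default DB password only works if that config is pointed at the same
# credential — TODO confirm before overriding. The value is interpolated into
# an SQL single-quoted literal; a ' inside it would break the statement.
readonly OPENXPKI_DB_PASS="${OPENXPKI_DB_PASS:-openxpki}"
readonly CONFIG_DIR=/etc/openxpki
readonly KEY_BITS=4096

# OpenSSL request configs go into a private mktemp directory instead of
# predictable /tmp/req.conf paths; the trap removes it on every exit path.
tmpdir=$(mktemp -d) || { printf 'mktemp failed\n' >&2; exit 1; }
cleanup() { rm -rf -- "$tmpdir"; }
trap cleanup EXIT

# Fix locale
echo 'de_DE UTF-8' >> /etc/locale.gen
/sbin/locale-gen

# Add openxpki repo (apt-key is deprecated in newer apt but is what the
# original setup relies on; pipefail turns a failed download into an abort)
wget https://packages.openxpki.org/v3/debian/Release.key -O - | apt-key add -
echo 'deb http://packages.openxpki.org/v3/debian/ buster release' \
  > /etc/apt/sources.list.d/openxpki.list

# Install dependencies (apache2 was listed twice in the original list)
packages=(
  default-mysql-server libdbd-mysql-perl
  apache2 libapache2-mod-fcgid
  libopenxpki-perl openxpki-cgi-session-driver openxpki-i18n
  git net-tools openssh-server
)
apt update
apt install -y "${packages[@]}"

# Create database and load the schema shipped with the perl package
mysql -e "CREATE DATABASE openxpki CHARSET utf8;"
mysql -e "CREATE USER 'openxpki'@'localhost' IDENTIFIED BY '${OPENXPKI_DB_PASS}';"
mysql -e "GRANT ALL ON openxpki.* TO 'openxpki'@'localhost';"
mysql -e "flush privileges;"
zcat /usr/share/doc/libopenxpki-perl/examples/schema-mariadb.sql.gz \
  | mysql --database openxpki

# Clone openxpki community config (replaces whatever the package installed)
rm -rf -- "${CONFIG_DIR:?}"
git clone https://github.com/openxpki/openxpki-config.git --branch=community "$CONFIG_DIR"

# Create a new realm from realm.tpl
realm_dir="$CONFIG_DIR/config.d/realm/$OPENXPKI_REALM"
mkdir -p -- "$realm_dir"
cp -a "$CONFIG_DIR"/config.d/realm.tpl/* "$realm_dir"/
# -rf so this works whether democa is a symlink or a directory; a plain rm
# on a directory would fail and, under set -e, abort the script here.
rm -rf -- "$CONFIG_DIR/config.d/realm/democa"

# Enable realm
cat <<EOF > "$CONFIG_DIR/config.d/system/realms.yaml"
${OPENXPKI_REALM}:
    label: Test CA
    baseurl: https://${OPENXPKI_HOST}/openxpki/
EOF

# Create CA and certificates.
# Quoted heredoc delimiters: the configs contain no shell expansions and must
# be written verbatim.
cat <<'EOF' > "$tmpdir/req.conf"
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[req_distinguished_name]
C = DE
ST = FOO
L = Bar
O = foobar
OU = Test
CN = test
[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
EOF

cat <<'EOF' > "$tmpdir/ca-req.conf"
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_ca
prompt = no
[req_distinguished_name]
C = DE
ST = FOO
L = Bar
O = foobar
OU = Test
CN = CA
[v3_ca]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints = critical,CA:true
EOF

# The CA key previously used openssl's default size; generate it with the
# same size as the end-entity key so both sit at the same strength.
openssl genrsa -out /root/ca-key.pem "$KEY_BITS"
openssl req -x509 -new -nodes -key /root/ca-key.pem -days 7300 \
  -out /root/ca-root.pem -sha512 -config "$tmpdir/ca-req.conf"

openssl genrsa -out /root/pki.key "$KEY_BITS"
openssl req -new -out /root/pki.csr -key /root/pki.key -config "$tmpdir/req.conf"
openssl x509 -req -days 7300 -in /root/pki.csr -CA /root/ca-root.pem \
  -CAkey /root/ca-key.pem -CAcreateserial -out /root/pki.crt

# NOTE(review): no -nodes here, so unless vault.openssl.cnf disables key
# encryption this step prompts for a passphrase and blocks an unattended
# run — TODO confirm against the contrib config.
openssl req -new -x509 -keyout /root/vault.key -out /root/vault.crt \
  -days 1100 -config "$CONFIG_DIR/contrib/vault.openssl.cnf"

# Create directories for TLS certificates for apache2.
# The private key directory and file are restricted to root; cp would only
# carry over whatever mode the source happened to have.
mkdir -p "$CONFIG_DIR/tls/endentity"
cp /root/pki.crt "$CONFIG_DIR/tls/endentity/openxpki.crt"
mkdir -p "$CONFIG_DIR/tls/private"
chmod 0700 "$CONFIG_DIR/tls/private"
install -m 0600 /root/pki.key "$CONFIG_DIR/tls/private/openxpki.pem"
mkdir -p "$CONFIG_DIR/tls/chain"
# NOTE(review): the chain directory receives the end-entity cert, not the
# CA cert; if Apache uses this directory as its CA path, ca-root.pem is
# probably what belongs here — TODO confirm against the Apache vhost config.
cp /root/pki.crt "$CONFIG_DIR/tls/chain/openxpki.crt"
c_rehash "$CONFIG_DIR/tls/chain/"

# Enable ssl apache2 module
/sbin/a2enmod ssl
systemctl restart apache2

# Start openxpki
openxpkictl start

# Import certificates, then register them as the realm's tokens; the
# server is restarted after each step so it picks up the new aliases.
mkdir -p "$CONFIG_DIR/local/keys/"
openxpkiadm certificate import --file /root/ca-root.pem
openxpkiadm certificate import --file /root/vault.crt
openxpkictl restart

openxpkiadm alias --realm "$OPENXPKI_REALM" --token datasafe \
  --file /root/vault.crt --key /root/vault.key
openxpkictl restart

openxpkiadm alias --realm "$OPENXPKI_REALM" --token certsign \
  --file /root/ca-root.pem --key /root/ca-key.pem
openxpkictl restart

# Show the resulting aliases, check the vault token, and issue a first CRL
openxpkiadm alias --realm "$OPENXPKI_REALM"
openxpkicli get_token_info --arg alias=vault-1
openxpkicmd --realm "$OPENXPKI_REALM" crl_issuance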
