[COMMON] Enforce checkbashisms tox profile

[oom.git] / kubernetes / contrib / components / ejbca / resources / ejbca-config.sh

diff --git a/kubernetes/contrib/components/ejbca/resources/ejbca-config.sh b/kubernetes/contrib/components/ejbca/resources/ejbca-config.sh
index ad10240..94c95d6 100755 (executable)
--- a/kubernetes/contrib/components/ejbca/resources/ejbca-config.sh
+++ b/kubernetes/contrib/components/ejbca/resources/ejbca-config.sh
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/bin/sh
 
 waitForEjbcaToStart() {
     until $(curl -kI https://localhost:8443/ejbca/publicweb/healthcheck/ejbcahealth --output /dev/null --silent --head --fail)
@@ -8,16 +8,31 @@ waitForEjbcaToStart() {
 }
 
 configureEjbca() {
+    ejbca.sh ca init \
+      --caname ManagementCA \
+      --dn "O=EJBCA Container Quickstart,CN=ManagementCA,UID=12345" \
+      --tokenType soft \
+      --keyspec 3072 \
+      --keytype RSA \
+      -v 3652 \
+      --policy null \
+      -s SHA256WithRSA \
+      -type "x509"
     ejbca.sh config cmp addalias --alias cmpRA
     ejbca.sh config cmp updatealias --alias cmpRA --key operationmode --value ra
     ejbca.sh ca editca --caname ManagementCA --field cmpRaAuthSecret --value ${RA_IAK}
-    ejbca.sh config cmp updatealias --alias cmpRA --key responseprotection --value pbe
+    ejbca.sh config cmp updatealias --alias cmpRA --key responseprotection --value signature
+    ejbca.sh config cmp updatealias --alias cmpRA --key authenticationmodule --value 'HMAC;EndEntityCertificate'
+    ejbca.sh config cmp updatealias --alias cmpRA --key authenticationparameters --value '-;ManagementCA'
+    ejbca.sh config cmp updatealias --alias cmpRA --key allowautomatickeyupdate --value true
     #Custom EJBCA cert profile and endentity are imported to allow issuing certificates with correct extended usage (containing serverAuth)
     ejbca.sh ca importprofiles -d /opt/primekey/custom_profiles
     #Profile name taken from certprofile filename (certprofile_<profile-name>-<id>.xml)
     ejbca.sh config cmp updatealias --alias cmpRA --key ra.certificateprofile --value CUSTOM_ENDUSER
     #ID taken from entityprofile filename (entityprofile_<profile-name>-<id>.xml)
     ejbca.sh config cmp updatealias --alias cmpRA --key ra.endentityprofileid --value 1356531849
+    caSubject=$(ejbca.sh ca getcacert --caname ManagementCA -f /dev/stdout | grep 'Subject' | sed -e "s/^Subject: //" | sed -n '1p')
+    ejbca.sh config cmp updatealias --alias cmpRA --key defaultca --value "$caSubject"
     ejbca.sh config cmp dumpalias --alias cmpRA
     ejbca.sh config cmp addalias --alias cmp
     ejbca.sh config cmp updatealias --alias cmp --key allowautomatickeyupdate --value true
@@ -27,6 +42,13 @@ configureEjbca() {
     ejbca.sh config cmp updatealias --alias cmp --key extractusernamecomponent --value CN
     ejbca.sh config cmp dumpalias --alias cmp
     ejbca.sh ca getcacert --caname ManagementCA -f /dev/stdout > cacert.pem
+    #Add "Certificate Update Admin" role to allow performing KUR/CR for certs within specific organization (e.g. Linux-Foundation)
+    ejbca.sh roles addrole "Certificate Update Admin"
+    ejbca.sh roles changerule "Certificate Update Admin" /ca/ManagementCA/ ACCEPT
+    ejbca.sh roles changerule "Certificate Update Admin" /ca_functionality/create_certificate/ ACCEPT
+    ejbca.sh roles changerule "Certificate Update Admin" /endentityprofilesrules/Custom_EndEntity/ ACCEPT
+    ejbca.sh roles changerule "Certificate Update Admin" /ra_functionality/edit_end_entity/ ACCEPT
+    ejbca.sh roles addrolemember "Certificate Update Admin" ManagementCA WITH_ORGANIZATION --value "{{ .Values.cmpv2Config.global.certificate.default.subject.organization }}"
 }