/[pdpsoft]/nl.nikhef.pdp.tcs/nl.nikhef.pdp.tcs.tcsg4-tools/trunk/README.txt

Revision 3294 - (show annotations) (download)
Sat Jun 20 09:01:57 2020 UTC (2 years, 1 month ago) by davidg
File MIME type: text/plain
File size: 5584 byte(s)
clarify that server-install script can take URL or number

-----------------------------------------------------------------------------
TCS Generation 4 (2020 edition)
-----------------------------------------------------------------------------

About
-----
The "tcsg4" and "sg*" scripts are for use with the 4th generation GEANT TCS
service (using Sectigo as a back-end operator). The scripts for TCSG3, which
used DigiCert as a back-end, are available under tcsg3/, and may still be
useful for other DigiCert customers.
We apologize for the rather haphazard code layout, which is most certainly
'hackish' and originated as demonstrators or local scripts. We encourage
everyone to make improvements or do code cleanup. The shell scripts are
written so as to require minimal dependencies (usually only OpenSSL and
basic utilities like ls, awk, or grep).

! This also includes the scripts to request and retrieve certificates that are
! issued through the Sectigo interface SCM. Using SCM without fixing up what
! it returns to you can cause serious issues - always post-process server
! certificates issued by and retrieved via SCM to correct for the SCM bugs!

*** tcsg4-install-servercert.sh
Retrieve and regularize SSL server certificates for use

Import/regularisation script that rectifies certificate chain issues for
server certificates. Required for web servers to fix the chain ordering and
produce appropriate chain files for Apache, IIS, and nginx.

Usage: tcsg4-install-servercert.sh [-d destdir] [-r|-R] [-f]
                [-b backupprefix] <PKCS7.p7b> | EnrollmentID | p7b-URL

  -d destdir    write result files to <destdir>
  -r            use EEC commonName as basis for new filenames
  --no-rename   use the base filename of the P7B file for new filenames
  -R            use EEC commonName and date as basis for filenames
  -f            do not make backups of existing files
  -b bckprefix  prefix of the filename to use when making backups

  <PKCS7.p7b>   filename of the blob produced by Sectigo
                or URL to the PKCS#7 blob from the success email
                (https://cer.../ssl?action=download&sslId=1234567&format=bin)
                remember to "quote" the URL to preserve the ampersands
                or Self-Enrollment ID number (numeric)

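The chain fix the script above performs, shown as an added example that is not the project's tcsg4-install-servercert.sh: the PKCS#7 blob is split into its certificates, the end-entity certificate (EEC) is identified as the one that issues nothing else in the blob, and the chain is written in the order Apache and nginx expect (EEC first, then each issuer, the self-signed root left out). The function name regularize_p7b and the output file names cert.pem, chain.pem and fullchain.pem are assumptions for this example; only OpenSSL, awk and coreutils are used.

```bash
#!/bin/bash
# Added example, not the tcsg4-install-servercert.sh script itself: take the
# PKCS#7 blob Sectigo hands out, split it into certificates, pick out the
# end-entity certificate (EEC) and write the chain in the order web servers
# expect (EEC first, then each issuer, the self-signed root left out).
set -eu

# regularize_p7b <blob.p7b> <destdir>
# Writes <destdir>/cert.pem, <destdir>/chain.pem and <destdir>/fullchain.pem
# and prints the EEC subject so the caller can derive -r style filenames.
regularize_p7b() {
  blob=$1; dest=$2
  tmp=$(mktemp -d)
  mkdir -p "$dest"

  # Dump every certificate in the blob as PEM; Sectigo ships DER, but accept PEM too.
  openssl pkcs7 -inform DER -in "$blob" -print_certs -out "$tmp/all.pem" 2>/dev/null ||
    openssl pkcs7 -inform PEM -in "$blob" -print_certs -out "$tmp/all.pem"

  # One file per certificate, keeping only the PEM body (drop the subject=/issuer= lines).
  awk -v d="$tmp" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/c%03d.pem", d, n); inpem = 1 }
    inpem { print > f }
    /-----END CERTIFICATE-----/   { inpem = 0; close(f) }' "$tmp/all.pem"

  # The EEC is the certificate whose subject is not the issuer of any other
  # certificate in the blob (the root is its own issuer, so it never qualifies).
  issuers=""
  for c in "$tmp"/c*.pem; do
    issuers="$issuers $(openssl x509 -in "$c" -noout -issuer_hash)"
  done
  eec=""
  for c in "$tmp"/c*.pem; do
    s=$(openssl x509 -in "$c" -noout -subject_hash)
    case " $issuers " in
      *" $s "*) ;;        # signs something else in the blob: an intermediate or root
      *) eec=$c ;;
    esac
  done
  [ -n "$eec" ] || { echo "no end-entity certificate found in $blob" >&2; rm -rf "$tmp"; return 1; }
  cp "$eec" "$dest/cert.pem"

  # Walk issuer by issuer. Stop at the self-signed root (not included: servers
  # should not send it) or when the issuer is missing from the blob.
  : > "$dest/chain.pem"
  cur=$eec
  while :; do
    ih=$(openssl x509 -in "$cur" -noout -issuer_hash)
    next=""
    for c in "$tmp"/c*.pem; do
      if [ "$(openssl x509 -in "$c" -noout -subject_hash)" = "$ih" ]; then next=$c; break; fi
    done
    [ -n "$next" ] || break
    [ "$(openssl x509 -in "$next" -noout -issuer_hash)" != "$ih" ] || break   # next is self-signed
    cat "$next" >> "$dest/chain.pem"
    cur=$next
  done
  cat "$dest/cert.pem" "$dest/chain.pem" > "$dest/fullchain.pem"
  rm -rf "$tmp"
  openssl x509 -in "$dest/cert.pem" -noout -subject
}

# Usage: regularize_p7b download.p7b ./tcs-out
if [ $# -eq 2 ]; then regularize_p7b "$1" "$2"; fi
```

Matching on subject/issuer name hashes rather than on the order of the blob is what makes this robust against the mis-ordered chains the warning above refers to; a blob with the root first and the EEC in the middle comes out the same as a correctly ordered one.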

*** tcsg4-request.sh
Create certificate requests (CSR) with alternative names

Create the most compatible CSRs, which will work for both OV and EV requests
and for EV anchors. Supports unlimited alternative names and wildcard certs, and
can generate both RSA and ECC requests. Can be fed with the output of existing
certificates ("openssl x509 -text") and will automatically remove any "DNS:"
prefixes and superfluous commas in the list.
For ECC, use only P256 and P384. Sectigo does not support ec25519 :(

Usage: tcsg4-request.sh [-d destdir] [-b bits] [-E] [-f] hostname [hostname ...]

  -d destdir    write result files to <destdir>
                (default: ./tcs-<hostname>/)
  -b bits       use <bits> for RSA key length (default: 2048) or curve for
                ECC (e.g. "prime256v1", set explicitly)
  -f | --force  overwrite existing files
  -E | --ecc    generate ECC cert (remember to set -b to the curve!)

  hostname      hostname (FQDN) to be included in the request
                Any literal string "WILDCARD" will be replaced by
                a "*" in the hostname - it should ONLY be included as
                the first element of the fqdn, and MUST be on its own
                (the list of hostnames may be separated by spaces or commas)

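The hostname handling and key/CSR generation described above, as an added example and not the project's tcsg4-request.sh: comma- or space-separated input, pasted "DNS:" prefixes and the literal WILDCARD label are normalised into a subjectAltName value, and a key plus CSR is generated for either an RSA length or a named P-256/P-384 curve. The function names normalize_hosts, san_list and make_csr, the "rsa:<bits>"/"ec:<curve>" key spec and the output names key.pem and request.csr are assumptions for this example; openssl req -addext needs OpenSSL 1.1.1 or later.

```bash
#!/bin/bash
# Added example, not the project's tcsg4-request.sh: normalise a loosely
# formatted hostname list (commas, "DNS:" prefixes pasted from "openssl x509
# -text", the literal WILDCARD label) into a subjectAltName and generate a
# key plus CSR for it, RSA or ECC (P-256/P-384 only, as the CA requires).
set -eu

# normalize_hosts <hostnames...>: print one clean FQDN per line.
# Input may be space- or comma-separated and may carry "DNS:" prefixes;
# "WILDCARD.example.org" becomes "*.example.org". Fails if WILDCARD appears
# anywhere but as the whole first label.
normalize_hosts() {
  printf '%s\n' "$@" | tr ',' '\n' |
    sed -e 's/^[[:space:]]*DNS:[[:space:]]*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d' |
    while IFS= read -r h; do
      case "$h" in
        WILDCARD.*) h="*.${h#WILDCARD.}" ;;
        *WILDCARD*) echo "WILDCARD must be the whole first label, not part of: $h" >&2; exit 1 ;;
      esac
      printf '%s\n' "$h"
    done
}

# san_list <hostnames...>: the subjectAltName value, e.g. "DNS:a.example.org,DNS:*.example.org"
san_list() {
  hosts=$(normalize_hosts "$@") || return 1
  [ -n "$hosts" ] || { echo "no hostnames given" >&2; return 1; }
  printf '%s\n' "$hosts" | sed 's/^/DNS:/' | paste -sd, -
}

# make_csr <destdir> <keyspec> <hostnames...>
#   keyspec "rsa:<bits>" (e.g. rsa:2048) or "ec:<curve>" (prime256v1 or secp384r1)
#   Writes <destdir>/key.pem (mode 0600) and <destdir>/request.csr; prints the CSR path.
make_csr() {
  dest=$1; spec=$2; shift 2
  san=$(san_list "$@") || return 1
  cn=${san%%,*}; cn=${cn#DNS:}           # first hostname doubles as the commonName
  mkdir -p "$dest"
  case "$spec" in
    rsa:*) openssl genpkey -algorithm RSA -pkeyopt "rsa_keygen_bits:${spec#rsa:}" -out "$dest/key.pem" 2>/dev/null ;;
    ec:*)  openssl genpkey -algorithm EC -pkeyopt "ec_paramgen_curve:${spec#ec:}" \
                   -pkeyopt ec_param_enc:named_curve -out "$dest/key.pem" 2>/dev/null ;;
    *)     echo "unknown key spec: $spec (use rsa:<bits> or ec:<curve>)" >&2; return 1 ;;
  esac
  chmod 600 "$dest/key.pem"
  # -addext puts the SAN list straight into the request, no throwaway config file needed
  openssl req -new -key "$dest/key.pem" -subj "/CN=$cn" -addext "subjectAltName=$san" -out "$dest/request.csr"
  echo "$dest/request.csr"
}

# Usage: make_csr ./tcs-www.example.org ec:prime256v1 "www.example.org, WILDCARD.example.org"
if [ $# -ge 3 ]; then make_csr "$@"; fi
```

The WILDCARD rule in the text (first label only, on its own) is enforced rather than assumed: "foo.WILDCARD.example.org" is rejected before any key is generated, so a typo cannot produce a request the CA would refuse or, worse, one for a name you did not intend.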

*** tcsg4-install-credential.sh
Unpack, regularise, and install personal and IGTF personal credentials

Convert the "p12" blob you get from Sectigo into useful formats with this
script. Never use the blob as-is, not even for import into a browser
or email client! - on Linux, MacOS, and Cygwin systems, always regularise
it first with the install script, or it may break both you and the world.
Especially useful for IGTF client certificates, as it also automatically
installs your unpacked credentials in .globus/!
See the step-by-step guide at
https://ca.dutchgrid.nl/tcs/TCS-enduser-request-guide-NL-2020-04.pdf
and the documentation pages from https://ca.dutchgrid.nl/tcs/

Usage: tcsg4-install-credential.sh [-d destdir] [-p passfile] [-r|-R] [-f]
                [-n name] [-b backupprefix] [--csr] <PKCS12.p12>

  -d destdir    write result files to <destdir>
                if <destdir> contains "globus", also make the
                symlinks userkey.pem and usercert.pem for GCT tools
  -p passfile   file with the password to use (same for input
                and for output PKCS#12 and private keys)
  -r            use EEC commonName as basis for new filenames
  -R            use EEC commonName and date as basis for filenames
  -f            do not make backups of existing files
  -n name       set friendly name of the credential in the corrected
                PKCS#12 (.p12) file produced. If unset, it is taken
                from the commonName of the EEC and the issuance date
  -b bckprefix  prefix of the filename to use when making backups
  --csr         generate a CSR request file for future use in destdir

  <PKCS12.p12>  filename of the blob produced by Sectigo

Notice: do NOT import the blob from Sectigo directly into
anything, since it will corrupt your key chain. Always use
the "package-<name>.p12" file created by this script.

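The unpack-and-repackage step this section describes, as an added example that is not the project's tcsg4-install-credential.sh: the blob is taken apart into usercert.pem, chain.pem and a re-encrypted userkey.pem with the file modes grid tools expect, and then rebuilt into a clean package.p12 whose friendlyName defaults to the EEC commonName plus issuance date. The function name install_p12, the output file names and the TCS_PASS environment variable are assumptions for this example; the passphrase is the first line of the passfile, as in the -p option above.

```bash
#!/bin/bash
# Added example, not the project's tcsg4-install-credential.sh: unpack the
# PKCS#12 blob into separate PEM files (certificate, chain, encrypted key),
# apply the file modes grid tools expect, and repackage it with a sensible
# friendlyName so that browsers and mail clients import a clean credential.
set -eu

# install_p12 <blob.p12> <destdir> <passfile> [friendlyname]
# The same passphrase (first line of <passfile>) protects the input blob,
# the written private key and the rebuilt package.p12. Prints the friendly name used.
install_p12() {
  blob=$1; dest=$2; pf=$3; name=${4:-}
  # OpenSSL reads the *second* line of a file given to both -passin and -passout
  # as the output password, so hand the single passphrase over via the environment
  # (env: keeps it out of the process list, unlike pass:).
  TCS_PASS=$(head -n 1 "$pf"); export TCS_PASS
  umask 077
  mkdir -p "$dest"

  # End-entity certificate only, stripped of "Bag Attributes" by a pass through x509
  openssl pkcs12 -in "$blob" -clcerts -nokeys -passin env:TCS_PASS 2>/dev/null |
    openssl x509 -out "$dest/usercert.pem"
  # CA certificates that travelled with the blob, if any
  openssl pkcs12 -in "$blob" -cacerts -nokeys -passin env:TCS_PASS -out "$dest/chain.pem" 2>/dev/null
  # Private key, re-encrypted under the same passphrase (never written in the clear)
  openssl pkcs12 -in "$blob" -nocerts -passin env:TCS_PASS -passout env:TCS_PASS -out "$dest/userkey.pem" 2>/dev/null
  chmod 400 "$dest/userkey.pem"
  chmod 644 "$dest/usercert.pem" "$dest/chain.pem"

  # Default friendly name: EEC commonName plus issuance date, as the -n option describes
  if [ -z "$name" ]; then
    cn=$(openssl x509 -in "$dest/usercert.pem" -noout -subject -nameopt RFC2253 | sed 's/.*CN=//; s/,.*//')
    issued=$(openssl x509 -in "$dest/usercert.pem" -noout -startdate | sed 's/^notBefore=//' | awk '{print $4 "-" $1 "-" $2}')
    name="$cn ($issued)"
  fi

  # Rebuild a clean PKCS#12. With -export, -in may hold several certificates: the one
  # matching the key becomes the credential, the others are carried along as the chain.
  cat "$dest/usercert.pem" "$dest/chain.pem" > "$dest/bundle.pem"
  openssl pkcs12 -export -name "$name" -inkey "$dest/userkey.pem" -in "$dest/bundle.pem" \
    -passin env:TCS_PASS -passout env:TCS_PASS -out "$dest/package.p12"
  rm -f "$dest/bundle.pem"
  unset TCS_PASS
  echo "$name"
}

# Usage: install_p12 certs.p12 ~/.globus ./passfile
if [ $# -ge 3 ]; then install_p12 "$@"; fi
```

The umask is set before anything is written so that the key never exists with wide permissions even briefly; the certificates are then opened up explicitly, which is the order the grid tools' 0400 key / 0644 certificate convention wants.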
-----------------------------------------------------------------------------
@(#)$Id$
Shell scripts by David Groep, Nikhef.
API tool sgcli.py by Dennis van Dok, Nikhef.
Apache 2.0 License - https://www.apache.org/licenses/LICENSE-2.0
