-----------------------------------------------------------------------------
TCS Generation 4 (2020 edition)
-----------------------------------------------------------------------------

About
-----
The "tcsg4" and "sg*" scripts are for use with the 4th generation GEANT TCS
service (using Sectigo as a back-end operator). The scripts for TCSG3, which
used DigiCert as a back-end, are available under tcsg3/, and may still be
useful for other DigiCert customers.
We apologize for the rather haphazard code layout, which is most certainly
'hackish' and originated as demonstrators or local scripts. We encourage
everyone to make improvements or do code cleanup. The shell scripts are
written so as to require minimal dependencies (usually only OpenSSL and
basic utilities like ls, awk, or grep).

! This also includes the scripts to request and retrieve certificates that are
! issued through the Sectigo interface SCM. Using SCM without fixing up what
! it returns to you can cause serious issues - always post-process server
! certificates issued by and retrieved via SCM to correct for the SCM bugs!

*** tcsg4-install-servercert.sh
Retrieve and regularize SSL server certificates for use

Import/regularisation script that rectifies certificate chain issues for
server certificates. Required for web servers to fix the ordering and get
appropriate chain files for Apache, IIS, and NGINX.

Usage: tcsg4-install-servercert.sh [-d destdir] [-r|-R] [-f]
           [-b backupprefix] <PKCS7.p7b> | EnrollmentID | p7b-URL

  -d destdir    write result files to <destdir>
  -r            use EEC commonName as basis for new filenames
  --no-rename   use the base filename of the P7B file for new filenames
  -R            use EEC commonName and date as basis for filenames
  -f            do not make backups of existing files
  -b bckprefix  prefix of the filename to use when making backups

  <PKCS7.p7b>   filename of the blob produced by Sectigo
                or URL to the PKCS#7 blob from the success email
                (https://cer.../ssl?action=download&sslId=1234567&format=bin)
                remember to "quote" the URL to preserve the ampersands
                or Self-Enrollment ID number (numeric)

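The chain-ordering step that makes an SCM bundle usable by Apache and NGINX, shown as an added example that is not tcsg4-install-servercert.sh itself: it reads a PEM bundle such as "openssl pkcs7 -print_certs -in blob.p7b" produces and emits the certificates leaf-first by following the issuer-to-subject links, using only sh, awk and openssl. The function name tcs_order_chain is hypothetical.

```shell
#!/bin/sh
# Added example (not tcsg4-install-servercert.sh): emit the certificates of a
# PEM bundle leaf-first, the order Apache and NGINX expect, using only sh, awk
# and openssl. Input: a PEM file such as "openssl pkcs7 -print_certs -in x.p7b"
# produces; any text outside the BEGIN/END blocks is ignored.
tcs_order_chain() {   # usage: tcs_order_chain bundle.pem > ordered.pem
    bundle=$1
    work=$(mktemp -d) || return 1
    # 1. split the bundle into cert-1.pem, cert-2.pem, ... (PEM blocks only)
    awk -v d="$work" '/-----BEGIN CERTIFICATE-----/ { n++; inblk = 1 }
                      inblk { print > (d "/cert-" n ".pem") }
                      /-----END CERTIFICATE-----/ { inblk = 0 }' "$bundle"
    # 2. index every certificate: <file> TAB <subject> TAB <issuer>
    for f in "$work"/cert-*.pem; do
        s=$(openssl x509 -in "$f" -noout -subject)
        i=$(openssl x509 -in "$f" -noout -issuer)
        printf '%s\t%s\t%s\n' "$f" "${s#subject=}" "${i#issuer=}"
    done > "$work/index"
    # 3. the end-entity certificate is the one that issued nothing else in the
    #    bundle (fall back to the first block for a lone self-signed cert)
    cur=$(awk -F'\t' 'NR == FNR { iss[$3] = 1; next }
                      !($2 in iss) { print $1; exit }' "$work/index" "$work/index")
    [ -n "$cur" ] || cur="$work/cert-1.pem"
    # 4. walk up: print the current cert, then look up the cert whose subject
    #    is its issuer; stop at a self-signed cert or when the issuer is missing
    while [ -n "$cur" ]; do
        cat "$cur"
        sub=$(awk -F'\t' -v f="$cur" '$1 == f { print $2 }' "$work/index")
        iss=$(awk -F'\t' -v f="$cur" '$1 == f { print $3 }' "$work/index")
        [ "$sub" = "$iss" ] && break
        cur=$(awk -F'\t' -v s="$iss" '$2 == s { print $1; exit }' "$work/index")
    done
    rm -rf "$work"
}
```

NGINX reads the ordered file directly as ssl_certificate; for Apache the first certificate is the server certificate and the remainder is the chain.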
*** tcsg4-request.sh
Create certificate requests (CSR) with alternative names

Create the most compatible CSRs that will work with both OV and EV requests
and for EV anchors. Supports unlimited alternative names, wildcard certs, and
can generate both RSA and ECC requests. Can be fed with the output of existing
certificates ("openssl x509 -text") and will automatically remove any "DNS:"
and superfluous commas in the list.
For ECC, use only P256 and P384. Sectigo does not support ec25519 :(

Usage: tcsg4-request.sh [-d destdir] hostname [hostname ...]

  -d destdir    write result files to <destdir>
                (default: ./tcs-<hostname>/)
  -b bits       use <bits> for RSA key length (default: 2048) or curve for
                ECC (e.g. "prime256v1", set explicitly)
  -f | --force  overwrite existing files
  -E | --ecc    generate ECC cert (remember to set -b to the curve!)

  hostname      hostname (FQDN) to be included in the request
                Any literal string "WILDCARD" will be replaced by
                a "*" in the hostname - it should ONLY be included as
                the first element of the fqdn, and MUST be on its own
                (the list of hostnames may be separated by spaces or commas)

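The name normalisation and request config described above, as an added example that is not tcsg4-request.sh's own code: it strips "DNS:" prefixes and stray commas, expands a leading WILDCARD label to "*" and rejects WILDCARD anywhere else, then writes an OpenSSL req config with every name in subjectAltName. The function names tcs_san_list, tcs_req_config and tcs_make_csr are hypothetical.

```shell
#!/bin/sh
# Added example (not tcsg4-request.sh): normalise a host name list and write
# an OpenSSL request config with every name in subjectAltName.
# Names may be separated by spaces or commas and may carry the "DNS:" prefix
# found in "openssl x509 -text" output; a literal WILDCARD is accepted only as
# the whole first label and becomes "*", anywhere else the name is rejected.
tcs_san_list() {
    printf '%s\n' "$@" | tr ', \t' '\n\n\n' | sed -e '/^$/d' -e 's/^DNS://' |
    awk '/^WILDCARD\./ { sub(/^WILDCARD/, "*") }
         /WILDCARD/    { print "rejected: " $0 > "/dev/stderr"; next }
         !seen[$0]++'                                # drop duplicates, keep order
}
# Config for "openssl req -new -config <file>": the first name is the CN and
# is repeated in the SAN list for maximum compatibility with OV/EV issuance.
tcs_req_config() {
    names=$(tcs_san_list "$@")
    [ -n "$names" ] || return 1
    cn=$(printf '%s\n' "$names" | head -n 1)
    printf '[req]\nprompt = no\ndistinguished_name = dn\nreq_extensions = ext\n'
    printf '[dn]\ncommonName = %s\n[ext]\nsubjectAltName = ' "$cn"
    printf '%s\n' "$names" | awk '{ printf "%sDNS:%s", (NR > 1 ? "," : ""), $0 } END { print "" }'
}
# Key and CSR in <destdir>; <alg> is an RSA size (e.g. 2048) or an ECC curve
# name (prime256v1 or secp384r1, the P256/P384 curves Sectigo accepts).
tcs_make_csr() {   # usage: tcs_make_csr destdir alg name [name ...]
    dest=$1; alg=$2; shift 2
    mkdir -p "$dest" && tcs_req_config "$@" > "$dest/request.cnf" || return 1
    case $alg in
        [0-9]*) openssl genrsa -out "$dest/key.pem" "$alg" ;;
        *)      openssl ecparam -name "$alg" -genkey -noout -out "$dest/key.pem" ;;
    esac && openssl req -new -config "$dest/request.cnf" -key "$dest/key.pem" -out "$dest/request.csr"
}
```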
*** tcsg4-install-credential.sh
Unpack, regularise, and install personal and IGTF personal credentials

Convert the "p12" blob you get from Sectigo into useful formats with the
script below. Never use the blob as-is, not even for import into a browser
or email client! - on Linux, MacOS, and Cygwin systems, always regularise
it first with the install script, or it may break both you and the world.
Especially useful for IGTF client certificates, as it also automatically
installs your .globus/ unpacked credentials!
See the step-by-step guide at
https://ca.dutchgrid.nl/tcs/TCS-enduser-request-guide-NL-2020-04.pdf
and the documentation pages from https://ca.dutchgrid.nl/tcs/

Usage: tcsg4-install-credential.sh [-d destdir] [-p passfile] [-r|-R] [-f]
           [-n name] [-b backupprefix] <PKCS12.p12>

  -d destdir    write result files to <destdir>
                if <destdir> contains "globus", also make the
                symlinks userkey.pem and usercert.pem for GCT tools
  -p passfile   file with the password to use (same for input
                and for output PKCS#12 and private keys)
  -r            use EEC commonName as basis for new filenames
  -R            use EEC commonName and date as basis for filenames
  -f            do not make backups of existing files
  -n name       set friendly name of the credential in the corrected
                PKCS#12 (.p12) file produced. If unset, it is taken
                from the commonName of the EEC and the issuance date
  -b bckprefix  prefix of the filename to use when making backups
  --csr         generate a CSR request file for future use in destdir

  <PKCS12.p12>  filename of the blob produced by Sectigo

  Notice: do NOT import the blob from Sectigo directly into
  anything, since it will corrupt your key chain. Always use
  the "package-<name>.p12" file created by this script

-----------------------------------------------------------------------------
@(#)$Id$
Shell scripts by David Groep, Nikhef.
API tool sgcli.py by Dennis van Dok, Nikhef.
Apache 2.0 License - https://www.apache.org/licenses/LICENSE-2.0