Initial commit

.gitignore

@@ -0,0 +1 @@
+openxpki-config/

Dockerfile

@@ -0,0 +1,40 @@
+FROM debian:buster
+
+ARG DEBIAN_FRONTEND=noninteractive
+ARG OPENXPKI_NOCONFIG=1
+
+RUN apt-get update && \
+    apt-get upgrade --assume-yes && \
+    apt-get install --assume-yes gpg libdbd-mysql-perl libapache2-mod-fcgid apache2 wget locales less gettext
+
+RUN rm /etc/locale.gen && \
+    (for lang in "en_US" "de_DE"; do echo "$lang.UTF-8 UTF-8" >> /etc/locale.gen; done) && \
+    dpkg-reconfigure --frontend=noninteractive locales
+
+RUN wget https://packages.openxpki.org/v3/debian/openxpki.list -O /etc/apt/sources.list.d/openxpki.list
+RUN wget https://packages.openxpki.org/v3/debian/Release.key -O - | apt-key add -
+RUN apt-get update && apt-get install --assume-yes libopenxpki-perl openxpki-i18n openxpki-cgi-session-driver 
+RUN apt-get clean
+
+# Hack to run rhel/sles configs in this container
+RUN /usr/bin/id -u www-data | xargs /usr/sbin/useradd apache -s /usr/sbin/nologin -b /var/www -g www-data -o -u
+RUN /usr/bin/id -u www-data | xargs /usr/sbin/useradd wwwrun -s /usr/sbin/nologin -b /var/www -g www-data -o -u
+
+ENV LANG=en_US.UTF-8 LANGUAGE=en_US:en LC_ALL=en_US.UTF-8
+VOLUME /var/log/openxpki /etc/openxpki
+WORKDIR /var/log/openxpki/
+RUN a2dissite 000-default; a2disconf serve-cgi-bin
+# look alike for the default apache setup from postinst to let a2ensite openxpki work
+RUN ln -s /etc/openxpki/contrib/apache2-openxpki-site.conf /etc/apache2/sites-available/openxpki.conf
+RUN ln -s ../sites-available/openxpki.conf /etc/apache2/sites-enabled/ 
+RUN a2enmod cgid fcgid headers rewrite ssl
+COPY bin/setup-cert.sh /usr/bin/setup-cert
+RUN chmod +x /usr/bin/setup-cert
+COPY bin/start-apache.sh /usr/bin/start-apache
+RUN chmod +x /usr/bin/start-apache
+COPY bin/update-i18n.sh /usr/bin/update-i18n
+RUN chmod +x /usr/bin/update-i18n
+
+CMD ["/usr/bin/openxpkictl","start","--no-detach"]
+
+EXPOSE 80 443

bin/setup-cert.sh

@@ -0,0 +1,104 @@
+#!/bin/bash
+BASE_PATH="/etc/openxpki/ca"
+
+#computes alias for identifier
+function alias_for_identifier() {
+  declare -n ret=$3
+  ret="$(openxpkiadm alias --realm "$1" | perl -0777 -ne "\$str=\$_; print \$str =~ /Alias\s*:\s*(.*)\s*\n\s*Identifier\s*:\s*$2/ ;")"
+}
+# carries out the whole import process
+# Parameters: [1]: realm (e.g. "ca-one") [2]: path to certificate file [3]: certificate type
+function import_cert() {
+  realm="$1"
+  file="$2"
+  type="$3"
+  echo "detected $type certificate for realm '$realm': $(basename "$file")"
+  #expected location of keyfile
+  key_file="$BASE_PATH/$realm/$(basename "$file" .crt).pem"
+  #extract optional generation parameter which is part of the file name
+  generation="$( echo "$file" | sed -rn 's/.*-([0-9]+)\.crt/\1/p')"
+  # calculate identifier for certificate
+  identifier="$(openxpkiadm certificate id --file "$file")"
+  # check if certificate is already imported
+  if openxpkicli get_cert --realm "$realm" --arg identifier="$identifier" >/dev/null 2>/dev/null; then
+    echo "IGNORING $file as it is already imported"
+  else
+      #import certificate with/without generation
+      if [ ! -z "$generation" ]; then
+        openxpkiadm certificate import --file "$file" --realm "$realm" --token "$type" --generation $generation
+      else
+        openxpkiadm certificate import --file "$file" --realm "$realm" --token "$type"
+      fi
+      if [ ! -f "$key_file" ]; then
+        echo "WARNING: '$realm'/$(basename "$file"): No matching key file exists"
+      else
+        #move keyfile to the right place so that it can be found by openxpki
+        alias=""
+        alias_for_identifier "$realm" "$identifier" alias
+        cp -n "$key_file" "$BASE_PATH/$realm/$alias.pem"
+      fi
+  fi
+
+}
+
+function do_realm_dir() {
+  realm_dir="$1"
+  realm="$(basename "$realm_dir")"
+  if openxpkiadm certificate list --realm "$realm" >/dev/null; then
+    # regular expressions for finding the right files
+    root_regex=".*/root\(-[0-9]*\)\{0,1\}\.crt"
+    vault_regex=".*/vault\(-[0-9]*\)\{0,1\}\.crt"
+    issuing_regex=".*/ca-signer\(-[0-9]*\)\{0,1\}\.crt"
+    scep_regex=".*/scep\(-[0-9]*\)\{0,1\}\.crt"
+
+    # look for global vault cert/key in ../
+    for f in $(find "$BASE_PATH" -mindepth 1 -maxdepth 1 -type f -regextype sed -iregex "$vault_regex"); do
+        key_file="$BASE_PATH/$(basename "$f" .crt).pem"
+        if [ -f "$key_file" ]; then
+          vault_identifier="$(openxpkiadm certificate id --file "$f")"
+          if openxpkicli get_cert --realm "$realm" --arg identifier="$vault_identifier" >/dev/null 2>/dev/null; then
+            echo "vault certificate already imported"
+          else
+            # import vault certificate globally
+            openxpkiadm certificate import --file "$f"
+            #set realm alias
+            openxpkiadm alias --realm "$realm" --token datasafe --identifier "$vault_identifier"
+            alias=""
+            alias_for_identifier "$realm" "$identifier" alias
+            cp -n "$key_file" "$BASE_PATH/$alias.pem"
+          fi
+        else
+          echo "IGNORING $(basename "$f"): No matching key file exists"
+        fi
+    done
+    #import root certificate
+    for f in $(find "$realm_dir" -mindepth 1 -maxdepth 1 -type f -regextype sed -iregex "$root_regex"); do
+      root_identifer="$(openxpkiadm certificate id --file "$f")"
+      if openxpkicli get_cert --realm "$realm" --arg identifier="$root_identifer" >/dev/null 2>/dev/null; then
+        echo "root certificate already imported"
+      else
+        echo "importing root"
+        openxpkiadm certificate import --file "$f"
+      fi
+      # add all roots to the tls chain
+      chainfile="/etc/openxpki/tls/chain/$root_identifer.crt"
+      -e $chainfile || cp $f $chainfile
+    done
+    c_rehash /etc/openxpki/tls/chain/
+    #generic import of certsign/scep tokens
+    for f in $(find "$realm_dir" -mindepth 1 -maxdepth 1 -type f -regextype sed -iregex "$scep_regex"); do
+      import_cert "$realm" "$f" "scep"
+    done
+    for f in $(find "$realm_dir" -mindepth 1 -maxdepth 1 -type f -regextype sed -iregex "$issuing_regex"); do
+      import_cert "$realm" "$f" "certsign"
+    done
+
+  else
+    echo "IGNORING directory $realm ..."
+  fi
+}
+
+#look for realm folders and export contained certificates
+for D in $(find "$BASE_PATH" -mindepth 1 -maxdepth 1 -type d); do
+  do_realm_dir "$D"
+done

bin/start-apache.sh

@@ -0,0 +1,97 @@
+#!/bin/bash
+CONFIG_CERT_PATH="/etc/openxpki/contrib/https"
+
+SSL_CERT_FILE="/etc/openxpki/tls/endentity/openxpki.crt"
+SSL_KEY_FILE="/etc/openxpki/tls/private/openxpki.pem"
+
+# subj for self-signed certificate
+CERT_SUBJ="/CN=OpenXPKI Test"
+# host names:
+DNS1="DNS.1 = localhost"
+DNS2="DNS.2 = openxpki"
+DNS3=""
+
+# cleanup pid file for apache
+rm -f /run/apache2/apache2.pid
+
+# handle cert file: check if corresponding key file exists and copy certificate+key to the right places
+function handle_cert_file() {
+    cert_file=$1
+    key_file="$(dirname $cert_file)/$(basename $cert_file .crt).pem"
+    # make sure all directories exist
+    mkdir -p `dirname "$SSL_CERT_FILE"`
+    mkdir -p `dirname "$SSL_KEY_FILE"`
+    if [ -f "$key_file" ]; then
+      # copy certificate and keys to apache directories
+      echo "using certificate '$cert_file' with key '$key_file' for apache"
+      cp "$cert_file" "$SSL_CERT_FILE"
+      cp "$key_file" "$SSL_KEY_FILE"
+    else
+      # if corresponding key file is missing -> exit
+      echo "[ERROR] could not find matching key file '$key_file' for certificate '$cert_file'"
+      exit 1
+    fi
+}
+# call handle_cert_file for every found certificate in CONFIG_CERT_PATH
+function handle_cert_files(){
+    for f in $(find "$CONFIG_CERT_PATH" -mindepth 1 -maxdepth 1 -type f -regextype sed -iregex ".*\.crt"); do
+      handle_cert_file $f
+    done
+}
+# generate self signed certificate and store it into CONFIG_CERT_PATH
+function generate_self_signed (){
+  TMP_FILE="/tmp/self-signed.cnf"
+  echo "authorityKeyIdentifier=keyid,issuer
+  basicConstraints=CA:FALSE
+  distinguished_name = subject
+  keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
+  [ req_san ]
+  subjectAltName = @alt_names
+  [ subject ]
+  CN=OpenXPKI Test
+  [ alt_names ]
+  $DNS1
+  $DNS2
+  $DNS3
+  " > "$TMP_FILE"
+  openssl req -config "$TMP_FILE" -extensions req_san -new -x509 -sha256 -newkey rsa:2048 -nodes -keyout "/tmp/self-signed.pem" -subj "$CERT_SUBJ" -days 365 -out  "/tmp/self-signed.crt"
+  handle_cert_file /tmp/self-signed.crt
+}
+
+# count available certificate files
+if [ -d "$CONFIG_CERT_PATH" ]; then
+    crt_count="$(find "$CONFIG_CERT_PATH" -mindepth 1 -maxdepth 1 -type f -regextype sed -iregex ".*\.crt" | wc -l)"
+else
+    crt_count=0
+fi
+if [ $crt_count != 1 ]; then
+  if [ $crt_count = 0 ]; then
+    # nothing to import, check if there is already one
+    if [ ! -e "$SSL_CERT_FILE" ] || [ ! -f "$SSL_KEY_FILE" ]; then
+        echo "No certificate found, generating self-signed"
+        generate_self_signed
+    fi
+  else
+    # multiple certificates available -> exit
+    echo "[ERROR] Found too much($crt_count) possible SSL certificates, expected 1"
+    exit 1
+  fi
+else
+  #exactly one certificate found -> use it
+  handle_cert_files
+fi
+
+if [ ! -d /etc/openxpki/tls/chain/ ]; then
+    mkdir -p /etc/openxpki/tls/chain/
+    openssl req -x509 -keyout /dev/null -subj "/CN=Placeholder for TLS Client Auth" -newkey rsa:2048 -nodes -out /etc/openxpki/tls/chain/dummy.crt
+    c_rehash /etc/openxpki/tls/chain/
+fi;
+
+# check if i18n update is requested
+test -e /etc/openxpki/i18n/.update && /usr/bin/update-i18n && rm -f /etc/openxpki/i18n/.update
+
+# avoid permission problems with the log volume 
+chmod 4777 /var/log/openxpki
+
+# finally: start apache
+/usr/sbin/apache2ctl -D FOREGROUND

bin/update-i18n.sh

@@ -0,0 +1,11 @@
+#!/bin/bash
+test -d /etc/openxpki/i18n/ || exit;
+
+for lang in `ls /etc/openxpki/i18n/`; do
+    echo "Update i18n for $lang"
+    FILES=`ls /etc/openxpki/i18n/$lang/*.po`
+    test -e /etc/openxpki/contrib/i18n/$lang/openxpki.po && FILES+=" /etc/openxpki/contrib/i18n/$lang/openxpki.po"
+    mkdir -m755 -p /usr/share/locale/$lang/LC_MESSAGES/
+    msgcat --use-first $FILES | msgfmt - -o /usr/share/locale/$lang/LC_MESSAGES/openxpki.mo
+done;
+

config.env.dist

@@ -0,0 +1,23 @@
+#!/bin/sh
+
+# OpenXPKI Install Settings
+COMPANY_NAME="Swissmakers"
+REALM="swissmakers";
+FQDN="pki.swissmakers.corp";
+
+# Generate a new password with: podman exec -it openxpki_server openxpkiadm hashpwd
+TEST_ACC_PASSWD="{ssha256}xRhKru9YTCWoC+A9jCTui7ABZDHNKjfY9rSD4oI1f7dlR2J6OUF3ZHhDUEpTZFpWdzljdE1nPT0=";
+
+# unset this to get random passwords for all your private-keys (put into the .pass files)
+KEY_PASSWORD="thisshouldbeaverysecurepassword"
+
+# Do not edit below here:
+OPENXPKI_SRC_DIR="openxpki-config";
+OPENXPKI_CONFIG_DIR="/opt/openxpki/config";
+
+## Realm
+REALM_LONG_NAME="${FQDN}";
+REALM_URL="https://${FQDN}/openxpki/";
+
+# The profile cert expiration for the certificate profiles, must be before the CA Issuer expires
+PROFILE_CERT_EXPIR="0006"; 

do_config.sh

@@ -0,0 +1,500 @@
+#!/bin/bash
+
+source ./config.env
+
+echo "================================================================"
+echo "Did ou configure your './config.env' before running this script?"
+echo "================================================================"
+
+while true; do
+    read -p "Do you want to continue? y/N: " answer
+    if [[ $answer == "y" ]]; then
+        break
+    else
+        echo "Aborting..."
+	exit 1
+    fi
+done
+
+dnf -y install git-core;
+
+echo "Checking for already deployed stuff and container and cleanup all.."
+
+podman pod kill "openxpki_pod"
+podman pod rm -f "openxpki_pod"
+
+if [ -d $OPENXPKI_CONFIG_DIR ] ; then
+    echo "Found old $OPENXPKI_CONFIG_DIR - deleting.";
+    rm -Rf /opt/openxpki/
+    echo "Creating empty folders."
+    mkdir -p /opt/openxpki/{db,dbsock,pkisock,log}
+else
+    echo "No old deployments found - Creating from scratch."
+    mkdir -p /opt/openxpki/{db,dbsock,pkisock,log}
+fi
+
+if [ -d $OPENXPKI_SRC_DIR ] ; then
+    echo "Importing already cloned openxpki-config to $OPENXPKI_CONFIG_DIR";
+    cp -R $OPENXPKI_SRC_DIR $OPENXPKI_CONFIG_DIR;
+else
+    echo "Cloning new copy of openxpki-config.."
+   git clone  https://github.com/openxpki/openxpki-config --single-branch --branch=community
+    cp contrib/wait_on_init.yaml openxpki-config/config.d/system/local.yaml
+    echo "Importing freshly cloned openxpki-config to $OPENXPKI_CONFIG_DIR";
+    cp -R $OPENXPKI_SRC_DIR $OPENXPKI_CONFIG_DIR;
+fi
+
+echo "Starting to set up openxpki-config..";
+
+if [ -d $OPENXPKI_CONFIG_DIR ] ; then
+
+    echo "Update realms.yaml to reference our realm"
+    sed -i "s/^democa/$REALM/" $OPENXPKI_CONFIG_DIR/config.d/system/realms.yaml;
+    sed -i "s/label\:.*$/label: ${REALM_LONG_NAME}/" $OPENXPKI_CONFIG_DIR/config.d/system/realms.yaml;
+    sed -i "s~baseurl:.*$~baseurl: ${REALM_URL}~" $OPENXPKI_CONFIG_DIR/config.d/system/realms.yaml;
+
+    echo "Move the sample realm-tree folder to our realm"
+    rm -f $OPENXPKI_CONFIG_DIR/config.d/realm/democa
+    mv $OPENXPKI_CONFIG_DIR/config.d/realm.tpl $OPENXPKI_CONFIG_DIR/config.d/realm/$REALM/;
+    mkdir -p ${OPENXPKI_CONFIG_DIR}/local/keys
+
+    echo "Set certificate expiration date in realm/profile/*.yaml"
+    sed -i "s~notafter\:.*$~notafter: +{$PROFILE_CERT_EXPIR}~" $OPENXPKI_CONFIG_DIR/config.d/realm/$REALM/profile/*.yaml;
+
+    # Change password for TEST accounts
+    sed -i "s~digest:.*$~digest: \"${TEST_ACC_PASSWD}\"~" $OPENXPKI_CONFIG_DIR/config.d/realm/$REALM/auth/handler.yaml;
+
+    echo "Update scep/default.conf to reference our realm"
+    sed -i "s/^realm = .*$/realm = ${REALM}/" $OPENXPKI_CONFIG_DIR/scep/default.conf;
+
+    echo "Update all other files to reference our realm"
+
+    sed -i "s/democa/${REALM}/g" ${OPENXPKI_CONFIG_DIR}/config/config.d/realm/${REALM}/auth/handler.yaml \
+    ${OPENXPKI_CONFIG_DIR}/config/rpc/default.conf \
+    ${OPENXPKI_CONFIG_DIR}/config/rpc/enroll.conf \
+    ${OPENXPKI_CONFIG_DIR}/config/rpc/public.conf \
+    ${OPENXPKI_CONFIG_DIR}/config/est/default.conf \
+    ${OPENXPKI_CONFIG_DIR}/config/contrib/sampleconfig.sh \
+    ${OPENXPKI_CONFIG_DIR}/config/webui/default.conf
+else
+    echo "Error could not make configurations - missing files..."
+    exit 1
+fi
+
+OPENXPKI_CONFIG="${OPENXPKI_CONFIG_DIR}/config.d/system/server.yaml"
+if [ -f "${OPENXPKI_CONFIG}" ]
+then
+   eval `egrep '^user:|^group:' "${OPENXPKI_CONFIG}" | sed -e 's/:  */=/g'`
+else
+   echo "ERROR: It seems that openXPKI is not installed at the default location (${OPENXPKI_CONFIG_DIR})!" >&2
+   echo "Please install OpenXPKI or set OPENXPKI_CONFIG_DIR to the new PATH!" >&2
+   exit 1
+fi
+
+CA_DIR="${OPENXPKI_CONFIG_DIR}/ca"
+CONTAINER_CA_DIR="/etc/openxpki/ca"
+
+make_password() {
+
+    PASSWORD_FILE=$1;
+    touch "${PASSWORD_FILE}"
+    chown $user:root "${PASSWORD_FILE}"
+    chmod 640 "${PASSWORD_FILE}"
+    if [ -z "$KEY_PASSWORD" ]; then
+        dd if=/dev/urandom bs=32 count=1 2>/dev/null | base64 >"${PASSWORD_FILE}"
+    else
+        echo -n "$KEY_PASSWORD" > "${PASSWORD_FILE}"
+    fi;
+
+}
+
+# CA and certificate settings
+#
+
+BACKUP_SUFFIX='~'
+GENERATION=$(date +%Y%m%d)
+
+# root CA selfsigned
+ROOT_CA="${COMPANY_NAME}_Root_CA"
+ROOT_CA_REQUEST="${CA_DIR}/${ROOT_CA}.csr"
+ROOT_CA_KEY="${CA_DIR}/${ROOT_CA}.key"
+ROOT_CA_KEY_PASSWORD="${CA_DIR}/${ROOT_CA}.pass"
+ROOT_CA_CERTIFICATE="${CA_DIR}/${ROOT_CA}.crt"
+ROOT_CA_CERTIFICATE_POD="${CONTAINER_CA_DIR}/${ROOT_CA}.crt"
+ROOT_CA_SUBJECT="/CN=${COMPANY_NAME} Root CA ${GENERATION}"
+ROOT_CA_SERVER_FQDN="${FQDN}"
+
+# issuing CA signed by root CA above
+ISSUING_CA="${COMPANY_NAME}_Issuing_CA"
+ISSUING_CA_REQUEST="${CA_DIR}/${ISSUING_CA}.csr"
+ISSUING_CA_KEY="${CA_DIR}/${ISSUING_CA}.key"
+ISSUING_CA_KEY_POD="${CONTAINER_CA_DIR}/${ISSUING_CA}.key"
+ISSUING_CA_KEY_PASSWORD="${CA_DIR}/${ISSUING_CA}.pass"
+ISSUING_CA_CERTIFICATE="${CA_DIR}/${ISSUING_CA}.crt"
+ISSUING_CA_CERTIFICATE_POD="${CONTAINER_CA_DIR}/${ISSUING_CA}.crt"
+ISSUING_CA_SUBJECT="/C=CH/O=${COMPANY_NAME}/OU=PKI/CN=${COMPANY_NAME} Issuing CA ${GENERATION}"
+
+# SCEP registration authority certificate signed by root CA above
+SCEP="${COMPANY_NAME}_SCEP_RA"
+SCEP_REQUEST="${CA_DIR}/${SCEP}.csr"
+SCEP_KEY="${CA_DIR}/${SCEP}.key"
+SCEP_KEY_POD="${CONTAINER_CA_DIR}/${SCEP}.key"
+SCEP_KEY_PASSWORD="${CA_DIR}/${SCEP}.pass"
+SCEP_CERTIFICATE="${CA_DIR}/${SCEP}.crt"
+SCEP_CERTIFICATE_POD="${CONTAINER_CA_DIR}/${SCEP}.crt"
+SCEP_SUBJECT="/CN=${FQDN}:scep-ra"
+
+# Apache WEB certificate signed by root CA above
+WEB="${COMPANY_NAME}_WebUI"
+WEB_REQUEST="${CA_DIR}/${WEB}.csr"
+WEB_KEY="${CA_DIR}/${WEB}.key"
+WEB_KEY_PASSWORD="${CA_DIR}/${WEB}.pass"
+WEB_CERTIFICATE="${CA_DIR}/${WEB}.crt"
+WEB_SUBJECT="/CN=${FQDN}"
+WEB_SERVER_FQDN="${FQDN}"
+
+# data vault certificate selfsigned
+DATAVAULT="${COMPANY_NAME}_DataVault"
+DATAVAULT_REQUEST="${CA_DIR}/${DATAVAULT}.csr"
+DATAVAULT_KEY="${CA_DIR}/${DATAVAULT}.key"
+DATAVAULT_KEY_POD="${CONTAINER_CA_DIR}/${DATAVAULT}.key"
+DATAVAULT_KEY_PASSWORD="${CA_DIR}/${DATAVAULT}.pass"
+DATAVAULT_CERTIFICATE="${CA_DIR}/${DATAVAULT}.crt"
+DATAVAULT_CERTIFICATE_POD="${CONTAINER_CA_DIR}/${DATAVAULT}.crt"
+DATAVAULT_SUBJECT='/CN=DataVault'
+
+#
+# openssl.conf
+#
+BITS=4096
+DAYS=730 # 2 years (default value not used for further enhancements)
+RDAYS="3655" # 10 years for root
+IDAYS="1828" # 5 years for issuing
+SDAYS="365" # 1 years for scep
+WDAYS="1096" # 3 years web
+DDAYS="$RDAYS" # 10 years datavault (same a root)
+
+# creation neccessary directories and files
+echo -n "creating configuration for openssl ($OPENSSL_CONF) .. "
+test -d "${CA_DIR}" || mkdir -m 755 -p "${CA_DIR}" && chown ${user}:root "${CA_DIR}"
+OPENSSL_DIR="${CA_DIR}/.openssl"
+test -d "${OPENSSL_DIR}" || mkdir -m 700 "${OPENSSL_DIR}" && chown root:root "${OPENSSL_DIR}"
+cd "${OPENSSL_DIR}";
+
+OPENSSL_CONF="${OPENSSL_DIR}/openssl.cnf"
+
+touch "${OPENSSL_DIR}/index.txt"
+touch "${OPENSSL_DIR}/index.txt.attr"
+echo 00 > "${OPENSSL_DIR}/crlnumber"
+
+echo "
+HOME			= .
+RANDFILE		= \$ENV::HOME/.rnd
+
+[ ca ]
+default_ca		= CA_default
+
+[ CA_default ]
+dir			= ${OPENSSL_DIR}
+certs			= ${OPENSSL_DIR}/certs
+crl_dir			= ${OPENSSL_DIR}/
+database		= ${OPENSSL_DIR}/index.txt
+new_certs_dir		= ${OPENSSL_DIR}/
+serial			= ${OPENSSL_DIR}/serial
+crlnumber		= ${OPENSSL_DIR}/crlnumber
+
+crl			= ${OPENSSL_DIR}/crl.pem
+private_key		= ${OPENSSL_DIR}/cakey.pem
+RANDFILE		= ${OPENSSL_DIR}/.rand
+
+default_md		= sha256
+preserve		= no
+policy			= policy_none
+default_days		= ${DAYS}
+
+# x509_extensions               = v3_ca_extensions
+# x509_extensions               = v3_issuing_extensions
+# x509_extensions               = v3_datavault_extensions
+# x509_extensions               = v3_scep_extensions
+# x509_extensions               = v3_web_extensions
+
+[policy_none]
+countryName             = optional
+organizationName        = optional
+domainComponent		= optional
+organizationalUnitName	= optional
+commonName		= supplied
+
+[ req ]
+default_bits		= ${BITS}
+distinguished_name	= req_distinguished_name
+
+# x509_extensions               = v3_ca_reqexts # not for root self signed, only for issuing
+## x509_extensions              = v3_datavault_reqexts # not required self signed
+# x509_extensions               = v3_scep_reqexts
+# x509_extensions               = v3_web_reqexts
+
+[ req_distinguished_name ]
+domainComponent		= Domain Component
+commonName		= Common Name
+
+[ v3_ca_reqexts ]
+subjectKeyIdentifier    = hash
+keyUsage                = digitalSignature, keyCertSign, cRLSign
+
+[ v3_datavault_reqexts ]
+subjectKeyIdentifier    = hash
+keyUsage                = keyEncipherment
+extendedKeyUsage        = emailProtection
+
+[ v3_scep_reqexts ]
+subjectKeyIdentifier    = hash
+
+[ v3_web_reqexts ]
+subjectKeyIdentifier    = hash
+keyUsage                = critical, digitalSignature, keyEncipherment
+extendedKeyUsage        = serverAuth, clientAuth
+
+
+[ v3_ca_extensions ]
+subjectKeyIdentifier    = hash
+keyUsage                = digitalSignature, keyCertSign, cRLSign
+basicConstraints        = critical,CA:TRUE
+authorityKeyIdentifier  = keyid:always,issuer
+
+[ v3_issuing_extensions ]
+subjectKeyIdentifier    = hash
+keyUsage                = digitalSignature, keyCertSign, cRLSign
+basicConstraints        = critical,CA:TRUE
+authorityKeyIdentifier  = keyid:always,issuer:always
+#crlDistributionPoints	= ${ROOT_CA_REVOCATION_URI}
+#authorityInfoAccess	= caIssuers;${ROOT_CA_CERTIFICATE_URI}
+
+[ v3_datavault_extensions ]
+subjectKeyIdentifier    = hash
+keyUsage                = keyEncipherment
+extendedKeyUsage        = emailProtection
+basicConstraints        = CA:FALSE
+authorityKeyIdentifier  = keyid:always,issuer
+
+[ v3_scep_extensions ]
+subjectKeyIdentifier    = hash
+keyUsage                = digitalSignature, keyEncipherment
+basicConstraints        = CA:FALSE
+authorityKeyIdentifier  = keyid,issuer
+
+[ v3_web_extensions ]
+subjectKeyIdentifier    = hash
+keyUsage                = critical, digitalSignature, keyEncipherment
+extendedKeyUsage        = serverAuth, clientAuth
+basicConstraints        = critical,CA:FALSE
+subjectAltName		= DNS:${WEB_SERVER_FQDN}
+#crlDistributionPoints	= ${ISSUING_REVOCATION_URI}
+#authorityInfoAccess	= caIssuers;${ISSUING_CERTIFICATE_URI}
+" > "${OPENSSL_CONF}"
+
+echo "done."
+
+[ "$Debug" = 'true' ] || exec 2>/dev/null
+echo "================================================================"
+echo "Creating certificates .. "
+
+# self signed root
+if [ ! -e "${ROOT_CA_CERTIFICATE}" ]
+then
+   echo "Did not find a root ca certificate file."
+   echo -n "Creating an own self signed root ca .. "
+   test -f "${ROOT_CA_KEY}" && \
+    mv "${ROOT_CA_KEY}" "${ROOT_CA_KEY}${BACKUP_SUFFIX}"
+   test -f "${ROOT_CA_KEY_PASSWORD}" && \
+    mv "${ROOT_CA_KEY_PASSWORD}" "${ROOT_CA_KEY_PASSWORD}${BACKUP_SUFFIX}"
+   make_password "${ROOT_CA_KEY_PASSWORD}"
+   openssl req -verbose -config "${OPENSSL_CONF}" -extensions v3_ca_extensions -batch -x509 -newkey rsa:$BITS -days ${RDAYS} -passout file:"${ROOT_CA_KEY_PASSWORD}" -keyout "${ROOT_CA_KEY}" -subj "${ROOT_CA_SUBJECT}" -out "${ROOT_CA_CERTIFICATE}"
+   echo "done."
+fi
+
+# signing certificate (issuing)
+if [ ! -e "${ISSUING_CA_KEY}" ]
+then
+   echo "Did not find existing issuing CA key file."
+   echo -n "Creating an issuing CA request .. "
+   test -f "${ISSUING_CA_REQUEST}" && \
+    mv "${ISSUING_CA_REQUEST}" "${ISSUING_CA_REQUEST}${BACKUP_SUFFIX}"
+   make_password "${ISSUING_CA_KEY_PASSWORD}"
+   openssl req -verbose -config "${OPENSSL_CONF}" -reqexts v3_ca_reqexts -batch -newkey rsa:$BITS -passout file:"${ISSUING_CA_KEY_PASSWORD}" -keyout "${ISSUING_CA_KEY}" -subj "${ISSUING_CA_SUBJECT}" -out "${ISSUING_CA_REQUEST}"
+   echo "done."
+   if [ -e "${ROOT_CA_KEY}" ]
+   then
+      echo -n "Signing issuing certificate with own root CA .. "
+      test -f "${ISSUING_CA_CERTIFICATE}" && \
+       mv "${ISSUING_CA_CERTIFICATE}" "${ISSUING_CA_CERTIFICATE}${BACKUP_SUFFIX}"
+      openssl ca -create_serial -config "${OPENSSL_CONF}" -extensions v3_issuing_extensions -batch -days ${IDAYS} -in "${ISSUING_CA_REQUEST}" -cert "${ROOT_CA_CERTIFICATE}" -passin file:"${ROOT_CA_KEY_PASSWORD}" -keyfile "${ROOT_CA_KEY}" -out "${ISSUING_CA_CERTIFICATE}"
+      echo "done."
+   else
+      echo "No '${ROOT_CA_KEY}' key file!"
+      echo "please sign generated request with the company's root CA key"
+      exit 0
+   fi
+else
+   if [ ! -e "${ISSUING_CA_CERTIFICATE}" ]
+   then
+      echo "No '${ISSUING_CA_CERTIFICATE}' certificate file!"
+      if [ ! -e "${ROOT_CA_KEY}" ]
+      then
+         echo "No '${ROOT_CA_KEY}' key file!"
+         echo "please sign generated request with the company's root CA key"
+         exit 0
+      else
+         echo -n "Signing issuing certificate with own root CA .. "
+         openssl ca -create_serial -config "${OPENSSL_CONF}" -extensions v3_issuing_extensions -batch -days ${IDAYS} -in "${ISSUING_CA_REQUEST}" -cert "${ROOT_CA_CERTIFICATE}" -passin file:"${ROOT_CA_KEY_PASSWORD}" -keyfile "${ROOT_CA_KEY}" -out "${ISSUING_CA_CERTIFICATE}"
+         echo "done."
+      fi
+   fi
+fi
+
+# Data Vault is only used internally, use self signed
+if [ ! -e "${DATAVAULT_KEY}" ]
+then
+   echo "Did not find existing DataVault certificate file."
+   echo -n "Creating a self signed DataVault certificate .. "
+   test -f "${DATAVAULT_CERTIFICATE}" && \
+    mv "${DATAVAULT_CERTIFICATE}" "${DATAVAULT_CERTIFICATE}${BACKUP_SUFFIX}"
+   make_password "${DATAVAULT_KEY_PASSWORD}"
+   openssl req -verbose -config "${OPENSSL_CONF}" -extensions v3_datavault_extensions -batch -x509 -newkey rsa:$BITS -days ${DDAYS} -passout file:"${DATAVAULT_KEY_PASSWORD}" -keyout "${DATAVAULT_KEY}" -subj "${DATAVAULT_SUBJECT}" -out "${DATAVAULT_CERTIFICATE}"
+   echo "done."
+fi
+
+# scep certificate
+if [ ! -e "${SCEP_KEY}" ]
+then
+   echo "Did not find existing SCEP certificate file."
+   echo -n "Creating a SCEP request .. "
+   test -f "${SCEP_REQUEST}" && \
+    mv "${SCEP_REQUEST}" "${SCEP_REQUEST}${BACKUP_SUFFIX}"
+   openssl req -verbose -config "${OPENSSL_CONF}" -reqexts v3_scep_reqexts -batch -newkey rsa:$BITS -nodes -keyout "${SCEP_KEY}" -subj "${SCEP_SUBJECT}" -out "${SCEP_REQUEST}"
+   echo "done."
+   echo -n "Signing SCEP certificate with Issuing CA .. "
+   test -f "${SCEP_CERTIFICATE}" && \
+    mv "${SCEP_CERTIFICATE}" "${SCEP_CERTIFICATE}${BACKUP_SUFFIX}"
+   openssl ca -create_serial -config "${OPENSSL_CONF}" -extensions v3_scep_extensions -batch -days ${SDAYS} -in "${SCEP_REQUEST}" -cert "${ISSUING_CA_CERTIFICATE}" -passin file:"${ISSUING_CA_KEY_PASSWORD}" -keyfile "${ISSUING_CA_KEY}" -out "${SCEP_CERTIFICATE}"
+   echo "done."
+fi
+
+# web certificate
+if [ ! -e "${WEB_KEY}" ]
+then
+   echo "Did not find existing WEB certificate file."
+   echo -n "Creating a Web request .. "
+   test -f "${WEB_REQUEST}" && \
+    mv "${WEB_REQUEST}" "${WEB_REQUEST}${BACKUP_SUFFIX}"
+   openssl req -verbose -config "${OPENSSL_CONF}" -reqexts v3_web_reqexts -batch -newkey rsa:$BITS -nodes -keyout "${WEB_KEY}" -subj "${WEB_SUBJECT}" -out "${WEB_REQUEST}"
+   echo "done."
+   echo -n "Signing Web certificate with Issuing CA .. "
+   test -f "${WEB_CERTIFICATE}" && \
+    mv "${WEB_CERTIFICATE}" "${WEB_CERTIFICATE}${BACKUP_SUFFIX}"
+   openssl ca -create_serial -config "${OPENSSL_CONF}" -extensions v3_web_extensions -batch -days ${WDAYS} -in "${WEB_REQUEST}" -cert "${ISSUING_CA_CERTIFICATE}" -passin file:"${ISSUING_CA_KEY_PASSWORD}" -keyfile "${ISSUING_CA_KEY}" -out "${WEB_CERTIFICATE}"
+   echo "done."
+fi
+
+cd $OLDPWD;
+# rm $TMP/*;
+# rmdir $TMP;
+
+# chown/chmod
+chmod 400 ${CA_DIR}/*.pass
+chmod 440 ${CA_DIR}/*.key
+chmod 444 ${CA_DIR}/*.crt
+chown root:root ${CA_DIR}/*.csr ${CA_DIR}/*.key ${CA_DIR}/*.pass
+chown root:${group} ${CA_DIR}/*.crt ${CA_DIR}/*.key
+echo "================================================================"
+
+if [ ! -e "${OPENXPKI_CONFIG_DIR}/tls/chain" ]; then
+    mkdir -m755 -p ${OPENXPKI_CONFIG_DIR}/tls/chain
+    cp ${ROOT_CA_CERTIFICATE} ${OPENXPKI_CONFIG_DIR}/tls/chain/
+    cp ${ISSUING_CA_CERTIFICATE} ${OPENXPKI_CONFIG_DIR}/tls/chain/
+    c_rehash ${OPENXPKI_CONFIG_DIR}/tls/chain/
+fi
+
+if [ ! -e "${OPENXPKI_CONFIG_DIR}/tls/endentity/openxpki.crt" ]; then
+    mkdir -m755 -p ${OPENXPKI_CONFIG_DIR}/tls/endentity
+    mkdir -m700 -p ${OPENXPKI_CONFIG_DIR}/tls/private
+    cp ${WEB_CERTIFICATE} ${OPENXPKI_CONFIG_DIR}/tls/endentity/openxpki.crt
+    cat ${ISSUING_CA_CERTIFICATE} >> ${OPENXPKI_CONFIG_DIR}/tls/endentity/openxpki.crt
+    cp ${WEB_KEY} ${OPENXPKI_CONFIG_DIR}/tls/private/openxpki.pem
+    chmod 400 ${OPENXPKI_CONFIG_DIR}/tls/private/openxpki.pem
+fi
+
+
+
+echo "================================================================"
+echo -n "Starting servers before running import ... "
+
+echo "Create new openxpki Pod"
+podman pod create --name openxpki_pod -p 8080:80 -p 8443:443
+
+echo "Creating and start MariaDB container"
+podman run -d --pod openxpki_pod \
+  --name openxpki_db \
+  -v /opt/openxpki/db:/var/lib/mysql:z \
+  -v /opt/openxpki/dbsock:/var/run/mysqld:z \
+  -v /opt/openxpki/config/contrib/sql/schema-mariadb.sql:/docker-entrypoint-initdb.d/schema-mariadb.sql:z \
+  -e MYSQL_DATABASE=openxpki \
+  -e MYSQL_USER=openxpki \
+  -e MYSQL_PASSWORD=openxpki \
+  -e MYSQL_ROOT_PASSWORD=topsecret \
+  mariadb:10 \
+  --default-authentication-plugin=mysql_native_password
+
+echo "Creating and start OpenXPKI Server container"
+
+podman run -d --pod openxpki_pod \
+  --name openxpki_server \
+  -v /opt/openxpki/config:/etc/openxpki:z \
+  -v /opt/openxpki/pkisock:/var/openxpki:z \
+  -v /opt/openxpki/dbsock:/var/run/mysqld:z \
+  -v /opt/openxpki/log:/var/log/openxpki:z \
+  -v /etc/localtime:/etc/localtime:ro \
+  whiterabbitsecurity/openxpki3 \
+  /usr/bin/openxpkictl start --no-detach
+
+echo "Creating and start OpenXPKI Frontend container"
+podman run -d --pod openxpki_pod \
+  --name openxpki_frontend \
+  -v /opt/openxpki/config:/etc/openxpki:z \
+  -v /opt/openxpki/pkisock:/var/openxpki:z \
+  -v /opt/openxpki/dbsock:/var/run/mysqld:z \
+  -v /opt/openxpki/log:/var/log/openxpki:z \
+  whiterabbitsecurity/openxpki3 \
+  /usr/bin/start-apache
+
+echo "================================================================"
+echo "Press Enter to continue..."
+read
+
+
+# the import command with the --key parameter takes care to copy the key
+# files to the datapool or filesystem locations
+podman exec -it openxpki_server openxpkiadm certificate import --file "${ROOT_CA_CERTIFICATE_POD}"
+podman exec -it openxpki_server openxpkiadm alias --file "${DATAVAULT_CERTIFICATE_POD}" --realm "${REALM}" --token datasafe --key ${DATAVAULT_KEY_POD}
+sleep 1;
+podman exec -it openxpki_server openxpkiadm alias --file "${ISSUING_CA_CERTIFICATE_POD}" --realm "${REALM}" --token certsign --key ${ISSUING_CA_KEY_POD}
+podman exec -it openxpki_server openxpkiadm alias --file "${SCEP_CERTIFICATE_POD}" --realm "${REALM}" --token scep  --key ${SCEP_KEY_POD}
+
+echo "done."
+echo ""
+
+# Setup the Webserver
+podman exec -it openxpki_frontend a2enmod ssl rewrite headers
+podman exec -it openxpki_frontend a2ensite openxpki
+podman exec -it openxpki_frontend a2dissite 000-default default-ssl
+
+podman exec -it openxpki_server cp ${ISSUING_CA_CERTIFICATE_POD} /etc/ssl/certs
+podman exec -it openxpki_server cp ${ROOT_CA_CERTIFICATE_POD} /etc/ssl/certs
+podman exec -it openxpki_server c_rehash /etc/ssl/certs
+
+podman exec -it openxpki_frontend cp ${ISSUING_CA_CERTIFICATE_POD} /etc/ssl/certs
+podman exec -it openxpki_frontend cp ${ROOT_CA_CERTIFICATE_POD} /etc/ssl/certs
+podman exec -it openxpki_frontend c_rehash /etc/ssl/certs
+
+echo "OpenXPKI configuration should be done and the server should be running..."
+echo ""