-

CMP_EE_Keystore_EdDSA.p12:Zone.Identifier

@@ -0,0 +1,2 @@
+[ZoneTransfer]
+ZoneId=3

EE_CMP_ENDENTITY_EE_CMP_INTERMEDIATE_2_.cer

@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBkzCCAUWgAwIBAgIGAX5yzPlKMAUGAytlcDAgMR4wHAYDVQQDDBVFRS1DTVAt
+SU5URVJNRURJQVRFLTIwHhcNMjIwMTE5MTQ0NDQyWhcNMzIwMTE3MTQ0NDQyWjAb
+MRkwFwYDVQQDDBBFRS1DTVAtRU5ERU5USVRZMCowBQYDK2VwAyEAg1vPmf9lQibT
+Rzi1Q5iNRyvU1XFWMiynGM4fwO7FbzKjgaMwgaAwHQYDVR0OBBYEFCZ07UDlT1Ho
+pAgdvh81+E8W5JmVME0GA1UdIwRGMESAFB0PBCI8tPttQ7uYurADFQoI/vkDoSSk
+IjAgMR4wHAYDVQQDDBVFRS1DTVAtSU5URVJNRURJQVRFLTGCBgF+csz5RTAOBgNV
+HQ8BAf8EBAMCAowwIAYDVR0lAQH/BBYwFAYIKwYBBQUHAyAGCCsGAQUFBwMbMAUG
+AytlcANBAAYqCkpeSlWUYADnd5dPhJmzqi+wtkHpx6BmqzQwDfKsV9u9sMhLiDxP
+xs3+Ahd0u4zDZFDaz3I2+M5qD2vR/wQ=
+-----END CERTIFICATE-----

Makefile_cloudPKI

@@ -387,7 +387,7 @@ else
                -CAfile $(EJBCA_CMP_TRUSTED) -issuer $(EJBCA_CMP_ISSUER) \
                -cert creds/operational.crt
   ifeq ($(EJBCA_TLS_HOST),) # workaround for ephemeral TLS server certificate of ejbca-docker:
-    override EXTRA_OPTS += -tls_host cmp-sdo-dev.apps.ocp403p.eagledc.siemens.com # `cat creds/docker/TLS_ROOTCA-docker-cn.txt`
+    override EXTRA_OPTS += -tls_host broker.sdo-qa.siemens.cloud # `cat creds/docker/TLS_ROOTCA-docker-cn.txt`
 	BOOTSTRAP_CREDS = -cert creds/manufacturer.crt -key creds/manufacturer.pem
   endif
 endif

config/EJBCA - Copy.env

@@ -0,0 +1,29 @@
+export EJBCA_HOST=127.0.0.1
+export EJBCA_TLS_HOST=
+export EJBCA_HTTP_PORT=6080
+export EJBCA_HTTPS_PORT=6443
+export EJBCA_PATH_RA=cmp_RA
+export EJBCA_PATH_IMPRINT=cmp_imprint_RA
+export EJBCA_PATH_BOOTSTRAP=cmp_bootstrap_RA
+export EJBCA_PATH_P10CR=cmp_bootstrap_RA
+export EJBCA_PATH_UPDATE=cmp_client
+export EJBCA_PATH_REVOKE=cmp_client
+export EJBCA_OCSP_URL=http://${EJBCA_HOST}:${EJBCA_HTTP_PORT}/ejbca/publicweb/status/ocsp
+export EJBCA_CDP_URL_PREFIX=http://${EJBCA_HOST}:${EJBCA_HTTP_PORT}/ejbca/publicweb/webdist/certdist?cmd=crl&format=DER&issuer=CN=
+export EJBCA_CDP1=TLS_ROOTCA
+export EJBCA_CDP2=CUSTOMER_ISSUING_CA
+export EJBCA_CDP3=CMP_ROOTCA
+export EJBCA_CDP4=
+export EJBCA_CDPS=${EJBCA_CDP1} ${EJBCA_CDP2} ${EJBCA_CDP3} ${EJBCA_CDP4}
+export EJBCA_CDP_URL_POSTFIX=
+export EJBCA_CMP_CLIENT=creds/manufacturer.crt
+export EJBCA_TLS_CLIENT=creds/docker/Docker_Playground_TLS.p12
+export EJBCA_CMP_TRUSTED=creds/docker/CMP_ROOTCA.pem
+export EJBCA_TLS_TRUSTED=creds/docker/TLS_ROOTCA-docker.pem
+#export EJBCA_CMP_UNTRUSTED=creds/docker/CMP_ISSUING_CA.pem
+export EJBCA_CMP_ISSUER=creds/docker/CUSTOMER_ISSUING_CA.pem
+export EJBCA_TRUSTED=creds/docker/CUSTOMER_ROOTCA.pem
+export EJBCA_UNTRUSTED=creds/docker/CMP_ISSUING_CA.pem
+export EJBCA_CMP_RECIPIENT=/CN=CUSTOMER_ISSUING_CA
+export EJBCA_CMP_SUBJECT=/CN=test-genCMPClientDemo/OU=For testing purposes only/O=Siemens/C=DE
+export EJBCA_CMP_SUBJECT_IMPRINT=${EJBCA_CMP_SUBJECT}/OU=IDevID

config/EJBCA.env

@@ -1,4 +1,4 @@
-export EJBCA_HOST=cmp-sdo-dev.apps.ocp403p.eagledc.siemens.com
+export EJBCA_HOST=broker.sdo-qa.siemens.cloud
 export EJBCA_TLS_HOST=
 export EJBCA_PATH=ejbca/publicweb/cmp
 export EJBCA_HTTP_PORT=80
@@ -20,11 +20,11 @@ export EJBCA_CDP_URL_POSTFIX=
 export EJBCA_CMP_CLIENT=creds/manufacturer.crt
 export EJBCA_TLS_CLIENT=creds/docker/Docker_Playground_TLS.p12
 export EJBCA_CMP_TRUSTED=creds/docker/CMP_ROOTCA.pem
-export EJBCA_TLS_TRUSTED=creds/trusted/SiemensRootCA.crt
+export EJBCA_TLS_TRUSTED=creds/trusted/DigicertGlobalRootG2.crt
 #export EJBCA_CMP_UNTRUSTED=creds/docker/CMP_ISSUING_CA.pem
 export EJBCA_CMP_ISSUER=creds/docker/CUSTOMER_ISSUING_CA.pem
 export EJBCA_TRUSTED=creds/trusted/CMP_RA_Root.pem,creds/trusted/CMP_CA_Root.pem #creds/docker/CUSTOMER_ROOTCA.pem
 export EJBCA_UNTRUSTED=creds/ca-enrollment-chain.pem #creds/docker/CMP_ISSUING_CA.pem
 export EJBCA_CMP_RECIPIENT=/CN=CA-Mock
-export EJBCA_CMP_SUBJECT=/CN=Test
+export EJBCA_CMP_SUBJECT=/CN=DI-Integration-Test-User
 export EJBCA_CMP_SUBJECT_IMPRINT=${EJBCA_CMP_SUBJECT}

config/demo - Copy.cnf

@@ -0,0 +1,248 @@
+# For full documentation of the options, see ../doc/cmpClient-cli.{pod,md}
+
+[default]
+
+#verbosity = 6 # means INFO (default)
+#tls_used = 0 # (default)
+#keep_alive = 1 # means preferring to keep the connection open (default)
+#msg_timeout = 120 # in seconds (default). 0 means infinite.
+msg_timeout = 10
+#total_timeout = 0 # in seconds (default). 0 means infinite.
+total_timeout = 30
+#crls_timeout = 10 # in seconds (default). 0 means infinite.
+#ocsp_timeout = 10 # in seconds (default). 0 means infinite.
+#digest = sha256 # (default)
+#mac = hmac-sha1 # (default)
+#ignore_keyusage = 0 # (default)
+ignore_keyusage = 1
+#san_nodefault = 0 # (default)
+#popo = 1 # means SIGNATURE (default)
+#revreason = -1 # means none (default)
+#use_cdp = 0 # (default)
+#use_aia = 0 # (default)
+#disable_confirm = 0 # (default)
+#unprotected_errors = 0 # (default)
+unprotected_errors = 1
+cacertsout = creds/cacerts.pem
+extracertsout = creds/extracerts.pem
+extracerts_dir = creds/
+
+# workarounds in case the environment variables referenced via ${ENV::...} are not set
+EJBCA_HOST =
+EJBCA_TLS_HOST =
+EJBCA_HTTP_PORT =
+EJBCA_HTTPS_PORT =
+EJBCA_PATH_RA =
+EJBCA_PATH_IMPRINT =
+EJBCA_PATH_BOOTSTRAP =
+EJBCA_PATH_P10CR =
+EJBCA_PATH_UPDATE =
+EJBCA_PATH_REVOKE =
+EJBCA_OCSP_URL =
+EJBCA_CDP_URL_PREFIX =
+EJBCA_CDP1 =
+EJBCA_CDP2 =
+EJBCA_CDP3 =
+EJBCA_CDPS =
+EJBCA_CDP_URL_POSTFIX =
+EJBCA_CMP_ISSUER =
+EJBCA_CMP_CLIENT =
+EJBCA_TLS_CLIENT =
+EJBCA_CMP_TRUSTED =
+EJBCA_TLS_TRUSTED =
+EJBCA_TRUSTED =
+EJBCA_UNTRUSTED =
+EJBCA_CMP_RECIPIENT =
+EJBCA_CMP_SUBJECT =
+EJBCA_CMP_SUBJECT_IMPRINT =
+
+[EJBCA]
+server = ${ENV::EJBCA_HOST}:${ENV::EJBCA_HTTPS_PORT}
+path = ejbca/publicweb/cmp/${ENV::EJBCA_PATH_RA}
+no_proxy = 127.0.0.1,localhost,${ENV::EJBCA_HOST}
+secret = pass:SecretCmp
+cert = ${ENV::EJBCA_CMP_CLIENT}
+key = $cert
+keypass = pass:12345
+recipient = ${ENV::EJBCA_CMP_RECIPIENT}
+subject = ${ENV::EJBCA_CMP_SUBJECT}
+#srvcert = ${ENV::EJBCA_CMP_TRUSTED}
+trusted = ${ENV::EJBCA_CMP_TRUSTED}, ${ENV::EJBCA_TRUSTED}
+out_trusted = ${ENV::EJBCA_CMP_TRUSTED}, ${ENV::EJBCA_TRUSTED}
+tls_trusted = ${ENV::EJBCA_TLS_TRUSTED}
+tls_host = ${ENV::EJBCA_TLS_HOST}
+tls_cert = ${ENV::EJBCA_TLS_CLIENT}
+tls_key = $tls_cert
+tls_keypass = pass:12345
+tls_used = 1
+crls = ${ENV::EJBCA_CDP_URL_PREFIX}${ENV::EJBCA_CDP2}${ENV::EJBCA_CDP_URL_POSTFIX}, creds/crls/EJBCA-${ENV::EJBCA_CDP3}.crl, creds/crls/EJBCA-${ENV::EJBCA_CDP1}.crl
+use_cdp = 1
+cdps = ${ENV::EJBCA_CDP_URL_PREFIX}${ENV::EJBCA_CDP3}${ENV::EJBCA_CDP_URL_POSTFIX}, ${ENV::EJBCA_CDP_URL_PREFIX}${ENV::EJBCA_CDP1}${ENV::EJBCA_CDP_URL_POSTFIX}
+use_aia = 1
+ocsp = ${ENV::EJBCA_OCSP_URL}
+
+[no-tls]
+server = ${ENV::EJBCA_HOST}:${ENV::EJBCA_HTTP_PORT}
+tls_used = 0
+
+[no-certstatus]
+crls =
+use_cdp = 0
+cdps =
+use_aia = 0
+ocsp =
+
+[CmpRa] # LightweightCmpRa
+server = http://localhost:6000/lra
+secret = pass:myPresharedSecret
+ref = keyIdentification
+cert = creds/CMP_EE_Keystore.p12
+key = $cert
+cert = creds/CMP_EE_Chain.pem # workaround for cmpossl
+# if the cert file contains private key, openssl shows spurious error:
+#asn1_check_tlen:crypto/asn1/tasn_dec.c:1156:CMP error: wrong tag:
+#asn1_item_embed_d2i:crypto/asn1/tasn_dec.c:322:CMP error: nested asn1 error:Type=EC_PRIVATEKEY
+key = creds/CMP_EE_Key.pem # workaround for cmpossl
+keypass = pass:Password
+subject = "/CN=test-genCMPClientDemo"
+untrusted = creds/ENROLL_Chain.pem
+trusted = creds/trusted/CMP_LRA_DOWNSTREAM_Root.pem,credentials/CMP_CA_Root.pem
+out_trusted = creds/trusted/ENROLL_Root.pem
+#tls_used = 0
+#tls_trusted =
+#tls_host = $server
+#tls_cert = ${ENV::EJBCA_TLS_CLIENT}
+#tls_key = $tls_cert
+#tls_keypass = pass:12345
+
+[Insta]
+server = pki.certificate.fi:8700/pkix/
+secret = pass:insta
+ref = 3078
+#would need to be updated every 3 months:
+#cert = creds/insta_client.p12
+#key = $cert
+cert = creds/manufacturer.crt
+key = creds/manufacturer.pem
+keypass = pass:12345
+recipient = "/C=FI/O=Insta Demo/CN=Insta Demo CA"
+subject = "/CN=test-genCMPClientDemo"
+cacert = creds/trusted/InstaDemoCA.crt
+#srvcert = $cacert
+trusted = $cacert
+crls = creds/crls/InstaDemoCA.crl
+out_trusted = $cacert
+
+tls_used = 0
+#tls_trusted = $cacert
+#tls_host = pki.certificate.fi
+#tls_cert = $cert
+#tls_key = $key
+
+[imprint]
+path = ejbca/publicweb/cmp/${ENV::EJBCA_PATH_IMPRINT}
+subject = ${ENV::EJBCA_CMP_SUBJECT_IMPRINT}
+cmd = ir
+cert =
+key =
+newkeytype = EC:secp521r1
+newkey = creds/manufacturer.pem # fallback for cmpossl
+newkeypass = pass:12345
+reqexts = empty # is ignored by EJBCA
+policies = empty
+certout = creds/manufacturer.crt
+cacerts_dir = creds/trusted
+
+[bootstrap]
+path = ejbca/publicweb/cmp/${ENV::EJBCA_PATH_BOOTSTRAP}
+cmd = cr
+# cert = $imprint::certout
+# key = $imprint::newkey
+secret =
+newkeytype = EC:prime256v1 # an alias of EC:secp256r1
+newkey = creds/operational.pem # fallback for cmpossl
+newkeypass = pass:12345
+reqexts = reqexts
+policies = certificatePolicies
+san_nodefault = 1
+certout = creds/operational.crt
+
+[update]
+path = ejbca/publicweb/cmp/${ENV::EJBCA_PATH_UPDATE}
+cmd = kur
+secret =
+cert = $bootstrap::certout
+key = $bootstrap::newkey
+keypass = $bootstrap::newkeypass
+newkeytype = $bootstrap::newkeytype
+newkey = $bootstrap::newkey # fallback for cmpossl
+newkeypass = $bootstrap::newkeypass
+reqexts = ""
+policies = ""
+oldcert = $bootstrap::certout # == cert
+subject = ""
+implicit_confirm = 1
+certout = $bootstrap::certout
+
+[revoke]
+path = ejbca/publicweb/cmp/${ENV::EJBCA_PATH_REVOKE}
+cmd = rr
+secret =
+cert = $bootstrap::certout
+key = $bootstrap::newkey
+keypass = $bootstrap::newkeypass
+oldcert = $update::certout # == cert
+revreason = 5 #CRL_REASON_CESSATION_OF_OPERATION
+subject =
+
+[pkcs10]
+path = ejbca/publicweb/cmp/${ENV::EJBCA_PATH_P10CR}
+cmd = p10cr
+# Insta will respond with CMP body popdecc POPODecKeyChallContent, --pop Challenge
+secret =
+ref = dummy # in EJBCA case there is no ref - fallback for sender as no cert and subject is given
+csr = creds/operational.csr # generated by transforming operational.crt
+subject =
+certout = $bootstrap::certout
+
+[genm]
+ref = 3078 # in EJBCA case there is no ref - fallback for sender as no cert and subject is given
+cmd = genm
+infotype = signKeyPairTypes # default
+
+[validate]
+keypass = pass:12345
+tls_keypass = $keypass
+check_all = 1
+use_aia = 0
+use_cdp = 1
+crl_cache_dir = creds/crls/
+verbosity = 6
+
+[empty]
+#keyUsage =
+#extendedKeyUsage =
+#subjectAltName =
+
+[reqexts]
+#basicConstraints = CA:FASE
+keyUsage = "critical, digitalSignature" # is ignored by EJBCA
+extendedKeyUsage = "critical, serverAuth, 1.3.6.1.5.5.7.3.2" # is ignored by EJBCA
+subjectAltName = @alt_names
+
+[alt_names]
+DNS.0 = localhost
+IP.0 = 127.0.0.1
+IP.1 = 192.168.0.1
+URI.0 = http://192.168.0.2
+
+[certificatePolicies]
+certificatePolicies = "critical, @pkiPolicy"
+
+[pkiPolicy]
+policyIdentifier = 1.3.6.1.4.1.4329.38.4.2.2
+CPS = http://www.my-company.com/pki-policy/
+userNotice.1 = @notice
+
+[notice]
+explicitText=policy text