
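#!/bin/bash
# OpenCA installer notes turned into shell functions: Cai_RootCA installs a
# Root CA, Cai_SubCA a subordinate CA, both on a yum-based host, run as root.
# (The interpreter line was split over three lines in the pasted copy, which
# would have run /bin/bash as a stray command instead of selecting it.)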

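#######################################
# Run one SQL statement as the MySQL root user.
# The password is handed over through the MYSQL_PWD environment variable
# rather than as -p<password> on the command line, so it does not show up
# in `ps` output or shell history.
# Arguments: $1 - MySQL root password
#            $2 - SQL statement
# Returns:   mysql's exit status
#######################################
_openca_mysql_root() {
  MYSQL_PWD=$1 mysql -uroot -e "$2"
}

#######################################
# Replace an installed OpenCA file with a patched copy, keeping a .bk backup.
# Arguments: $1 - patched file (looked up relative to the current directory)
#            $2 - absolute path of the installed file to overwrite
# Returns:   0 when the patch was applied or the patch file is absent (a
#            warning is printed), non-zero if a copy failed
#######################################
_openca_install_patch() {
  local patch=$1 target=$2
  if [[ ! -f "$patch" ]]; then
    printf 'warn: %s not found; %s left unchanged\n' "$patch" "$target" >&2
    return 0
  fi
  cp -- "$target" "$target.bk" && cp -- "$patch" "$target"
}

#######################################
# Install and configure an OpenCA 1.5.1 Root CA on a yum-based host.
#
# Steps, in order: build dependencies, the openca system account, the MySQL
# database and user, download and build openca-tools / openca-base, the
# post-install edits of the generated OpenCA configuration, the
# OPENSSL_ENABLE_MD5_VERIFY work-around and the init-script symlink.
#
# Globals (read; all optional, defaults are the values of the original script):
#   OPENCA_MYSQL_ROOT_PASSWD  MySQL root password used to create the database
#   OPENCA_DB_PASSWD          password of the 'openca'@'localhost' DB user
#   OPENCA_SRC_DIR            where tarballs and patch files live (default: $PWD)
# Arguments: none
# Outputs:   build and install output on stdout/stderr
# Returns:   0 on success, non-zero as soon as a required step fails
#
# Must run as root. ./configure still receives the DB password on its
# command line (--with-db-passwd); only the mysql calls keep it off argv.
#######################################
Cai_RootCA ()
{
  local mysql_root_pass=${OPENCA_MYSQL_ROOT_PASSWD:-Abc.123456}
  local db_pass=${OPENCA_DB_PASSWD:-Abc.123456}
  local src_dir=${OPENCA_SRC_DIR:-$PWD}
  local -r db_name=dbrootca
  local -r openca_etc=/opt/openca/etc/openca
  local -r perl_base=/opt/openca/lib/openca/perl_modules/perl5

  ## Build dependencies. One yum call; the original ran gcc-c++ twice and
  ## had the package list broken across lines, which ran the tail of the
  ## list as a separate (nonexistent) command.
  yum install -y gcc-c++ openssl openssl-devel db4 db4-devel \
    mysql mysql-server mysql-devel expat-devel perl-XML-Parser httpd mod_ssl \
    perl-ExtUtils-MakeMaker perl-DBIx-Simple perl-DBI.i686 \
    openldap openldap-devel libxml2 libxml2-devel || return 1

  ## Service account OpenCA runs as; skipped when it already exists so the
  ## installer can be re-run.
  getent group openca >/dev/null || groupadd openca
  id -u openca >/dev/null 2>&1 || useradd -g openca -u 1201 openca

  ## MySQL database and application user.
  ## Original notes for MySQL 5.7: if the root password is unknown, stop
  ## mysqld, start `mysqld_safe --skip-grant-tables` and reset it with
  ## UPDATE mysql.user ...; that is a manual step and is not automated here.
  ## NOTE(review): the password is spliced into the SQL text, so a value
  ## containing a single quote would break the statement.
  _openca_mysql_root "$mysql_root_pass" \
    "CREATE DATABASE IF NOT EXISTS ${db_name};" || return 1
  if ! _openca_mysql_root "$mysql_root_pass" \
      "grant all privileges on ${db_name}.* to 'openca'@'localhost' identified by '${db_pass}';"; then
    ## MySQL 8.0 no longer accepts GRANT ... IDENTIFIED BY: create the user
    ## first, then grant. The original 8.0 note added WITH GRANT OPTION; the
    ## application user does not need to delegate grants, so it is left out.
    _openca_mysql_root "$mysql_root_pass" \
      "CREATE USER 'openca'@'localhost' IDENTIFIED BY '${db_pass}';" || return 1
    _openca_mysql_root "$mysql_root_pass" \
      "GRANT ALL PRIVILEGES ON ${db_name}.* TO 'openca'@'localhost';" || return 1
  fi
  _openca_mysql_root "$mysql_root_pass" "FLUSH PRIVILEGES;" || return 1

  ## /etc/hosts must resolve this machine's name; original example:
  ##   192.168.1.2 rootca.kmm rootca
  ## (manual step, as in the original).

  ## Download the sources. openca-ocspd and libpki are fetched but, as in the
  ## original, not built by this function.
  ## NOTE(review): nothing verifies what the mirrors return; compare each
  ## archive with the project's published digest (<DIGEST-PLACEHOLDER>)
  ## before building a CA from it.
  cd "$src_dir" || return 1
  local url
  for url in \
    https://netix.dl.sourceforge.net/project/openca/openca-ocspd/releases/v3.1.2/sources/openca-ocspd-3.1.2.tar.gz \
    https://netix.dl.sourceforge.net/project/openca/openca-tools/releases/v1.3.1/sources/openca-tools-1.3.1.tar.gz \
    https://svwh.dl.sourceforge.net/project/openca/openca-base/releases/v1.5.1/sources/openca-base-1.5.1.tar.gz \
    https://ftp.openca.org/libpki/releases/v0.8.9/sources/libpki-0.8.9.tar.gz; do
    wget -- "$url" || return 1
  done

  ## Build openca-tools in a subshell so the working directory comes back to
  ## $src_dir afterwards. (The original passed both tarball names to one tar
  ## call, which extracts only a member named openca-base-1.5.1.tar.gz from
  ## the tools archive, and then never left the openca-tools directory.)
  tar -xzvf openca-tools-1.3.1.tar.gz || return 1
  ( cd openca-tools-1.3.1 && ./configure && make clean && make && make install ) \
    || return 1

  ## Build and install openca-base. The organization option is spelled
  ## --with-ca-organization ("oganization" in the original was silently
  ## ignored by configure) and --with-db-type has a single dash.
  tar -xzvf openca-base-1.5.1.tar.gz || return 1
  cd openca-base-1.5.1 || return 1
  ./configure --prefix="/opt/openca" \
    --with-ca-organization="kmm_ca" \
    --with-httpd-fs-prefix="/var/www/openca" \
    --with-httpd-main-dir="pki" \
    --with-htdocs-fs-prefix="/var/www/pki" \
    --with-cgi-fs-prefix="/var/www/cgi-bin/pki" \
    --with-cgi-url-prefix="/var/www/cgi-bin" \
    --enable-db \
    --with-db-type="mysql" \
    --with-db-name="$db_name" \
    --with-db-host="localhost" \
    --with-db-user="openca" \
    --with-db-passwd="$db_pass" \
    --enable-ocspd \
    --with-ocspd-uri="http://ocspd.rootca.kmm" \
    --with-hierarchy-level="ca" \
    --with-openca-user="openca" \
    --with-openca-group="openca" \
    --with-db-service-mail-account=admin@kmm || return 1
  ## OpenCA lands in /opt/openca, uses MySQL database $db_name as user
  ## openca, and the admin web interface is served from /var/www/pki.
  make clean && make \
    && make install-online && make install-ca && make install-ldap \
    && make install-node && make install-pub && make install-ra || return 1
  service httpd restart

  ## Original note: OpenCA ships a bug that is fixed by overriding User.pm and
  ## initServer with patched copies (the notes fetched them from
  ## https://www.dropbox.com/s/bzpsnsvnn97yuys/User.pm and
  ## https://www.dropbox.com/s/x5k5mgdneymuuq6/initServer). They are expected
  ## in $src_dir; when absent the shipped files stay in place.
  ## NOTE(review): these are unsigned replacements for core CA code from a
  ## personal file share; diff them against the shipped files before use.
  cd "$src_dir" || return 1
  _openca_install_patch User.pm "$perl_base/OpenCA/User.pm" || return 1
  _openca_install_patch initServer /opt/openca/lib/openca/functions/initServer \
    || return 1

  cd "$openca_etc" || return 1

  ## access_control/node.xml.template, inside <channel>:
  ##   <protocol>ssl</protocol>                        -> <protocol>.*</protocol>
  ##   <symmetric_keylength>128</symmetric_keylength>  -> ...>0<...
  ## NOTE(review): both edits relax the node's access-control channel (any
  ## protocol, no key-length requirement); keep them only if the web
  ## front-end genuinely is not reachable over TLS.
  cp -- access_control/node.xml.template access_control/node.xml.template.bk
  sed -i \
    -e 's_<protocol>ssl</protocol>_<protocol>.*</protocol>_g' \
    -e 's#<symmetric_keylength>128</symmetric_keylength>#<symmetric_keylength>0</symmetric_keylength>#g' \
    access_control/node.xml.template

  ## config.xml: dataexchange_device_up and dataexchange_device_down both
  ## default to /dev/fd0 (a floppy). The first /dev/fd0 in the file is the
  ## "up" device, the next one "down", so the two substitutions run in this
  ## order and each is limited to the first remaining match (GNU sed 0,/re/).
  ## NOTE(review): /tmp is shared and world-writable; the original notes also
  ## mention /opt/openca/var/openca/tmp/ as an exchange directory — consider
  ## it once confirmed that OpenCA creates it.
  cp -- config.xml config.xml.bk
  sed -i '0,/<value>\/dev\/fd0<\/value>/ s/<value>\/dev\/fd0<\/value>/<value>\/tmp\/openca_up<\/value>/' \
    config.xml
  sed -i '0,/<value>\/dev\/fd0<\/value>/ s/<value>\/dev\/fd0<\/value>/<value>\/tmp\/openca_down<\/value>/' \
    config.xml

  ## openssl/openssl.cnf.template: in [req] and [CA_default] the original
  ## changes "default_md = sha256" to "default_md = sha1".
  ## NOTE(review): this rewrites every "sha256" in the template, not only the
  ## two default_md lines, and SHA-1 is no longer acceptable for certificate
  ## signatures; keep it only if this legacy build really cannot sign with
  ## SHA-256.
  cp -- openssl/openssl.cnf.template openssl/openssl.cnf.template.bk
  sed -i 's_sha256_sha1_g' openssl/openssl.cnf.template

  chown -R apache:apache /opt/openca/var/openca/log

  ## Regenerate the live configuration from the edited templates.
  ./configure_etc.sh || return 1

  ## Work-around for "signature verification failed on SPKAC public key":
  ## set OPENSSL_ENABLE_MD5_VERIFY right after OpenCA sets $ENV{'pwd'} (the
  ## line before "# running the OpenSSL command" in OpenSSL.pm). Applied to
  ## whichever arch-specific module directory exists, and only once.
  local pm
  for pm in "$perl_base"/i386-linux-thread-multi/OpenCA/OpenSSL.pm \
            "$perl_base"/x86_64-linux-thread-multi/OpenCA/OpenSSL.pm; do
    [[ -f "$pm" ]] || continue
    grep -qF 'OPENSSL_ENABLE_MD5_VERIFY' "$pm" && continue
    sed -i '/$ENV{'\''pwd'\''} = "$passwd";/a $ENV{OPENSSL_ENABLE_MD5_VERIFY} = 0;' "$pm"
  done

  ## Init-script symlink; -f keeps a re-run from failing on an existing link.
  ln -sf /opt/openca/etc/init.d/openca /usr/sbin/openca

  ## Remaining steps are interactive (from the original notes): `openca start`
  ## asks for the admin password; then open http://<this-host>/pki and log in
  ## as admin with that password. CA CSR subjects used in the original, e.g.
  ##   DC=kmm,DC=rootca,DC=pki,CN=rootca,OU=kmmca,O=KMM_CA,ST=HaNoi,L=HVM,C=VN
  ##   DC=kmm,DC=root,DC=ca,CN=rootca_server,OU=kmm_ca,O=OpenCA Labs,ST=HaDong,L=HaNoi,C=VN
  ## followed by "Self Signed CA Certificate".
  return 0
}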
Cai_SubCA ()
{
yum install -y gcc-c++
yum install -y gcc-c++ openssl openssl-devel db4 db4-devel mysql-server mysql-devel
expat-devel perl-XML-Parser httpd mod_ssl perl-ExtUtils-MakeMaker perl-DBIx-Simple
perl-DBI.i686 openldap openldap-devel libxml2 libxml2-devel -y
groupadd openca
useradd -g openca -u 1201 openca
### For Mysql 5.7
### /etc/init.d/mysqld stop
### mysqld_safe --skip-grant-tables &
### use mysql;
### UPDATE mysql.user
### update user set password=PASSWORD("Abc.123456") where user='root';
mysql -u root -p
#mysql>show databases;
mysql -u root -pAbc.123456 -e "create database dbsubca;"
#mysql>create database dbsubca;
#mysql>grant all privileges on dbsubca.* to 'openca'@'localhost' identified by
'Abc.123456';
mysql -u root -pAbc.123456 -e "grant all privileges on dbsubca.* to
'openca'@'localhost' identified by 'Abc.123456';"
mysql -u root -pAbc.123456 -e "FLUSH PRIVILEGES;"

#mysql>FLUSH PRIVILEGES;
#mysql>exit;

### On mysql 8.0:


### mysql> CREATE USER 'openca'@'localhost' IDENTIFIED BY 'Abc.123456';
### Query OK, 0 rows affected (0.00 sec)
###
### mysql> GRANT ALL PRIVILEGES ON dbrootca.* TO 'openca'@'localhost' WITH GRANT
OPTION;
### Query OK, 0 rows affected (0.00 sec)

#### Sửa file hosts: Sửa file /etc/hosts thêm vào cuối file như sau
### diachiipcuamay diachi.local diachi
#Ví dụ : 192.168.1.2 rootca.kmm rootca

## Download openca-tools:
wget https://netix.dl.sourceforge.net/project/openca/openca-
ocspd/releases/v3.1.2/sources/openca-ocspd-3.1.2.tar.gz
wget https://netix.dl.sourceforge.net/project/openca/openca-
tools/releases/v1.3.1/sources/openca-tools-1.3.1.tar.gz
wget https://svwh.dl.sourceforge.net/project/openca/openca-
base/releases/v1.5.1/sources/openca-base-1.5.1.tar.gz
## Giải nén openca-tools
tar -xzvf openca-tools-1.3.1.tar.gz openca-base-1.5.1.tar.gz

## Cài đặt openca-tools:


cd openca-tools-1.3.1
./configure
make clean
make
make install
# Download openca-base:

# Giải nén openca-base:


tar -xzvf openca-base-1.5.1.tar.gz
./configure --prefix="/opt/openca" \
--with-ca-oganization="kmm_ca" \
--with-httpd-fs-prefix="/var/www/openca" \
--with-httpd-main-dir="pki" \
--with-htdocs-fs-prefix="/var/www/pki" \
--with-cgi-fs-prefix="/var/www/cgi-bin/pki" \
--with-cgi-url-prefix="/var/www/cgi-bin" \
--with-db-name="dbsubca" \
--with-db-host="localhost" \
--with-db-user="openca" \
--with-db-passwd="Abc.123456" \
--with--db-type="mysql" \
--enable-ocspd \
--enable-db \
--with-hierarchy-level="ca" \
--with-openca-user="openca" \
--with-openca-group="openca" \
--with--db-service-mail-account=admin@kmm

## OpenCA sẽ được cài đặt vào /opt/openca. Sử dụng cơ sở dữ liệu MySQL với
## database openca, user là openca password Abc.123456. Web quản trị được lưu
## tại thư mục /var/www/pki

# Tiếp theo là biên dịch


make clean
make
make install-online && make install-ca && make install-ldap && make install-node &&
make install-pub && make install-ra
service httpd restart
## Lưu ý là trong openca 1.1.1 sẽ có lỗi, vì vậy cần tiên hành fix lỗi này.
##
## # wget https://www.dropbox.com/s/x5k5mgdneymuuq6/initServer
## #wget https://www.dropbox.com/s/bzpsnsvnn97yuys/User.pm
## Ghi đè 2 file này:
##
## #

cp /opt/openca/lib/openca/perl_modules/perl5/OpenCA/User.pm
/opt/openca/lib/openca/perl_modules/perl5/OpenCA/User.pm.bk
cp User.pm /opt/openca/lib/openca/perl_modules/perl5/OpenCA/
##
## #
cp /opt/openca/lib/openca/functions/initServer
/opt/openca/lib/openca/functions/initServer.bk
cp initServer /opt/openca/lib/openca/functions/
##
## Chọn yes để thay thế file cũ.

cd /opt/openca/etc/openca
#
cp access_control/node.xml.template access_control/node.xml.template.bk

#vim access_control/node.xml.template
## Trong thẻ:
##
## <channel>
## ..
## <protocol>ssl</protocol> ----> <protocol>.*</protocol>
sed -i 's_<protocol>ssl</protocol>_<protocol>.*</protocol>_g'
/opt/openca/etc/openca/access_control/node.xml.template

## ..
## <symmetric_keylength>128</symmetric_keylength> ---->
<symmetric_keylength>0</symmetric_keylength>
sed -i
's#<symmetric_keylength>128</symmetric_keylength>#<symmetric_keylength>0</symmetric
_keylength>#g' /opt/openca/etc/openca/access_control/node.xml.template

## ..
## </channel>
##

## Tiếp theo sửa file /opt/openca/etc/openca/config.xml


##
cp config.xml config.xml.bk
#vim config.xml
##
## :$ để đến cuối file
##
## <name>dataexchange_device_up</name>
## <value>/dev/fd0</value> ---> <value>/tmp/openca_up</value>
#sed '0,/<value>\/dev\/fd0<\/value>/! {0,/<value>\/dev\/fd0<\/value>/
s/<value>\/dev\/fd0<\/value>/<value>\/tmp\/openca_up<\/value>/}'
/opt/openca/etc/openca/config.xml
sed -i
0,/'<value>\/dev\/fd0<\/value>'/{s/'<value>\/dev\/fd0<\/value>/<value>\/tmp\/openca
_up<\/value>/}' /opt/openca/etc/openca/config.xml

## /opt/openca/var/openca/tmp/
## <name>dataexchange_device_down</name>
## <value>/dev/fd0</value> ---> <value>/tmp/openca_down</value>
#sed -i 's#<value>/dev/fd0</value>#<value>/tmp/openca_down</value>#'
/opt/openca/etc/openca/config.xml
sed -i
0,/'<value>\/dev\/fd0<\/value>'/{s/'<value>\/dev\/fd0<\/value>/<value>\/tmp\/openca
_down<\/value>/}' /opt/openca/etc/openca/config.xml

## Thay the o lan gap thu 2: sed '0,/<value>\/dev\/fd0<\/value>/!


{0,/<value>\/dev\/fd0<\/value>/
s/<value>\/dev\/fd0<\/value>/<value>\/tmp\/openca_up<\/value>/}'
/opt/openca/etc/openca/config.xml

##
## Lưu lại.
##
## Tiếp theo sửa file: openssl/openssl.cnf.template
##
cp openssl/openssl.cnf.template openssl/openssl.cnf.template.bk
#vim openssl/openssl.cnf.template
##
## Trong [req] và [CA_defaut] tìm dòng:
##
## default_md = sha256 ---> đổi thành default_md = sha1
##
## Lưu lại.

sed -i 's_sha256_sha1_g' /opt/openca/etc/openca/openssl/openssl.cnf.template

##
### /opt/openca/etc/openca/openssl/openssl/User.conf
chown apache:apache /opt/openca/var/openca/log -R

## Để các sửa đổi có hiệu lực:


./configure_etc.sh
##
## Tạo symlink cho openca:
##
## #cd /usr/sbin/
## #ln -s /opt/openca/etc/init.d/openca openca
##
## Khởi động openca:
## #cd ~
## #openca start
## ===> Nhập password admin:
## Quá trình cài đặt RootCA đã xong, bạn kiểm tra kết quả bằng cách gõ vào trình
duyệt: http://diachimaycairooca/pki
## Accout là admin và pass lúc bạn start openca trên.

## Khi bi loi signature verification failed on SPKAC public key


## Sua file: ./lib/openca/perl_modules/perl5/i386-linux-thread-
multi/OpenCA/OpenSSL.pm
## Tim den dong co tu khoa: # running the OpenSSL command
## Them tu khoa: $ENV{OPENSSL_ENABLE_MD5_VERIFY} = 0; vao sau dong: $ENV{'pwd'} =
"$passwd";
## Khoi dong lai openca: openca restart
###\
sed -i '/$ENV{'\''pwd'\''} = "$passwd";/a\
$ENV{OPENSSL_ENABLE_MD5_VERIFY} = 0;'
/opt/openca/lib/openca/perl_modules/perl5/i386-linux-thread-multi/OpenCA/OpenSSL.pm
