
Commit

Update sub CA tests
The latest NSS requires the client to have the full cert chain
in order to validate a cert, so most of the sub CA tests have
been updated to install the sub CA signing cert in addition to
the root CA signing cert. For some reason the sub CA tests with
HSM still work without these changes. That will be investigated
separately later.
edewata committed Aug 21, 2024
1 parent 64f3239 commit 458f1a8
Showing 7 changed files with 37 additions and 1 deletion.
5 changes: 5 additions & 0 deletions .github/workflows/ipa-subca-test.yml
Expand Up @@ -96,11 +96,16 @@ jobs:
docker exec ipa pki nss-cert-import \
--cert root-ca_signing.crt \
--trust CT,C,C \
root-ca_signing
docker exec ipa pki nss-cert-import \
--cert ipa.crt \
ca_signing
docker exec ipa pki pkcs12-import \
--pkcs12 /root/ca-agent.p12 \
--pkcs12-password Secret.123
docker exec ipa pki -n ipa-ca-agent ca-user-show admin
- name: Check lightweight CAs
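Review bot: the second `pki nss-cert-import` in this step (`--cert ipa.crt`, nickname `ca_signing`) carries no `--trust` argument, while the root import above it keeps `--trust CT,C,C`, and nothing in the workflow says that difference is deliberate. It is the right shape, since the root stays the only trust anchor and the sub CA cert is there only to complete the chain. A one-line YAML comment above the import would stop a later edit from adding trust flags to the intermediate, which would let the check pass without validating up to the root.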
5 changes: 5 additions & 0 deletions .github/workflows/subca-basic-test.yml
Expand Up @@ -172,11 +172,16 @@ jobs:
docker exec subordinate pki nss-cert-import \
--cert $SHARED/root-ca_signing.crt \
--trust CT,C,C \
root-ca_signing
docker exec subordinate pki nss-cert-import \
--cert ca_signing.crt \
ca_signing
docker exec subordinate pki pkcs12-import \
--pkcs12 /root/.dogtag/pki-tomcat/ca_admin_cert.p12 \
--pkcs12-password Secret.123
docker exec subordinate pki -n caadmin --ignore-banner ca-user-show caadmin
- name: Check cert requests in subordinate CA
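Review bot: the added import reads `--cert ca_signing.crt` as a relative path, while the root import just above it uses `$SHARED/root-ca_signing.crt`. With `docker exec` the relative path resolves against the container's working directory, so this step depends on an earlier step having written ca_signing.crt there, and that step is not visible in this hunk. Either reference the file through `$SHARED` like the root cert, or add a comment naming the step that exports it.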
1 change: 1 addition & 0 deletions .github/workflows/subca-clone-hsm-test.yml
Expand Up @@ -283,6 +283,7 @@ jobs:
docker exec primary-subca pki pkcs12-import \
--pkcs12 $SHARED/caadmin.p12 \
--pkcs12-password Secret.123
docker exec primary-subca pki -n caadmin ca-user-show caadmin
- name: Set up secondary DS container
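Review bot: missing documentation at the `pki pkcs12-import` / `ca-user-show caadmin` pair: unlike the non-HSM workflows in this commit, the visible lines here get no `nss-cert-import` for the sub CA signing cert. The commit message says the HSM tests still work without it and that this will be investigated later. A YAML comment at this step recording that the omission is intentional and pending investigation would keep the workflows from looking accidentally inconsistent.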
10 changes: 10 additions & 0 deletions .github/workflows/subca-clone-test.yml
Expand Up @@ -116,9 +116,14 @@ jobs:
--trust CT,C,C \
root-ca_signing
docker exec primary-subca pki nss-cert-import \
--cert $SHARED/subca_signing.crt \
ca_signing
docker exec primary-subca pki pkcs12-import \
--pkcs12 $SHARED/caadmin.p12 \
--pkcs12-password Secret.123
docker exec primary-subca pki -n caadmin ca-user-show caadmin
- name: Export primary sub-CA certs
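Review bot: naming nit on the added import: the cert from `$SHARED/subca_signing.crt` is stored under the nickname `ca_signing`, next to the root under `root-ca_signing`. A nickname that matches the file, such as `subca_signing`, would make it obvious in an NSS database listing which CA the entry belongs to. If `ca_signing` is kept for consistency with the other sub CA workflows, a short comment saying so would help.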
Expand Down Expand Up @@ -246,9 +251,14 @@ jobs:
--trust CT,C,C \
root-ca_signing
docker exec secondary-subca pki nss-cert-import \
--cert $SHARED/subca_signing.crt \
ca_signing
docker exec secondary-subca pki pkcs12-import \
--pkcs12 $SHARED/caadmin.p12 \
--pkcs12-password Secret.123
docker exec secondary-subca pki -n caadmin ca-user-show caadmin
- name: Check users in primary sub-CA and secondary sub-CA
11 changes: 10 additions & 1 deletion .github/workflows/subca-cmc-test.yml
Expand Up @@ -187,10 +187,19 @@ jobs:

- name: Verify subordinate CA admin cert
run: |
docker exec subordinate pki client-cert-import ca_signing --ca-cert $SHARED/ca_signing.p7b
docker exec subordinate pki nss-cert-import \
--cert $SHARED/root-ca_signing.crt \
--trust CT,C,C \
root-ca_signing
docker exec subordinate pki nss-cert-import \
--cert ca_signing.crt \
ca_signing
docker exec subordinate pki pkcs12-import \
--pkcs12 /root/.dogtag/pki-tomcat/ca_admin_cert.p12 \
--pkcs12-password Secret.123
docker exec subordinate pki -n caadmin ca-user-show caadmin
- name: Check cert requests in subordinate CA
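Review bot: please confirm that `pki client-cert-import ca_signing --ca-cert $SHARED/ca_signing.p7b` at the top of the step is the one deleted line; the file header reports 10 additions and 1 deletion, and the +/- markers are not visible here. If that line stays, the nickname `ca_signing` is imported twice, once from the PKCS #7 chain and once from `ca_signing.crt`, and the step no longer shows which import the `ca-user-show caadmin` check depends on. Keep only one of the two.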
5 changes: 5 additions & 0 deletions .github/workflows/subca-external-test.yml
Expand Up @@ -117,11 +117,16 @@ jobs:
docker exec pki pki nss-cert-import \
--cert root-ca_signing.crt \
--trust CT,C,C \
root-ca_signing
docker exec pki pki nss-cert-import \
--cert ca_signing.crt \
ca_signing
docker exec pki pki pkcs12-import \
--pkcs12 /root/.dogtag/pki-tomcat/ca_admin_cert.p12 \
--pkcs12-password Secret.123
docker exec pki pki -n caadmin ca-user-show caadmin
- name: Check cert requests in CA
1 change: 1 addition & 0 deletions .github/workflows/subca-hsm-test.yml
Expand Up @@ -272,6 +272,7 @@ jobs:
docker exec pki pki pkcs12-import \
--pkcs12 /root/.dogtag/pki-tomcat/ca_admin_cert.p12 \
--pkcs12-password Secret.123
docker exec pki pki -n caadmin ca-user-show caadmin
- name: Check CA certs and requests
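Review bot: `ca-user-show caadmin` is the only check in this step, so it cannot tell why the HSM variant passes without the sub CA signing cert that the other workflows now import. Listing the client NSS database before that call, for example with `pki nss-cert-find`, would record which CA certs are already present after `pkcs12-import`. That is the information the follow-up investigation mentioned in the commit message will need.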
