Update sub CA tests

The latest NSS requires the client to have the full cert chain in order to validate a cert, so most of the sub CA tests have been updated to install the sub CA signing cert in addition to the root CA signing cert. For some reason the sub CA tests with HSM still work without these changes. That will be investigated separately later.
dogtagpki · Aug 23, 2024 · cf27359 · cf27359
1 parent 0b10570
commit cf27359
Show file tree

Hide file tree

Showing 7 changed files with 54 additions and 4 deletions.
diff --git a/.github/workflows/ipa-subca-test.yml b/.github/workflows/ipa-subca-test.yml
@@ -92,10 +92,19 @@ jobs:
 
       - name: Check Sub-CA admin
         run: |
-          docker exec ipa pki client-cert-import ca_signing --ca-cert root-ca_signing.crt
+          docker exec ipa pki nss-cert-import \
+              --cert root-ca_signing.crt \
+              --trust CT,C,C \
+              root-ca_signing
+
+          docker exec ipa pki nss-cert-import \
+              --cert ipa.crt \
+              ca_signing
+
           docker exec ipa pki pkcs12-import \
               --pkcs12 /root/ca-agent.p12 \
               --pkcs12-password Secret.123
+
           docker exec ipa pki -n ipa-ca-agent ca-user-show admin
 
       - name: Gather artifacts

diff --git a/.github/workflows/subca-basic-test.yml b/.github/workflows/subca-basic-test.yml
@@ -145,10 +145,19 @@ jobs:
 
       - name: Verify CA admin
         run: |
-          docker exec subordinate pki client-cert-import ca_signing --ca-cert ${SHARED}/root-ca_signing.crt
+          docker exec subordinate pki nss-cert-import \
+              --cert $SHARED/root-ca_signing.crt \
+              --trust CT,C,C \
+              root-ca_signing
+
+          docker exec subordinate pki nss-cert-import \
+              --cert ca_signing.crt \
+              ca_signing
+
           docker exec subordinate pki pkcs12-import \
               --pkcs12 /root/.dogtag/pki-tomcat/ca_admin_cert.p12 \
               --pkcs12-password Secret.123
+
           docker exec subordinate pki -n caadmin --ignore-banner ca-user-show caadmin
 
       - name: Check cert requests in subordinate CA

diff --git a/.github/workflows/subca-clone-hsm-test.yml b/.github/workflows/subca-clone-hsm-test.yml
@@ -280,6 +280,7 @@ jobs:
           docker exec primary-subca pki pkcs12-import \
               --pkcs12 $SHARED/caadmin.p12 \
               --pkcs12-password Secret.123
+
           docker exec primary-subca pki -n caadmin ca-user-show caadmin
 
       - name: Set up secondary DS container

diff --git a/.github/workflows/subca-clone-test.yml b/.github/workflows/subca-clone-test.yml
@@ -113,9 +113,15 @@ jobs:
           docker exec primary-subca pki client-cert-import \
               --ca-cert $SHARED/root-ca_signing.crt \
               root-ca_signing
+
+          docker exec primary-subca pki nss-cert-import \
+              --cert $SHARED/subca_signing.crt \
+              ca_signing
+
           docker exec primary-subca pki pkcs12-import \
               --pkcs12 $SHARED/caadmin.p12 \
               --pkcs12-password Secret.123
+
           docker exec primary-subca pki -n caadmin ca-user-show caadmin
 
       - name: Export primary sub-CA certs
@@ -241,9 +247,15 @@ jobs:
           docker exec secondary-subca pki client-cert-import \
               --ca-cert $SHARED/root-ca_signing.crt \
               root-ca_signing
+
+          docker exec secondary-subca pki nss-cert-import \
+              --cert $SHARED/subca_signing.crt \
+              ca_signing
+
           docker exec secondary-subca pki pkcs12-import \
               --pkcs12 $SHARED/caadmin.p12 \
               --pkcs12-password Secret.123
+
           docker exec secondary-subca pki -n caadmin ca-user-show caadmin
 
       - name: Check users in primary sub-CA and secondary sub-CA

diff --git a/.github/workflows/subca-cmc-test.yml b/.github/workflows/subca-cmc-test.yml
@@ -182,10 +182,19 @@ jobs:
 
       - name: Verify subordinate CA admin cert
         run: |
-          docker exec subordinate pki client-cert-import ca_signing --ca-cert $SHARED/ca_signing.p7b
+          docker exec subordinate pki nss-cert-import \
+              --cert $SHARED/root-ca_signing.crt \
+              --trust CT,C,C \
+              root-ca_signing
+
+          docker exec subordinate pki nss-cert-import \
+              --cert ca_signing.crt \
+              ca_signing
+
           docker exec subordinate pki pkcs12-import \
               --pkcs12 /root/.dogtag/pki-tomcat/ca_admin_cert.p12 \
               --pkcs12-password Secret.123
+
           docker exec subordinate pki -n caadmin ca-user-show caadmin
 
       - name: Check cert requests in subordinate CA

diff --git a/.github/workflows/subca-external-test.yml b/.github/workflows/subca-external-test.yml
@@ -111,10 +111,19 @@ jobs:
 
       - name: Verify CA admin
         run: |
-          docker exec pki pki client-cert-import ca_signing --ca-cert root-ca_signing.crt
+          docker exec pki pki nss-cert-import \
+              --cert root-ca_signing.crt \
+              --trust CT,C,C \
+              root-ca_signing
+
+          docker exec pki pki nss-cert-import \
+              --cert ca_signing.crt \
+              ca_signing
+
           docker exec pki pki pkcs12-import \
               --pkcs12 /root/.dogtag/pki-tomcat/ca_admin_cert.p12 \
               --pkcs12-password Secret.123
+
           docker exec pki pki -n caadmin ca-user-show caadmin
 
       - name: Check cert requests in CA

diff --git a/.github/workflows/subca-hsm-test.yml b/.github/workflows/subca-hsm-test.yml
@@ -267,6 +267,7 @@ jobs:
           docker exec pki pki pkcs12-import \
               --pkcs12 /root/.dogtag/pki-tomcat/ca_admin_cert.p12 \
               --pkcs12-password Secret.123
+
           docker exec pki pki -n caadmin ca-user-show caadmin
 
       - name: Check CA certs and requests