Skip to content

[RHCS-5445] Implement new SSN legacy2 generator for CA #5590

[RHCS-5445] Implement new SSN legacy2 generator for CA

[RHCS-5445] Implement new SSN legacy2 generator for CA #5590

Workflow file for this run

name: CA Tests
on: [push, pull_request]
jobs:
init:
name: Initialization
uses: ./.github/workflows/init.yml
secrets: inherit
build:
name: Waiting for build
needs: init
runs-on: ubuntu-latest
steps:
- name: Wait for build
uses: lewagon/[email protected]
with:
ref: ${{ github.ref }}
check-name: 'Building PKI'
repo-token: ${{ secrets.GITHUB_TOKEN }}
wait-interval: 30
if: github.event_name == 'push'
- name: Wait for build
uses: lewagon/[email protected]
with:
ref: ${{ github.event.pull_request.head.sha }}
check-name: 'Building PKI'
repo-token: ${{ secrets.GITHUB_TOKEN }}
wait-interval: 30
if: github.event_name == 'pull_request'
# docs/installation/ca/Installing_CA.md
ca-test:
name: Testing CA
needs: [init, build]
runs-on: ubuntu-latest
env:
PKIDIR: /tmp/workdir/pki
steps:
- name: Clone repository
uses: actions/checkout@v3
- name: Retrieve pki-runner image
uses: actions/cache@v3
with:
key: pki-runner-${{ github.sha }}
path: pki-runner.tar
- name: Load runner image
run: docker load --input pki-runner.tar
- name: Run container
run: |
IMAGE=pki-runner \
NAME=pki \
HOSTNAME=pki.example.com \
tests/bin/runner-init.sh
- name: Install dependencies
run: docker exec pki dnf install -y 389-ds-base
- name: Install DS
run: docker exec pki ${PKIDIR}/tests/bin/ds-create.sh
- name: Install CA
run: |
docker exec pki pkispawn -f /usr/share/pki/server/examples/installation/ca.cfg -s CA -v
# set buffer size to 0 so that revocation takes effect immediately
docker exec pki pki-server ca-config-set auths.revocationChecking.bufferSize 0
docker exec pki pki-server restart --wait
- name: Run PKI healthcheck
run: docker exec pki pki-healthcheck --failures-only
- name: Verify CA admin
run: |
docker exec pki pki-server cert-export ca_signing --cert-file ca_signing.crt
docker exec pki pki client-cert-import ca_signing --ca-cert ca_signing.crt
docker exec pki pki client-cert-import \
--pkcs12 /root/.dogtag/pki-tomcat/ca_admin_cert.p12 \
--pkcs12-password-file /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf
docker exec pki pki -n caadmin ca-user-show caadmin
- name: Verify creating CA agent
run: |
docker exec pki /usr/share/pki/tests/ca/bin/ca-agent-create.sh
- name: Verify creating, revoking, and unrevoking CA agent cert
run: |
docker exec pki /usr/share/pki/tests/ca/bin/ca-agent-cert-create.sh
docker exec pki /usr/share/pki/tests/ca/bin/ca-agent-cert-revoke.sh
docker exec pki /usr/share/pki/tests/ca/bin/ca-agent-cert-unrevoke.sh
- name: Gather artifacts
if: always()
run: |
tests/bin/ds-artifacts-save.sh pki
tests/bin/pki-artifacts-save.sh pki
- name: Remove CA
run: docker exec pki pkidestroy -i pki-tomcat -s CA -v
- name: Remove DS
run: docker exec pki ${PKIDIR}/tests/bin/ds-remove.sh
- name: Upload artifacts
if: always()
uses: actions/upload-artifact@v3
with:
name: ca
path: |
/tmp/artifacts/pki
# docs/installation/ca/Installing_CA_with_ECC.md
ca-ecc-test:
name: Testing CA with ECC
needs: [init, build]
runs-on: ubuntu-latest
env:
PKIDIR: /tmp/workdir/pki
steps:
- name: Clone repository
uses: actions/checkout@v3
- name: Retrieve pki-runner image
uses: actions/cache@v3
with:
key: pki-runner-${{ github.sha }}
path: pki-runner.tar
- name: Load runner image
run: docker load --input pki-runner.tar
- name: Run container
run: |
IMAGE=pki-runner \
NAME=pki \
HOSTNAME=pki.example.com \
tests/bin/runner-init.sh
- name: Install dependencies
run: docker exec pki dnf install -y 389-ds-base
- name: Install DS
run: docker exec pki ${PKIDIR}/tests/bin/ds-create.sh
- name: Install CA
run: docker exec pki pkispawn -f /usr/share/pki/server/examples/installation/ca-ecc.cfg -s CA -v
- name: Run PKI healthcheck
run: docker exec pki pki-healthcheck --failures-only
- name: Verify system keys
run: |
docker exec pki bash -c "echo Secret.123 > password.txt"
docker exec pki certutil -K -d /etc/pki/pki-tomcat/alias -f password.txt
echo "ec" > expected
docker exec pki bash -c "certutil -K -d /etc/pki/pki-tomcat/alias -f password.txt | grep ca_signing | sed -n 's/<.*>\s\(\S\+\)\s.*/\1/p' > ${PKIDIR}/actual"
diff expected actual
docker exec pki bash -c "certutil -K -d /etc/pki/pki-tomcat/alias -f password.txt | grep ca_ocsp_signing | sed -n 's/<.*>\s\(\S\+\)\s.*/\1/p' > ${PKIDIR}/actual"
diff expected actual
docker exec pki bash -c "certutil -K -d /etc/pki/pki-tomcat/alias -f password.txt | grep ca_audit_signing | sed -n 's/<.*>\s\(\S\+\)\s.*/\1/p' > ${PKIDIR}/actual"
diff expected actual
docker exec pki bash -c "certutil -K -d /etc/pki/pki-tomcat/alias -f password.txt | grep subsystem | sed -n 's/<.*>\s\(\S\+\)\s.*/\1/p' > ${PKIDIR}/actual"
diff expected actual
docker exec pki bash -c "certutil -K -d /etc/pki/pki-tomcat/alias -f password.txt | grep sslserver | sed -n 's/<.*>\s\(\S\+\)\s.*/\1/p' > ${PKIDIR}/actual"
diff expected actual
- name: Verify CA admin
run: |
docker exec pki pki-server cert-export ca_signing --cert-file ca_signing.crt
docker exec pki pki client-cert-import ca_signing --ca-cert ca_signing.crt
docker exec pki pki client-cert-import \
--pkcs12 /root/.dogtag/pki-tomcat/ca_admin_cert.p12 \
--pkcs12-password-file /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf
docker exec pki pki -n caadmin ca-user-show caadmin
- name: Gather artifacts
if: always()
run: |
tests/bin/ds-artifacts-save.sh pki
tests/bin/pki-artifacts-save.sh pki
- name: Remove CA
run: docker exec pki pkidestroy -i pki-tomcat -s CA -v
- name: Remove DS
run: docker exec pki ${PKIDIR}/tests/bin/ds-remove.sh
- name: Upload artifacts
if: always()
uses: actions/upload-artifact@v3
with:
name: ca-ecc
path: |
/tmp/artifacts/pki
# docs/installation/ca/Installing_Subordinate_CA.md
subca-test:
name: Testing subordinate CA
needs: [init, build]
runs-on: ubuntu-latest
env:
PKIDIR: /tmp/workdir/pki
steps:
- name: Clone repository
uses: actions/checkout@v3
- name: Retrieve pki-runner image
uses: actions/cache@v3
with:
key: pki-runner-${{ github.sha }}
path: pki-runner.tar
- name: Load runner image
run: docker load --input pki-runner.tar
- name: Create network
run: docker network create example
- name: Run root container
run: |
IMAGE=pki-runner \
NAME=root \
HOSTNAME=root.example.com \
tests/bin/runner-init.sh
- name: Connect root container to network
run: docker network connect example root --alias root.example.com
- name: Install dependencies in root container
run: docker exec root dnf install -y 389-ds-base
- name: Install DS in root container
run: docker exec root ${PKIDIR}/tests/bin/ds-create.sh
- name: Install root CA in root container
run: docker exec root pkispawn -f /usr/share/pki/server/examples/installation/ca.cfg -s CA -v
- name: Install banner in root container
run: docker exec root cp /usr/share/pki/server/examples/banner/banner.txt /etc/pki/pki-tomcat
- name: Setup subordinate container
run: |
IMAGE=pki-runner \
NAME=subordinate \
HOSTNAME=sub.example.com \
tests/bin/runner-init.sh
- name: Connect subordinate container to network
run: docker network connect example subordinate --alias sub.example.com
- name: Install dependencies in subordinate container
run: docker exec subordinate dnf install -y 389-ds-base
- name: Install DS in subordinate container
run: docker exec subordinate ${PKIDIR}/tests/bin/ds-create.sh
- name: Install subordinate CA in subordinate container
run: |
docker exec root pki-server cert-export ca_signing --cert-file ${PKIDIR}/root-ca_signing.crt
docker exec subordinate cp ${PKIDIR}/root-ca_signing.crt .
docker exec subordinate pkispawn -f /usr/share/pki/server/examples/installation/subca.cfg -s CA -v
- name: Install banner in subordinate container
run: docker exec subordinate cp /usr/share/pki/server/examples/banner/banner.txt /etc/pki/pki-tomcat
- name: Run PKI healthcheck
run: docker exec subordinate pki-healthcheck --failures-only
- name: Verify CA admin
run: |
docker exec subordinate pki client-cert-import ca_signing --ca-cert root-ca_signing.crt
docker exec subordinate pki client-cert-import \
--pkcs12 /root/.dogtag/pki-tomcat/ca_admin_cert.p12 \
--pkcs12-password-file /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf
docker exec subordinate pki -n caadmin --ignore-banner ca-user-show caadmin
- name: Gather artifacts from root container
if: always()
run: |
tests/bin/ds-artifacts-save.sh root
tests/bin/pki-artifacts-save.sh root
- name: Gather artifacts from subordinate container
if: always()
run: |
tests/bin/ds-artifacts-save.sh subordinate
tests/bin/pki-artifacts-save.sh subordinate
- name: Remove subordinate CA from subordinate container
run: docker exec subordinate pkidestroy -i pki-tomcat -s CA -v
- name: Remove DS from subordinate container
run: docker exec subordinate ${PKIDIR}/tests/bin/ds-remove.sh
- name: Disconnect subordinate container from network
run: docker network disconnect example subordinate
- name: Remove root CA from root container
run: docker exec root pkidestroy -i pki-tomcat -s CA -v
- name: Remove DS from root container
run: docker exec root ${PKIDIR}/tests/bin/ds-remove.sh
- name: Disconnect root container from network
run: docker network disconnect example root
- name: Remove network
run: docker network rm example
- name: Upload artifacts from root container
if: always()
uses: actions/upload-artifact@v3
with:
name: ca-root
path: |
/tmp/artifacts/root
- name: Upload artifacts from subordinate container
if: always()
uses: actions/upload-artifact@v3
with:
name: ca-subordinate
path: |
/tmp/artifacts/subordinate
# docs/installation/ca/Installing_CA_with_External_CA_Signing_Certificate.md
ca-external-cert-test:
name: Testing CA with external signing certificate
needs: [init, build]
runs-on: ubuntu-latest
env:
PKIDIR: /tmp/workdir/pki
steps:
- name: Clone repository
uses: actions/checkout@v3
- name: Retrieve pki-runner image
uses: actions/cache@v3
with:
key: pki-runner-${{ github.sha }}
path: pki-runner.tar
- name: Load runner image
run: docker load --input pki-runner.tar
- name: Setup PKI container
run: |
IMAGE=pki-runner \
NAME=pki \
HOSTNAME=pki.example.com \
tests/bin/runner-init.sh
- name: Install dependencies
run: docker exec pki dnf install -y 389-ds-base
- name: Install DS
run: docker exec pki ${PKIDIR}/tests/bin/ds-create.sh
- name: Create root CA in NSS database
run: |
docker exec pki pki -d nssdb nss-cert-request \
--subject "CN=Root CA Signing Certificate" \
--ext /usr/share/pki/server/certs/ca_signing.conf \
--csr root-ca_signing.csr
docker exec pki pki -d nssdb nss-cert-issue \
--csr root-ca_signing.csr \
--ext /usr/share/pki/server/certs/ca_signing.conf \
--cert root-ca_signing.crt
docker exec pki pki -d nssdb nss-cert-import \
--cert root-ca_signing.crt \
--trust CT,C,C \
root-ca_signing
- name: Install subordinate CA
run: |
docker exec pki pkispawn -f /usr/share/pki/server/examples/installation/ca-external-cert-step1.cfg -s CA -v
docker exec pki pki -d nssdb nss-cert-issue \
--issuer root-ca_signing \
--csr ca_signing.csr \
--ext /usr/share/pki/server/certs/ca_signing.conf \
--cert ca_signing.crt
docker exec pki pkispawn -f /usr/share/pki/server/examples/installation/ca-external-cert-step2.cfg -s CA -v
- name: Run PKI healthcheck
run: docker exec pki pki-healthcheck --failures-only
- name: Verify CA admin
run: |
docker exec pki pki client-cert-import ca_signing --ca-cert root-ca_signing.crt
docker exec pki pki client-cert-import \
--pkcs12 /root/.dogtag/pki-tomcat/ca_admin_cert.p12 \
--pkcs12-password-file /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf
docker exec pki pki -n caadmin ca-user-show caadmin
- name: Gather artifacts
if: always()
run: |
tests/bin/ds-artifacts-save.sh pki
tests/bin/pki-artifacts-save.sh pki
- name: Remove subordinate CA
run: docker exec pki pkidestroy -i pki-tomcat -s CA -v
- name: Remove DS
run: docker exec pki ${PKIDIR}/tests/bin/ds-remove.sh
- name: Upload artifacts
if: always()
uses: actions/upload-artifact@v3
with:
name: ca-external-cert
path: |
/tmp/artifacts/pki
# docs/installation/ca/Installing_CA_with_Existing_Keys_in_Internal_Token.md
ca-existing-certs-test:
name: Testing CA with existing certificates
needs: [init, build]
runs-on: ubuntu-latest
env:
PKIDIR: /tmp/workdir/pki
steps:
- name: Clone repository
uses: actions/checkout@v3
- name: Retrieve pki-runner image
uses: actions/cache@v3
with:
key: pki-runner-${{ github.sha }}
path: pki-runner.tar
- name: Load runner image
run: docker load --input pki-runner.tar
- name: Setup PKI container
run: |
IMAGE=pki-runner \
NAME=pki \
HOSTNAME=pki.example.com \
tests/bin/runner-init.sh
- name: Install dependencies
run: docker exec pki dnf install -y 389-ds-base
- name: Install DS
run: docker exec pki ${PKIDIR}/tests/bin/ds-create.sh
- name: Create CA signing cert
run: |
docker exec pki pki -d nssdb nss-cert-request \
--subject "CN=CA Signing Certificate" \
--ext /usr/share/pki/server/certs/ca_signing.conf \
--csr ca_signing.csr
docker exec pki pki -d nssdb nss-cert-issue \
--csr ca_signing.csr \
--ext /usr/share/pki/server/certs/ca_signing.conf \
--serial 1 \
--cert ca_signing.crt
docker exec pki pki -d nssdb nss-cert-import \
--cert ca_signing.crt \
--trust CT,C,C \
ca_signing
docker exec pki bash -c "certutil -K -d nssdb | grep ca_signing | sed 's/<.*>\s\+\S\+\s\+\(\S\+\).*/\1/' > ca_signing.key"
- name: Create CA OCSP signing cert
run: |
docker exec pki pki -d nssdb nss-cert-request \
--subject "CN=OCSP Signing Certificate" \
--ext /usr/share/pki/server/certs/ocsp_signing.conf \
--csr ca_ocsp_signing.csr
docker exec pki pki -d nssdb nss-cert-issue \
--issuer ca_signing \
--csr ca_ocsp_signing.csr \
--ext /usr/share/pki/server/certs/ocsp_signing.conf \
--serial 2 \
--cert ca_ocsp_signing.crt
docker exec pki pki -d nssdb nss-cert-import \
--cert ca_ocsp_signing.crt \
ca_ocsp_signing
docker exec pki bash -c "certutil -K -d nssdb | grep ca_ocsp_signing | sed 's/<.*>\s\+\S\+\s\+\(\S\+\).*/\1/' > ca_ocsp_signing.key"
- name: Create CA audit signing cert
run: |
docker exec pki pki -d nssdb nss-cert-request \
--subject "CN=Audit Signing Certificate" \
--ext /usr/share/pki/server/certs/audit_signing.conf \
--csr ca_audit_signing.csr
docker exec pki pki -d nssdb nss-cert-issue \
--issuer ca_signing \
--csr ca_audit_signing.csr \
--ext /usr/share/pki/server/certs/audit_signing.conf \
--serial 3 \
--cert ca_audit_signing.crt
docker exec pki pki -d nssdb nss-cert-import \
--cert ca_audit_signing.crt \
--trust ,,P \
ca_audit_signing
docker exec pki bash -c "certutil -K -d nssdb | grep ca_audit_signing | sed 's/<.*>\s\+\S\+\s\+\(\S\+\).*/\1/' > ca_audit_signing.key"
- name: Export CA certs
run: |
docker exec pki pki -d nssdb pkcs12-export \
--pkcs12 ca-certs.p12 \
--password Secret.123
docker exec pki pki pkcs12-cert-find \
--pkcs12 ca-certs.p12 \
--password Secret.123
- name: Install CA with existing certs
run: |
docker exec pki pkispawn -f /usr/share/pki/server/examples/installation/ca-existing-certs-step1.cfg -s CA -v
sleep 1 # avoid pkispawn log conflict due to identical timestamps
docker exec pki pkispawn -f /usr/share/pki/server/examples/installation/ca-existing-certs-step2.cfg -s CA -v
- name: Run PKI healthcheck
run: docker exec pki pki-healthcheck --failures-only
- name: Verify CA keys
run: |
docker exec pki bash -c "echo Secret.123 > password.txt"
docker exec pki bash -c "certutil -K -d /etc/pki/pki-tomcat/alias -f password.txt | grep ca_signing | sed 's/<.*>\s\+\S\+\s\+\(\S\+\).*/\1/' > ca_signing.key.new"
docker exec pki diff ca_signing.key ca_signing.key.new
docker exec pki bash -c "certutil -K -d /etc/pki/pki-tomcat/alias -f password.txt | grep ca_ocsp_signing | sed 's/<.*>\s\+\S\+\s\+\(\S\+\).*/\1/' > ca_ocsp_signing.key.new"
docker exec pki diff ca_ocsp_signing.key ca_ocsp_signing.key.new
docker exec pki bash -c "certutil -K -d /etc/pki/pki-tomcat/alias -f password.txt | grep ca_audit_signing | sed 's/<.*>\s\+\S\+\s\+\(\S\+\).*/\1/' > ca_audit_signing.key.new"
docker exec pki diff ca_audit_signing.key ca_audit_signing.key.new
- name: Verify CA admin
run: |
docker exec pki pki-server cert-export ca_signing --cert-file ca_signing.crt
docker exec pki pki client-cert-import ca_signing --ca-cert ca_signing.crt
docker exec pki pki client-cert-import \
--pkcs12 /root/.dogtag/pki-tomcat/ca_admin_cert.p12 \
--pkcs12-password-file /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf
docker exec pki pki -n caadmin ca-user-show caadmin
- name: Gather artifacts
if: always()
run: |
tests/bin/ds-artifacts-save.sh pki
tests/bin/pki-artifacts-save.sh pki
- name: Remove CA
run: docker exec pki pkidestroy -i pki-tomcat -s CA -v
- name: Remove DS
run: docker exec pki ${PKIDIR}/tests/bin/ds-remove.sh
- name: Upload artifacts
if: always()
uses: actions/upload-artifact@v3
with:
name: ca-existing-certs
path: |
/tmp/artifacts/pki
# docs/installation/ca/Installing_CA_Clone.md
ca-clone-test:
name: Testing CA clone
needs: [init, build]
runs-on: ubuntu-latest
env:
PKIDIR: /tmp/workdir/pki
steps:
- name: Clone repository
uses: actions/checkout@v3
- name: Retrieve pki-runner image
uses: actions/cache@v3
with:
key: pki-runner-${{ github.sha }}
path: pki-runner.tar
- name: Load runner image
run: docker load --input pki-runner.tar
- name: Create network
run: docker network create example
- name: Run primary container
run: |
IMAGE=pki-runner \
NAME=primary \
HOSTNAME=primary.example.com \
tests/bin/runner-init.sh
- name: Connect primary container to network
run: docker network connect example primary --alias primary.example.com
- name: Install dependencies in primary container
run: docker exec primary dnf install -y 389-ds-base
- name: Install DS in primary container
run: docker exec primary ${PKIDIR}/tests/bin/ds-create.sh
- name: Install CA in primary container
run: docker exec primary pkispawn -f /usr/share/pki/server/examples/installation/ca.cfg -s CA -v
- name: Setup secondary container
run: |
IMAGE=pki-runner \
NAME=secondary \
HOSTNAME=secondary.example.com \
tests/bin/runner-init.sh
- name: Connect secondary container to network
run: docker network connect example secondary --alias secondary.example.com
- name: Install dependencies in secondary container
run: docker exec secondary dnf install -y 389-ds-base
- name: Install DS in secondary container
run: docker exec secondary ${PKIDIR}/tests/bin/ds-create.sh
- name: Install CA in secondary container
run: |
docker exec primary pki-server cert-export ca_signing --cert-file ${PKIDIR}/ca_signing.crt
docker exec primary pki-server ca-clone-prepare --pkcs12-file ${PKIDIR}/ca-certs.p12 --pkcs12-password Secret.123
docker exec secondary cp ${PKIDIR}/ca_signing.crt .
docker exec secondary cp ${PKIDIR}/ca-certs.p12 .
docker exec secondary pkispawn -f /usr/share/pki/server/examples/installation/ca-clone.cfg -s CA -v
- name: Verify CA admin in secondary container
run: |
docker exec primary cp /root/.dogtag/pki-tomcat/ca_admin_cert.p12 ${PKIDIR}/ca_admin_cert.p12
docker exec primary cp /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf ${PKIDIR}/pkcs12_password.conf
docker exec secondary pki client-cert-import ca_signing --ca-cert ca_signing.crt
docker exec secondary pki client-cert-import \
--pkcs12 ${PKIDIR}/ca_admin_cert.p12 \
--pkcs12-password-file ${PKIDIR}/pkcs12_password.conf
docker exec secondary pki -n caadmin ca-user-show caadmin
- name: Setup tertiary container
run: |
IMAGE=pki-runner \
NAME=tertiary \
HOSTNAME=tertiary.example.com \
tests/bin/runner-init.sh
- name: Connect tertiary container to network
run: docker network connect example tertiary --alias tertiary.example.com
- name: Install dependencies in tertiary container
run: docker exec tertiary dnf install -y 389-ds-base
- name: Install DS in tertiary container
run: docker exec tertiary ${PKIDIR}/tests/bin/ds-create.sh
- name: Install CA in tertiary container
run: |
docker exec secondary pki-server cert-export ca_signing --cert-file ${PKIDIR}/ca_signing.crt
docker exec secondary pki-server ca-clone-prepare --pkcs12-file ${PKIDIR}/ca-certs.p12 --pkcs12-password Secret.123
docker exec tertiary cp ${PKIDIR}/ca_signing.crt .
docker exec tertiary cp ${PKIDIR}/ca-certs.p12 .
docker exec tertiary pkispawn -f /usr/share/pki/server/examples/installation/ca-clone-of-clone.cfg -s CA -v
- name: Verify CA admin in tertiary container
run: |
docker exec tertiary pki client-cert-import ca_signing --ca-cert ca_signing.crt
docker exec tertiary pki client-cert-import \
--pkcs12 ${PKIDIR}/ca_admin_cert.p12 \
--pkcs12-password-file ${PKIDIR}/pkcs12_password.conf
docker exec tertiary pki -n caadmin ca-user-show caadmin
- name: Gather artifacts from primary container
if: always()
run: |
tests/bin/ds-artifacts-save.sh primary
tests/bin/pki-artifacts-save.sh primary
- name: Gather artifacts from secondary container
if: always()
run: |
tests/bin/ds-artifacts-save.sh secondary
tests/bin/pki-artifacts-save.sh secondary
- name: Gather artifacts from tertiary container
if: always()
run: |
tests/bin/ds-artifacts-save.sh tertiary
tests/bin/pki-artifacts-save.sh tertiary
- name: Remove CA from tertiary container
run: docker exec tertiary pkidestroy -i pki-tomcat -s CA -v
- name: Remove DS from tertiary container
run: docker exec tertiary ${PKIDIR}/tests/bin/ds-remove.sh
- name: Disconnect tertiary container from network
run: docker network disconnect example tertiary
- name: Remove CA from secondary container
run: docker exec secondary pkidestroy -i pki-tomcat -s CA -v
- name: Remove DS from secondary container
run: docker exec secondary ${PKIDIR}/tests/bin/ds-remove.sh
- name: Disconnect secondary container from network
run: docker network disconnect example secondary
- name: Remove CA from primary container
run: docker exec primary pkidestroy -i pki-tomcat -s CA -v
- name: Remove DS from primary container
run: docker exec primary ${PKIDIR}/tests/bin/ds-remove.sh
- name: Disconnect primary container from network
run: docker network disconnect example primary
- name: Remove network
run: docker network rm example
- name: Upload artifacts from primary container
if: always()
uses: actions/upload-artifact@v3
with:
name: ca-clone-primary
path: |
/tmp/artifacts/primary
- name: Upload artifacts from secondary container
if: always()
uses: actions/upload-artifact@v3
with:
name: ca-clone-secondary
path: |
/tmp/artifacts/secondary
- name: Upload artifacts from tertiary container
if: always()
uses: actions/upload-artifact@v3
with:
name: ca-clone-tertiary
path: |
/tmp/artifacts/tertiary
# docs/installation/ca/Installing_CA_with_Secure_Database_Connection.md
ca-secure-ds-test:
name: Testing CA with secure DS
needs: [init, build]
runs-on: ubuntu-latest
env:
PKIDIR: /tmp/workdir/pki
steps:
- name: Clone repository
uses: actions/checkout@v3
- name: Retrieve pki-runner image
uses: actions/cache@v3
with:
key: pki-runner-${{ github.sha }}
path: pki-runner.tar
- name: Load runner image
run: docker load --input pki-runner.tar
- name: Run container
run: |
IMAGE=pki-runner \
NAME=pki \
HOSTNAME=pki.example.com \
tests/bin/runner-init.sh
- name: Install dependencies
run: docker exec pki dnf install -y 389-ds-base
- name: Install DS
run: docker exec pki ${PKIDIR}/tests/bin/ds-create.sh
- name: Create DS signing cert
run: |
docker exec pki pki \
-d /etc/dirsrv/slapd-localhost \
-C /etc/dirsrv/slapd-localhost/pwdfile.txt \
nss-cert-request \
--subject "CN=DS Signing Certificate" \
--ext /usr/share/pki/server/certs/ca_signing.conf \
--csr ds_signing.csr
docker exec pki pki \
-d /etc/dirsrv/slapd-localhost \
-C /etc/dirsrv/slapd-localhost/pwdfile.txt \
nss-cert-issue \
--csr ds_signing.csr \
--ext /usr/share/pki/server/certs/ca_signing.conf \
--cert ds_signing.crt
docker exec pki pki \
-d /etc/dirsrv/slapd-localhost \
-C /etc/dirsrv/slapd-localhost/pwdfile.txt \
nss-cert-import \
--cert ds_signing.crt \
--trust CT,C,C \
Self-Signed-CA
docker exec pki certutil -L -d /etc/dirsrv/slapd-localhost
- name: Create DS server cert
run: |
docker exec pki pki \
-d /etc/dirsrv/slapd-localhost \
-C /etc/dirsrv/slapd-localhost/pwdfile.txt \
nss-cert-request \
--subject "CN=pki.example.com" \
--ext /usr/share/pki/server/certs/sslserver.conf \
--csr ds_server.csr
docker exec pki pki \
-d /etc/dirsrv/slapd-localhost \
-C /etc/dirsrv/slapd-localhost/pwdfile.txt \
nss-cert-issue \
--issuer Self-Signed-CA \
--csr ds_server.csr \
--ext /usr/share/pki/server/certs/sslserver.conf \
--cert ds_server.crt
docker exec pki pki \
-d /etc/dirsrv/slapd-localhost \
-C /etc/dirsrv/slapd-localhost/pwdfile.txt \
nss-cert-import \
--cert ds_server.crt \
Server-Cert
docker exec pki certutil -L -d /etc/dirsrv/slapd-localhost
- name: Enable DS security
run: |
docker exec pki dsconf localhost config replace nsslapd-security=on
docker exec pki dsctl localhost restart
docker exec pki sleep 10
docker exec -e LDAPTLS_CACERT=/ds_signing.crt pki ldapsearch -H ldaps://pki.example.com:636 -x -b "" -s base \* +
- name: Install CA
run: docker exec pki pkispawn -f /usr/share/pki/server/examples/installation/ca-secure-ds.cfg -s CA -v
- name: Run PKI healthcheck
run: docker exec pki pki-healthcheck --failures-only
- name: Verify DS connection
run: |
docker exec pki pki-server ca-db-config-show > output
cat output
echo "pki.example.com" > expected
sed -n 's/^\s\+Hostname:\s\+\(\S\+\)$/\1/p' output > actual
diff expected actual
echo "636" > expected
sed -n 's/^\s\+Port:\s\+\(\S\+\)$/\1/p' output > actual
diff expected actual
echo "true" > expected
sed -n 's/^\s\+Secure:\s\+\(\S\+\)$/\1/p' output > actual
diff expected actual
- name: Verify CA admin
run: |
docker exec pki pki-server cert-export ca_signing --cert-file ca_signing.crt
docker exec pki pki client-cert-import ca_signing --ca-cert ca_signing.crt
docker exec pki pki client-cert-import \
--pkcs12 /root/.dogtag/pki-tomcat/ca_admin_cert.p12 \
--pkcs12-password-file /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf
docker exec pki pki -n caadmin ca-user-show caadmin
- name: Gather artifacts
if: always()
run: |
tests/bin/ds-artifacts-save.sh pki
tests/bin/pki-artifacts-save.sh pki
- name: Remove CA
run: docker exec pki pkidestroy -i pki-tomcat -s CA -v
- name: Remove DS
run: docker exec pki ${PKIDIR}/tests/bin/ds-remove.sh
- name: Upload artifacts
if: always()
uses: actions/upload-artifact@v3
with:
name: ca-secure-ds
path: |
/tmp/artifacts/pki
# docs/installation/ca/Installing_CA_Clone.md
# docs/installation/ca/Installing_CA_with_Secure_Database_Connection.md
ca-clone-secure-ds-test:
name: Testing CA clone with secure DS
needs: [init, build]
runs-on: ubuntu-latest
env:
PKIDIR: /tmp/workdir/pki
steps:
- name: Clone repository
uses: actions/checkout@v3
- name: Retrieve pki-runner image
uses: actions/cache@v3
with:
key: pki-runner-${{ github.sha }}
path: pki-runner.tar
- name: Load runner image
run: docker load --input pki-runner.tar
- name: Create network
run: docker network create example
- name: Run primary container
run: |
IMAGE=pki-runner \
NAME=primary \
HOSTNAME=primary.example.com \
tests/bin/runner-init.sh
- name: Connect primary container to network
run: docker network connect example primary --alias primary.example.com
- name: Install dependencies in primary container
run: docker exec primary dnf install -y 389-ds-base
- name: Install DS in primary container
run: docker exec primary ${PKIDIR}/tests/bin/ds-create.sh
- name: Create DS signing cert in primary container
run: |
docker exec primary pki \
-d /etc/dirsrv/slapd-localhost \
-C /etc/dirsrv/slapd-localhost/pwdfile.txt \
nss-cert-request \
--subject "CN=DS Signing Certificate" \
--ext /usr/share/pki/server/certs/ca_signing.conf \
--csr ds_signing.csr
docker exec primary pki \
-d /etc/dirsrv/slapd-localhost \
-C /etc/dirsrv/slapd-localhost/pwdfile.txt \
nss-cert-issue \
--csr ds_signing.csr \
--ext /usr/share/pki/server/certs/ca_signing.conf \
--cert ds_signing.crt
docker exec primary pki \
-d /etc/dirsrv/slapd-localhost \
-C /etc/dirsrv/slapd-localhost/pwdfile.txt \
nss-cert-import \
--cert ds_signing.crt \
--trust CT,C,C \
Self-Signed-CA
docker exec primary certutil -L -d /etc/dirsrv/slapd-localhost
- name: Create DS server cert in primary container
run: |
docker exec primary pki \
-d /etc/dirsrv/slapd-localhost \
-C /etc/dirsrv/slapd-localhost/pwdfile.txt \
nss-cert-request \
--subject "CN=primary.example.com" \
--ext /usr/share/pki/server/certs/sslserver.conf \
--csr ds_server.csr
docker exec primary pki \
-d /etc/dirsrv/slapd-localhost \
-C /etc/dirsrv/slapd-localhost/pwdfile.txt \
nss-cert-issue \
--issuer Self-Signed-CA \
--csr ds_server.csr \
--ext /usr/share/pki/server/certs/sslserver.conf \
--cert ds_server.crt
docker exec primary pki \
-d /etc/dirsrv/slapd-localhost \
-C /etc/dirsrv/slapd-localhost/pwdfile.txt \
nss-cert-import \
--cert ds_server.crt \
Server-Cert
docker exec primary certutil -L -d /etc/dirsrv/slapd-localhost
- name: Enable DS security in primary container
run: |
docker exec primary dsconf localhost config replace nsslapd-security=on
docker exec primary dsctl localhost restart
docker exec primary sleep 10
docker exec -e LDAPTLS_CACERT=/ds_signing.crt primary ldapsearch -H ldaps://primary.example.com:636 -x -b "" -s base \* +
- name: Install CA in primary container
run: docker exec primary pkispawn -f /usr/share/pki/server/examples/installation/ca-secure-ds-primary.cfg -s CA -v
- name: Run PKI healthcheck in primary container
run: docker exec primary pki-healthcheck --failures-only
- name: Verify DS connection in primary container
run: |
docker exec primary pki-server ca-db-config-show > output
cat output
echo "primary.example.com" > expected
sed -n 's/^\s\+Hostname:\s\+\(\S\+\)$/\1/p' output > actual
diff expected actual
echo "636" > expected
sed -n 's/^\s\+Port:\s\+\(\S\+\)$/\1/p' output > actual
diff expected actual
echo "true" > expected
sed -n 's/^\s\+Secure:\s\+\(\S\+\)$/\1/p' output > actual
diff expected actual
- name: Verify CA admin in primary container
run: |
docker exec primary pki-server cert-export ca_signing --cert-file ca_signing.crt
docker exec primary pki client-cert-import ca_signing --ca-cert ca_signing.crt
docker exec primary pki client-cert-import \
--pkcs12 /root/.dogtag/pki-tomcat/ca_admin_cert.p12 \
--pkcs12-password-file /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf
docker exec primary pki -n caadmin ca-user-show caadmin
- name: Run secondary container
run: |
IMAGE=pki-runner \
NAME=secondary \
HOSTNAME=secondary.example.com \
tests/bin/runner-init.sh
- name: Connect secondary container to network
run: docker network connect example secondary --alias secondary.example.com
- name: Install dependencies in secondary container
run: docker exec secondary dnf install -y 389-ds-base
- name: Install DS in secondary container
run: docker exec secondary ${PKIDIR}/tests/bin/ds-create.sh
- name: Import DS signing cert into secondary container
run: |
docker exec primary pki \
-d /etc/dirsrv/slapd-localhost \
-C /etc/dirsrv/slapd-localhost/pwdfile.txt \
pkcs12-export \
--pkcs12-file ${PKIDIR}/ds_signing.p12 \
--pkcs12-password Secret.123 \
Self-Signed-CA
docker exec secondary pki \
-d /etc/dirsrv/slapd-localhost \
-C /etc/dirsrv/slapd-localhost/pwdfile.txt \
pkcs12-import \
--pkcs12-file ${PKIDIR}/ds_signing.p12 \
--pkcs12-password Secret.123
docker exec secondary certutil -L -d /etc/dirsrv/slapd-localhost
- name: Create DS server cert in secondary container
run: |
docker exec secondary pki \
-d /etc/dirsrv/slapd-localhost \
-C /etc/dirsrv/slapd-localhost/pwdfile.txt \
nss-cert-request \
--subject "CN=secondary.example.com" \
--ext /usr/share/pki/server/certs/sslserver.conf \
--csr ds_server.csr
docker exec secondary pki \
-d /etc/dirsrv/slapd-localhost \
-C /etc/dirsrv/slapd-localhost/pwdfile.txt \
nss-cert-issue \
--issuer Self-Signed-CA \
--csr ds_server.csr \
--ext /usr/share/pki/server/certs/sslserver.conf \
--cert ds_server.crt
docker exec secondary pki \
-d /etc/dirsrv/slapd-localhost \
-C /etc/dirsrv/slapd-localhost/pwdfile.txt \
nss-cert-import \
--cert ds_server.crt \
Server-Cert
docker exec secondary certutil -L -d /etc/dirsrv/slapd-localhost
- name: Enable DS security in secondary container
run: |
docker exec secondary dsconf localhost config replace nsslapd-security=on
docker exec secondary dsctl localhost restart
docker exec secondary sleep 10
docker exec secondary bash -c "certutil -L -d /etc/dirsrv/slapd-localhost -n Self-Signed-CA -a > ds_signing.crt"
docker exec -e LDAPTLS_CACERT=/ds_signing.crt secondary ldapsearch -d 65535 -H ldaps://secondary.example.com:636 -x -b "" -s base \* +
- name: Install CA in secondary container
run: |
docker exec primary pki-server cert-export ca_signing --cert-file ${PKIDIR}/ca_signing.crt
docker exec primary pki-server ca-clone-prepare --pkcs12-file ${PKIDIR}/ca-certs.p12 --pkcs12-password Secret.123
docker exec secondary cp ${PKIDIR}/ca_signing.crt .
docker exec secondary cp ${PKIDIR}/ca-certs.p12 .
docker exec secondary pkispawn -f /usr/share/pki/server/examples/installation/ca-secure-ds-secondary.cfg -s CA -v
- name: Run PKI healthcheck in secondary container
run: docker exec secondary pki-healthcheck --failures-only
- name: Verify DS connection in secondary container
run: |
docker exec secondary pki-server ca-db-config-show > output
cat output
echo "secondary.example.com" > expected
sed -n 's/^\s\+Hostname:\s\+\(\S\+\)$/\1/p' output > actual
diff expected actual
echo "636" > expected
sed -n 's/^\s\+Port:\s\+\(\S\+\)$/\1/p' output > actual
diff expected actual
echo "true" > expected
sed -n 's/^\s\+Secure:\s\+\(\S\+\)$/\1/p' output > actual
diff expected actual
- name: Verify CA admin in secondary container
run: |
docker exec primary cp /root/.dogtag/pki-tomcat/ca_admin_cert.p12 ${PKIDIR}/ca_admin_cert.p12
docker exec primary cp /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf ${PKIDIR}/pkcs12_password.conf
docker exec secondary pki-server cert-export ca_signing --cert-file ca_signing.crt
docker exec secondary pki client-cert-import ca_signing --ca-cert ca_signing.crt
docker exec secondary pki client-cert-import \
--pkcs12 ${PKIDIR}/ca_admin_cert.p12 \
--pkcs12-password-file ${PKIDIR}/pkcs12_password.conf
docker exec secondary pki -n caadmin ca-user-show caadmin
- name: Remove CA from secondary PKI container
run: |
docker exec secondary pkidestroy -i pki-tomcat -s CA -v
- name: Re-install CA in secondary PKI container
run: |
docker exec secondary pkispawn \
-f /usr/share/pki/server/examples/installation/ca-secure-ds-secondary.cfg \
-s CA \
-v
- name: Gather artifacts from primary container
if: always()
run: |
tests/bin/ds-artifacts-save.sh primary
tests/bin/pki-artifacts-save.sh primary
- name: Gather CA artifacts from secondary container
if: always()
run: |
tests/bin/ds-artifacts-save.sh secondary
tests/bin/pki-artifacts-save.sh secondary
- name: Remove CA from secondary container
run: docker exec secondary pkidestroy -i pki-tomcat -s CA -v
- name: Remove DS from secondary container
run: docker exec secondary ${PKIDIR}/tests/bin/ds-remove.sh
- name: Remove CA from primary container
run: docker exec primary pkidestroy -i pki-tomcat -s CA -v
- name: Remove DS from primary container
run: docker exec primary ${PKIDIR}/tests/bin/ds-remove.sh
- name: Upload artifacts from primary container
if: always()
uses: actions/upload-artifact@v3
with:
name: ca-secure-ds-primary
path: |
/tmp/artifacts/primary
- name: Upload artifacts from secondary container
if: always()
uses: actions/upload-artifact@v3
with:
name: ca-secure-ds-secondary
path: |
/tmp/artifacts/secondary
subca-clone-test:
name: Sub-CA clone
needs: [init, build]
uses: ./.github/workflows/subca-clone-test.yml
scep-test:
name: Testing SCEP responder
needs: [init, build]
runs-on: ubuntu-latest
env:
PKIDIR: /tmp/workdir/pki
steps:
- name: Clone repository
uses: actions/checkout@v3
- name: Retrieve pki-runner image
uses: actions/cache@v3
with:
key: pki-runner-${{ github.sha }}
path: pki-runner.tar
- name: Load runner image
run: docker load --input pki-runner.tar
- name: Create network
run: docker network create example
- name: Run PKI container
run: |
IMAGE=pki-runner \
NAME=pki \
HOSTNAME=pki.example.com \
tests/bin/runner-init.sh
- name: Connect PKI container to network
run: docker network connect example pki --alias pki.example.com
- name: Install dependencies in PKI container
run: docker exec pki dnf install -y 389-ds-base
- name: Install DS in PKI container
run: docker exec pki ${PKIDIR}/tests/bin/ds-create.sh
- name: Install CA in PKI container
run: docker exec pki pkispawn -f /usr/share/pki/server/examples/installation/ca.cfg -s CA -v
- name: Set up client container
run: |
docker run \
--name client \
--hostname client.example.com \
--network example \
--network-alias client.example.com \
-it \
--detach \
quay.io/dogtagpki/sscep
- name: Get client's IP address
run: |
docker inspect -f '{{ .NetworkSettings.Networks.example.IPAddress }}' client > client.ip
echo "Client's IP: `cat client.ip`"
# https://github.com/dogtagpki/pki/wiki/Configuring-SCEP-Responder
- name: Configure SCEP in CA
run: |
docker exec pki pki-server ca-config-set ca.scep.enable true
docker exec pki bash -c "echo UID:$(cat client.ip) > /etc/pki/pki-tomcat/ca/flatfile.txt"
docker exec pki bash -c "echo PWD:Secret.123 >> /etc/pki/pki-tomcat/ca/flatfile.txt"
docker exec pki pki-server restart --wait
# https://github.com/dogtagpki/pki/wiki/Certificate-Enrollment-with-SSCEP
- name: Get CA certificate using SSCEP
run: |
docker exec client sscep getca \
-u http://pki.example.com:8080/ca/cgi-bin/pkiclient.exe \
-c ca.crt
docker exec client openssl x509 -text -noout -in ca.crt
- name: Enroll certificate with IP address using SSCEP
run: |
docker exec client mkrequest -ip $(cat client.ip) Secret.123
docker exec client openssl req -text -noout -in local.csr
docker exec client sscep enroll \
-u http://pki.example.com:8080/ca/cgi-bin/pkiclient.exe \
-c ca.crt \
-k local.key \
-r local.csr \
-l local.crt \
-E 3des \
-S sha256
docker exec client openssl x509 -text -noout -in local.crt
- name: Gather artifacts from PKI container
if: always()
run: |
tests/bin/ds-artifacts-save.sh pki
tests/bin/pki-artifacts-save.sh pki
- name: Remove CA from PKI container
run: docker exec pki pkidestroy -i pki-tomcat -s CA -v
- name: Remove DS from PKI container
run: docker exec pki ${PKIDIR}/tests/bin/ds-remove.sh
- name: Upload artifacts
if: always()
uses: actions/upload-artifact@v3
with:
name: scep
path: |
/tmp/artifacts/pki