From 22e674e7c17cdd861805200cac5be740f9374060 Mon Sep 17 00:00:00 2001 From: "Endi S. Dewata" Date: Mon, 30 Sep 2024 18:24:41 -0500 Subject: [PATCH] Update CA renewal tests to use pki ca-cert-issue --- .../ca-renewal-system-certs-hsm-test.yml | 109 ++++++------------ .../ca-renewal-system-certs-test.yml | 109 ++++++------------ 2 files changed, 68 insertions(+), 150 deletions(-) diff --git a/.github/workflows/ca-renewal-system-certs-hsm-test.yml b/.github/workflows/ca-renewal-system-certs-hsm-test.yml index d113babe985..3acb74dacdd 100644 --- a/.github/workflows/ca-renewal-system-certs-hsm-test.yml +++ b/.github/workflows/ca-renewal-system-certs-hsm-test.yml @@ -185,8 +185,12 @@ jobs: --pkcs12-password Secret.123 docker exec pki pki nss-cert-show caadmin + # check CA admin cert docker exec pki pki -n caadmin ca-user-show caadmin + # check CA admin password + docker exec pki pki -u caadmin -w Secret.123 ca-user-show caadmin + - name: Restart PKI server with expired certs run: | # wait for SSL server cert to expire @@ -263,24 +267,15 @@ jobs: docker exec pki pki-server cert-show sslserver | tee output CERT_ID=$(sed -n "s/^\s*Serial Number:\s*\(\S*\)$/\1/p" output) - # submit renewal request - docker exec pki pki ca-cert-request-submit \ - --profile caManualRenewal \ - --serial $CERT_ID \ - --renewal | tee output - REQUEST_ID=$(sed -n "s/^\s*Request ID:\s*\(\S*\)$/\1/p" output) - - # approve renewal request + # renew cert docker exec pki pki \ -u caadmin \ -w Secret.123 \ - ca-cert-request-approve \ - $REQUEST_ID \ - --force | tee output - CERT_ID=$(sed -n "s/^\s*Certificate ID:\s*\(\S*\)$/\1/p" output) - - # export new cert - docker exec pki pki ca-cert-export $CERT_ID --output-file sslserver.crt + ca-cert-issue \ + --profile caManualRenewal \ + --serial $CERT_ID \ + --renewal \ + --output-file sslserver.crt # delete current cert docker exec pki pki-server cert-del sslserver 
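Review bot: The added `# check CA admin password` comment in the `@@ -185,8 +185,12 @@` hunk does not say why password authentication is exercised right after the client-cert check (`-n caadmin`) that was already there, and that reason is the security-relevant part of the test. Every renewal hunk later in this diff authenticates with `-u caadmin -w Secret.123` rather than `-n caadmin`, presumably because the caadmin certificate has expired by then and can no longer be presented as a client cert; if that is the intent, say so: `# check CA admin password (password auth is what the renewal steps rely on once the admin cert has expired)`. Note also that `-w` places the password in the process arguments; for a throwaway CI fixture that is acceptable, but a password-file option, if the pki CLI offers one, would avoid it. The `run:` block continues outside the hunk.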
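Review bot: `--serial $CERT_ID \` in the new `ca-cert-issue` call of the sslserver hunk is unquoted and `CERT_ID` is never checked; it comes from a `sed -n` over `cert-show` output, so if the `Serial Number:` line is absent or formatted differently the variable is empty and the command is run as `--serial --renewal`, which, depending on how the option parser handles a missing value, either fails with a confusing error or treats `--renewal` as the serial. Add `[ -n "$CERT_ID" ]` after the `CERT_ID=$(...)` assignment and write the argument as `--serial "$CERT_ID" \`. The removed submit/approve path had the same gap, but the single-step call makes a misfire here harder to notice in CI logs. The step's `run:` block continues outside the hunk.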
@@ -297,24 +292,15 @@ jobs: docker exec pki pki-server cert-show subsystem | tee output CERT_ID=$(sed -n "s/^\s*Serial Number:\s*\(\S*\)$/\1/p" output) - # submit renewal request - docker exec pki pki ca-cert-request-submit \ - --profile caManualRenewal \ - --serial $CERT_ID \ - --renewal | tee output - REQUEST_ID=$(sed -n "s/^\s*Request ID:\s*\(\S*\)$/\1/p" output) - - # approve renewal request + # renew cert docker exec pki pki \ -u caadmin \ -w Secret.123 \ - ca-cert-request-approve \ - $REQUEST_ID \ - --force | tee output - CERT_ID=$(sed -n "s/^\s*Certificate ID:\s*\(\S*\)$/\1/p" output) - - # export new cert - docker exec pki pki ca-cert-export $CERT_ID --output-file subsystem.crt + ca-cert-issue \ + --profile caManualRenewal \ + --serial $CERT_ID \ + --renewal \ + --output-file subsystem.crt # delete current cert docker exec pki pki-server cert-del subsystem @@ -348,24 +334,15 @@ jobs: docker exec pki pki-server cert-show ca_audit_signing | tee output CERT_ID=$(sed -n "s/^\s*Serial Number:\s*\(\S*\)$/\1/p" output) - # submit renewal request - docker exec pki pki ca-cert-request-submit \ - --profile caManualRenewal \ - --serial $CERT_ID \ - --renewal | tee output - REQUEST_ID=$(sed -n "s/^\s*Request ID:\s*\(\S*\)$/\1/p" output) - - # approve renewal request + # renew cert docker exec pki pki \ -u caadmin \ -w Secret.123 \ - ca-cert-request-approve \ - $REQUEST_ID \ - --force | tee output - CERT_ID=$(sed -n "s/^\s*Certificate ID:\s*\(\S*\)$/\1/p" output) - - # export new cert - docker exec pki pki ca-cert-export $CERT_ID --output-file ca_audit_signing.crt + ca-cert-issue \ + --profile caManualRenewal \ + --serial $CERT_ID \ + --renewal \ + --output-file ca_audit_signing.crt # delete current cert docker exec pki pki-server cert-del ca_audit_signing 
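Review bot: With the old path the subsystem hunk captured the newly issued serial (`CERT_ID=$(sed -n "s/^\s*Certificate ID:..." output)` from the approve output); the new `ca-cert-issue ... --output-file subsystem.crt` call drops that, so nothing in the hunk confirms the renewal actually produced a different certificate rather than re-exporting the expired one. Unless a later step outside the hunk does it, add a check on the written file, e.g. `docker exec pki openssl x509 -in subsystem.crt -noout -serial -enddate` and assert the serial differs from `$CERT_ID` and the end date is in the future. The same applies to the ca_audit_signing hunk on this line and to the other renewal hunks in both workflows. The `run:` block continues outside the hunk.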
@@ -382,24 +359,15 @@ jobs: docker exec pki pki-server cert-show ca_ocsp_signing | tee output CERT_ID=$(sed -n "s/^\s*Serial Number:\s*\(\S*\)$/\1/p" output) - # submit renewal request - docker exec pki pki ca-cert-request-submit \ - --profile caManualRenewal \ - --serial $CERT_ID \ - --renewal | tee output - REQUEST_ID=$(sed -n "s/^\s*Request ID:\s*\(\S*\)$/\1/p" output) - - # approve renewal request + # renew cert docker exec pki pki \ -u caadmin \ -w Secret.123 \ - ca-cert-request-approve \ - $REQUEST_ID \ - --force | tee output - CERT_ID=$(sed -n "s/^\s*Certificate ID:\s*\(\S*\)$/\1/p" output) - - # export new cert - docker exec pki pki ca-cert-export $CERT_ID --output-file ca_ocsp_signing.crt + ca-cert-issue \ + --profile caManualRenewal \ + --serial $CERT_ID \ + --renewal \ + --output-file ca_ocsp_signing.crt # delete current cert docker exec pki pki-server cert-del ca_ocsp_signing @@ -416,24 +384,15 @@ jobs: docker exec pki pki nss-cert-show caadmin | tee output CERT_ID=$(sed -n "s/^\s*Serial Number:\s*\(\S*\)$/\1/p" output) - # submit renewal request - docker exec pki pki ca-cert-request-submit \ - --profile caManualRenewal \ - --serial $CERT_ID \ - --renewal | tee output - REQUEST_ID=$(sed -n "s/^\s*Request ID:\s*\(\S*\)$/\1/p" output) - - # approve renewal request + # renew cert docker exec pki pki \ -u caadmin \ -w Secret.123 \ - ca-cert-request-approve \ - $REQUEST_ID \ - --force | tee output - CERT_ID=$(sed -n "s/^\s*Certificate ID:\s*\(\S*\)$/\1/p" output) - - # export new cert - docker exec pki pki ca-cert-export $CERT_ID --output-file caadmin.crt + ca-cert-issue \ + --profile caManualRenewal \ + --serial $CERT_ID \ + --renewal \ + --output-file caadmin.crt # delete current cert docker exec pki pki nss-cert-del caadmin diff --git a/.github/workflows/ca-renewal-system-certs-test.yml b/.github/workflows/ca-renewal-system-certs-test.yml index 5c1ed4b756b..a6cc2f91f75 100644 --- a/.github/workflows/ca-renewal-system-certs-test.yml 
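Review bot: In the caadmin hunk the renewal is authorized by the same account whose certificate is being renewed, using password auth (`-u caadmin -w Secret.123`) while the serial comes from the local NSS database (`nss-cert-show caadmin`) rather than from `pki-server cert-show`; the `# renew cert` comment does not explain either difference. A comment such as `# renew the admin cert itself; password auth is used because the expired admin cert cannot be presented as a client cert` would make the intent explicit, assuming that is why the cert-based `-n caadmin` is not used here. Since the old cert is deleted right after (`nss-cert-del caadmin`), it is worth stating in a comment that the renewed cert is expected to pair with the key already in the NSS database, so a reader knows what a failure on the subsequent import would mean. The `run:` block continues outside the hunk.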
+++ b/.github/workflows/ca-renewal-system-certs-test.yml @@ -148,8 +148,12 @@ jobs: --pkcs12-password Secret.123 docker exec pki pki nss-cert-show caadmin + # check CA admin cert docker exec pki pki -n caadmin ca-user-show caadmin + # check CA admin password + docker exec pki pki -u caadmin -w Secret.123 ca-user-show caadmin + - name: Restart PKI server with expired certs run: | # wait for SSL server cert to expire @@ -226,24 +230,15 @@ jobs: docker exec pki pki-server cert-show sslserver | tee output CERT_ID=$(sed -n "s/^\s*Serial Number:\s*\(\S*\)$/\1/p" output) - # submit renewal request - docker exec pki pki ca-cert-request-submit \ - --profile caManualRenewal \ - --serial $CERT_ID \ - --renewal | tee output - REQUEST_ID=$(sed -n "s/^\s*Request ID:\s*\(\S*\)$/\1/p" output) - - # approve renewal request + # renew cert docker exec pki pki \ -u caadmin \ -w Secret.123 \ - ca-cert-request-approve \ - $REQUEST_ID \ - --force | tee output - CERT_ID=$(sed -n "s/^\s*Certificate ID:\s*\(\S*\)$/\1/p" output) - - # export new cert - docker exec pki pki ca-cert-export $CERT_ID --output-file sslserver.crt + ca-cert-issue \ + --profile caManualRenewal \ + --serial $CERT_ID \ + --renewal \ + --output-file sslserver.crt # delete current cert docker exec pki pki-server cert-del sslserver 
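Review bot: The sslserver hunk in this workflow is byte-for-byte the same renewal sequence as in the HSM workflow, and the same cert-show/sed/`ca-cert-issue` block is repeated for each of the five certificates in both files with only the nickname and output file changing. Extracting it into a small shell function defined once per `run:` block, e.g. `renew_system_cert <nickname>` wrapping `pki-server cert-show`, the serial extraction, a non-empty check on `CERT_ID`, and the `ca-cert-issue ... --output-file <nickname>.crt` call, would keep the two workflows from drifting apart the next time the CLI changes (the caadmin step, which reads the serial via `nss-cert-show`, would stay separate). This is a style point; the commands themselves look consistent with the HSM file. The `run:` block continues outside the hunk.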
@@ -260,24 +255,15 @@ jobs: docker exec pki pki-server cert-show subsystem | tee output CERT_ID=$(sed -n "s/^\s*Serial Number:\s*\(\S*\)$/\1/p" output) - # submit renewal request - docker exec pki pki ca-cert-request-submit \ - --profile caManualRenewal \ - --serial $CERT_ID \ - --renewal | tee output - REQUEST_ID=$(sed -n "s/^\s*Request ID:\s*\(\S*\)$/\1/p" output) - - # approve renewal request + # renew cert docker exec pki pki \ -u caadmin \ -w Secret.123 \ - ca-cert-request-approve \ - $REQUEST_ID \ - --force | tee output - CERT_ID=$(sed -n "s/^\s*Certificate ID:\s*\(\S*\)$/\1/p" output) - - # export new cert - docker exec pki pki ca-cert-export $CERT_ID --output-file subsystem.crt + ca-cert-issue \ + --profile caManualRenewal \ + --serial $CERT_ID \ + --renewal \ + --output-file subsystem.crt # delete current cert docker exec pki pki-server cert-del subsystem @@ -311,24 +297,15 @@ jobs: docker exec pki pki-server cert-show ca_audit_signing | tee output CERT_ID=$(sed -n "s/^\s*Serial Number:\s*\(\S*\)$/\1/p" output) - # submit renewal request - docker exec pki pki ca-cert-request-submit \ - --profile caManualRenewal \ - --serial $CERT_ID \ - --renewal | tee output - REQUEST_ID=$(sed -n "s/^\s*Request ID:\s*\(\S*\)$/\1/p" output) - - # approve renewal request + # renew cert docker exec pki pki \ -u caadmin \ -w Secret.123 \ - ca-cert-request-approve \ - $REQUEST_ID \ - --force | tee output - CERT_ID=$(sed -n "s/^\s*Certificate ID:\s*\(\S*\)$/\1/p" output) - - # export new cert - docker exec pki pki ca-cert-export $CERT_ID --output-file ca_audit_signing.crt + ca-cert-issue \ + --profile caManualRenewal \ + --serial $CERT_ID \ + --renewal \ + --output-file ca_audit_signing.crt # delete current cert docker exec pki pki-server cert-del ca_audit_signing 
@@ -345,24 +322,15 @@ jobs: docker exec pki pki-server cert-show ca_ocsp_signing | tee output CERT_ID=$(sed -n "s/^\s*Serial Number:\s*\(\S*\)$/\1/p" output) - # submit renewal request - docker exec pki pki ca-cert-request-submit \ - --profile caManualRenewal \ - --serial $CERT_ID \ - --renewal | tee output - REQUEST_ID=$(sed -n "s/^\s*Request ID:\s*\(\S*\)$/\1/p" output) - - # approve renewal request + # renew cert docker exec pki pki \ -u caadmin \ -w Secret.123 \ - ca-cert-request-approve \ - $REQUEST_ID \ - --force | tee output - CERT_ID=$(sed -n "s/^\s*Certificate ID:\s*\(\S*\)$/\1/p" output) - - # export new cert - docker exec pki pki ca-cert-export $CERT_ID --output-file ca_ocsp_signing.crt + ca-cert-issue \ + --profile caManualRenewal \ + --serial $CERT_ID \ + --renewal \ + --output-file ca_ocsp_signing.crt # delete current cert docker exec pki pki-server cert-del ca_ocsp_signing @@ -379,24 +347,15 @@ jobs: docker exec pki pki nss-cert-show caadmin | tee output CERT_ID=$(sed -n "s/^\s*Serial Number:\s*\(\S*\)$/\1/p" output) - # submit renewal request - docker exec pki pki ca-cert-request-submit \ - --profile caManualRenewal \ - --serial $CERT_ID \ - --renewal | tee output - REQUEST_ID=$(sed -n "s/^\s*Request ID:\s*\(\S*\)$/\1/p" output) - - # approve renewal request + # renew cert docker exec pki pki \ -u caadmin \ -w Secret.123 \ - ca-cert-request-approve \ - $REQUEST_ID \ - --force | tee output - CERT_ID=$(sed -n "s/^\s*Certificate ID:\s*\(\S*\)$/\1/p" output) - - # export new cert - docker exec pki pki ca-cert-export $CERT_ID --output-file caadmin.crt + ca-cert-issue \ + --profile caManualRenewal \ + --serial $CERT_ID \ + --renewal \ + --output-file caadmin.crt # delete current cert docker exec pki pki nss-cert-del caadmin