diff --git a/.github/workflows/ca-container-test.yml b/.github/workflows/ca-container-test.yml index cece910e94c..fc0ac934907 100644 --- a/.github/workflows/ca-container-test.yml +++ b/.github/workflows/ca-container-test.yml 
@@ -395,6 +395,78 @@ jobs: echo "0" > expected diff expected nsTaskExitCode + - name: Import CA signing cert into CA database + run: | + docker exec ca pki-server ca-cert-request-import \ + --csr /certs/ca_signing.csr \ + --profile /usr/share/pki/ca/conf/caCert.profile | tee output + REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output) + + docker exec ca pki-server ca-cert-import \ + --cert /certs/ca_signing.crt \ + --profile /usr/share/pki/ca/conf/caCert.profile \ + --request $REQUEST_ID + + - name: Import CA OCSP signing cert into CA database + run: | + docker exec ca pki-server ca-cert-request-import \ + --csr /certs/ocsp_signing.csr \ + --profile /usr/share/pki/ca/conf/caOCSPCert.profile | tee output + REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output) + + docker exec ca pki-server ca-cert-import \ + --cert /certs/ocsp_signing.crt \ + --profile /usr/share/pki/ca/conf/caOCSPCert.profile \ + --request $REQUEST_ID + + - name: Import CA audit signing cert into CA database + run: | + docker exec ca pki-server ca-cert-request-import \ + --csr /certs/audit_signing.csr \ + --profile /usr/share/pki/ca/conf/caAuditSigningCert.profile | tee output + REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output) + + docker exec ca pki-server ca-cert-import \ + --cert /certs/audit_signing.crt \ + --profile /usr/share/pki/ca/conf/caAuditSigningCert.profile \ + --request $REQUEST_ID + + - name: Import subsystem cert into CA database + run: | + docker exec ca pki-server ca-cert-request-import \ + --csr /certs/subsystem.csr \ + --profile /usr/share/pki/ca/conf/rsaSubsystemCert.profile | tee output + REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output) + + docker exec ca pki-server ca-cert-import \ + --cert /certs/subsystem.crt \ + --profile /usr/share/pki/ca/conf/rsaSubsystemCert.profile \ + --request $REQUEST_ID + + - name: Import SSL server cert into CA database + run: | + docker exec ca pki-server ca-cert-request-import \ + --csr /certs/sslserver.csr \ + --profile 
/usr/share/pki/ca/conf/rsaServerCert.profile | tee output + REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output) + + docker exec ca pki-server ca-cert-import \ + --cert /certs/sslserver.crt \ + --profile /usr/share/pki/ca/conf/rsaServerCert.profile \ + --request $REQUEST_ID + + - name: Import admin cert into CA database + run: | + docker exec ca pki-server ca-cert-request-import \ + --csr /certs/admin.csr \ + --profile /usr/share/pki/ca/conf/rsaAdminCert.profile | tee output + REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output) + + docker exec ca pki-server ca-cert-import \ + --cert /certs/admin.crt \ + --profile /usr/share/pki/ca/conf/rsaAdminCert.profile \ + --request $REQUEST_ID + # https://github.com/dogtagpki/pki/wiki/Setting-up-CA-Admin-User - name: Add admin user run: | @@ -659,10 +731,10 @@ jobs: run: | docker exec ca bash -c "cat /var/log/pki/pki-tomcat/ca/debug.*" - - name: Gather artifacts from CA container + - name: Gather artifacts if: always() run: | - tests/bin/ds-artifacts-save.sh --output=/tmp/artifacts/ca ds + tests/bin/ds-artifacts-save.sh ds docker exec ca ls -la /etc/pki mkdir -p /tmp/artifacts/ca/etc/pki @@ -674,24 +746,13 @@ jobs: docker cp ca:/var/log/pki /tmp/artifacts/ca/var/log docker logs ca > /tmp/artifacts/ca/container.out 2> /tmp/artifacts/ca/container.err - continue-on-error: true - - name: Gather artifacts from client container - if: always() - run: | mkdir -p /tmp/artifacts/client docker logs client > /tmp/artifacts/client/container.out 2> /tmp/artifacts/client/container.err - - name: Upload artifacts from CA container - if: always() - uses: actions/upload-artifact@v3 - with: - name: ca-container-ca - path: /tmp/artifacts/ca - - - name: Upload artifacts from client container + - name: Upload artifacts if: always() uses: actions/upload-artifact@v3 with: - name: ca-container-client - path: /tmp/artifacts/client + name: ca-container + path: /tmp/artifacts 
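Review bot: In each of the six new import steps a failure of `pki-server ca-cert-request-import` is hidden by the `| tee output` pipeline unless the job runs with `pipefail` (GitHub's default `bash -e {0}` does not set it; an explicit `shell: bash` does), so the step carries on with an empty `REQUEST_ID` and the following `ca-cert-import` gets an unquoted, empty `--request $REQUEST_ID` and fails with a less useful error. Fail fast on the extraction and quote the variable: `REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output)`, `[ -n "$REQUEST_ID" ] || { echo "no request ID in output"; exit 1; }`, `--request "$REQUEST_ID"`. The same tee/sed/import sequence is repeated verbatim six times here and six more times in the ca-existing-ds-test.yml hunk at @@ -188,6 +196,78 @@; a loop over (csr, crt, profile) triples or a small helper script would keep the two workflows from drifting apart. Whether the workflow declares `shell: bash` is not visible in this diff.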
diff --git a/.github/workflows/ca-existing-ds-test.yml b/.github/workflows/ca-existing-ds-test.yml index 1dabf31fed3..9c277915d4d 100644 --- a/.github/workflows/ca-existing-ds-test.yml +++ b/.github/workflows/ca-existing-ds-test.yml @@ -160,9 +160,17 @@ jobs: --maxConns 15 \ --minConns 3 - # configure user/group subsystem to use DS + # configure CA user/group subsystem docker exec pki pki-server ca-config-set usrgrp.ldap internaldb + # configure CA database subsystem + docker exec pki pki-server ca-config-set dbs.ldap internaldb + docker exec pki pki-server ca-config-set dbs.newSchemaEntryAdded true + docker exec pki pki-server ca-config-set dbs.requestDN ou=ca,ou=requests + docker exec pki pki-server ca-config-set dbs.request.id.generator random + docker exec pki pki-server ca-config-set dbs.serialDN ou=certificateRepository,ou=ca + docker exec pki pki-server ca-config-set dbs.cert.id.generator random + - name: Check connection to CA database run: | docker exec pki pki-server ca-db-info 
@@ -188,6 +196,78 @@ jobs: run: | docker exec pki pki-server ca-db-vlv-reindex -v + - name: Import CA signing cert into CA database + run: | + docker exec pki pki-server ca-cert-request-import \ + --csr /etc/pki/pki-tomcat/certs/ca_signing.csr \ + --profile /usr/share/pki/ca/conf/caCert.profile | tee output + REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output) + + docker exec pki pki-server ca-cert-import \ + --cert /etc/pki/pki-tomcat/certs/ca_signing.crt \ + --profile /usr/share/pki/ca/conf/caCert.profile \ + --request $REQUEST_ID + + - name: Import CA OCSP signing cert into CA database + run: | + docker exec pki pki-server ca-cert-request-import \ + --csr /etc/pki/pki-tomcat/certs/ca_ocsp_signing.csr \ + --profile /usr/share/pki/ca/conf/caOCSPCert.profile | tee output + REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output) + + docker exec pki pki-server ca-cert-import \ + --cert /etc/pki/pki-tomcat/certs/ca_ocsp_signing.crt \ + --profile /usr/share/pki/ca/conf/caOCSPCert.profile \ + --request $REQUEST_ID + + - name: Import CA audit signing cert into CA database + run: | + docker exec pki pki-server ca-cert-request-import \ + --csr /etc/pki/pki-tomcat/certs/ca_audit_signing.csr \ + --profile /usr/share/pki/ca/conf/caAuditSigningCert.profile | tee output + REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output) + + docker exec pki pki-server ca-cert-import \ + --cert /etc/pki/pki-tomcat/certs/ca_audit_signing.crt \ + --profile /usr/share/pki/ca/conf/caAuditSigningCert.profile \ + --request $REQUEST_ID + + - name: Import subsystem cert into CA database + run: | + docker exec pki pki-server ca-cert-request-import \ + --csr /etc/pki/pki-tomcat/certs/subsystem.csr \ + --profile /usr/share/pki/ca/conf/rsaSubsystemCert.profile | tee output + REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output) + + docker exec pki pki-server ca-cert-import \ + --cert /etc/pki/pki-tomcat/certs/subsystem.crt \ + --profile /usr/share/pki/ca/conf/rsaSubsystemCert.profile \ + 
--request $REQUEST_ID + + - name: Import SSL server cert into CA database + run: | + docker exec pki pki-server ca-cert-request-import \ + --csr /etc/pki/pki-tomcat/certs/sslserver.csr \ + --profile /usr/share/pki/ca/conf/rsaServerCert.profile | tee output + REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output) + + docker exec pki pki-server ca-cert-import \ + --cert /etc/pki/pki-tomcat/certs/sslserver.crt \ + --profile /usr/share/pki/ca/conf/rsaServerCert.profile \ + --request $REQUEST_ID + + - name: Import admin cert into CA database + run: | + docker exec pki pki-server ca-cert-request-import \ + --csr admin.csr \ + --profile /usr/share/pki/ca/conf/rsaAdminCert.profile | tee output + REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output) + + docker exec pki pki-server ca-cert-import \ + --cert admin.crt \ + --profile /usr/share/pki/ca/conf/rsaAdminCert.profile \ + --request $REQUEST_ID + # https://github.com/dogtagpki/pki/wiki/Setting-up-CA-Database-User - name: Add database user run: | @@ -365,6 +445,4 @@ jobs: uses: actions/upload-artifact@v3 with: name: ca-existing-ds - path: | - /tmp/artifacts/ds - /tmp/artifacts/pki + path: /tmp/artifacts diff --git a/base/ca/bin/pki-ca-run b/base/ca/bin/pki-ca-run index f876afc3b76..1dedbdeeb2a 100755 --- a/base/ca/bin/pki-ca-run +++ b/base/ca/bin/pki-ca-run @@ -33,8 +33,9 @@ echo "########################################################################## rc=0 pki \ -d /etc/pki/pki-tomcat/alias \ - nss-cert-show \ - ca_signing > /dev/null 2>&1 || rc=$? + nss-cert-export \ + --output-file /certs/ca_signing.crt \ + ca_signing || rc=$? if [ $rc -ne 0 ] then @@ -76,8 +77,9 @@ echo "########################################################################## rc=0 pki \ -d /etc/pki/pki-tomcat/alias \ - nss-cert-show \ - ocsp_signing > /dev/null 2>&1 || rc=$? + nss-cert-export \ + --output-file /certs/ocsp_signing.crt \ + ocsp_signing || rc=$? if [ $rc -ne 0 ] then 
@@ -117,8 +119,9 @@ echo "########################################################################## rc=0 pki \ -d /etc/pki/pki-tomcat/alias \ - nss-cert-show \ - audit_signing > /dev/null 2>&1 || rc=$? + nss-cert-export \ + --output-file /certs/audit_signing.crt \ + audit_signing || rc=$? if [ $rc -ne 0 ] then @@ -159,8 +162,9 @@ echo "########################################################################## rc=0 pki \ -d /etc/pki/pki-tomcat/alias \ - nss-cert-show \ - subsystem > /dev/null 2>&1 || rc=$? + nss-cert-export \ + --output-file /certs/subsystem.crt \ + subsystem || rc=$? if [ $rc -ne 0 ] then @@ -200,7 +204,8 @@ rc=0 pki \ -d /etc/pki/pki-tomcat/alias \ nss-cert-show \ - sslserver > /dev/null 2>&1 || rc=$? + --output-file /certs/sslserver.crt \ + sslserver || rc=$? if [ $rc -ne 0 ] then @@ -238,7 +243,9 @@ echo "########################################################################## # check if admin cert exists rc=0 -pki nss-cert-show admin > /dev/null 2>&1 || rc=$? +pki nss-cert-export \ + --output-file /certs/admin.crt \ + admin || rc=$? if [ $rc -ne 0 ] then diff --git a/base/server/python/pki/server/deployment/__init__.py b/base/server/python/pki/server/deployment/__init__.py index 52e3899860d..c5d905e07e1 100644 --- a/base/server/python/pki/server/deployment/__init__.py +++ b/base/server/python/pki/server/deployment/__init__.py @@ -3289,7 +3289,8 @@ def setup_system_cert(self, nssdb, subsystem, tag, system_cert, request): # might conflict with system certificates to be created later. # Also create the certificate request record for renewals. - if config.str2bool(self.mdict['pki_import_system_certs']): + if config.str2bool(self.mdict['pki_import_system_certs']) and \ + config.str2bool(self.mdict['pki_ds_setup']): self.import_cert_request(subsystem, tag, request) self.import_cert(subsystem, tag, request, system_cert['data']) 
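Review bot: The sslserver block (@@ -200,7 +204,8 @@) keeps `nss-cert-show \` as an unchanged context line and only adds `--output-file /certs/sslserver.crt`, while the other five blocks in this file switch the command to `nss-cert-export`. If `nss-cert-show` does not accept `--output-file` (in the rest of this diff it is an `nss-cert-export` option), the command exits non-zero, `rc` is set, and the script takes the "cert missing" branch on every start even though the cert is present. Change the context line to `nss-cert-export \` so the block matches the others, and consider verifying that `/certs/sslserver.crt` exists afterwards. The `if [ $rc -ne 0 ]` handling that consumes `rc` continues outside the hunk.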
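Review bot: The guard `config.str2bool(self.mdict['pki_ds_setup'])` is now evaluated in five separate places across setup_system_cert and create_admin_cert (this hunk and the three at @@ -3382, @@ -3402 and @@ -3759); resolving it once per method, `ds_setup = config.str2bool(self.mdict['pki_ds_setup'])`, and testing `if ds_setup:` keeps the branches in step and also avoids the backslash-continued `and \` condition here, which PEP 8 prefers to wrap in parentheses. The comment above this hunk still says the request record is created "for renewals", but the import is now skipped entirely when DS setup is off; extend it with `# Skipped when pki_ds_setup is false: the request and cert records must then be imported afterwards with pki-server ca-cert-request-import / ca-cert-import (as the CI workflows do), or renewals will not find them.` Whether the CA's own status and revocation handling for these certs also depends on the records being present is worth confirming and, if so, mentioning in the same comment. setup_system_cert begins before this hunk.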
@@ -3382,8 +3383,9 @@ def setup_system_cert(self, nssdb, subsystem, tag, system_cert, request): # selfsign or local - # import request into CA database and get a request ID - self.import_cert_request(subsystem, tag, request) + if config.str2bool(self.mdict['pki_ds_setup']): + # import request into CA database and get a request ID + self.import_cert_request(subsystem, tag, request) if cert_info: logger.info('Reusing %s cert in NSS database', tag) @@ -3402,8 +3404,9 @@ def setup_system_cert(self, nssdb, subsystem, tag, system_cert, request): cert_format='base64', token=request.systemCert.token) - # import cert into CA database - self.import_cert(subsystem, tag, request, system_cert['data']) + if config.str2bool(self.mdict['pki_ds_setup']): + # import cert into CA database + self.import_cert(subsystem, tag, request, system_cert['data']) def setup_system_certs(self, nssdb, subsystem): @@ -3759,10 +3762,13 @@ def create_admin_cert(self, subsystem, csr): request.systemCert.keyAlgorithm = self.get_signing_algorithm(subsystem, profile) logger.info('Signing algorithm: %s', request.systemCert.keyAlgorithm) - self.import_cert_request(subsystem, 'admin', request) + if config.str2bool(self.mdict['pki_ds_setup']): + self.import_cert_request(subsystem, 'admin', request) cert_data = self.create_cert(subsystem, 'admin', request) - self.import_cert(subsystem, 'admin', request, cert_data) + + if config.str2bool(self.mdict['pki_ds_setup']): + self.import_cert(subsystem, 'admin', request, cert_data) cert_pem = pki.nssdb.convert_cert(cert_data, 'base64', 'pem') cert_obj = x509.load_pem_x509_certificate(cert_pem.encode(), backend=default_backend())