Add est test for Postgresql realm

Adding a new test to verify the connection between the EST subsystem and a realm user database handled with Postgresql. Additionally, the realm test on separate instance has been modified to authenticate the EST subsystem into the CA using a certificate.
dogtagpki · Sep 25, 2024 · 25df286 · 25df286
1 parent 5f645bc
commit 25df286
Show file tree

Hide file tree

Showing 4 changed files with 485 additions and 3 deletions.
diff --git a/.github/workflows/est-ds-realm-separate-test.yml b/.github/workflows/est-ds-realm-separate-test.yml
@@ -83,14 +83,33 @@ jobs:
 
           docker exec ca pki nss-cert-import --cert estSSLServer.crt sslserver
 
-          docker exec ca pk12util -d /root/.dogtag/nssdb -o $SHARED/est_server.p12 -n sslserver -W Secret.123
+          docker exec ca pki pkcs12-cert-import sslserver --pkcs12-file $SHARED/est_server.p12 --pkcs12-password Secret.123
 
       - name: Add CA EST user
         run: |
           docker exec ca pki -n caadmin ca-group-add "EST RA Agents"
           docker exec ca pki -n caadmin ca-user-add \
               est-ra-1 --fullName "EST RA 1" --password Secret.est
           docker exec ca pki -n caadmin ca-group-member-add "EST RA Agents" est-ra-1
+
+      - name: Create CA EST user certificate end store top p12
+        run: |
+          docker exec ca pki nss-cert-request --csr estUser.csr \
+              --ext /usr/share/pki/server/certs/admin.conf --subject 'UID=estUser'
+
+          docker exec ca pki \
+              -n caadmin \
+              ca-cert-issue \
+              --csr-file estUser.csr \
+              --profile caUserCert \
+              --output-file estUser.crt
+
+          docker exec ca pki nss-cert-import --cert estUser.crt estUser
+          
+          CERT_ID=$(docker exec ca openssl x509 -in estUser.crt --noout --serial | sed -n "s/^serial=\(\S*\)$/0x\1/p")
+          docker exec ca pki -n caadmin ca-user-cert-add est-ra-1 --serial $CERT_ID
+
+          docker exec ca pki pkcs12-cert-import estUser --pkcs12-file $SHARED/est_server.p12 --pkcs12-password Secret.123 --append
           
       - name: Configure CA est profile
         run: |
@@ -159,10 +178,17 @@ jobs:
               -s EST \
               -D est_realm_url=ldap://estds.example.com:3389 \
               -D pki_ca_uri=https://ca.example.com:8443 \
-              -D pki_server_pkcs12_path=$SHARED/est_server.p12 \
+              -D est_ca_user_password= \
+              -D est_ca_user_certificate=estUser \
+              -D pki_server_pkcs11_path=$SHARED/est_server.p12 \
               -D pki_server_pkcs12_password=Secret.123 \
               -v
 
+      - name: Import EST CA user certificate
+        run: |
+          docker exec est pk12util -d /etc/pki/pki-tomcat/alias -i $SHARED/est_user.p12 -K Secret.123 -W Secret.123
+          docker exec est pki-server restart --wait
+        
       - name: Check EST server base dir after installation
         run: |
           # check file types, owners, and permissions