-
Notifications
You must be signed in to change notification settings - Fork 138
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
A new test has been added to install a subordinate CA with external cert then clone it into another instance. The test will also compare the CS.cfg, the users, and the certs in these instances to ensure that they are (mostly) identical.
- Loading branch information
Showing
2 changed files
with
343 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,336 @@ | ||
name: Sub-CA clone | ||
|
||
on: | ||
workflow_call: | ||
inputs: | ||
db-image: | ||
required: false | ||
type: string | ||
|
||
jobs: | ||
test: | ||
name: Test | ||
runs-on: ubuntu-latest | ||
env: | ||
SHARED: /tmp/workdir/pki | ||
steps: | ||
- name: Clone repository | ||
uses: actions/checkout@v3 | ||
|
||
- name: Retrieve PKI images | ||
uses: actions/cache@v3 | ||
with: | ||
key: pki-images-${{ github.sha }} | ||
path: pki-images.tar | ||
|
||
- name: Load PKI images | ||
run: docker load --input pki-images.tar | ||
|
||
- name: Create network | ||
run: docker network create example | ||
|
||
- name: Set up root CA container | ||
run: | | ||
tests/bin/runner-init.sh root-ca | ||
env: | ||
HOSTNAME: root-ca.example.com | ||
|
||
- name: Connect root CA container to network | ||
run: docker network connect example root-ca --alias root-ca.example.com | ||
|
||
- name: Create root CA in NSS database | ||
run: | | ||
# https://github.com/dogtagpki/pki/wiki/Creating-Self-Signed-CA-Signing-Certificate-with-PKI-NSS | ||
docker exec root-ca pki nss-cert-request \ | ||
--subject "CN=Root CA Signing Certificate" \ | ||
--ext /usr/share/pki/server/certs/ca_signing.conf \ | ||
--csr $SHARED/root-ca_signing.csr | ||
docker exec root-ca pki nss-cert-issue \ | ||
--csr $SHARED/root-ca_signing.csr \ | ||
--ext /usr/share/pki/server/certs/ca_signing.conf \ | ||
--cert $SHARED/root-ca_signing.crt | ||
docker exec root-ca pki nss-cert-import \ | ||
--cert $SHARED/root-ca_signing.crt \ | ||
--trust CT,C,C \ | ||
root-ca_signing | ||
- name: Set up primary DS container | ||
run: | | ||
tests/bin/ds-container-create.sh primary-ds | ||
env: | ||
IMAGE: ${{ inputs.db-image }} | ||
HOSTNAME: primary-ds.example.com | ||
PASSWORD: Secret.123 | ||
|
||
- name: Connect primary DS container to network | ||
run: docker network connect example primary-ds --alias primary-ds.example.com | ||
|
||
- name: Set up primary sub-CA container | ||
run: | | ||
tests/bin/runner-init.sh primary-subca | ||
env: | ||
HOSTNAME: primary-subca.example.com | ||
|
||
- name: Connect primary sub-CA container to network | ||
run: docker network connect example primary-subca --alias primary-subca.example.com | ||
|
||
- name: Install primary sub-CA (step 1) | ||
run: | | ||
# docs/installation/ca/Installing_CA_with_External_CA_Signing_Certificate.md | ||
docker exec primary-subca pkispawn \ | ||
-f /usr/share/pki/server/examples/installation/ca-external-cert-step1.cfg \ | ||
-s CA \ | ||
-D pki_ds_hostname=primary-ds.example.com \ | ||
-D pki_ds_ldap_port=3389 \ | ||
-D pki_ca_signing_csr_path=$SHARED/subca_signing.csr \ | ||
-D pki_cert_id_generator=random \ | ||
-D pki_request_id_generator=random \ | ||
-D pki_client_admin_cert_p12=$SHARED/caadmin.p12 \ | ||
-v | ||
- name: Issue primary sub-CA signing cert | ||
run: | | ||
# https://github.com/dogtagpki/pki/wiki/Issuing-CA-Signing-Certificate-with-PKI-NSS | ||
docker exec root-ca pki nss-cert-issue \ | ||
--issuer root-ca_signing \ | ||
--csr $SHARED/subca_signing.csr \ | ||
--ext /usr/share/pki/server/certs/subca_signing.conf \ | ||
--cert $SHARED/subca_signing.crt | ||
- name: Install primary sub-CA (step 2) | ||
run: | | ||
# docs/installation/ca/Installing_CA_with_External_CA_Signing_Certificate.md | ||
docker exec primary-subca pkispawn \ | ||
-f /usr/share/pki/server/examples/installation/ca-external-cert-step2.cfg \ | ||
-s CA \ | ||
-D pki_ds_hostname=primary-ds.example.com \ | ||
-D pki_ds_ldap_port=3389 \ | ||
-D pki_cert_chain_path=$SHARED/root-ca_signing.crt \ | ||
-D pki_ca_signing_csr_path=$SHARED/subca_signing.csr \ | ||
-D pki_ca_signing_cert_path=$SHARED/subca_signing.crt \ | ||
-D pki_cert_id_generator=random \ | ||
-D pki_request_id_generator=random \ | ||
-D pki_client_admin_cert_p12=$SHARED/caadmin.p12 \ | ||
-v | ||
docker exec primary-subca pki-server cert-find | ||
- name: Run PKI healthcheck | ||
run: docker exec primary-subca pki-healthcheck --failures-only | ||
|
||
- name: Check primary sub-CA admin | ||
run: | | ||
# https://github.com/dogtagpki/pki/wiki/Importing-Admin-Certificate-into-PKI-CLI | ||
docker exec primary-subca pki client-cert-import \ | ||
--ca-cert $SHARED/root-ca_signing.crt \ | ||
root-ca_signing | ||
docker exec primary-subca pki pkcs12-import \ | ||
--pkcs12 $SHARED/caadmin.p12 \ | ||
--pkcs12-password Secret.123 | ||
docker exec primary-subca pki -n caadmin ca-user-show caadmin | ||
- name: Export primary sub-CA certs | ||
run: | | ||
docker exec primary-subca pki-server ca-clone-prepare \ | ||
--pkcs12-file $SHARED/subca-certs.p12 \ | ||
--pkcs12-password Secret.123 | ||
- name: Set up secondary DS container | ||
run: | | ||
tests/bin/ds-container-create.sh secondary-ds | ||
env: | ||
IMAGE: ${{ inputs.db-image }} | ||
HOSTNAME: secondary-ds.example.com | ||
PASSWORD: Secret.123 | ||
|
||
- name: Connect secondary DS container to network | ||
run: docker network connect example secondary-ds --alias secondary-ds.example.com | ||
|
||
- name: Set up secondary sub-CA container | ||
run: | | ||
tests/bin/runner-init.sh secondary-subca | ||
env: | ||
HOSTNAME: secondary-subca.example.com | ||
|
||
- name: Connect secondary sub-CA container to network | ||
run: docker network connect example secondary-subca --alias secondary-subca.example.com | ||
|
||
- name: Install secondary sub-CA | ||
run: | | ||
# get CS.cfg from primary sub-CA before cloning | ||
docker cp primary-subca:/etc/pki/pki-tomcat/ca/CS.cfg CS.cfg.primary | ||
# docs/installation/ca/Installing_CA_Clone.md | ||
docker exec secondary-subca pkispawn \ | ||
-f /usr/share/pki/server/examples/installation/ca-clone.cfg \ | ||
-s CA \ | ||
-D pki_cert_chain_path=$SHARED/root-ca_signing.crt \ | ||
-D pki_security_domain_hostname=primary-subca.example.com \ | ||
-D pki_clone_pkcs12_path=$SHARED/subca-certs.p12 \ | ||
-D pki_clone_pkcs12_password=Secret.123 \ | ||
-D pki_ds_hostname=secondary-ds.example.com \ | ||
-D pki_ds_ldap_port=3389 \ | ||
-D pki_cert_id_generator=random \ | ||
-D pki_request_id_generator=random \ | ||
-D pki_clone_uri=https://primary-subca.example.com:8443 \ | ||
-v | ||
docker exec secondary-subca pki-server cert-find | ||
- name: Check CS.cfg in primary sub-CA after cloning | ||
run: | | ||
# get CS.cfg from primary sub-CA after cloning | ||
docker cp primary-subca:/etc/pki/pki-tomcat/ca/CS.cfg CS.cfg.primary.after | ||
# normalize expected result: | ||
# - remove params that cannot be compared | ||
# - set dbs.enableSerialManagement to true (automatically enabled when cloned) | ||
sed -e '/^dbs.beginReplicaNumber=/d' \ | ||
-e '/^dbs.endReplicaNumber=/d' \ | ||
-e '/^dbs.nextBeginReplicaNumber=/d' \ | ||
-e '/^dbs.nextEndReplicaNumber=/d' \ | ||
-e 's/^\(dbs.enableSerialManagement\)=.*$/\1=true/' \ | ||
CS.cfg.primary \ | ||
| sort > expected | ||
# normalize actual result: | ||
# - remove params that cannot be compared | ||
# - remove params added by bugs (fixed in PKI 11.5) | ||
sed -e '/^dbs.beginReplicaNumber=/d' \ | ||
-e '/^dbs.endReplicaNumber=/d' \ | ||
-e '/^dbs.nextBeginReplicaNumber=/d' \ | ||
-e '/^dbs.nextEndReplicaNumber=/d' \ | ||
-e '/^auths.instance.flatFileAuth.authAttributes=/d' \ | ||
-e '/^auths.instance.flatFileAuth.deferOnFailure=/d' \ | ||
-e '/^auths.instance.flatFileAuth.keyAttributes=/d' \ | ||
-e '/^ca.ocsp_signing.newNickname=/d' \ | ||
-e '/^ca.signing.newNickname=/d' \ | ||
CS.cfg.primary.after \ | ||
| sort > actual | ||
diff expected actual | ||
- name: Check CS.cfg in secondary sub-CA | ||
run: | | ||
# get CS.cfg from secondary sub-CA | ||
docker cp secondary-subca:/etc/pki/pki-tomcat/ca/CS.cfg CS.cfg.secondary | ||
# normalize expected result: | ||
# - remove params that cannot be compared | ||
# - replace primary-subca.example.com with secondary-subca.example.com | ||
# - replace primary-ds.example.com with secondary-ds.example.com | ||
# - set ca.crl.MasterCRL.enableCRLCache to false (automatically disabled in the clone) | ||
# - set ca.crl.MasterCRL.enableCRLUpdates to false (automatically disabled in the clone) | ||
# - add params for the clone | ||
# - remove params added by bugs (fixed in PKI 11.5) | ||
# - remove params no longer used in PKI 11.5 | ||
sed -e '/^installDate=/d' \ | ||
-e '/^dbs.beginReplicaNumber=/d' \ | ||
-e '/^dbs.endReplicaNumber=/d' \ | ||
-e '/^dbs.nextBeginReplicaNumber=/d' \ | ||
-e '/^dbs.nextEndReplicaNumber=/d' \ | ||
-e '/^ca.sslserver.cert=/d' \ | ||
-e '/^ca.sslserver.certreq=/d' \ | ||
-e 's/primary-subca.example.com/secondary-subca.example.com/' \ | ||
-e 's/primary-ds.example.com/secondary-ds.example.com/' \ | ||
-e 's/^\(ca.crl.MasterCRL.enableCRLCache\)=.*$/\1=false/' \ | ||
-e 's/^\(ca.crl.MasterCRL.enableCRLUpdates\)=.*$/\1=false/' \ | ||
-e '$ a ca.certStatusUpdateInterval=0' \ | ||
-e '$ a ca.listenToCloneModifications=false' \ | ||
-e '$ a master.ca.agent.host=primary-subca.example.com' \ | ||
-e '$ a master.ca.agent.port=8443' \ | ||
-e '/^auths.instance.flatFileAuth.authAttributes=/d' \ | ||
-e '/^auths.instance.flatFileAuth.deferOnFailure=/d' \ | ||
-e '/^auths.instance.flatFileAuth.keyAttributes=/d' \ | ||
-e '/^ca.sslserver.defaultSigningAlgorithm=/d' \ | ||
-e '/^hierarchy.select=/d' \ | ||
-e '/^subsystem.select=/d' \ | ||
CS.cfg.primary.after \ | ||
| sort > expected | ||
# normalize actual result: | ||
# - remove params that cannot be compared | ||
# - normalize ca.sslserver.tokenname (fixed in PKI 11.5) | ||
# - remove params no longer used in PKI 11.5 | ||
sed -e '/^installDate=/d' \ | ||
-e '/^dbs.beginReplicaNumber=/d' \ | ||
-e '/^dbs.endReplicaNumber=/d' \ | ||
-e '/^dbs.nextBeginReplicaNumber=/d' \ | ||
-e '/^dbs.nextEndReplicaNumber=/d' \ | ||
-e '/^ca.sslserver.cert=/d' \ | ||
-e '/^ca.sslserver.certreq=/d' \ | ||
-e 's/^\(ca.sslserver.tokenname\)=.*$/\1=internal/' \ | ||
-e '/^hierarchy.select=/d' \ | ||
-e '/^subsystem.select=/d' \ | ||
CS.cfg.secondary \ | ||
| sort > actual | ||
diff expected actual | ||
- name: Run PKI healthcheck | ||
run: docker exec secondary-subca pki-healthcheck --failures-only | ||
|
||
- name: Check secondary sub-CA admin | ||
run: | | ||
# https://github.com/dogtagpki/pki/wiki/Importing-Admin-Certificate-into-PKI-CLI | ||
docker exec secondary-subca pki client-cert-import \ | ||
--ca-cert $SHARED/root-ca_signing.crt \ | ||
root-ca_signing | ||
docker exec secondary-subca pki pkcs12-import \ | ||
--pkcs12 $SHARED/caadmin.p12 \ | ||
--pkcs12-password Secret.123 | ||
docker exec secondary-subca pki -n caadmin ca-user-show caadmin | ||
- name: Check users in primary sub-CA and secondary sub-CA | ||
run: | | ||
docker exec primary-subca pki -n caadmin ca-user-find | tee subca-users.primary | ||
docker exec secondary-subca pki -n caadmin ca-user-find > subca-users.secondary | ||
diff subca-users.primary subca-users.secondary | ||
- name: Check certs in primary sub-CA and secondary sub-CA | ||
run: | | ||
docker exec primary-subca pki ca-cert-find | tee subca-certs.primary | ||
docker exec secondary-subca pki ca-cert-find > subca-certs.secondary | ||
diff subca-certs.primary subca-certs.secondary | ||
- name: Gather artifacts from primary sub-CA | ||
if: always() | ||
run: | | ||
tests/bin/ds-artifacts-save.sh --output=/tmp/artifacts/pki primary-ds | ||
tests/bin/pki-artifacts-save.sh primary-subca | ||
continue-on-error: true | ||
|
||
- name: Gather artifacts from secondary sub-CA | ||
if: always() | ||
run: | | ||
tests/bin/ds-artifacts-save.sh --output=/tmp/artifacts/pki secondary-ds | ||
tests/bin/pki-artifacts-save.sh secondary-subca | ||
continue-on-error: true | ||
|
||
- name: Remove secondary sub-CA | ||
run: docker exec secondary-subca pkidestroy -i pki-tomcat -s CA -v | ||
|
||
- name: Remove primary sub-CA | ||
run: docker exec primary-subca pkidestroy -i pki-tomcat -s CA -v | ||
|
||
- name: Upload artifacts from primary sub-CA | ||
if: always() | ||
uses: actions/upload-artifact@v3 | ||
with: | ||
name: subca-clone-primary | ||
path: | | ||
/tmp/artifacts/primary-subca | ||
- name: Upload artifacts from secondary sub-CA | ||
if: always() | ||
uses: actions/upload-artifact@v3 | ||
with: | ||
name: subca-clone-secondary | ||
path: | | ||
/tmp/artifacts/secondary-subca |