diff --git a/.github/workflows/acme-postgresql-test.yml b/.github/workflows/acme-postgresql-test.yml index ff7950e34b6..76ad5e35058 100644 --- a/.github/workflows/acme-postgresql-test.yml +++ b/.github/workflows/acme-postgresql-test.yml @@ -85,13 +85,14 @@ jobs: --subject "CN=postgresql.example.com" \ --ext /usr/share/pki/server/certs/sslserver.conf \ --csr sslserver.csr - REC_ID=$(docker exec pki pki ca-cert-request-submit \ + + docker exec pki pki \ + -n caadmin \ + ca-cert-issue \ --profile caServerCert \ --csr-file sslserver.csr \ - --subject "CN=postgresql.example.com" | grep "Request ID") - CERT_ID=$(docker exec pki pki -n caadmin ca-cert-request-approve ${REC_ID:14} --force | \ - grep "Certificate ID") - docker exec pki pki ca-cert-export ${CERT_ID:18} --output-file sslserver.crt + --subject "CN=postgresql.example.com" \ + --output-file sslserver.crt docker exec pki pki nss-cert-import \ --cert sslserver.crt \ diff --git a/.github/workflows/acme-separate-test.yml b/.github/workflows/acme-separate-test.yml index 5455a0e7f49..3a0782c6c96 100644 --- a/.github/workflows/acme-separate-test.yml +++ b/.github/workflows/acme-separate-test.yml 
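Review bot: The new `ca-cert-issue` call in acme-postgresql-test.yml is the only one in this change that passes `--subject "CN=postgresql.example.com"`; the CSR built a few lines earlier already carries that subject, and every other workflow in the diff lets the CSR supply it. Unless the flag is required here, drop the line for consistency, or put a one-line comment above the block saying why it is repeated (I cannot tell from the hunk whether it overrides the CSR subject). This workflow also feeds `sslserver.crt` straight into `nss-cert-import`, while the sibling workflows inspect the issued file first; adding `docker exec pki openssl x509 -text -noout -in sslserver.crt` before the import keeps the issued subject and serial visible in the CI log. The enclosing `run:` block continues outside the hunk.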
@@ -120,18 +120,13 @@ jobs: docker exec acme cp /var/lib/pki/pki-tomcat/conf/certs/sslserver.csr $SHARED docker exec ca openssl req -text -noout -in $SHARED/sslserver.csr - # submit cert request - docker exec ca pki ca-cert-request-submit \ + # issue cert + docker exec ca pki \ + -n caadmin \ + ca-cert-issue \ --profile caServerCert \ - --csr-file $SHARED/sslserver.csr | tee output - REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output) - - # approve cert request - docker exec ca pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee output - CERT_ID=$(sed -n 's/Certificate ID: *\(.*\)/\1/p' output) - - # export cert - docker exec ca pki ca-cert-export $CERT_ID --output-file $SHARED/sslserver.crt + --csr-file $SHARED/sslserver.csr \ + --output-file $SHARED/sslserver.crt docker exec ca openssl x509 -text -noout -in $SHARED/sslserver.crt # install cert diff --git a/.github/workflows/est-ds-realm-separate-test.yml b/.github/workflows/est-ds-realm-separate-test.yml index 7c359b9be6d..6601e1aa727 100644 --- a/.github/workflows/est-ds-realm-separate-test.yml +++ b/.github/workflows/est-ds-realm-separate-test.yml 
@@ -74,13 +74,13 @@ jobs: docker exec ca pki nss-cert-request --csr estSSLServer.csr \ --ext /usr/share/pki/server/certs/sslserver.conf --subject 'CN=est.example.com' - docker exec ca pki ca-cert-request-submit --csr-file estSSLServer.csr --profile caServerCert | tee output - REQUEST_ID=$(sed -n "s/^\s*Request ID:\s*\(\S*\)$/\1/p" output) + docker exec ca pki \ + -n caadmin \ + ca-cert-issue \ + --csr-file estSSLServer.csr \ + --profile caServerCert \ + --output-file estSSLServer.crt - docker exec ca pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee output - CERT_ID=$(sed -n "s/^\s*Certificate ID:\s*\(\S*\)$/\1/p" output) - - docker exec ca pki -n caadmin ca-cert-export --output-file estSSLServer.crt $CERT_ID docker exec ca pki nss-cert-import --cert estSSLServer.crt sslserver docker exec ca pk12util -d /root/.dogtag/nssdb -o $SHARED/est_server.p12 -n sslserver -W Secret.123 diff --git a/.github/workflows/kra-existing-certs-test.yml b/.github/workflows/kra-existing-certs-test.yml index 0ab858f26a2..310f2dcfd1b 100644 --- a/.github/workflows/kra-existing-certs-test.yml +++ b/.github/workflows/kra-existing-certs-test.yml @@ -94,15 +94,12 @@ jobs: --csr $SHARED/kra_storage.csr docker exec ca openssl req -text -noout -in $SHARED/kra_storage.csr - docker exec ca pki ca-cert-request-submit \ + docker exec ca pki \ + -n caadmin \ + ca-cert-issue \ --profile caStorageCert \ - --csr-file $SHARED/kra_storage.csr | tee output - REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output) - - docker exec ca pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee output - CERT_ID=$(sed -n 's/Certificate ID: *\(.*\)/\1/p' output) - - docker exec ca pki ca-cert-export $CERT_ID --output-file $SHARED/kra_storage.crt + --csr-file $SHARED/kra_storage.csr \ + --output-file $SHARED/kra_storage.crt docker exec ca openssl x509 -text -noout -in $SHARED/kra_storage.crt docker exec kra pki nss-cert-import \ 
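Review bot: In est-ds-realm-separate-test.yml the new `ca-cert-issue` block lists `--csr-file estSSLServer.csr` before `--profile caServerCert`, whereas every other `ca-cert-issue` block introduced by this change puts `--profile` first. Swapping the two lines to `--profile caServerCert \` followed by `--csr-file estSSLServer.csr \` keeps the blocks uniform and easy to diff against one another. The enclosing `run:` block extends beyond the hunk on both sides.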
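Review bot: The kra-existing-ds-test.yml hunks keep a `# issue cert` comment above the new `docker exec ca pki \` block, but the otherwise identical blocks in kra-existing-certs-test.yml (this hunk and the five that follow it), kra-existing-hsm-test.yml and kra-existing-nssdb-test.yml have no label at all between the `openssl req` dump and the issue command. Adding the same `# issue cert` line above each new block would make the three-step structure (inspect CSR, issue, inspect cert) readable at a glance and consistent across the family. Each of these hunks sits inside a `run:` block that starts and ends outside the hunk.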
@@ -125,15 +122,12 @@ jobs: --csr $SHARED/kra_transport.csr docker exec ca openssl req -text -noout -in $SHARED/kra_transport.csr - docker exec ca pki ca-cert-request-submit \ + docker exec ca pki \ + -n caadmin \ + ca-cert-issue \ --profile caTransportCert \ - --csr-file $SHARED/kra_transport.csr | tee output - REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output) - - docker exec ca pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee output - CERT_ID=$(sed -n 's/Certificate ID: *\(.*\)/\1/p' output) - - docker exec ca pki ca-cert-export $CERT_ID --output-file $SHARED/kra_transport.crt + --csr-file $SHARED/kra_transport.csr \ + --output-file $SHARED/kra_transport.crt docker exec ca openssl x509 -text -noout -in $SHARED/kra_transport.crt docker exec kra pki nss-cert-import \ @@ -156,15 +150,12 @@ jobs: --csr $SHARED/kra_audit_signing.csr docker exec ca openssl req -text -noout -in $SHARED/kra_audit_signing.csr - docker exec ca pki ca-cert-request-submit \ + docker exec ca pki \ + -n caadmin \ + ca-cert-issue \ --profile caAuditSigningCert \ - --csr-file $SHARED/kra_audit_signing.csr | tee output - REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output) - - docker exec ca pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee output - CERT_ID=$(sed -n 's/Certificate ID: *\(.*\)/\1/p' output) - - docker exec ca pki ca-cert-export $CERT_ID --output-file $SHARED/kra_audit_signing.crt + --csr-file $SHARED/kra_audit_signing.csr \ + --output-file $SHARED/kra_audit_signing.crt docker exec ca openssl x509 -text -noout -in $SHARED/kra_audit_signing.crt docker exec kra pki nss-cert-import \ 
@@ -188,15 +179,12 @@ jobs: --csr $SHARED/subsystem.csr docker exec ca openssl req -text -noout -in $SHARED/subsystem.csr - docker exec ca pki ca-cert-request-submit \ + docker exec ca pki \ + -n caadmin \ + ca-cert-issue \ --profile caSubsystemCert \ - --csr-file $SHARED/subsystem.csr | tee output - REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output) - - docker exec ca pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee output - CERT_ID=$(sed -n 's/Certificate ID: *\(.*\)/\1/p' output) - - docker exec ca pki ca-cert-export $CERT_ID --output-file $SHARED/subsystem.crt + --csr-file $SHARED/subsystem.csr \ + --output-file $SHARED/subsystem.crt docker exec ca openssl x509 -text -noout -in $SHARED/subsystem.crt docker exec kra pki nss-cert-import \ @@ -219,15 +207,12 @@ jobs: --csr $SHARED/sslserver.csr docker exec ca openssl req -text -noout -in $SHARED/sslserver.csr - docker exec ca pki ca-cert-request-submit \ + docker exec ca pki \ + -n caadmin \ + ca-cert-issue \ --profile caServerCert \ - --csr-file $SHARED/sslserver.csr | tee output - REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output) - - docker exec ca pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee output - CERT_ID=$(sed -n 's/Certificate ID: *\(.*\)/\1/p' output) - - docker exec ca pki ca-cert-export $CERT_ID --output-file $SHARED/sslserver.crt + --csr-file $SHARED/sslserver.csr \ + --output-file $SHARED/sslserver.crt docker exec ca openssl x509 -text -noout -in $SHARED/sslserver.crt docker exec kra pki nss-cert-import \ 
@@ -250,15 +235,12 @@ jobs: --csr $SHARED/kra_admin.csr docker exec ca openssl req -text -noout -in $SHARED/kra_admin.csr - docker exec ca pki ca-cert-request-submit \ + docker exec ca pki \ + -n caadmin \ + ca-cert-issue \ --profile AdminCert \ - --csr-file $SHARED/kra_admin.csr | tee output - REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output) - - docker exec ca pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee output - CERT_ID=$(sed -n 's/Certificate ID: *\(.*\)/\1/p' output) - - docker exec ca pki ca-cert-export $CERT_ID --output-file $SHARED/kra_admin.crt + --csr-file $SHARED/kra_admin.csr \ + --output-file $SHARED/kra_admin.crt docker exec ca openssl x509 -text -noout -in $SHARED/kra_admin.crt docker exec kra pki nss-cert-import \ diff --git a/.github/workflows/kra-existing-ds-test.yml b/.github/workflows/kra-existing-ds-test.yml index 5b039bf8b29..c2bd24b57d1 100644 --- a/.github/workflows/kra-existing-ds-test.yml +++ b/.github/workflows/kra-existing-ds-test.yml @@ -95,18 +95,13 @@ jobs: docker exec kra cp /var/lib/pki/pki-tomcat/conf/certs/kra_storage.csr $SHARED docker exec kra openssl req -text -noout -in $SHARED/kra_storage.csr - # submit cert request - docker exec ca pki ca-cert-request-submit \ - --profile caStorageCert \ - --csr-file $SHARED/kra_storage.csr | tee output - REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output) - # issue cert - docker exec ca pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee output - CERT_ID=$(sed -n 's/Certificate ID: *\(.*\)/\1/p' output) - - # retrieve cert - docker exec ca pki ca-cert-export $CERT_ID --output-file $SHARED/kra_storage.crt + docker exec ca pki \ + -n caadmin \ + ca-cert-issue \ + --profile caStorageCert \ + --csr-file $SHARED/kra_storage.csr \ + --output-file $SHARED/kra_storage.crt docker exec ca openssl x509 -text -noout -in $SHARED/kra_storage.crt docker exec kra cp $SHARED/kra_storage.crt /var/lib/pki/pki-tomcat/conf/certs 
@@ -137,18 +132,13 @@ jobs: docker exec kra cp /var/lib/pki/pki-tomcat/conf/certs/kra_transport.csr $SHARED docker exec ca openssl req -text -noout -in $SHARED/kra_transport.csr - # submit cert request - docker exec ca pki ca-cert-request-submit \ - --profile caTransportCert \ - --csr-file $SHARED/kra_transport.csr | tee output - REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output) - # issue cert - docker exec ca pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee output - CERT_ID=$(sed -n 's/Certificate ID: *\(.*\)/\1/p' output) - - # retrieve cert - docker exec ca pki ca-cert-export $CERT_ID --output-file $SHARED/kra_transport.crt + docker exec ca pki \ + -n caadmin \ + ca-cert-issue \ + --profile caTransportCert \ + --csr-file $SHARED/kra_transport.csr \ + --output-file $SHARED/kra_transport.crt docker exec ca openssl x509 -text -noout -in $SHARED/kra_transport.crt docker exec kra cp $SHARED/kra_transport.crt /var/lib/pki/pki-tomcat/conf/certs @@ -179,18 +169,13 @@ jobs: docker exec kra cp /var/lib/pki/pki-tomcat/conf/certs/kra_audit_signing.csr $SHARED docker exec ca openssl req -text -noout -in $SHARED/kra_audit_signing.csr - # submit cert request - docker exec ca pki ca-cert-request-submit \ - --profile caAuditSigningCert \ - --csr-file $SHARED/kra_audit_signing.csr | tee output - REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output) - # issue cert - docker exec ca pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee output - CERT_ID=$(sed -n 's/Certificate ID: *\(.*\)/\1/p' output) - - # retrieve cert - docker exec ca pki ca-cert-export $CERT_ID --output-file $SHARED/kra_audit_signing.crt + docker exec ca pki \ + -n caadmin \ + ca-cert-issue \ + --profile caAuditSigningCert \ + --csr-file $SHARED/kra_audit_signing.csr \ + --output-file $SHARED/kra_audit_signing.crt docker exec ca openssl x509 -text -noout -in $SHARED/kra_audit_signing.crt docker exec kra cp $SHARED/kra_audit_signing.crt /var/lib/pki/pki-tomcat/conf/certs 
@@ -221,18 +206,13 @@ jobs: docker exec kra cp /var/lib/pki/pki-tomcat/conf/certs/subsystem.csr $SHARED docker exec ca openssl req -text -noout -in $SHARED/subsystem.csr - # submit cert request - docker exec ca pki ca-cert-request-submit \ - --profile caSubsystemCert \ - --csr-file $SHARED/subsystem.csr | tee output - REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output) - # issue cert - docker exec ca pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee output - CERT_ID=$(sed -n 's/Certificate ID: *\(.*\)/\1/p' output) - - # retrieve cert - docker exec ca pki ca-cert-export $CERT_ID --output-file $SHARED/subsystem.crt + docker exec ca pki \ + -n caadmin \ + ca-cert-issue \ + --profile caSubsystemCert \ + --csr-file $SHARED/subsystem.csr \ + --output-file $SHARED/subsystem.crt docker exec ca openssl x509 -text -noout -in $SHARED/subsystem.crt docker exec kra cp $SHARED/subsystem.crt /var/lib/pki/pki-tomcat/conf/certs @@ -263,18 +243,13 @@ jobs: docker exec kra cp /var/lib/pki/pki-tomcat/conf/certs/sslserver.csr $SHARED docker exec ca openssl req -text -noout -in $SHARED/sslserver.csr - # submit cert request - docker exec ca pki ca-cert-request-submit \ - --profile caServerCert \ - --csr-file $SHARED/sslserver.csr | tee output - REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output) - # issue cert - docker exec ca pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee output - CERT_ID=$(sed -n 's/Certificate ID: *\(.*\)/\1/p' output) - - # retrieve cert - docker exec ca pki ca-cert-export $CERT_ID --output-file $SHARED/sslserver.crt + docker exec ca pki \ + -n caadmin \ + ca-cert-issue \ + --profile caServerCert \ + --csr-file $SHARED/sslserver.csr \ + --output-file $SHARED/sslserver.crt docker exec ca openssl x509 -text -noout -in $SHARED/sslserver.crt docker exec kra cp $SHARED/sslserver.crt /var/lib/pki/pki-tomcat/conf/certs 
@@ -304,18 +279,13 @@ jobs: --csr $SHARED/kra_admin.csr docker exec ca openssl req -text -noout -in $SHARED/kra_admin.csr - # submit cert request - docker exec ca pki ca-cert-request-submit \ - --profile AdminCert \ - --csr-file $SHARED/kra_admin.csr | tee output - REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output) - # issue cert - docker exec ca pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee output - CERT_ID=$(sed -n 's/Certificate ID: *\(.*\)/\1/p' output) - - # retrieve cert - docker exec ca pki ca-cert-export $CERT_ID --output-file $SHARED/kra_admin.crt + docker exec ca pki \ + -n caadmin \ + ca-cert-issue \ + --profile AdminCert \ + --csr-file $SHARED/kra_admin.csr \ + --output-file $SHARED/kra_admin.crt docker exec ca openssl x509 -text -noout -in $SHARED/kra_admin.crt # import cert diff --git a/.github/workflows/kra-existing-hsm-test.yml b/.github/workflows/kra-existing-hsm-test.yml index b4e202b5e7b..b2020731191 100644 --- a/.github/workflows/kra-existing-hsm-test.yml +++ b/.github/workflows/kra-existing-hsm-test.yml @@ -124,15 +124,12 @@ jobs: docker exec kra cp /var/lib/pki/pki-tomcat/conf/certs/kra_storage.csr $SHARED docker exec kra openssl req -text -noout -in $SHARED/kra_storage.csr - docker exec ca pki ca-cert-request-submit \ + docker exec ca pki \ + -n caadmin \ + ca-cert-issue \ --profile caStorageCert \ - --csr-file $SHARED/kra_storage.csr | tee output - REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output) - - docker exec ca pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee output - CERT_ID=$(sed -n 's/Certificate ID: *\(.*\)/\1/p' output) - - docker exec ca pki ca-cert-export $CERT_ID --output-file $SHARED/kra_storage.crt + --csr-file $SHARED/kra_storage.csr \ + --output-file $SHARED/kra_storage.crt docker exec ca openssl x509 -text -noout -in $SHARED/kra_storage.crt docker exec kra cp $SHARED/kra_storage.crt /var/lib/pki/pki-tomcat/conf/certs 
@@ -166,15 +163,12 @@ jobs: docker exec kra cp /var/lib/pki/pki-tomcat/conf/certs/kra_transport.csr $SHARED docker exec ca openssl req -text -noout -in $SHARED/kra_transport.csr - docker exec ca pki ca-cert-request-submit \ + docker exec ca pki \ + -n caadmin \ + ca-cert-issue \ --profile caTransportCert \ - --csr-file $SHARED/kra_transport.csr | tee output - REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output) - - docker exec ca pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee output - CERT_ID=$(sed -n 's/Certificate ID: *\(.*\)/\1/p' output) - - docker exec ca pki ca-cert-export $CERT_ID --output-file $SHARED/kra_transport.crt + --csr-file $SHARED/kra_transport.csr \ + --output-file $SHARED/kra_transport.crt docker exec ca openssl x509 -text -noout -in $SHARED/kra_transport.crt docker exec kra cp $SHARED/kra_transport.crt /var/lib/pki/pki-tomcat/conf/certs @@ -208,15 +202,12 @@ jobs: docker exec kra cp /var/lib/pki/pki-tomcat/conf/certs/kra_audit_signing.csr $SHARED docker exec ca openssl req -text -noout -in $SHARED/kra_audit_signing.csr - docker exec ca pki ca-cert-request-submit \ + docker exec ca pki \ + -n caadmin \ + ca-cert-issue \ --profile caAuditSigningCert \ - --csr-file $SHARED/kra_audit_signing.csr | tee output - REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output) - - docker exec ca pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee output - CERT_ID=$(sed -n 's/Certificate ID: *\(.*\)/\1/p' output) - - docker exec ca pki ca-cert-export $CERT_ID --output-file $SHARED/kra_audit_signing.crt + --csr-file $SHARED/kra_audit_signing.csr \ + --output-file $SHARED/kra_audit_signing.crt docker exec ca openssl x509 -text -noout -in $SHARED/kra_audit_signing.crt docker exec kra cp $SHARED/kra_audit_signing.crt /var/lib/pki/pki-tomcat/conf/certs 
@@ -250,15 +241,12 @@ jobs: docker exec kra cp /var/lib/pki/pki-tomcat/conf/certs/subsystem.csr $SHARED docker exec ca openssl req -text -noout -in $SHARED/subsystem.csr - docker exec ca pki ca-cert-request-submit \ + docker exec ca pki \ + -n caadmin \ + ca-cert-issue \ --profile caSubsystemCert \ - --csr-file $SHARED/subsystem.csr | tee output - REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output) - - docker exec ca pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee output - CERT_ID=$(sed -n 's/Certificate ID: *\(.*\)/\1/p' output) - - docker exec ca pki ca-cert-export $CERT_ID --output-file $SHARED/subsystem.crt + --csr-file $SHARED/subsystem.csr \ + --output-file $SHARED/subsystem.crt docker exec ca openssl x509 -text -noout -in $SHARED/subsystem.crt docker exec kra cp $SHARED/subsystem.crt /var/lib/pki/pki-tomcat/conf/certs @@ -291,15 +279,12 @@ jobs: docker exec kra cp /var/lib/pki/pki-tomcat/conf/certs/sslserver.csr $SHARED docker exec ca openssl req -text -noout -in $SHARED/sslserver.csr - docker exec ca pki ca-cert-request-submit \ + docker exec ca pki \ + -n caadmin \ + ca-cert-issue \ --profile caServerCert \ - --csr-file $SHARED/sslserver.csr | tee output - REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output) - - docker exec ca pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee output - CERT_ID=$(sed -n 's/Certificate ID: *\(.*\)/\1/p' output) - - docker exec ca pki ca-cert-export $CERT_ID --output-file $SHARED/sslserver.crt + --csr-file $SHARED/sslserver.csr \ + --output-file $SHARED/sslserver.crt docker exec ca openssl x509 -text -noout -in $SHARED/sslserver.crt docker exec kra cp $SHARED/sslserver.crt /var/lib/pki/pki-tomcat/conf/certs 
@@ -328,15 +313,12 @@ jobs: --csr $SHARED/kra_admin.csr docker exec ca openssl req -text -noout -in $SHARED/kra_admin.csr - docker exec ca pki ca-cert-request-submit \ + docker exec ca pki \ + -n caadmin \ + ca-cert-issue \ --profile AdminCert \ - --csr-file $SHARED/kra_admin.csr | tee output - REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output) - - docker exec ca pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee output - CERT_ID=$(sed -n 's/Certificate ID: *\(.*\)/\1/p' output) - - docker exec ca pki ca-cert-export $CERT_ID --output-file $SHARED/kra_admin.crt + --csr-file $SHARED/kra_admin.csr \ + --output-file $SHARED/kra_admin.crt docker exec ca openssl x509 -text -noout -in $SHARED/kra_admin.crt docker exec kra pki nss-cert-import \ diff --git a/.github/workflows/kra-existing-nssdb-test.yml b/.github/workflows/kra-existing-nssdb-test.yml index ef682a25327..0d7618fb30c 100644 --- a/.github/workflows/kra-existing-nssdb-test.yml +++ b/.github/workflows/kra-existing-nssdb-test.yml @@ -100,15 +100,12 @@ jobs: docker exec kra cp /var/lib/pki/pki-tomcat/conf/certs/kra_storage.csr $SHARED docker exec kra openssl req -text -noout -in $SHARED/kra_storage.csr - docker exec ca pki ca-cert-request-submit \ + docker exec ca pki \ + -n caadmin \ + ca-cert-issue \ --profile caStorageCert \ - --csr-file $SHARED/kra_storage.csr | tee output - REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output) - - docker exec ca pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee output - CERT_ID=$(sed -n 's/Certificate ID: *\(.*\)/\1/p' output) - - docker exec ca pki ca-cert-export $CERT_ID --output-file $SHARED/kra_storage.crt + --csr-file $SHARED/kra_storage.csr \ + --output-file $SHARED/kra_storage.crt docker exec ca openssl x509 -text -noout -in $SHARED/kra_storage.crt docker exec kra cp $SHARED/kra_storage.crt /var/lib/pki/pki-tomcat/conf/certs 
@@ -138,15 +135,12 @@ jobs: docker exec kra cp /var/lib/pki/pki-tomcat/conf/certs/kra_transport.csr $SHARED docker exec ca openssl req -text -noout -in $SHARED/kra_transport.csr - docker exec ca pki ca-cert-request-submit \ + docker exec ca pki \ + -n caadmin \ + ca-cert-issue \ --profile caTransportCert \ - --csr-file $SHARED/kra_transport.csr | tee output - REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output) - - docker exec ca pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee output - CERT_ID=$(sed -n 's/Certificate ID: *\(.*\)/\1/p' output) - - docker exec ca pki ca-cert-export $CERT_ID --output-file $SHARED/kra_transport.crt + --csr-file $SHARED/kra_transport.csr \ + --output-file $SHARED/kra_transport.crt docker exec ca openssl x509 -text -noout -in $SHARED/kra_transport.crt docker exec kra cp $SHARED/kra_transport.crt /var/lib/pki/pki-tomcat/conf/certs @@ -176,15 +170,12 @@ jobs: docker exec kra cp /var/lib/pki/pki-tomcat/conf/certs/kra_audit_signing.csr $SHARED docker exec ca openssl req -text -noout -in $SHARED/kra_audit_signing.csr - docker exec ca pki ca-cert-request-submit \ + docker exec ca pki \ + -n caadmin \ + ca-cert-issue \ --profile caAuditSigningCert \ - --csr-file $SHARED/kra_audit_signing.csr | tee output - REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output) - - docker exec ca pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee output - CERT_ID=$(sed -n 's/Certificate ID: *\(.*\)/\1/p' output) - - docker exec ca pki ca-cert-export $CERT_ID --output-file $SHARED/kra_audit_signing.crt + --csr-file $SHARED/kra_audit_signing.csr \ + --output-file $SHARED/kra_audit_signing.crt docker exec ca openssl x509 -text -noout -in $SHARED/kra_audit_signing.crt docker exec kra cp $SHARED/kra_audit_signing.crt /var/lib/pki/pki-tomcat/conf/certs 
@@ -214,15 +205,12 @@ jobs: docker exec kra cp /var/lib/pki/pki-tomcat/conf/certs/subsystem.csr $SHARED docker exec ca openssl req -text -noout -in $SHARED/subsystem.csr - docker exec ca pki ca-cert-request-submit \ + docker exec ca pki \ + -n caadmin \ + ca-cert-issue \ --profile caSubsystemCert \ - --csr-file $SHARED/subsystem.csr | tee output - REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output) - - docker exec ca pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee output - CERT_ID=$(sed -n 's/Certificate ID: *\(.*\)/\1/p' output) - - docker exec ca pki ca-cert-export $CERT_ID --output-file $SHARED/subsystem.crt + --csr-file $SHARED/subsystem.csr \ + --output-file $SHARED/subsystem.crt docker exec ca openssl x509 -text -noout -in $SHARED/subsystem.crt docker exec kra cp $SHARED/subsystem.crt /var/lib/pki/pki-tomcat/conf/certs @@ -252,15 +240,12 @@ jobs: docker exec kra cp /var/lib/pki/pki-tomcat/conf/certs/sslserver.csr $SHARED docker exec ca openssl req -text -noout -in $SHARED/sslserver.csr - docker exec ca pki ca-cert-request-submit \ + docker exec ca pki \ + -n caadmin \ + ca-cert-issue \ --profile caServerCert \ - --csr-file $SHARED/sslserver.csr | tee output - REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output) - - docker exec ca pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee output - CERT_ID=$(sed -n 's/Certificate ID: *\(.*\)/\1/p' output) - - docker exec ca pki ca-cert-export $CERT_ID --output-file $SHARED/sslserver.crt + --csr-file $SHARED/sslserver.csr \ + --output-file $SHARED/sslserver.crt docker exec ca openssl x509 -text -noout -in $SHARED/sslserver.crt docker exec kra cp $SHARED/sslserver.crt /var/lib/pki/pki-tomcat/conf/certs 
@@ -289,15 +274,12 @@ jobs: --csr $SHARED/kra_admin.csr docker exec ca openssl req -text -noout -in $SHARED/kra_admin.csr - docker exec ca pki ca-cert-request-submit \ + docker exec ca pki \ + -n caadmin \ + ca-cert-issue \ --profile AdminCert \ - --csr-file $SHARED/kra_admin.csr | tee output - REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output) - - docker exec ca pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee output - CERT_ID=$(sed -n 's/Certificate ID: *\(.*\)/\1/p' output) - - docker exec ca pki ca-cert-export $CERT_ID --output-file $SHARED/kra_admin.crt + --csr-file $SHARED/kra_admin.csr \ + --output-file $SHARED/kra_admin.crt docker exec ca openssl x509 -text -noout -in $SHARED/kra_admin.crt docker exec kra pki nss-cert-import \ diff --git a/.github/workflows/kra-external-certs-test.yml b/.github/workflows/kra-external-certs-test.yml index 63f65327b00..ebb9f3fec74 100644 --- a/.github/workflows/kra-external-certs-test.yml +++ b/.github/workflows/kra-external-certs-test.yml 
@@ -109,61 +109,67 @@ jobs: - name: Issue KRA storage cert run: | docker exec ca openssl req -text -noout -in ${SHARED}/kra_storage.csr - docker exec ca pki ca-cert-request-submit --profile caStorageCert --csr-file ${SHARED}/kra_storage.csr | tee output - REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output) - docker exec ca pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee output - CERT_ID=$(sed -n 's/Certificate ID: *\(.*\)/\1/p' output) - docker exec ca pki ca-cert-export $CERT_ID --output-file ${SHARED}/kra_storage.crt + docker exec ca pki \ + -n caadmin \ + ca-cert-issue \ + --profile caStorageCert \ + --csr-file ${SHARED}/kra_storage.csr \ + --output-file ${SHARED}/kra_storage.crt docker exec ca openssl x509 -text -noout -in ${SHARED}/kra_storage.crt - name: Issue KRA transport cert run: | docker exec ca openssl req -text -noout -in ${SHARED}/kra_transport.csr - docker exec ca pki ca-cert-request-submit --profile caTransportCert --csr-file ${SHARED}/kra_transport.csr | tee output - REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output) - docker exec ca pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee output - CERT_ID=$(sed -n 's/Certificate ID: *\(.*\)/\1/p' output) - docker exec ca pki ca-cert-export $CERT_ID --output-file ${SHARED}/kra_transport.crt + docker exec ca pki \ + -n caadmin \ + ca-cert-issue \ + --profile caTransportCert \ + --csr-file ${SHARED}/kra_transport.csr \ + --output-file ${SHARED}/kra_transport.crt docker exec ca openssl x509 -text -noout -in ${SHARED}/kra_transport.crt - name: Issue subsystem cert run: | docker exec ca openssl req -text -noout -in ${SHARED}/subsystem.csr - docker exec ca pki ca-cert-request-submit --profile caSubsystemCert --csr-file ${SHARED}/subsystem.csr | tee output - REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output) - docker exec ca pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee output - CERT_ID=$(sed -n 's/Certificate ID: *\(.*\)/\1/p' output) - docker 
exec ca pki ca-cert-export $CERT_ID --output-file ${SHARED}/subsystem.crt + docker exec ca pki \ + -n caadmin \ + ca-cert-issue \ + --profile caSubsystemCert \ + --csr-file ${SHARED}/subsystem.csr \ + --output-file ${SHARED}/subsystem.crt docker exec ca openssl x509 -text -noout -in ${SHARED}/subsystem.crt - name: Issue SSL server cert run: | docker exec ca openssl req -text -noout -in ${SHARED}/sslserver.csr - docker exec ca pki ca-cert-request-submit --profile caServerCert --csr-file ${SHARED}/sslserver.csr | tee output - REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output) - docker exec ca pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee output - CERT_ID=$(sed -n 's/Certificate ID: *\(.*\)/\1/p' output) - docker exec ca pki ca-cert-export $CERT_ID --output-file ${SHARED}/sslserver.crt + docker exec ca pki \ + -n caadmin \ + ca-cert-issue \ + --profile caServerCert \ + --csr-file ${SHARED}/sslserver.csr \ + --output-file ${SHARED}/sslserver.crt docker exec ca openssl x509 -text -noout -in ${SHARED}/sslserver.crt - name: Issue KRA audit signing cert run: | docker exec ca openssl req -text -noout -in ${SHARED}/kra_audit_signing.csr - docker exec ca pki ca-cert-request-submit --profile caAuditSigningCert --csr-file ${SHARED}/kra_audit_signing.csr | tee output - REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output) - docker exec ca pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee output - CERT_ID=$(sed -n 's/Certificate ID: *\(.*\)/\1/p' output) - docker exec ca pki ca-cert-export $CERT_ID --output-file ${SHARED}/kra_audit_signing.crt + docker exec ca pki \ + -n caadmin \ + ca-cert-issue \ + --profile caAuditSigningCert \ + --csr-file ${SHARED}/kra_audit_signing.csr \ + --output-file ${SHARED}/kra_audit_signing.crt docker exec ca openssl x509 -text -noout -in ${SHARED}/kra_audit_signing.crt - name: Issue KRA admin cert run: | docker exec ca openssl req -text -noout -in ${SHARED}/kra_admin.csr - docker exec ca pki 
ca-cert-request-submit --profile AdminCert --csr-file ${SHARED}/kra_admin.csr | tee output - REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output) - docker exec ca pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee output - CERT_ID=$(sed -n 's/Certificate ID: *\(.*\)/\1/p' output) - docker exec ca pki ca-cert-export $CERT_ID --output-file ${SHARED}/kra_admin.crt + docker exec ca pki \ + -n caadmin \ + ca-cert-issue \ + --profile AdminCert \ + --csr-file ${SHARED}/kra_admin.csr \ + --output-file ${SHARED}/kra_admin.crt docker exec ca openssl x509 -text -noout -in ${SHARED}/kra_admin.crt - name: Install KRA in KRA container (step 2) diff --git a/.github/workflows/kra-standalone-test.yml b/.github/workflows/kra-standalone-test.yml index 48a1cae1b91..4a58252dfb8 100644 --- a/.github/workflows/kra-standalone-test.yml +++ b/.github/workflows/kra-standalone-test.yml 
@@ -112,61 +112,67 @@ jobs: - name: Issue KRA storage cert run: | docker exec ca openssl req -text -noout -in ${SHARED}/kra_storage.csr - docker exec ca pki ca-cert-request-submit --profile caStorageCert --csr-file ${SHARED}/kra_storage.csr | tee output - REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output) - docker exec ca pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee output - CERT_ID=$(sed -n 's/Certificate ID: *\(.*\)/\1/p' output) - docker exec ca pki ca-cert-export $CERT_ID --output-file ${SHARED}/kra_storage.crt + docker exec ca pki \ + -n caadmin \ + ca-cert-issue \ + --profile caStorageCert \ + --csr-file ${SHARED}/kra_storage.csr \ + --output-file ${SHARED}/kra_storage.crt docker exec ca openssl x509 -text -noout -in ${SHARED}/kra_storage.crt - name: Issue KRA transport cert run: | docker exec ca openssl req -text -noout -in ${SHARED}/kra_transport.csr - docker exec ca pki ca-cert-request-submit --profile caTransportCert --csr-file ${SHARED}/kra_transport.csr | tee output - REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output) - docker exec ca pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee output - CERT_ID=$(sed -n 's/Certificate ID: *\(.*\)/\1/p' output) - docker exec ca pki ca-cert-export $CERT_ID --output-file ${SHARED}/kra_transport.crt + docker exec ca pki \ + -n caadmin \ + ca-cert-issue \ + --profile caTransportCert \ + --csr-file ${SHARED}/kra_transport.csr \ + --output-file ${SHARED}/kra_transport.crt docker exec ca openssl x509 -text -noout -in ${SHARED}/kra_transport.crt - name: Issue subsystem cert run: | docker exec ca openssl req -text -noout -in ${SHARED}/subsystem.csr - docker exec ca pki ca-cert-request-submit --profile caSubsystemCert --csr-file ${SHARED}/subsystem.csr | tee output - REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output) - docker exec ca pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee output - CERT_ID=$(sed -n 's/Certificate ID: *\(.*\)/\1/p' output) - docker 
exec ca pki ca-cert-export $CERT_ID --output-file ${SHARED}/subsystem.crt + docker exec ca pki \ + -n caadmin \ + ca-cert-issue \ + --profile caSubsystemCert \ + --csr-file ${SHARED}/subsystem.csr \ + --output-file ${SHARED}/subsystem.crt docker exec ca openssl x509 -text -noout -in ${SHARED}/subsystem.crt - name: Issue SSL server cert run: | docker exec ca openssl req -text -noout -in ${SHARED}/sslserver.csr - docker exec ca pki ca-cert-request-submit --profile caServerCert --csr-file ${SHARED}/sslserver.csr | tee output - REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output) - docker exec ca pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee output - CERT_ID=$(sed -n 's/Certificate ID: *\(.*\)/\1/p' output) - docker exec ca pki ca-cert-export $CERT_ID --output-file ${SHARED}/sslserver.crt + docker exec ca pki \ + -n caadmin \ + ca-cert-issue \ + --profile caServerCert \ + --csr-file ${SHARED}/sslserver.csr \ + --output-file ${SHARED}/sslserver.crt docker exec ca openssl x509 -text -noout -in ${SHARED}/sslserver.crt - name: Issue KRA audit signing cert run: | docker exec ca openssl req -text -noout -in ${SHARED}/kra_audit_signing.csr - docker exec ca pki ca-cert-request-submit --profile caAuditSigningCert --csr-file ${SHARED}/kra_audit_signing.csr | tee output - REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output) - docker exec ca pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee output - CERT_ID=$(sed -n 's/Certificate ID: *\(.*\)/\1/p' output) - docker exec ca pki ca-cert-export $CERT_ID --output-file ${SHARED}/kra_audit_signing.crt + docker exec ca pki \ + -n caadmin \ + ca-cert-issue \ + --profile caAuditSigningCert \ + --csr-file ${SHARED}/kra_audit_signing.csr \ + --output-file ${SHARED}/kra_audit_signing.crt docker exec ca openssl x509 -text -noout -in ${SHARED}/kra_audit_signing.crt - name: Issue KRA admin cert run: | docker exec ca openssl req -text -noout -in ${SHARED}/kra_admin.csr - docker exec ca pki 
ca-cert-request-submit --profile AdminCert --csr-file ${SHARED}/kra_admin.csr | tee output - REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output) - docker exec ca pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee output - CERT_ID=$(sed -n 's/Certificate ID: *\(.*\)/\1/p' output) - docker exec ca pki ca-cert-export $CERT_ID --output-file ${SHARED}/kra_admin.crt + docker exec ca pki \ + -n caadmin \ + ca-cert-issue \ + --profile AdminCert \ + --csr-file ${SHARED}/kra_admin.csr \ + --output-file ${SHARED}/kra_admin.crt docker exec ca openssl x509 -text -noout -in ${SHARED}/kra_admin.crt - name: Install standalone KRA (step 2) diff --git a/.github/workflows/ocsp-crl-direct-test.yml b/.github/workflows/ocsp-crl-direct-test.yml index 22a6aa791eb..1f5f9078c51 100644 --- a/.github/workflows/ocsp-crl-direct-test.yml +++ b/.github/workflows/ocsp-crl-direct-test.yml 
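Review bot: Every new `ca-cert-issue` call in this hunk drops the `--force` that the removed `ca-cert-request-approve` lines carried, and the command runs through `docker exec` without `-i`, so there is no stdin if the new command asks for confirmation. CACertIssueCLI.java, added later in this diff, imports `java.io.Console` and `java.util.Scanner`, which suggests an interactive path exists; if it is reached here, these steps would fail or hang in CI. Either pass whatever non-interactive flag the new command offers, or state the contract in the step, e.g. `# ca-cert-issue submits, approves (as caadmin) and exports in one non-interactive call`. The enclosing job continues outside the hunk.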
@@ -112,51 +112,56 @@ jobs: - name: Issue OCSP signing cert run: | docker exec ca openssl req -text -noout -in ${SHARED}/ocsp_signing.csr - docker exec ca pki ca-cert-request-submit --profile caOCSPCert --csr-file ${SHARED}/ocsp_signing.csr | tee output - REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output) - docker exec ca pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee output - CERT_ID=$(sed -n 's/Certificate ID: *\(.*\)/\1/p' output) - docker exec ca pki ca-cert-export $CERT_ID --output-file ${SHARED}/ocsp_signing.crt + docker exec ca pki \ + -n caadmin \ + ca-cert-issue \ + --profile caOCSPCert \ + --csr-file ${SHARED}/ocsp_signing.csr \ + --output-file ${SHARED}/ocsp_signing.crt docker exec ca openssl x509 -text -noout -in ${SHARED}/ocsp_signing.crt - name: Issue subsystem cert run: | docker exec ca openssl req -text -noout -in ${SHARED}/subsystem.csr - docker exec ca pki ca-cert-request-submit --profile caSubsystemCert --csr-file ${SHARED}/subsystem.csr | tee output - REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output) - docker exec ca pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee output - CERT_ID=$(sed -n 's/Certificate ID: *\(.*\)/\1/p' output) - docker exec ca pki ca-cert-export $CERT_ID --output-file ${SHARED}/subsystem.crt + docker exec ca pki \ + -n caadmin \ + ca-cert-issue \ + --profile caSubsystemCert \ + --csr-file ${SHARED}/subsystem.csr \ + --output-file ${SHARED}/subsystem.crt docker exec ca openssl x509 -text -noout -in ${SHARED}/subsystem.crt - name: Issue SSL server cert run: | docker exec ca openssl req -text -noout -in ${SHARED}/sslserver.csr - docker exec ca pki ca-cert-request-submit --profile caServerCert --csr-file ${SHARED}/sslserver.csr | tee output - REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output) - docker exec ca pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee output - CERT_ID=$(sed -n 's/Certificate ID: *\(.*\)/\1/p' output) - docker exec ca pki ca-cert-export 
$CERT_ID --output-file ${SHARED}/sslserver.crt + docker exec ca pki \ + -n caadmin \ + ca-cert-issue \ + --profile caServerCert \ + --csr-file ${SHARED}/sslserver.csr \ + --output-file ${SHARED}/sslserver.crt docker exec ca openssl x509 -text -noout -in ${SHARED}/sslserver.crt - name: Issue OCSP audit signing cert run: | docker exec ca openssl req -text -noout -in ${SHARED}/ocsp_audit_signing.csr - docker exec ca pki ca-cert-request-submit --profile caAuditSigningCert --csr-file ${SHARED}/ocsp_audit_signing.csr | tee output - REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output) - docker exec ca pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee output - CERT_ID=$(sed -n 's/Certificate ID: *\(.*\)/\1/p' output) - docker exec ca pki ca-cert-export $CERT_ID --output-file ${SHARED}/ocsp_audit_signing.crt + docker exec ca pki \ + -n caadmin \ + ca-cert-issue \ + --profile caAuditSigningCert \ + --csr-file ${SHARED}/ocsp_audit_signing.csr \ + --output-file ${SHARED}/ocsp_audit_signing.crt docker exec ca openssl x509 -text -noout -in ${SHARED}/ocsp_audit_signing.crt - name: Issue OCSP admin cert run: | docker exec ca openssl req -text -noout -in ${SHARED}/ocsp_admin.csr - docker exec ca pki ca-cert-request-submit --profile AdminCert --csr-file ${SHARED}/ocsp_admin.csr | tee output - REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output) - docker exec ca pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee output - CERT_ID=$(sed -n 's/Certificate ID: *\(.*\)/\1/p' output) - docker exec ca pki ca-cert-export $CERT_ID --output-file ${SHARED}/ocsp_admin.crt + docker exec ca pki \ + -n caadmin \ + ca-cert-issue \ + --profile AdminCert \ + --csr-file ${SHARED}/ocsp_admin.csr \ + --output-file ${SHARED}/ocsp_admin.crt docker exec ca openssl x509 -text -noout -in ${SHARED}/ocsp_admin.crt - name: Install OCSP in OCSP container (step 2) 
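Review bot: The `Issue OCSP signing cert` step still only prints the issued cert with `openssl x509 -text -noout`, so a regression in the `caOCSPCert` profile (wrong key usage, missing extension) would not fail the test. Since the text output is already produced, asserting the EKU is a one-line addition: `docker exec ca openssl x509 -text -noout -in ${SHARED}/ocsp_signing.crt | grep -q "OCSP Signing"` (assuming the profile sets id-kp-OCSPSigning, which is not visible here; with the default `bash -e` shell the failing grep fails the step). The same pattern applies to the other issue steps in this hunk.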
diff --git a/.github/workflows/ocsp-crl-ldap-test.yml b/.github/workflows/ocsp-crl-ldap-test.yml
index cf838dd049d..c5d894985bb 100644
--- a/.github/workflows/ocsp-crl-ldap-test.yml
+++ b/.github/workflows/ocsp-crl-ldap-test.yml
@@ -113,51 +113,56 @@ jobs: - name: Issue OCSP signing cert run: | docker exec ca openssl req -text -noout -in ${SHARED}/ocsp_signing.csr - docker exec ca pki ca-cert-request-submit --profile caOCSPCert --csr-file ${SHARED}/ocsp_signing.csr | tee output - REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output) - docker exec ca pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee output - CERT_ID=$(sed -n 's/Certificate ID: *\(.*\)/\1/p' output) - docker exec ca pki ca-cert-export $CERT_ID --output-file ${SHARED}/ocsp_signing.crt + docker exec ca pki \ + -n caadmin \ + ca-cert-issue \ + --profile caOCSPCert \ + --csr-file ${SHARED}/ocsp_signing.csr \ + --output-file ${SHARED}/ocsp_signing.crt docker exec ca openssl x509 -text -noout -in ${SHARED}/ocsp_signing.crt - name: Issue subsystem cert run: | docker exec ca openssl req -text -noout -in ${SHARED}/subsystem.csr - docker exec ca pki ca-cert-request-submit --profile caSubsystemCert --csr-file ${SHARED}/subsystem.csr | tee output - REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output) - docker exec ca pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee output - CERT_ID=$(sed -n 's/Certificate ID: *\(.*\)/\1/p' output) - docker exec ca pki ca-cert-export $CERT_ID --output-file ${SHARED}/subsystem.crt + docker exec ca pki \ + -n caadmin \ + ca-cert-issue \ + --profile caSubsystemCert \ + --csr-file ${SHARED}/subsystem.csr \ + --output-file ${SHARED}/subsystem.crt docker exec ca openssl x509 -text -noout -in ${SHARED}/subsystem.crt - name: Issue SSL server cert run: | docker exec ca openssl req -text -noout -in ${SHARED}/sslserver.csr - docker exec ca pki ca-cert-request-submit --profile caServerCert --csr-file ${SHARED}/sslserver.csr | tee output - REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output) - docker exec ca pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee output - CERT_ID=$(sed -n 's/Certificate ID: *\(.*\)/\1/p' output) - docker exec ca pki ca-cert-export 
$CERT_ID --output-file ${SHARED}/sslserver.crt + docker exec ca pki \ + -n caadmin \ + ca-cert-issue \ + --profile caServerCert \ + --csr-file ${SHARED}/sslserver.csr \ + --output-file ${SHARED}/sslserver.crt docker exec ca openssl x509 -text -noout -in ${SHARED}/sslserver.crt - name: Issue OCSP audit signing cert run: | docker exec ca openssl req -text -noout -in ${SHARED}/ocsp_audit_signing.csr - docker exec ca pki ca-cert-request-submit --profile caAuditSigningCert --csr-file ${SHARED}/ocsp_audit_signing.csr | tee output - REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output) - docker exec ca pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee output - CERT_ID=$(sed -n 's/Certificate ID: *\(.*\)/\1/p' output) - docker exec ca pki ca-cert-export $CERT_ID --output-file ${SHARED}/ocsp_audit_signing.crt + docker exec ca pki \ + -n caadmin \ + ca-cert-issue \ + --profile caAuditSigningCert \ + --csr-file ${SHARED}/ocsp_audit_signing.csr \ + --output-file ${SHARED}/ocsp_audit_signing.crt docker exec ca openssl x509 -text -noout -in ${SHARED}/ocsp_audit_signing.crt - name: Issue OCSP admin cert run: | docker exec ca openssl req -text -noout -in ${SHARED}/ocsp_admin.csr - docker exec ca pki ca-cert-request-submit --profile AdminCert --csr-file ${SHARED}/ocsp_admin.csr | tee output - REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output) - docker exec ca pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee output - CERT_ID=$(sed -n 's/Certificate ID: *\(.*\)/\1/p' output) - docker exec ca pki ca-cert-export $CERT_ID --output-file ${SHARED}/ocsp_admin.crt + docker exec ca pki \ + -n caadmin \ + ca-cert-issue \ + --profile AdminCert \ + --csr-file ${SHARED}/ocsp_admin.csr \ + --output-file ${SHARED}/ocsp_admin.crt docker exec ca openssl x509 -text -noout -in ${SHARED}/ocsp_admin.crt - name: Install OCSP in OCSP container (step 2) 
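Review bot: None of the issue steps in this hunk checks that the returned cert actually belongs to the CSR that was submitted; `openssl x509 -text` prints but asserts nothing, so a CA that bound the wrong request, or a stale `.crt` left in `${SHARED}` from an earlier step, would pass. Comparing the SubjectPublicKeyInfo of both files catches that cheaply: `docker exec ca openssl req -noout -pubkey -in ${SHARED}/subsystem.csr > csr.pub`, `docker exec ca openssl x509 -noout -pubkey -in ${SHARED}/subsystem.crt > cert.pub`, `cmp csr.pub cert.pub`. The same three lines fit each of the other steps with the file names swapped.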
diff --git a/.github/workflows/ocsp-external-certs-test.yml b/.github/workflows/ocsp-external-certs-test.yml
index d1f33f0f89e..099456896a2 100644
--- a/.github/workflows/ocsp-external-certs-test.yml
+++ b/.github/workflows/ocsp-external-certs-test.yml
@@ -108,51 +108,56 @@ jobs: - name: Issue OCSP signing cert run: | docker exec ca openssl req -text -noout -in ${SHARED}/ocsp_signing.csr - docker exec ca pki ca-cert-request-submit --profile caOCSPCert --csr-file ${SHARED}/ocsp_signing.csr | tee output - REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output) - docker exec ca pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee output - CERT_ID=$(sed -n 's/Certificate ID: *\(.*\)/\1/p' output) - docker exec ca pki ca-cert-export $CERT_ID --output-file ${SHARED}/ocsp_signing.crt + docker exec ca pki \ + -n caadmin \ + ca-cert-issue \ + --profile caOCSPCert \ + --csr-file ${SHARED}/ocsp_signing.csr \ + --output-file ${SHARED}/ocsp_signing.crt docker exec ca openssl x509 -text -noout -in ${SHARED}/ocsp_signing.crt - name: Issue subsystem cert run: | docker exec ca openssl req -text -noout -in ${SHARED}/subsystem.csr - docker exec ca pki ca-cert-request-submit --profile caSubsystemCert --csr-file ${SHARED}/subsystem.csr | tee output - REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output) - docker exec ca pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee output - CERT_ID=$(sed -n 's/Certificate ID: *\(.*\)/\1/p' output) - docker exec ca pki ca-cert-export $CERT_ID --output-file ${SHARED}/subsystem.crt + docker exec ca pki \ + -n caadmin \ + ca-cert-issue \ + --profile caSubsystemCert \ + --csr-file ${SHARED}/subsystem.csr \ + --output-file ${SHARED}/subsystem.crt docker exec ca openssl x509 -text -noout -in ${SHARED}/subsystem.crt - name: Issue SSL server cert run: | docker exec ca openssl req -text -noout -in ${SHARED}/sslserver.csr - docker exec ca pki ca-cert-request-submit --profile caServerCert --csr-file ${SHARED}/sslserver.csr | tee output - REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output) - docker exec ca pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee output - CERT_ID=$(sed -n 's/Certificate ID: *\(.*\)/\1/p' output) - docker exec ca pki ca-cert-export 
$CERT_ID --output-file ${SHARED}/sslserver.crt + docker exec ca pki \ + -n caadmin \ + ca-cert-issue \ + --profile caServerCert \ + --csr-file ${SHARED}/sslserver.csr \ + --output-file ${SHARED}/sslserver.crt docker exec ca openssl x509 -text -noout -in ${SHARED}/sslserver.crt - name: Issue OCSP audit signing cert run: | docker exec ca openssl req -text -noout -in ${SHARED}/ocsp_audit_signing.csr - docker exec ca pki ca-cert-request-submit --profile caAuditSigningCert --csr-file ${SHARED}/ocsp_audit_signing.csr | tee output - REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output) - docker exec ca pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee output - CERT_ID=$(sed -n 's/Certificate ID: *\(.*\)/\1/p' output) - docker exec ca pki ca-cert-export $CERT_ID --output-file ${SHARED}/ocsp_audit_signing.crt + docker exec ca pki \ + -n caadmin \ + ca-cert-issue \ + --profile caAuditSigningCert \ + --csr-file ${SHARED}/ocsp_audit_signing.csr \ + --output-file ${SHARED}/ocsp_audit_signing.crt docker exec ca openssl x509 -text -noout -in ${SHARED}/ocsp_audit_signing.crt - name: Issue OCSP admin cert run: | docker exec ca openssl req -text -noout -in ${SHARED}/ocsp_admin.csr - docker exec ca pki ca-cert-request-submit --profile AdminCert --csr-file ${SHARED}/ocsp_admin.csr | tee output - REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output) - docker exec ca pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee output - CERT_ID=$(sed -n 's/Certificate ID: *\(.*\)/\1/p' output) - docker exec ca pki ca-cert-export $CERT_ID --output-file ${SHARED}/ocsp_admin.crt + docker exec ca pki \ + -n caadmin \ + ca-cert-issue \ + --profile AdminCert \ + --csr-file ${SHARED}/ocsp_admin.csr \ + --output-file ${SHARED}/ocsp_admin.crt docker exec ca openssl x509 -text -noout -in ${SHARED}/ocsp_admin.crt - name: Install OCSP in OCSP container (step 2) 
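Review bot: The `openssl req -text -noout` calls that precede each `ca-cert-issue` in this hunk parse the CSR but do not verify its self-signature, so a CSR with a broken proof-of-possession would still be submitted and approved as caadmin. Adding `-verify` makes the step fail instead, e.g. `docker exec ca openssl req -verify -text -noout -in ${SHARED}/ocsp_signing.csr` (current OpenSSL exits non-zero on a bad signature). Whether the CA rejects such a CSR server-side is not visible from this diff, so the flag is cheap insurance for the test rather than a replacement for that check.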
diff --git a/.github/workflows/ocsp-standalone-test.yml b/.github/workflows/ocsp-standalone-test.yml
index 40a2be685a7..1f04271941e 100644
--- a/.github/workflows/ocsp-standalone-test.yml
+++ b/.github/workflows/ocsp-standalone-test.yml
@@ -112,51 +112,56 @@ jobs: - name: Issue OCSP signing cert run: | docker exec ca openssl req -text -noout -in ${SHARED}/ocsp_signing.csr - docker exec ca pki ca-cert-request-submit --profile caOCSPCert --csr-file ${SHARED}/ocsp_signing.csr | tee output - REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output) - docker exec ca pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee output - CERT_ID=$(sed -n 's/Certificate ID: *\(.*\)/\1/p' output) - docker exec ca pki ca-cert-export $CERT_ID --output-file ${SHARED}/ocsp_signing.crt + docker exec ca pki \ + -n caadmin \ + ca-cert-issue \ + --profile caOCSPCert \ + --csr-file ${SHARED}/ocsp_signing.csr \ + --output-file ${SHARED}/ocsp_signing.crt docker exec ca openssl x509 -text -noout -in ${SHARED}/ocsp_signing.crt - name: Issue subsystem cert run: | docker exec ca openssl req -text -noout -in ${SHARED}/subsystem.csr - docker exec ca pki ca-cert-request-submit --profile caSubsystemCert --csr-file ${SHARED}/subsystem.csr | tee output - REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output) - docker exec ca pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee output - CERT_ID=$(sed -n 's/Certificate ID: *\(.*\)/\1/p' output) - docker exec ca pki ca-cert-export $CERT_ID --output-file ${SHARED}/subsystem.crt + docker exec ca pki \ + -n caadmin \ + ca-cert-issue \ + --profile caSubsystemCert \ + --csr-file ${SHARED}/subsystem.csr \ + --output-file ${SHARED}/subsystem.crt docker exec ca openssl x509 -text -noout -in ${SHARED}/subsystem.crt - name: Issue SSL server cert run: | docker exec ca openssl req -text -noout -in ${SHARED}/sslserver.csr - docker exec ca pki ca-cert-request-submit --profile caServerCert --csr-file ${SHARED}/sslserver.csr | tee output - REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output) - docker exec ca pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee output - CERT_ID=$(sed -n 's/Certificate ID: *\(.*\)/\1/p' output) - docker exec ca pki ca-cert-export 
$CERT_ID --output-file ${SHARED}/sslserver.crt + docker exec ca pki \ + -n caadmin \ + ca-cert-issue \ + --profile caServerCert \ + --csr-file ${SHARED}/sslserver.csr \ + --output-file ${SHARED}/sslserver.crt docker exec ca openssl x509 -text -noout -in ${SHARED}/sslserver.crt - name: Issue OCSP audit signing cert run: | docker exec ca openssl req -text -noout -in ${SHARED}/ocsp_audit_signing.csr - docker exec ca pki ca-cert-request-submit --profile caAuditSigningCert --csr-file ${SHARED}/ocsp_audit_signing.csr | tee output - REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output) - docker exec ca pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee output - CERT_ID=$(sed -n 's/Certificate ID: *\(.*\)/\1/p' output) - docker exec ca pki ca-cert-export $CERT_ID --output-file ${SHARED}/ocsp_audit_signing.crt + docker exec ca pki \ + -n caadmin \ + ca-cert-issue \ + --profile caAuditSigningCert \ + --csr-file ${SHARED}/ocsp_audit_signing.csr \ + --output-file ${SHARED}/ocsp_audit_signing.crt docker exec ca openssl x509 -text -noout -in ${SHARED}/ocsp_audit_signing.crt - name: Issue OCSP admin cert run: | docker exec ca openssl req -text -noout -in ${SHARED}/ocsp_admin.csr - docker exec ca pki ca-cert-request-submit --profile AdminCert --csr-file ${SHARED}/ocsp_admin.csr | tee output - REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output) - docker exec ca pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee output - CERT_ID=$(sed -n 's/Certificate ID: *\(.*\)/\1/p' output) - docker exec ca pki ca-cert-export $CERT_ID --output-file ${SHARED}/ocsp_admin.crt + docker exec ca pki \ + -n caadmin \ + ca-cert-issue \ + --profile AdminCert \ + --csr-file ${SHARED}/ocsp_admin.csr \ + --output-file ${SHARED}/ocsp_admin.crt docker exec ca openssl x509 -text -noout -in ${SHARED}/ocsp_admin.crt - name: Install standalone OCSP (step 2) 
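Review bot: The new `ca-cert-issue` blocks in this hunk collapse three operations that used to be spelled out (anonymous submit, approve with `--force` as caadmin, export by cert ID) into one call, but nothing in the steps says so, and readers comparing against older workflows will not see the difference. A one-line comment above the first call, `# ca-cert-issue submits the CSR, approves it as caadmin and writes the cert in one step`, would keep that explicit. Note the change also means the submission itself is now authenticated as caadmin (the removed `ca-cert-request-submit` lines passed no `-n`), which slightly changes what the test exercises.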
diff --git a/.github/workflows/tks-external-certs-test.yml b/.github/workflows/tks-external-certs-test.yml
index f4a73bf66f1..5bb875c813b 100644
--- a/.github/workflows/tks-external-certs-test.yml
+++ b/.github/workflows/tks-external-certs-test.yml
@@ -110,41 +110,45 @@ jobs: - name: Issue subsystem cert run: | docker exec ca openssl req -text -noout -in ${SHARED}/subsystem.csr - docker exec ca pki ca-cert-request-submit --profile caSubsystemCert --csr-file ${SHARED}/subsystem.csr | tee output - REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output) - docker exec ca pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee output - CERT_ID=$(sed -n 's/Certificate ID: *\(.*\)/\1/p' output) - docker exec ca pki ca-cert-export $CERT_ID --output-file ${SHARED}/subsystem.crt + docker exec ca pki \ + -n caadmin \ + ca-cert-issue \ + --profile caSubsystemCert \ + --csr-file ${SHARED}/subsystem.csr \ + --output-file ${SHARED}/subsystem.crt docker exec ca openssl x509 -text -noout -in ${SHARED}/subsystem.crt - name: Issue SSL server cert run: | docker exec ca openssl req -text -noout -in ${SHARED}/sslserver.csr - docker exec ca pki ca-cert-request-submit --profile caServerCert --csr-file ${SHARED}/sslserver.csr | tee output - REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output) - docker exec ca pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee output - CERT_ID=$(sed -n 's/Certificate ID: *\(.*\)/\1/p' output) - docker exec ca pki ca-cert-export $CERT_ID --output-file ${SHARED}/sslserver.crt + docker exec ca pki \ + -n caadmin \ + ca-cert-issue \ + --profile caServerCert \ + --csr-file ${SHARED}/sslserver.csr \ + --output-file ${SHARED}/sslserver.crt docker exec ca openssl x509 -text -noout -in ${SHARED}/sslserver.crt - name: Issue TKS audit signing cert run: | docker exec ca openssl req -text -noout -in ${SHARED}/tks_audit_signing.csr - docker exec ca pki ca-cert-request-submit --profile caAuditSigningCert --csr-file ${SHARED}/tks_audit_signing.csr | tee output - REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output) - docker exec ca pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee output - CERT_ID=$(sed -n 's/Certificate ID: *\(.*\)/\1/p' output) - docker exec ca pki 
ca-cert-export $CERT_ID --output-file ${SHARED}/tks_audit_signing.crt + docker exec ca pki \ + -n caadmin \ + ca-cert-issue \ + --profile caAuditSigningCert \ + --csr-file ${SHARED}/tks_audit_signing.csr \ + --output-file ${SHARED}/tks_audit_signing.crt docker exec ca openssl x509 -text -noout -in ${SHARED}/tks_audit_signing.crt - name: Issue TKS admin cert run: | docker exec ca openssl req -text -noout -in ${SHARED}/tks_admin.csr - docker exec ca pki ca-cert-request-submit --profile AdminCert --csr-file ${SHARED}/tks_admin.csr | tee output - REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output) - docker exec ca pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee output - CERT_ID=$(sed -n 's/Certificate ID: *\(.*\)/\1/p' output) - docker exec ca pki ca-cert-export $CERT_ID --output-file ${SHARED}/tks_admin.crt + docker exec ca pki \ + -n caadmin \ + ca-cert-issue \ + --profile AdminCert \ + --csr-file ${SHARED}/tks_admin.csr \ + --output-file ${SHARED}/tks_admin.crt docker exec ca openssl x509 -text -noout -in ${SHARED}/tks_admin.crt - name: Install TKS in TKS container (step 2) diff --git a/.github/workflows/tps-external-certs-test.yml b/.github/workflows/tps-external-certs-test.yml index e44eccaa645..0f412e40ce5 100644 --- a/.github/workflows/tps-external-certs-test.yml +++ b/.github/workflows/tps-external-certs-test.yml 
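Review bot: The `Issue TKS audit signing cert` step prints the cert but never asserts the key usage the audit log signer depends on, so a `caAuditSigningCert` profile regression would pass silently. If the profile sets Non Repudiation / Digital Signature as its name suggests (not visible in this diff), one line pins it: `docker exec ca openssl x509 -text -noout -in ${SHARED}/tks_audit_signing.crt | grep -q "Non Repudiation"`. The enclosing job continues outside the hunk.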
@@ -184,33 +184,45 @@ jobs: - name: Issue subsystem cert run: | docker exec ca openssl req -text -noout -in ${SHARED}/subsystem.csr - docker exec ca pki ca-cert-request-submit --profile caSubsystemCert --csr-file ${SHARED}/subsystem.csr | sed -n 's/Request ID: *\(.*\)/\1/p' > subsystem.reqid - docker exec ca pki -n caadmin ca-cert-request-approve `cat subsystem.reqid` --force | sed -n 's/Certificate ID: *\(.*\)/\1/p' > subsystem.certid - docker exec ca pki ca-cert-export `cat subsystem.certid` --output-file ${SHARED}/subsystem.crt + docker exec ca pki \ + -n caadmin \ + ca-cert-issue \ + --profile caSubsystemCert \ + --csr-file ${SHARED}/subsystem.csr \ + --output-file ${SHARED}/subsystem.crt docker exec ca openssl x509 -text -noout -in ${SHARED}/subsystem.crt - name: Issue SSL server cert run: | docker exec ca openssl req -text -noout -in ${SHARED}/sslserver.csr - docker exec ca pki ca-cert-request-submit --profile caServerCert --csr-file ${SHARED}/sslserver.csr | sed -n 's/Request ID: *\(.*\)/\1/p' > sslserver.reqid - docker exec ca pki -n caadmin ca-cert-request-approve `cat sslserver.reqid` --force | sed -n 's/Certificate ID: *\(.*\)/\1/p' > sslserver.certid - docker exec ca pki ca-cert-export `cat sslserver.certid` --output-file ${SHARED}/sslserver.crt + docker exec ca pki \ + -n caadmin \ + ca-cert-issue \ + --profile caServerCert \ + --csr-file ${SHARED}/sslserver.csr \ + --output-file ${SHARED}/sslserver.crt docker exec ca openssl x509 -text -noout -in ${SHARED}/sslserver.crt - name: Issue TPS audit signing cert run: | docker exec ca openssl req -text -noout -in ${SHARED}/tps_audit_signing.csr - docker exec ca pki ca-cert-request-submit --profile caAuditSigningCert --csr-file ${SHARED}/tps_audit_signing.csr | sed -n 's/Request ID: *\(.*\)/\1/p' > tps_audit_signing.reqid - docker exec ca pki -n caadmin ca-cert-request-approve `cat tps_audit_signing.reqid` --force | sed -n 's/Certificate ID: *\(.*\)/\1/p' > tps_audit_signing.certid - docker exec ca pki 
ca-cert-export `cat tps_audit_signing.certid` --output-file ${SHARED}/tps_audit_signing.crt + docker exec ca pki \ + -n caadmin \ + ca-cert-issue \ + --profile caAuditSigningCert \ + --csr-file ${SHARED}/tps_audit_signing.csr \ + --output-file ${SHARED}/tps_audit_signing.crt docker exec ca openssl x509 -text -noout -in ${SHARED}/tps_audit_signing.crt - name: Issue TPS admin cert run: | docker exec ca openssl req -text -noout -in ${SHARED}/tps_admin.csr - docker exec ca pki ca-cert-request-submit --profile AdminCert --csr-file ${SHARED}/tps_admin.csr | sed -n 's/Request ID: *\(.*\)/\1/p' > tps_admin.reqid - docker exec ca pki -n caadmin ca-cert-request-approve `cat tps_admin.reqid` --force | sed -n 's/Certificate ID: *\(.*\)/\1/p' > tps_admin.certid - docker exec ca pki ca-cert-export `cat tps_admin.certid` --output-file ${SHARED}/tps_admin.crt + docker exec ca pki \ + -n caadmin \ + ca-cert-issue \ + --profile AdminCert \ + --csr-file ${SHARED}/tps_admin.csr \ + --output-file ${SHARED}/tps_admin.crt docker exec ca openssl x509 -text -noout -in ${SHARED}/tps_admin.crt - name: Install TPS in TPS container (step 2) diff --git a/base/server/python/pki/server/deployment/__init__.py b/base/server/python/pki/server/deployment/__init__.py index 5cba57fc89f..ba4a00b68de 100644 --- a/base/server/python/pki/server/deployment/__init__.py +++ b/base/server/python/pki/server/deployment/__init__.py @@ -3681,7 +3681,7 @@ def issue_cert( '-f', self.instance.password_conf, '-U', url, '--ignore-banner', - 'ca-cert-request-submit', + 'ca-cert-issue', '--request-type', request_type, '--csr-file', request_file, '--profile', profile, diff --git a/base/tools/src/main/java/com/netscape/cmstools/ca/CACertCLI.java b/base/tools/src/main/java/com/netscape/cmstools/ca/CACertCLI.java index 07e1a523bed..5f424b4eb42 100644 --- a/base/tools/src/main/java/com/netscape/cmstools/ca/CACertCLI.java +++ b/base/tools/src/main/java/com/netscape/cmstools/ca/CACertCLI.java 
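Review bot: The removed lines in this hunk were the only ones in view that persisted `subsystem.reqid`, `sslserver.certid` and the other `.reqid`/`.certid` files on the runner; the new `ca-cert-issue` calls write only the `.crt`, so any later step of tps-external-certs-test.yml that reads those files (not visible here) will now fail on a missing file. Please grep the rest of the workflow for `.reqid` and `.certid` before merging. If the IDs are still needed downstream, the step should recover them after issuance, e.g. via the existing `ca-cert-find` subcommand, rather than rely on output parsing that no longer happens.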
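Review bot: The deployment call in `issue_cert` now runs `ca-cert-issue`, which per the workflows in this diff both submits and approves the request, yet the visible arguments still pass `--request-type` and no `-n` nickname appears in the hunk; whether CACertIssueCLI accepts `--request-type` cannot be confirmed because its `createOptions()` body is cut off at the end of this diff, and the approval step will need an agent/admin credential that `-f password_conf` alone does not supply unless a nickname is set outside the hunk. Please confirm both against CACertIssueCLI, and make sure the remainder of `issue_cert` (outside the hunk) no longer parses `Request ID:` from the output or approves the request a second time. A short comment at the call site, `# ca-cert-issue submits and approves in one call; do not approve again below`, would make the new contract explicit.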
@@ -45,6 +45,7 @@ public CACertCLI(CLI parent) {
 super("cert", "Certificate management commands", parent);
 addModule(new CACertFindCLI(this));
+ addModule(new CACertIssueCLI(this));
 addModule(new CACertShowCLI(this));
 addModule(new CACertExportCLI(this));
 addModule(new CACertRevokeCLI(this));
diff --git a/base/tools/src/main/java/com/netscape/cmstools/ca/CACertIssueCLI.java b/base/tools/src/main/java/com/netscape/cmstools/ca/CACertIssueCLI.java
new file mode 100644
index 00000000000..f0daf41a5ec
--- /dev/null
+++ b/base/tools/src/main/java/com/netscape/cmstools/ca/CACertIssueCLI.java
@@ -0,0 +1,501 @@
+package com.netscape.cmstools.ca;
+
+import java.io.Console;
+import java.io.File;
+import java.io.FileNotFoundException;
+import java.io.FileOutputStream;
+import java.io.IOException;
+import java.io.PrintWriter;
+import java.io.StringWriter;
+import java.nio.file.Files;
+import java.nio.file.Paths;
+import java.util.Collection;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.Scanner;
+import java.util.Vector;
+
+import org.apache.commons.cli.CommandLine;
+import org.apache.commons.cli.Option;
+import org.dogtagpki.cli.CLIException;
+import org.dogtagpki.cli.CommandCLI;
+import org.dogtagpki.util.cert.CertUtil;
+import org.mozilla.jss.netscape.security.pkcs.PKCS10;
+import org.mozilla.jss.netscape.security.util.Cert;
+import org.mozilla.jss.netscape.security.util.Utils;
+import org.mozilla.jss.netscape.security.x509.X500Name;
+import org.mozilla.jss.netscape.security.x509.X509CertImpl;
+
+import com.netscape.certsrv.ca.AuthorityID;
+import com.netscape.certsrv.ca.CACertClient;
+import com.netscape.certsrv.cert.CertData;
+import com.netscape.certsrv.cert.CertEnrollmentRequest;
+import com.netscape.certsrv.cert.CertRequestInfo;
+import com.netscape.certsrv.cert.CertRequestInfos;
+import com.netscape.certsrv.cert.CertReviewResponse;
+import com.netscape.certsrv.dbs.certdb.CertId;
+import com.netscape.certsrv.profile.ProfileAttribute;
+import com.netscape.certsrv.profile.ProfileInput;
+import com.netscape.certsrv.request.RequestId;
+import com.netscape.certsrv.request.RequestStatus;
+import com.netscape.cmstools.cli.MainCLI;
+
+import netscape.ldap.util.DN;
+import netscape.ldap.util.RDN;
+
+public class CACertIssueCLI extends CommandCLI {
+
+ public static org.slf4j.Logger logger = org.slf4j.LoggerFactory.getLogger(CACertIssueCLI.class);
+
+ CACertCLI certCLI;
+
+ public CACertIssueCLI(CACertCLI certCLI) {
+ super("issue", "Issue certificate", certCLI);
+ this.certCLI = certCLI;
+ }
+
+ @Override
+ public void createOptions() {
+
+ Option option = new Option(null, "issuer-id", true, "Authority ID (host authority if omitted)");
+ option.setArgName("ID");
+ options.addOption(option);
+
+ option = new Option(null, "issuer-dn", true, "Authority DN (host authority if omitted)");
+ option.setArgName("DN");
+ options.addOption(option);
+
+ option = new Option(null, "username", true, "Username for enrollment");
+ option.setArgName("username");
+ options.addOption(option);
+
+ option = new Option(null, "password-file", true, "File containing enrollment password");
+ options.addOption(option);
+
+ option = new Option(null, "password", false, "Prompt for enrollment password");
+ options.addOption(option);
+
+ option = new Option(null, "pin-file", true, "File containing enrollment PIN");
+ options.addOption(option);
+
+ option = new Option(null, "pin", false, "Prompt for enrollment PIN");
+ options.addOption(option);
+
+ option = new Option(null, "profile", true, "Certificate profile");
+ option.setArgName("profile");
+ options.addOption(option);
+
+ option = new Option(null, "request-type", true, "Request type (default: pkcs10)");
+ option.setArgName("type");
+ options.addOption(option);
+
+ option = new Option(null, "renewal", false, "Submit renewal request");
+ options.addOption(option);
+
+ option = new Option(null, "csr-file", true, "File containing the CSR");
+ option.setArgName("path");
+ options.addOption(option);
+
+ option = new Option(null, "serial", true, "Serial number of certificate for renewal");
+ option.setArgName("number");
+ options.addOption(option);
+
+ option = new Option(null, "subject", true, "Subject DN");
+ option.setArgName("DN");
+ options.addOption(option);
+
+ option = new Option(null, "dns-names", true, "Comma-separated list of DNS names");
+ option.setArgName("names");
+ options.addOption(option);
+
+ option = new Option(null, "requestor", true, "Requestor");
+ option.setArgName("requestor");
+ options.addOption(option);
+
+ option = new Option(null, "session", true,
"Session ID"); + option.setArgName("ID"); + options.addOption(option); + + option = new Option(null, "install-token", true, "Install token"); + option.setArgName("path"); + options.addOption(option); + + option = new Option(null, "input-file", true, "Input file"); + option.setArgName("file"); + options.addOption(option); + + option = new Option(null, "output-file", true, "Output file"); + option.setArgName("file"); + options.addOption(option); + + option = new Option(null, "output-format", true, "Output format: PEM (default), DER"); + option.setArgName("format"); + options.addOption(option); + } + + @Override + public void printHelp() { + formatter.printHelp(getFullName() + " [OPTIONS...]", options); + } + + private String loadFile(String fileName) throws FileNotFoundException { + try (Scanner scanner = new Scanner(new File(fileName))) { + return scanner.useDelimiter("\\A").next(); + } + } + + public byte[] issueCert( + CACertClient certClient, + CertEnrollmentRequest request, + AuthorityID authorityID, + X500Name authorityDN, + String outputFormat) + throws Exception { + + logger.info("Submitting certificate request"); + CertRequestInfos cri = certClient.enrollRequest(request, authorityID, authorityDN); + + Collection entries = cri.getEntries(); + if (entries.size() == 0) { + throw new CLIException("Unable to submit certificate request"); + } + + // get first request info + CertRequestInfo requestInfo = entries.iterator().next(); + RequestId requestId = requestInfo.getRequestID(); + RequestStatus status = requestInfo.getRequestStatus(); + + if (status == RequestStatus.PENDING) { + logger.info("Reviewing certificate request " + requestId.toHexString()); + CertReviewResponse reviewInfo = certClient.reviewRequest(requestId); + + logger.info("Approving certificate request " + requestId.toHexString()); + certClient.approveRequest(requestId, reviewInfo); + + logger.info("Retrieving certificate request " + requestId.toHexString()); + requestInfo = 
certClient.getRequest(requestId);
+
+ status = requestInfo.getRequestStatus();
+ }
+
+ if (status != RequestStatus.COMPLETE) {
+ String message = "Request " + status;
+ String errorMessage = requestInfo.getErrorMessage();
+ if (errorMessage != null) {
+ message += ": " + errorMessage;
+ }
+ throw new CLIException(message);
+ }
+
+ CertId certID = requestInfo.getCertId();
+
+ logger.info("Retrieving certificate " + certID.toHexString());
+ CertData certData = certClient.getCert(certID);
+
+ if (outputFormat == null || "PEM".equalsIgnoreCase(outputFormat)) {
+ return certData.getEncoded().getBytes();
+
+ } else if ("DER".equalsIgnoreCase(outputFormat)) {
+ return Cert.parseCertificate(certData.getEncoded());
+
+ } else {
+ throw new CLIException("Unsupported format: " + outputFormat);
+ }
+ }
+
+ public byte[] issueCert(
+ CACertClient certClient,
+ String requestType,
+ String csr,
+ String profileID,
+ String subjectDN,
+ String[] dnsNames,
+ String requestor,
+ String sessionID,
+ String outputFormat)
+ throws Exception {
+
+ logger.info("Submitting certificate request");
+ X509CertImpl cert = certClient.submitRequest(
+ requestType,
+ csr,
+ profileID,
+ subjectDN,
+ dnsNames,
+ requestor,
+ sessionID);
+
+ if (outputFormat == null || "PEM".equalsIgnoreCase(outputFormat)) {
+ StringWriter sw = new StringWriter();
+
+ try (PrintWriter out = new PrintWriter(sw, true)) {
+ out.println(Cert.HEADER);
+ out.print(Utils.base64encodeMultiLine(cert.getEncoded()));
+ out.println(Cert.FOOTER);
+ }
+
+ return sw.toString().getBytes();
+
+ } else if ("DER".equalsIgnoreCase(outputFormat)) {
+ return cert.getEncoded();
+
+ } else {
+ throw new CLIException("Unsupported format: " + outputFormat);
+ }
+ }
+
+ @Override
+ public void execute(CommandLine cmd) throws Exception {
+
+ String[] cmdArgs = cmd.getArgs();
+
+ String inputFile = cmd.getOptionValue("input-file");
+ String profileID = cmd.getOptionValue("profile");
+
+ if (inputFile == null && profileID == null) {
+ throw
new CLIException("Missing request file or profile ID.");
+ }
+
+ if (inputFile != null && profileID != null) {
+ throw new CLIException("Request file and profile ID are mutually exclusive.");
+ }
+
+ AuthorityID authorityID = null;
+ if (cmd.hasOption("issuer-id")) {
+ String aidString = cmd.getOptionValue("issuer-id");
+ try {
+ authorityID = new AuthorityID(aidString);
+ } catch (IllegalArgumentException e) {
+ throw new Exception("Bad AuthorityID: " + aidString, e);
+ }
+ }
+
+ X500Name authorityDN = null;
+ if (cmd.hasOption("issuer-dn")) {
+ String adnString = cmd.getOptionValue("issuer-dn");
+ try {
+ authorityDN = new X500Name(adnString);
+ } catch (IOException e) {
+ throw new Exception("Bad DN: " + adnString, e);
+ }
+ }
+
+ if (authorityID != null && authorityDN != null) {
+ throw new CLIException("--issuer-id and --issuer-dn options are mutually exclusive");
+ }
+
+ String requestType = cmd.getOptionValue("request-type");
+
+ CertEnrollmentRequest request;
+ if (inputFile == null) { // if no request file specified, generate new request from profile
+
+ logger.info("Retrieving " + profileID + " profile");
+
+ CACertClient certClient = certCLI.getCertClient();
+ request = certClient.getEnrollmentTemplate(profileID);
+
+ // set default request type for new request
+ if (requestType == null) requestType = "pkcs10";
+
+ } else { // otherwise, load request from file
+
+ logger.info("Loading request from " + inputFile);
+
+ String xml = loadFile(inputFile);
+ request = CertEnrollmentRequest.fromXML(xml);
+ }
+
+ if (requestType != null) {
+
+ logger.info("Request type: " + requestType);
+
+ for (ProfileInput input : request.getInputs()) {
+ ProfileAttribute typeAttr = input.getAttribute("cert_request_type");
+ if (typeAttr != null) {
+ typeAttr.setValue(requestType);
+ }
+ }
+ }
+
+ request.setRenewal(cmd.hasOption("renewal"));
+
+ String csrFilename = cmd.getOptionValue("csr-file");
+ String csr = null;
+ PKCS10 pkcs10 = null;
+
+ if (csrFilename != null) {
+
+
+ csr = loadFile(csrFilename);
+ logger.debug("CSR:\n" + csr);
+
+ byte[] bytes = CertUtil.parseCSR(csr);
+ if ("pkcs10".equals(requestType)) {
+ pkcs10 = new PKCS10(bytes);
+ }
+
+ for (ProfileInput input : request.getInputs()) {
+ ProfileAttribute csrAttr = input.getAttribute("cert_request");
+ if (csrAttr != null) {
+ csrAttr.setValue(csr);
+ }
+ }
+ }
+
+ String serial = cmd.getOptionValue("serial");
+ if (serial != null) {
+
+ logger.info("Serial: " + serial);
+
+ request.setSerialNum(new CertId(serial));
+
+ // store serial number in profile input if available
+ for (ProfileInput input : request.getInputs()) {
+ ProfileAttribute serialAttr = input.getAttribute("serial_num");
+ if (serialAttr != null) {
+ serialAttr.setValue(serial);
+ }
+ }
+ }
+
+ String subjectDN = cmd.getOptionValue("subject");
+
+ if (subjectDN == null) {
+ // if no subject DN provided, get from CSR
+ if (pkcs10 != null) {
+ subjectDN = pkcs10.getSubjectName().toLdapDNString();
+ }
+ }
+
+ if (subjectDN != null) {
+ DN dn = new DN(subjectDN);
+ Vector rdns = dn.getRDNs();
+
+ Map subjectAttributes = new HashMap<>();
+ for (int i=0; i< rdns.size(); i++) {
+ RDN rdn = (RDN)rdns.elementAt(i);
+ String type = rdn.getTypes()[0].toLowerCase();
+ String value = rdn.getValues()[0];
+ subjectAttributes.put(type, value);
+ }
+
+ ProfileInput sn = request.getInput("Subject Name");
+ if (sn != null) {
+ logger.info("Subject Name:");
+
+ for (ProfileAttribute attribute : sn.getAttributes()) {
+ String name = attribute.getName();
+ String value = null;
+
+ if (name.equals("subject")) {
+ // get the whole subject DN
+ value = subjectDN;
+
+ } else if (name.startsWith("sn_")) {
+ // get value from subject DN
+ value = subjectAttributes.get(name.substring(3));
+
+ } else {
+ // unknown attribute, ignore
+ logger.info("- " + name);
+ continue;
+ }
+
+ if (value == null) continue;
+
+ logger.info("- " + name + ": " + value);
+ attribute.setValue(value);
+ }
+ }
+ }
+
+ String enrollmentUsername =
cmd.getOptionValue("username");
+ if (enrollmentUsername != null) {
+ request.setAttribute("uid", enrollmentUsername);
+ }
+
+ String passwordFile = cmd.getOptionValue("password-file");
+ if (passwordFile != null) {
+ String enrollmentPassword = Files.readString(Paths.get(passwordFile)).trim();
+ request.setAttribute("pwd", enrollmentPassword);
+
+ } else if (cmd.hasOption("password")) {
+ Console console = System.console();
+ String enrollmentPassword = new String(console.readPassword("Password: "));
+ request.setAttribute("pwd", enrollmentPassword);
+ }
+
+ String pinFile = cmd.getOptionValue("pin-file");
+ if (pinFile != null) {
+ String enrollmentPIN = Files.readString(Paths.get(pinFile)).trim();
+ request.setAttribute("pin", enrollmentPIN);
+
+ } else if (cmd.hasOption("pin")) {
+ Console console = System.console();
+ String enrollmentPIN = new String(console.readPassword("PIN: "));
+ request.setAttribute("pin", enrollmentPIN);
+ }
+
+ logger.info("Request:\n" + request);
+
+ String list = cmd.getOptionValue("dns-names");
+ logger.info("DNS names: " + list);
+
+ String[] dnsNames = null;
+ if (list != null) {
+ dnsNames = list.split(",");
+ }
+
+ String requestor = cmd.getOptionValue("requestor");
+ logger.info("Requestor: " + requestor);
+
+ String outputFormat = cmd.getOptionValue("output-format");
+
+ MainCLI mainCLI = (MainCLI) getRoot();
+ mainCLI.init();
+
+ CACertClient certClient = certCLI.getCertClient();
+
+ String installToken = cmd.getOptionValue("install-token");
+ String sessionID;
+
+ if (installToken != null) {
+ sessionID = new String(Files.readAllBytes(Paths.get(installToken)));
+ } else {
+ sessionID = cmd.getOptionValue("session");
+ }
+
+ byte[] bytes;
+ if (sessionID == null) {
+ // issue cert without install token
+ bytes = issueCert(
+ certClient,
+ request,
+ authorityID,
+ authorityDN,
+ outputFormat);
+
+ } else {
+ // issue cert with install token
+ bytes = issueCert(
+ certClient,
+ requestType,
+ csr,
+ profileID,
+ subjectDN,
+
dnsNames,
+ requestor,
+ sessionID,
+ outputFormat);
+ }
+
+ String outputFile = cmd.getOptionValue("output-file");
+ if (outputFile != null) {
+ try (FileOutputStream out = new FileOutputStream(outputFile)) {
+ out.write(bytes);
+ }
+
+ } else {
+ System.out.write(bytes);
+ }
+ }
+}
diff --git a/base/tools/src/main/java/com/netscape/cmstools/ca/CACertRequestSubmitCLI.java b/base/tools/src/main/java/com/netscape/cmstools/ca/CACertRequestSubmitCLI.java
index 3255b5d7e91..1102cc2ef32 100644
--- a/base/tools/src/main/java/com/netscape/cmstools/ca/CACertRequestSubmitCLI.java
+++ b/base/tools/src/main/java/com/netscape/cmstools/ca/CACertRequestSubmitCLI.java
@@ -105,11 +105,11 @@ public void createOptions() {
 option.setArgName("requestor");
 options.addOption(option);
- option = new Option(null, "session", true, "Session ID");
+ option = new Option(null, "session", true, "DEPRECATED: Session ID");
 option.setArgName("ID");
 options.addOption(option);
- option = new Option(null, "install-token", true, "Install token");
+ option = new Option(null, "install-token", true, "DEPRECATED: Install token");
 option.setArgName("path");
 options.addOption(option);
@@ -337,12 +337,13 @@ public void execute(CommandLine cmd) throws Exception {
 CACertClient certClient = certRequestCLI.getCertClient();
 String installToken = cmd.getOptionValue("install-token");
- String sessionID;
+ String sessionID = cmd.getOptionValue("session");
 if (installToken != null) {
+ logger.warn("The --install-token option has been deprecated. Use pki ca-cert-issue instead.");
 sessionID = new String(Files.readAllBytes(Paths.get(installToken)));
 } else {
- sessionID = cmd.getOptionValue("session");
+ logger.warn("The --session option has been deprecated. Use pki ca-cert-issue instead.");
 }
 if (sessionID == null) {
diff --git a/tests/ansible/ocsp/tasks/certificate_self_validation_with_crl.yml b/tests/ansible/ocsp/tasks/certificate_self_validation_with_crl.yml
index a01d7d1eccc..3349296dab1 100644
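Review bot: `logger.info("Request:\n" + request)` in execute() runs after `request.setAttribute("pwd", ...)` and `request.setAttribute("pin", ...)`, so if `CertEnrollmentRequest`'s string form includes its attributes the enrollment password and PIN are written to the log at INFO level; either log the request before those attributes are set, or log a copy with `pwd`/`pin` removed. Both prompt branches also call `System.console().readPassword(...)` without a null check, so a run with redirected stdin dies with a NullPointerException rather than a usable error (`if (console == null) throw new CLIException("No console available to prompt for password");`), and the `char[]` returned by `readPassword` is copied into a String and never cleared. Finally, the install token is read with `Files.readAllBytes` and not trimmed while the password and PIN files are, so a trailing newline in the token file becomes part of the session ID sent to the server; `.trim()` on the decoded token would make the three file inputs behave the same.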
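Review bot: In the second hunk of CACertRequestSubmitCLI.java the `else` branch logs `The --session option has been deprecated` unconditionally, so every invocation without `--install-token` — including the common case where neither deprecated option is given — now emits a misleading warning; guard it on the option actually being present, `} else if (sessionID != null) {`. With that change the warning in each branch fires only when the deprecated option it names was really used, matching the DEPRECATED text added to the option descriptions in the first hunk. The enclosing execute() starts and ends outside the hunk.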
--- a/tests/ansible/ocsp/tasks/certificate_self_validation_with_crl.yml
+++ b/tests/ansible/ocsp/tasks/certificate_self_validation_with_crl.yml
@@ -211,108 +211,68 @@
 -D pki_admin_csr_path={{ shared_workspace }}/ocsp_admin.csr -v
-- name: Issue OCSP signing cert - submit
+- name: Issue OCSP signing cert
 community.docker.docker_container_exec:
 container: "{{ ca_container }}"
- command: pki ca-cert-request-submit --profile caOCSPCert --csr-file {{ shared_workspace }}/ocsp_signing.csr
- register:
- ca_command
-
-- name: Issue OCSP signing cert - approve
- community.docker.docker_container_exec:
- container: "{{ ca_container }}"
- command: "pki -n caadmin ca-cert-request-approve {{ ca_command.stdout | regex_search('Request ID: *(.*)', '\\1') | first }} --force"
- register:
- ca_command
-
-- name: Issue OCSP signing cert - export
- community.docker.docker_container_exec:
- container: "{{ ca_container }}"
- command: "pki ca-cert-export {{ ca_command.stdout | regex_search('Certificate ID: *(.*)', '\\1') | first }} --output-file {{ shared_workspace }}/ocsp_signing.crt"
- register:
- ca_command
-
-- name: Issue subsystem cert - submit
- community.docker.docker_container_exec:
- container: "{{ ca_container }}"
- command: pki ca-cert-request-submit --profile caSubsystemCert --csr-file {{ shared_workspace }}/subsystem.csr
- register:
- ca_command
-
-- name: Issue subsystem cert - approve
- community.docker.docker_container_exec:
- container: "{{ ca_container }}"
- command: "pki -n caadmin ca-cert-request-approve {{ ca_command.stdout | regex_search('Request ID: *(.*)', '\\1') | first }} --force"
- register:
- ca_command
-
-- name: Issue subsystem cert - export
- community.docker.docker_container_exec:
- container: "{{ ca_container }}"
- command: "pki ca-cert-export {{ ca_command.stdout | regex_search('Certificate ID: *(.*)', '\\1') | first }} --output-file {{ shared_workspace }}/subsystem.crt"
- register:
- ca_command
-
-- name: Issue SSL server cert - submit
- community.docker.docker_container_exec:
- container: "{{ ca_container }}"
- command: pki ca-cert-request-submit --profile caServerCert --csr-file {{
shared_workspace }}/sslserver.csr
- register:
- ca_command
-
-- name: Issue SSL server cert - approve
- community.docker.docker_container_exec:
- container: "{{ ca_container }}"
- command: "pki -n caadmin ca-cert-request-approve {{ ca_command.stdout | regex_search('Request ID: *(.*)', '\\1') | first }} --force"
- register:
- ca_command
-
-- name: Issue SSL server cert - export
- community.docker.docker_container_exec:
- container: "{{ ca_container }}"
- command: "pki ca-cert-export {{ ca_command.stdout | regex_search('Certificate ID: *(.*)', '\\1') | first }} --output-file {{ shared_workspace }}/sslserver.crt"
- register:
- ca_command
-
-- name: Issue OCSP audit signing cert - submit
- community.docker.docker_container_exec:
- container: "{{ ca_container }}"
- command: pki ca-cert-request-submit --profile caAuditSigningCert --csr-file {{ shared_workspace }}/ocsp_audit_signing.csr
- register:
- ca_command
-
-- name: Issue OCSP audit signing cert - approve
- community.docker.docker_container_exec:
- container: "{{ ca_container }}"
- command: "pki -n caadmin ca-cert-request-approve {{ ca_command.stdout | regex_search('Request ID: *(.*)', '\\1') | first }} --force"
+ command: >
+ pki
+ -n caadmin
+ ca-cert-issue
+ --profile caOCSPCert
+ --csr-file {{ shared_workspace }}/ocsp_signing.csr
+ --output-file {{ shared_workspace }}/ocsp_signing.crt
 register:
 ca_command
-- name: Issue OCSP audit signing cert - export
+- name: Issue subsystem cert
 community.docker.docker_container_exec:
 container: "{{ ca_container }}"
- command: "pki ca-cert-export {{ ca_command.stdout | regex_search('Certificate ID: *(.*)', '\\1') | first }} --output-file {{ shared_workspace }}/ocsp_audit_signing.crt"
+ command: >
+ pki
+ -n caadmin
+ ca-cert-issue
+ --profile caSubsystemCert
+ --csr-file {{ shared_workspace }}/subsystem.csr
+ --output-file {{ shared_workspace }}/subsystem.crt
 register:
 ca_command
-- name: Issue OCSP admin cert - submit
+- name: Issue SSL server cert
 community.docker.docker_container_exec:
 container: "{{ ca_container }}"
- command: pki ca-cert-request-submit --profile AdminCert --csr-file {{ shared_workspace }}/ocsp_admin.csr
+ command: >
+ pki
+ -n caadmin
+ ca-cert-issue
+ --profile caServerCert
+ --csr-file {{ shared_workspace }}/sslserver.csr
+ --output-file {{ shared_workspace }}/sslserver.crt
 register:
 ca_command
-- name: Issue OCSP admin cert - approve
+- name: Issue OCSP audit signing cert
 community.docker.docker_container_exec:
 container: "{{ ca_container }}"
- command: "pki -n caadmin ca-cert-request-approve {{ ca_command.stdout | regex_search('Request ID: *(.*)', '\\1') | first }} --force"
+ command: >
+ pki
+ -n caadmin
+ ca-cert-issue
+ --profile caAuditSigningCert
+ --csr-file {{ shared_workspace }}/ocsp_audit_signing.csr
+ --output-file {{ shared_workspace }}/ocsp_audit_signing.crt
 register:
 ca_command
-- name: Issue OCSP admin cert - export
+- name: Issue OCSP admin cert
 community.docker.docker_container_exec:
 container: "{{ ca_container }}"
- command: "pki ca-cert-export {{ ca_command.stdout | regex_search('Certificate ID: *(.*)', '\\1') | first }} --output-file {{ shared_workspace }}/ocsp_admin.crt"
+ command: >
+ pki
+ -n caadmin
+ ca-cert-issue
+ --profile AdminCert
+ --csr-file {{ shared_workspace }}/ocsp_admin.csr
+ --output-file {{ shared_workspace }}/ocsp_admin.crt
 register:
 ca_command
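Review bot: Each new `command: >` folded scalar keeps one trailing newline (clip chomping), so the string handed to `community.docker.docker_container_exec` ends in `\n`; `command: >-` produces the same single-line command without it and is the safer form for a value that is executed. All five rewritten tasks still carry `register: ca_command`, which the old submit/approve/export chain needed to pass the request and certificate IDs along but which nothing in this hunk reads any more; if no later task uses it either, dropping it removes a dependency that no longer exists. The same two points apply to the next hunk in this file.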
@@ -454,29 +414,18 @@
 register: good_certificate_check
 failed_when: "'CertStatus=Good' not in good_certificate_check.stdout_lines[-1]"
-- name: Create CSR for DS and submit
+- name: Issue DS cert
 community.docker.docker_container_exec:
 container: "{{ ca_container }}"
 command: "{{ item }}"
 loop:
 - pki nss-cert-request --subject "CN={{ ocspds_hostname }}" --ext /usr/share/pki/server/certs/sslserver.conf --subjectAltName "critical, DNS:{{ ocspds_hostname }}" --csr {{ shared_workspace }}/ocspds.csr
- - pki ca-cert-request-submit --profile caServerCert --csr-file {{ shared_workspace }}/ocspds.csr
- register:
- ca_command
-
-- name: Approve CSR request
- community.docker.docker_container_exec:
- container: "{{ ca_container }}"
- command: "pki -n caadmin ca-cert-request-approve {{ ca_command.results[-1].stdout | regex_search('Request ID: *(.*)', '\\1') | first }} --force"
- register:
- ca_command
-
-- name: Issue OCSP admin cert - export
- community.docker.docker_container_exec:
- container: "{{ ca_container }}"
- command: "{{ item }}"
- loop:
- - "pki ca-cert-export {{ ca_command.stdout | regex_search('Certificate ID: *(.*)', '\\1') | first }} --output-file {{ shared_workspace }}/ocspds.crt"
+ - pki
+ -n caadmin
+ ca-cert-issue
+ --profile caServerCert
+ --csr-file {{ shared_workspace }}/ocspds.csr
+ --output-file {{ shared_workspace }}/ocspds.crt
 - "certutil -d /root/.dogtag/nssdb -A -n ocspds -t ',,' -i {{ shared_workspace }}/ocspds.crt"
 - pk12util -d /root/.dogtag/nssdb -o {{ shared_workspace }}/ocspds.p12 -n ocspds -W {{ ocspds_password }}
 register:
diff --git a/tests/ca/bin/sslserver-create.sh b/tests/ca/bin/sslserver-create.sh
index 4a43febfdc8..b22bdfa020a 100755
--- a/tests/ca/bin/sslserver-create.sh
+++ b/tests/ca/bin/sslserver-create.sh
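Review bot: The new loop item is a plain multi-line scalar (`- pki` continued by `-n caadmin`, `ca-cert-issue`, …), which YAML folds into one line but which breaks the moment a continuation line starts with `#` or contains `: `, and it differs from the `command: >` form the same commit uses for the other issue tasks; writing it as `- >-` with the arguments indented beneath keeps one style and makes the single-line intent explicit. The task is still named `Issue DS cert` although the loop also generates the CSR and imports the result into the NSS database and a PKCS#12 file, so the name no longer describes what the loop does. The task's `register:` continues outside the hunk.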
@@ -9,17 +9,11 @@ pki nss-cert-request \
 --ext /usr/share/pki/server/certs/sslserver.conf \
 --csr sslserver.csr
-pki ca-cert-request-submit --profile caServerCert --csr-file sslserver.csr | tee /tmp/output
-
-sed -n "s/^\s*Request ID:\s*\(\S*\)$/\1/p" /tmp/output > /tmp/request_id
-REQUEST_ID=$(cat /tmp/request_id)
-
-# approve the cert request and capture the cert ID
-pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee /tmp/output
-
-sed -n "s/^\s*Certificate ID:\s*\(\S*\)$/\1/p" /tmp/output > /tmp/cert_id
-CERT_ID=$(cat /tmp/cert_id)
-
-pki ca-cert-export $CERT_ID --output-file sslserver.crt
+pki \
+ -n caadmin \
+ ca-cert-issue \
+ --profile caServerCert \
+ --csr-file sslserver.csr \
+ --output-file sslserver.crt
 pki nss-cert-import sslserver --cert sslserver.crt