
Add pki ca-cert-issue
The pki ca-cert-request-submit produces two different
outputs depending on the authentication. If it's called
without authentication, it will only submit the request
to the CA, then a CA agent needs to approve the request,
then the cert can be retrieved with another command. If
the command is called with an installation token, it will
create and return a cert immediately.

To simplify the installation process, a new pki
ca-cert-issue command has been added to return a cert
immediately in all cases. If the command is called with
CA agent authentication, it will automatically submit
the request, approve the request, then retrieve the cert.
If the command is called with an installation token, it
will create and return a cert immediately.
edewata committed Sep 20, 2024
1 parent 5181954 commit 930e700
Showing 25 changed files with 993 additions and 715 deletions.
10 changes: 5 additions & 5 deletions .github/workflows/acme-postgresql-test.yml
Original file line number Diff line number Diff line change
Expand Up @@ -85,13 +85,13 @@ jobs:
--subject "CN=postgresql.example.com" \
--ext /usr/share/pki/server/certs/sslserver.conf \
--csr sslserver.csr
REC_ID=$(docker exec pki pki ca-cert-request-submit \
REC_ID=$(docker exec pki pki \
-n caadmin \
ca-cert-issue \
--profile caServerCert \
--csr-file sslserver.csr \
--subject "CN=postgresql.example.com" | grep "Request ID")
CERT_ID=$(docker exec pki pki -n caadmin ca-cert-request-approve ${REC_ID:14} --force | \
grep "Certificate ID")
docker exec pki pki ca-cert-export ${CERT_ID:18} --output-file sslserver.crt
--subject "CN=postgresql.example.com" \
--output-file sslserver.crt
docker exec pki pki nss-cert-import \
--cert sslserver.crt \
Expand Down
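Review bot: As rendered, the new first line of the command still reads `REC_ID=$(docker exec pki pki \` while the closing `| grep "Request ID")` went away with the old line, so the `$(` is never closed and bash would reject the whole `run:` script with a syntax error. If the file really keeps that prefix, the line should be `docker exec pki pki \`, matching how the other workflows in this commit invoke `ca-cert-issue`; if it is only an artifact of the word-level rendering, disregard. Either way `REC_ID` is no longer read after this change, so the assignment has no purpose.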
15 changes: 5 additions & 10 deletions .github/workflows/acme-separate-test.yml
Original file line number Diff line number Diff line change
Expand Up @@ -121,17 +121,12 @@ jobs:
docker exec ca openssl req -text -noout -in $SHARED/sslserver.csr
# submit cert request
docker exec ca pki ca-cert-request-submit \
docker exec ca pki \
-n caadmin \
ca-cert-issue \
--profile caServerCert \
--csr-file $SHARED/sslserver.csr | tee output
REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output)
# approve cert request
docker exec ca pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee output
CERT_ID=$(sed -n 's/Certificate ID: *\(.*\)/\1/p' output)
# export cert
docker exec ca pki ca-cert-export $CERT_ID --output-file $SHARED/sslserver.crt
--csr-file $SHARED/sslserver.csr \
--output-file $SHARED/sslserver.crt
docker exec ca openssl x509 -text -noout -in $SHARED/sslserver.crt
# install cert
Expand Down
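Review bot: The `# submit cert request` comment kept above the new `docker exec ca pki -n caadmin ca-cert-issue` call now describes the old two-step flow; the command submits, approves and exports in one go, so `# issue cert` would match what follows. The same stale comment survives in ca-profile-caServerCert-test.yml (`# submit cert request`) and in each of the five hunks of ca-renewal-system-certs-hsm-test.yml (`# submit renewal request`, where `# renew cert` would fit).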
50 changes: 30 additions & 20 deletions .github/workflows/ca-ds-connection-test.yml
Original file line number Diff line number Diff line change
Expand Up @@ -108,32 +108,38 @@ jobs:
- name: Test request enrollment
run: |
# enrollment should work
docker exec pki pki ca-cert-request-submit --profile caServerCert --csr-file sslserver.csr | tee output
grep "Reason:" output | wc -l > actual
echo "0" > expected
diff expected actual
docker exec pki pki \
-n caadmin \
ca-cert-issue \
--profile caServerCert \
--csr-file sslserver.csr \
--output-file sslserver.crt
- name: Stop the DS
run: |
docker stop ds
sleep 10
# enrollment should fail
docker exec pki pki ca-cert-request-submit --profile caServerCert --csr-file sslserver.csr | tee output
grep "Reason:" output | wc -l > actual
echo "1" > expected
diff expected actual
docker exec pki pki \
-n caadmin \
ca-cert-issue \
--profile caServerCert \
--csr-file sslserver.csr \
--output-file sslserver.crt
- name: Restart the DS
run: |
docker start ds
sleep 20
# enrollment should work
docker exec pki pki ca-cert-request-submit --profile caServerCert --csr-file sslserver.csr | tee output
grep "Reason:" output | wc -l > actual
echo "0" > expected
diff expected actual
docker exec pki pki \
-n caadmin \
ca-cert-issue \
--profile caServerCert \
--csr-file sslserver.csr \
--output-file sslserver.crt
- name: Start without the DS
run: |
Expand All @@ -144,21 +150,25 @@ jobs:
docker exec pki curl -s http://pki.example.com:8080/ca/admin/ca/getStatus
# enrollment should fail
docker exec pki pki ca-cert-request-submit --profile caServerCert --csr-file sslserver.csr | tee output
grep "Reason:" output | wc -l > actual
echo "1" > expected
diff expected actual
docker exec pki pki \
-n caadmin \
ca-cert-issue \
--profile caServerCert \
--csr-file sslserver.csr \
--output-file sslserver.crt
- name: Start the DS with running CA
run: |
docker start ds
sleep 60
# enrollment should work
docker exec pki pki ca-cert-request-submit --profile caServerCert --csr-file sslserver.csr | tee output
grep "Reason:" output | wc -l > actual
echo "0" > expected
diff expected actual
docker exec pki pki \
-n caadmin \
ca-cert-issue \
--profile caServerCert \
--csr-file sslserver.csr \
--output-file sslserver.crt
- name: Remove CA
run: docker exec pki pkidestroy -s CA -v
Expand Down
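Review bot: The two `# enrollment should fail` steps (the one after `docker stop ds` and the one in the start-without-DS step) now run `docker exec pki pki -n caadmin ca-cert-issue …` with no negation, so the expected failure is no longer asserted: if the CLI exits non-zero the step aborts on exactly the outcome the test wants, and if it exits zero the regression passes unnoticed. The removed `grep "Reason:" output | wc -l > actual` / `diff expected actual` lines were the only check of that outcome. Prefix the command in those two hunks with `!` — `! docker exec pki pki \` — so the step passes only when issuance is rejected, or capture the status with `rc=0; docker exec … || rc=$?` and assert `[ "$rc" -ne 0 ]`. Note also that adding `-n caadmin` means the unauthenticated request-submit path this workflow exercised before is no longer covered here; that may be intended, but the step name `Test request enrollment` still suggests it is.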
22 changes: 4 additions & 18 deletions .github/workflows/ca-profile-caServerCert-test.yml
Original file line number Diff line number Diff line change
Expand Up @@ -113,26 +113,12 @@ jobs:
diff actual expected
# submit cert request
docker exec pki pki \
ca-cert-request-submit \
--profile caServerCert \
--csr-file sslserver.csr | tee output
REQUEST_ID=$(sed -n -e 's/^ *Request ID: *\(.*\)$/\1/p' output)
echo "REQUEST_ID: $REQUEST_ID"
# issue cert
docker exec pki pki \
-n caadmin \
ca-cert-request-approve \
--force \
$REQUEST_ID | tee output
CERT_ID=$(sed -n -e 's/^ *Certificate ID: *\(.*\)$/\1/p' output)
echo "CERT_ID: $CERT_ID"
# export cert
docker exec pki pki ca-cert-export $CERT_ID --output-file sslserver.crt
ca-cert-issue \
--profile caServerCert \
--csr-file sslserver.csr \
--output-file sslserver.crt
docker exec pki openssl x509 -text -noout -in sslserver.crt | tee output
Expand Down
100 changes: 25 additions & 75 deletions .github/workflows/ca-renewal-system-certs-hsm-test.yml
Original file line number Diff line number Diff line change
Expand Up @@ -264,23 +264,13 @@ jobs:
CERT_ID=$(sed -n "s/^\s*Serial Number:\s*\(\S*\)$/\1/p" output)
# submit renewal request
docker exec pki pki ca-cert-request-submit \
docker exec pki pki \
-n caadmin \
ca-cert-issue \
--profile caManualRenewal \
--serial $CERT_ID \
--renewal | tee output
REQUEST_ID=$(sed -n "s/^\s*Request ID:\s*\(\S*\)$/\1/p" output)
# approve renewal request
docker exec pki pki \
-u caadmin \
-w Secret.123 \
ca-cert-request-approve \
$REQUEST_ID \
--force | tee output
CERT_ID=$(sed -n "s/^\s*Certificate ID:\s*\(\S*\)$/\1/p" output)
# export new cert
docker exec pki pki ca-cert-export $CERT_ID --output-file sslserver.crt
--renewal \
--output-file sslserver.crt
# delete current cert
docker exec pki pki-server cert-del sslserver
Expand All @@ -298,23 +288,13 @@ jobs:
CERT_ID=$(sed -n "s/^\s*Serial Number:\s*\(\S*\)$/\1/p" output)
# submit renewal request
docker exec pki pki ca-cert-request-submit \
docker exec pki pki \
-n caadmin \
ca-cert-issue \
--profile caManualRenewal \
--serial $CERT_ID \
--renewal | tee output
REQUEST_ID=$(sed -n "s/^\s*Request ID:\s*\(\S*\)$/\1/p" output)
# approve renewal request
docker exec pki pki \
-u caadmin \
-w Secret.123 \
ca-cert-request-approve \
$REQUEST_ID \
--force | tee output
CERT_ID=$(sed -n "s/^\s*Certificate ID:\s*\(\S*\)$/\1/p" output)
# export new cert
docker exec pki pki ca-cert-export $CERT_ID --output-file subsystem.crt
--renewal \
--output-file subsystem.crt
# delete current cert
docker exec pki pki-server cert-del subsystem
Expand Down Expand Up @@ -349,23 +329,13 @@ jobs:
CERT_ID=$(sed -n "s/^\s*Serial Number:\s*\(\S*\)$/\1/p" output)
# submit renewal request
docker exec pki pki ca-cert-request-submit \
docker exec pki pki \
-n caadmin \
ca-cert-issue \
--profile caManualRenewal \
--serial $CERT_ID \
--renewal | tee output
REQUEST_ID=$(sed -n "s/^\s*Request ID:\s*\(\S*\)$/\1/p" output)
# approve renewal request
docker exec pki pki \
-u caadmin \
-w Secret.123 \
ca-cert-request-approve \
$REQUEST_ID \
--force | tee output
CERT_ID=$(sed -n "s/^\s*Certificate ID:\s*\(\S*\)$/\1/p" output)
# export new cert
docker exec pki pki ca-cert-export $CERT_ID --output-file ca_audit_signing.crt
--renewal \
--output-file ca_audit_signing.crt
# delete current cert
docker exec pki pki-server cert-del ca_audit_signing
Expand All @@ -383,23 +353,13 @@ jobs:
CERT_ID=$(sed -n "s/^\s*Serial Number:\s*\(\S*\)$/\1/p" output)
# submit renewal request
docker exec pki pki ca-cert-request-submit \
docker exec pki pki \
-n caadmin \
ca-cert-issue \
--profile caManualRenewal \
--serial $CERT_ID \
--renewal | tee output
REQUEST_ID=$(sed -n "s/^\s*Request ID:\s*\(\S*\)$/\1/p" output)
# approve renewal request
docker exec pki pki \
-u caadmin \
-w Secret.123 \
ca-cert-request-approve \
$REQUEST_ID \
--force | tee output
CERT_ID=$(sed -n "s/^\s*Certificate ID:\s*\(\S*\)$/\1/p" output)
# export new cert
docker exec pki pki ca-cert-export $CERT_ID --output-file ca_ocsp_signing.crt
--renewal \
--output-file ca_ocsp_signing.crt
# delete current cert
docker exec pki pki-server cert-del ca_ocsp_signing
Expand All @@ -417,23 +377,13 @@ jobs:
CERT_ID=$(sed -n "s/^\s*Serial Number:\s*\(\S*\)$/\1/p" output)
# submit renewal request
docker exec pki pki ca-cert-request-submit \
docker exec pki pki \
-n caadmin \
ca-cert-issue \
--profile caManualRenewal \
--serial $CERT_ID \
--renewal | tee output
REQUEST_ID=$(sed -n "s/^\s*Request ID:\s*\(\S*\)$/\1/p" output)
# approve renewal request
docker exec pki pki \
-u caadmin \
-w Secret.123 \
ca-cert-request-approve \
$REQUEST_ID \
--force | tee output
CERT_ID=$(sed -n "s/^\s*Certificate ID:\s*\(\S*\)$/\1/p" output)
# export new cert
docker exec pki pki ca-cert-export $CERT_ID --output-file caadmin.crt
--renewal \
--output-file caadmin.crt
# delete current cert
docker exec pki pki nss-cert-del caadmin
Expand Down
