From 930e700d2d3c4c83b571f11781adac38beab2b6e Mon Sep 17 00:00:00 2001 
From: "Endi S. Dewata" Date: Fri, 20 Sep 2024 14:21:10 -0500 Subject: [PATCH] Add pki ca-cert-issue The pki ca-cert-request-submit produces two different outputs depending on the authentication used. If it's called without authentication, it will only submit the request to the CA; a CA agent then needs to approve the request, and the cert can be retrieved with another command. If the command is called with an installation token, it will create and return a cert immediately. To simplify the installation process, a new pki ca-cert-issue command has been added to return a cert immediately in all cases. If the command is called with CA agent authentication, it will automatically submit the request, approve it, and then retrieve the cert. If the command is called with an installation token, it will create and return a cert immediately. --- .github/workflows/acme-postgresql-test.yml | 10 +- .github/workflows/acme-separate-test.yml | 15 +- .github/workflows/ca-ds-connection-test.yml | 50 +- .../ca-profile-caServerCert-test.yml | 22 +- .../ca-renewal-system-certs-hsm-test.yml | 100 +--- .../ca-renewal-system-certs-test.yml | 100 +--- .../workflows/est-ds-realm-separate-test.yml | 13 +- .github/workflows/kra-existing-certs-test.yml | 78 ++- .github/workflows/kra-existing-ds-test.yml | 90 ++-- .github/workflows/kra-existing-hsm-test.yml | 78 ++- .github/workflows/kra-existing-nssdb-test.yml | 78 ++- .github/workflows/kra-external-certs-test.yml | 66 +-- .github/workflows/kra-standalone-test.yml | 66 +-- .github/workflows/ocsp-crl-direct-test.yml | 55 +- .github/workflows/ocsp-crl-ldap-test.yml | 55 +- .../workflows/ocsp-external-certs-test.yml | 55 +- .github/workflows/ocsp-standalone-test.yml | 55 +- .github/workflows/tks-external-certs-test.yml | 44 +- .github/workflows/tps-external-certs-test.yml | 36 +- .../python/pki/server/deployment/__init__.py | 2 +- .../com/netscape/cmstools/ca/CACertCLI.java | 1 + .../netscape/cmstools/ca/CACertIssueCLI.java | 479 
++++++++++++++++++ .../cmstools/ca/CACertRequestSubmitCLI.java | 9 +- .../certificate_self_validation_with_crl.yml | 133 ++--- tests/ca/bin/sslserver-create.sh | 18 +- 25 files changed, 993 insertions(+), 715 deletions(-) create mode 100644 base/tools/src/main/java/com/netscape/cmstools/ca/CACertIssueCLI.java
diff --git a/.github/workflows/acme-postgresql-test.yml b/.github/workflows/acme-postgresql-test.yml
index ff7950e34b6..6ca8d024c30 100644
--- a/.github/workflows/acme-postgresql-test.yml
+++ b/.github/workflows/acme-postgresql-test.yml
@@ -85,13 +85,13 @@ jobs:
 --subject "CN=postgresql.example.com" \
 --ext /usr/share/pki/server/certs/sslserver.conf \
 --csr sslserver.csr
- REC_ID=$(docker exec pki pki ca-cert-request-submit \
+ REC_ID=$(docker exec pki pki \
+ -n caadmin \
+ ca-cert-issue \
 --profile caServerCert \
 --csr-file sslserver.csr \
- --subject "CN=postgresql.example.com" | grep "Request ID")
- CERT_ID=$(docker exec pki pki -n caadmin ca-cert-request-approve ${REC_ID:14} --force | \
- grep "Certificate ID")
- docker exec pki pki ca-cert-export ${CERT_ID:18} --output-file sslserver.crt
+ --subject "CN=postgresql.example.com" \
+ --output-file sslserver.crt

 docker exec pki pki nss-cert-import \
 --cert sslserver.crt \
diff --git a/.github/workflows/acme-separate-test.yml b/.github/workflows/acme-separate-test.yml
index 5455a0e7f49..c451677850e 100644
--- a/.github/workflows/acme-separate-test.yml
+++ b/.github/workflows/acme-separate-test.yml
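Review bot: The new `REC_ID=$(docker exec pki pki \` line still opens a command substitution, but none of the added lines closes it — the `)` that used to follow `| grep "Request ID")` was removed together with the old pipeline — so this step should fail with a shell syntax error unless the closing parenthesis was lost in rendering. REC_ID is not consumed anywhere in the hunk any more, and `--output-file sslserver.crt` already writes the cert to a file, so the capture is also dead and would only hide the command's output from the job log. Replace the first added line with a bare `docker exec pki pki \` and keep the remaining continuation lines as they are.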
@@ -121,17 +121,12 @@ jobs:
 docker exec ca openssl req -text -noout -in $SHARED/sslserver.csr

 # submit cert request
- docker exec ca pki ca-cert-request-submit \
+ docker exec ca pki \
+ -n caadmin \
+ ca-cert-issue \
 --profile caServerCert \
- --csr-file $SHARED/sslserver.csr | tee output
- REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output)
-
- # approve cert request
- docker exec ca pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee output
- CERT_ID=$(sed -n 's/Certificate ID: *\(.*\)/\1/p' output)
-
- # export cert
- docker exec ca pki ca-cert-export $CERT_ID --output-file $SHARED/sslserver.crt
+ --csr-file $SHARED/sslserver.csr \
+ --output-file $SHARED/sslserver.crt

 docker exec ca openssl x509 -text -noout -in $SHARED/sslserver.crt
 # install cert
diff --git a/.github/workflows/ca-ds-connection-test.yml b/.github/workflows/ca-ds-connection-test.yml
index 3decce9bb80..c1c23dbc767 100644
--- a/.github/workflows/ca-ds-connection-test.yml
+++ b/.github/workflows/ca-ds-connection-test.yml
@@ -108,10 +108,12 @@ jobs:
 - name: Test request enrollment
 run: |
 # enrollment should work
- docker exec pki pki ca-cert-request-submit --profile caServerCert --csr-file sslserver.csr | tee output
- grep "Reason:" output | wc -l > actual
- echo "0" > expected
- diff expected actual
+ docker exec pki pki \
+ -n caadmin \
+ ca-cert-issue \
+ --profile caServerCert \
+ --csr-file sslserver.csr \
+ --output-file sslserver.crt

 - name: Stop the DS
 run: |
@@ -119,10 +121,12 @@ jobs:
 sleep 10

 # enrollment should fail
- docker exec pki pki ca-cert-request-submit --profile caServerCert --csr-file sslserver.csr | tee output
- grep "Reason:" output | wc -l > actual
- echo "1" > expected
- diff expected actual
+ docker exec pki pki \
+ -n caadmin \
+ ca-cert-issue \
+ --profile caServerCert \
+ --csr-file sslserver.csr \
+ --output-file sslserver.crt

 - name: Restart the DS
 run: |
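Review bot: The context comment `# submit cert request` above the new call no longer describes it: `ca-cert-issue` submits, approves and retrieves the cert in one step, and the `# approve cert request` and `# export cert` comments that used to mark the other two steps are gone. Suggest `# issue cert` (or `# submit, approve and retrieve cert`) so the heading matches what the command now does. The same stale heading survives in ca-profile-caServerCert-test.yml (`# submit cert request`), in all six hunks of kra-existing-ds-test.yml, and as `# submit renewal request` in every hunk of both ca-renewal-system-certs workflows.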
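Review bot: The `# enrollment should fail` step has lost its negative assertion: the removed `grep "Reason:" … diff expected actual` lines verified that the request was rejected, while the new lines simply run `ca-cert-issue`, so the step now passes only when enrollment succeeds — the opposite of what the heading states — and if `pki` exits non-zero on the rejection the job fails instead of recording the expected outcome. Wrap the call so that a zero exit is the failure, e.g. `if docker exec pki pki -n caadmin ca-cert-issue --profile caServerCert --csr-file sslserver.csr --output-file sslserver.crt; then` / `echo "enrollment unexpectedly succeeded" >&2; exit 1` / `fi`, and consider keeping a check on the reported reason so a transport error is not mistaken for a rejection. The `# enrollment should fail` hunk at `@@ -144,10 +150,12` in this file has the same problem; the `should work` hunks are fine as long as `ca-cert-issue` exits non-zero on failure, which I cannot confirm from the diff.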
@@ -130,10 +134,12 @@ jobs:
 sleep 20

 # enrollment should work
- docker exec pki pki ca-cert-request-submit --profile caServerCert --csr-file sslserver.csr | tee output
- grep "Reason:" output | wc -l > actual
- echo "0" > expected
- diff expected actual
+ docker exec pki pki \
+ -n caadmin \
+ ca-cert-issue \
+ --profile caServerCert \
+ --csr-file sslserver.csr \
+ --output-file sslserver.crt

 - name: Start without the DS
 run: |
@@ -144,10 +150,12 @@ jobs:
 docker exec pki curl -s http://pki.example.com:8080/ca/admin/ca/getStatus

 # enrollment should fail
- docker exec pki pki ca-cert-request-submit --profile caServerCert --csr-file sslserver.csr | tee output
- grep "Reason:" output | wc -l > actual
- echo "1" > expected
- diff expected actual
+ docker exec pki pki \
+ -n caadmin \
+ ca-cert-issue \
+ --profile caServerCert \
+ --csr-file sslserver.csr \
+ --output-file sslserver.crt

 - name: Start the DS with running CA
 run: |
@@ -155,10 +163,12 @@ jobs:
 sleep 60

 # enrollment should work
- docker exec pki pki ca-cert-request-submit --profile caServerCert --csr-file sslserver.csr | tee output
- grep "Reason:" output | wc -l > actual
- echo "0" > expected
- diff expected actual
+ docker exec pki pki \
+ -n caadmin \
+ ca-cert-issue \
+ --profile caServerCert \
+ --csr-file sslserver.csr \
+ --output-file sslserver.crt

 - name: Remove CA
 run: docker exec pki pkidestroy -s CA -v
diff --git a/.github/workflows/ca-profile-caServerCert-test.yml b/.github/workflows/ca-profile-caServerCert-test.yml
index 0dc8b2a3dd4..ec16560016b 100644
--- a/.github/workflows/ca-profile-caServerCert-test.yml
+++ b/.github/workflows/ca-profile-caServerCert-test.yml
@@ -113,26 +113,12 @@ jobs: diff actual expected # submit cert request - docker exec pki pki \ - ca-cert-request-submit \ - --profile caServerCert \ - --csr-file sslserver.csr | tee output - - REQUEST_ID=$(sed -n -e 's/^ *Request ID: *\(.*\)$/\1/p' output) - echo "REQUEST_ID: $REQUEST_ID" - - # issue cert docker exec pki pki \ -n caadmin \ - ca-cert-request-approve \ - --force \ - $REQUEST_ID | tee output - - CERT_ID=$(sed -n -e 's/^ *Certificate ID: *\(.*\)$/\1/p' output) - echo "CERT_ID: $CERT_ID" - - # export cert - docker exec pki pki ca-cert-export $CERT_ID --output-file sslserver.crt + ca-cert-issue \ + --profile caServerCert \ + --csr-file sslserver.csr \ + --output-file sslserver.crt docker exec pki openssl x509 -text -noout -in sslserver.crt | tee output diff --git a/.github/workflows/ca-renewal-system-certs-hsm-test.yml b/.github/workflows/ca-renewal-system-certs-hsm-test.yml index d113babe985..ddf8bf0d9d2 100644 --- a/.github/workflows/ca-renewal-system-certs-hsm-test.yml +++ b/.github/workflows/ca-renewal-system-certs-hsm-test.yml @@ -264,23 +264,13 @@ jobs: CERT_ID=$(sed -n "s/^\s*Serial Number:\s*\(\S*\)$/\1/p" output) # submit renewal request - docker exec pki pki ca-cert-request-submit \ + docker exec pki pki \ + -n caadmin \ + ca-cert-issue \ --profile caManualRenewal \ --serial $CERT_ID \ - --renewal | tee output - REQUEST_ID=$(sed -n "s/^\s*Request ID:\s*\(\S*\)$/\1/p" output) - - # approve renewal request - docker exec pki pki \ - -u caadmin \ - -w Secret.123 \ - ca-cert-request-approve \ - $REQUEST_ID \ - --force | tee output - CERT_ID=$(sed -n "s/^\s*Certificate ID:\s*\(\S*\)$/\1/p" output) - - # export new cert - docker exec pki pki ca-cert-export $CERT_ID --output-file sslserver.crt + --renewal \ + --output-file sslserver.crt # delete current cert docker exec pki pki-server cert-del sslserver 
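Review bot: After this renewal hunk `CERT_ID` still holds the serial parsed from the `Serial Number:` line above, whereas before it was reassigned to the newly issued cert's ID from the approve output; any later line of this step that reads `$CERT_ID` expecting the new cert (the rest of the step is outside the hunk) now silently gets the old serial. If nothing downstream needs it, a comment such as `# CERT_ID still refers to the cert being renewed` on the `--serial $CERT_ID \` line would make that explicit; otherwise capture the new serial from the issued file, e.g. `openssl x509 -noout -serial -in sslserver.crt`. Replacing `-u caadmin -w Secret.123` with `-n caadmin` also takes the agent password off the command line, which is an improvement, but it relies on the caadmin client cert being present in the client NSS database, which is set up outside this hunk. The other four renewal hunks in this file and the five in ca-renewal-system-certs-test.yml are identical.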
@@ -298,23 +288,13 @@ jobs: CERT_ID=$(sed -n "s/^\s*Serial Number:\s*\(\S*\)$/\1/p" output) # submit renewal request - docker exec pki pki ca-cert-request-submit \ + docker exec pki pki \ + -n caadmin \ + ca-cert-issue \ --profile caManualRenewal \ --serial $CERT_ID \ - --renewal | tee output - REQUEST_ID=$(sed -n "s/^\s*Request ID:\s*\(\S*\)$/\1/p" output) - - # approve renewal request - docker exec pki pki \ - -u caadmin \ - -w Secret.123 \ - ca-cert-request-approve \ - $REQUEST_ID \ - --force | tee output - CERT_ID=$(sed -n "s/^\s*Certificate ID:\s*\(\S*\)$/\1/p" output) - - # export new cert - docker exec pki pki ca-cert-export $CERT_ID --output-file subsystem.crt + --renewal \ + --output-file subsystem.crt # delete current cert docker exec pki pki-server cert-del subsystem @@ -349,23 +329,13 @@ jobs: CERT_ID=$(sed -n "s/^\s*Serial Number:\s*\(\S*\)$/\1/p" output) # submit renewal request - docker exec pki pki ca-cert-request-submit \ + docker exec pki pki \ + -n caadmin \ + ca-cert-issue \ --profile caManualRenewal \ --serial $CERT_ID \ - --renewal | tee output - REQUEST_ID=$(sed -n "s/^\s*Request ID:\s*\(\S*\)$/\1/p" output) - - # approve renewal request - docker exec pki pki \ - -u caadmin \ - -w Secret.123 \ - ca-cert-request-approve \ - $REQUEST_ID \ - --force | tee output - CERT_ID=$(sed -n "s/^\s*Certificate ID:\s*\(\S*\)$/\1/p" output) - - # export new cert - docker exec pki pki ca-cert-export $CERT_ID --output-file ca_audit_signing.crt + --renewal \ + --output-file ca_audit_signing.crt # delete current cert docker exec pki pki-server cert-del ca_audit_signing 
@@ -383,23 +353,13 @@ jobs: CERT_ID=$(sed -n "s/^\s*Serial Number:\s*\(\S*\)$/\1/p" output) # submit renewal request - docker exec pki pki ca-cert-request-submit \ + docker exec pki pki \ + -n caadmin \ + ca-cert-issue \ --profile caManualRenewal \ --serial $CERT_ID \ - --renewal | tee output - REQUEST_ID=$(sed -n "s/^\s*Request ID:\s*\(\S*\)$/\1/p" output) - - # approve renewal request - docker exec pki pki \ - -u caadmin \ - -w Secret.123 \ - ca-cert-request-approve \ - $REQUEST_ID \ - --force | tee output - CERT_ID=$(sed -n "s/^\s*Certificate ID:\s*\(\S*\)$/\1/p" output) - - # export new cert - docker exec pki pki ca-cert-export $CERT_ID --output-file ca_ocsp_signing.crt + --renewal \ + --output-file ca_ocsp_signing.crt # delete current cert docker exec pki pki-server cert-del ca_ocsp_signing @@ -417,23 +377,13 @@ jobs: CERT_ID=$(sed -n "s/^\s*Serial Number:\s*\(\S*\)$/\1/p" output) # submit renewal request - docker exec pki pki ca-cert-request-submit \ + docker exec pki pki \ + -n caadmin \ + ca-cert-issue \ --profile caManualRenewal \ --serial $CERT_ID \ - --renewal | tee output - REQUEST_ID=$(sed -n "s/^\s*Request ID:\s*\(\S*\)$/\1/p" output) - - # approve renewal request - docker exec pki pki \ - -u caadmin \ - -w Secret.123 \ - ca-cert-request-approve \ - $REQUEST_ID \ - --force | tee output - CERT_ID=$(sed -n "s/^\s*Certificate ID:\s*\(\S*\)$/\1/p" output) - - # export new cert - docker exec pki pki ca-cert-export $CERT_ID --output-file caadmin.crt + --renewal \ + --output-file caadmin.crt # delete current cert docker exec pki pki nss-cert-del caadmin diff --git a/.github/workflows/ca-renewal-system-certs-test.yml b/.github/workflows/ca-renewal-system-certs-test.yml index 5c1ed4b756b..7332440c76b 100644 --- a/.github/workflows/ca-renewal-system-certs-test.yml +++ b/.github/workflows/ca-renewal-system-certs-test.yml 
@@ -227,23 +227,13 @@ jobs: CERT_ID=$(sed -n "s/^\s*Serial Number:\s*\(\S*\)$/\1/p" output) # submit renewal request - docker exec pki pki ca-cert-request-submit \ + docker exec pki pki \ + -n caadmin \ + ca-cert-issue \ --profile caManualRenewal \ --serial $CERT_ID \ - --renewal | tee output - REQUEST_ID=$(sed -n "s/^\s*Request ID:\s*\(\S*\)$/\1/p" output) - - # approve renewal request - docker exec pki pki \ - -u caadmin \ - -w Secret.123 \ - ca-cert-request-approve \ - $REQUEST_ID \ - --force | tee output - CERT_ID=$(sed -n "s/^\s*Certificate ID:\s*\(\S*\)$/\1/p" output) - - # export new cert - docker exec pki pki ca-cert-export $CERT_ID --output-file sslserver.crt + --renewal \ + --output-file sslserver.crt # delete current cert docker exec pki pki-server cert-del sslserver @@ -261,23 +251,13 @@ jobs: CERT_ID=$(sed -n "s/^\s*Serial Number:\s*\(\S*\)$/\1/p" output) # submit renewal request - docker exec pki pki ca-cert-request-submit \ + docker exec pki pki \ + -n caadmin \ + ca-cert-issue \ --profile caManualRenewal \ --serial $CERT_ID \ - --renewal | tee output - REQUEST_ID=$(sed -n "s/^\s*Request ID:\s*\(\S*\)$/\1/p" output) - - # approve renewal request - docker exec pki pki \ - -u caadmin \ - -w Secret.123 \ - ca-cert-request-approve \ - $REQUEST_ID \ - --force | tee output - CERT_ID=$(sed -n "s/^\s*Certificate ID:\s*\(\S*\)$/\1/p" output) - - # export new cert - docker exec pki pki ca-cert-export $CERT_ID --output-file subsystem.crt + --renewal \ + --output-file subsystem.crt # delete current cert docker exec pki pki-server cert-del subsystem 
@@ -312,23 +292,13 @@ jobs: CERT_ID=$(sed -n "s/^\s*Serial Number:\s*\(\S*\)$/\1/p" output) # submit renewal request - docker exec pki pki ca-cert-request-submit \ + docker exec pki pki \ + -n caadmin \ + ca-cert-issue \ --profile caManualRenewal \ --serial $CERT_ID \ - --renewal | tee output - REQUEST_ID=$(sed -n "s/^\s*Request ID:\s*\(\S*\)$/\1/p" output) - - # approve renewal request - docker exec pki pki \ - -u caadmin \ - -w Secret.123 \ - ca-cert-request-approve \ - $REQUEST_ID \ - --force | tee output - CERT_ID=$(sed -n "s/^\s*Certificate ID:\s*\(\S*\)$/\1/p" output) - - # export new cert - docker exec pki pki ca-cert-export $CERT_ID --output-file ca_audit_signing.crt + --renewal \ + --output-file ca_audit_signing.crt # delete current cert docker exec pki pki-server cert-del ca_audit_signing @@ -346,23 +316,13 @@ jobs: CERT_ID=$(sed -n "s/^\s*Serial Number:\s*\(\S*\)$/\1/p" output) # submit renewal request - docker exec pki pki ca-cert-request-submit \ + docker exec pki pki \ + -n caadmin \ + ca-cert-issue \ --profile caManualRenewal \ --serial $CERT_ID \ - --renewal | tee output - REQUEST_ID=$(sed -n "s/^\s*Request ID:\s*\(\S*\)$/\1/p" output) - - # approve renewal request - docker exec pki pki \ - -u caadmin \ - -w Secret.123 \ - ca-cert-request-approve \ - $REQUEST_ID \ - --force | tee output - CERT_ID=$(sed -n "s/^\s*Certificate ID:\s*\(\S*\)$/\1/p" output) - - # export new cert - docker exec pki pki ca-cert-export $CERT_ID --output-file ca_ocsp_signing.crt + --renewal \ + --output-file ca_ocsp_signing.crt # delete current cert docker exec pki pki-server cert-del ca_ocsp_signing 
@@ -380,23 +340,13 @@ jobs: CERT_ID=$(sed -n "s/^\s*Serial Number:\s*\(\S*\)$/\1/p" output) # submit renewal request - docker exec pki pki ca-cert-request-submit \ + docker exec pki pki \ + -n caadmin \ + ca-cert-issue \ --profile caManualRenewal \ --serial $CERT_ID \ - --renewal | tee output - REQUEST_ID=$(sed -n "s/^\s*Request ID:\s*\(\S*\)$/\1/p" output) - - # approve renewal request - docker exec pki pki \ - -u caadmin \ - -w Secret.123 \ - ca-cert-request-approve \ - $REQUEST_ID \ - --force | tee output - CERT_ID=$(sed -n "s/^\s*Certificate ID:\s*\(\S*\)$/\1/p" output) - - # export new cert - docker exec pki pki ca-cert-export $CERT_ID --output-file caadmin.crt + --renewal \ + --output-file caadmin.crt # delete current cert docker exec pki pki nss-cert-del caadmin diff --git a/.github/workflows/est-ds-realm-separate-test.yml b/.github/workflows/est-ds-realm-separate-test.yml index 5a704f48eca..9efdd042c4b 100644 --- a/.github/workflows/est-ds-realm-separate-test.yml +++ b/.github/workflows/est-ds-realm-separate-test.yml @@ -74,13 +74,12 @@ jobs: docker exec ca pki nss-cert-request --csr estSSLServer.csr \ --ext /usr/share/pki/server/certs/sslserver.conf --subject 'CN=est.example.com' - docker exec ca pki ca-cert-request-submit --csr-file estSSLServer.csr --profile caServerCert | tee output - REQUEST_ID=$(sed -n "s/^\s*Request ID:\s*\(\S*\)$/\1/p" output) - - docker exec ca pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee output - CERT_ID=$(sed -n "s/^\s*Certificate ID:\s*\(\S*\)$/\1/p" output) - - docker exec ca pki -n caadmin ca-cert-export --output-file estSSLServer.crt $CERT_ID + docker exec ca pki \ + -n caadmin \ + ca-cert-issue \ + --csr-file estSSLServer.csr \ + --profile caServerCert \ + --output-file estSSLServer.crt docker exec ca pki nss-cert-import --cert estSSLServer.crt sslserver docker exec ca pk12util -d /root/.dogtag/nssdb -o $SHARED/est_server.p12 -n sslserver -W Secret.123 
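Review bot: Option order in the new est-ds-realm-separate-test.yml call (`--csr-file estSSLServer.csr \` before `--profile caServerCert \`) is reversed relative to every other `ca-cert-issue` call site in this series, which put `--profile` first; swapping the two lines keeps the call sites greppable and easier to compare. This is purely a readability point; the arguments themselves match the removed `ca-cert-request-submit` invocation.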
diff --git a/.github/workflows/kra-existing-certs-test.yml b/.github/workflows/kra-existing-certs-test.yml index 0ab858f26a2..310f2dcfd1b 100644 --- a/.github/workflows/kra-existing-certs-test.yml +++ b/.github/workflows/kra-existing-certs-test.yml @@ -94,15 +94,12 @@ jobs: --csr $SHARED/kra_storage.csr docker exec ca openssl req -text -noout -in $SHARED/kra_storage.csr - docker exec ca pki ca-cert-request-submit \ + docker exec ca pki \ + -n caadmin \ + ca-cert-issue \ --profile caStorageCert \ - --csr-file $SHARED/kra_storage.csr | tee output - REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output) - - docker exec ca pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee output - CERT_ID=$(sed -n 's/Certificate ID: *\(.*\)/\1/p' output) - - docker exec ca pki ca-cert-export $CERT_ID --output-file $SHARED/kra_storage.crt + --csr-file $SHARED/kra_storage.csr \ + --output-file $SHARED/kra_storage.crt docker exec ca openssl x509 -text -noout -in $SHARED/kra_storage.crt docker exec kra pki nss-cert-import \ @@ -125,15 +122,12 @@ jobs: --csr $SHARED/kra_transport.csr docker exec ca openssl req -text -noout -in $SHARED/kra_transport.csr - docker exec ca pki ca-cert-request-submit \ + docker exec ca pki \ + -n caadmin \ + ca-cert-issue \ --profile caTransportCert \ - --csr-file $SHARED/kra_transport.csr | tee output - REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output) - - docker exec ca pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee output - CERT_ID=$(sed -n 's/Certificate ID: *\(.*\)/\1/p' output) - - docker exec ca pki ca-cert-export $CERT_ID --output-file $SHARED/kra_transport.crt + --csr-file $SHARED/kra_transport.csr \ + --output-file $SHARED/kra_transport.crt docker exec ca openssl x509 -text -noout -in $SHARED/kra_transport.crt docker exec kra pki nss-cert-import \ 
@@ -156,15 +150,12 @@ jobs: --csr $SHARED/kra_audit_signing.csr docker exec ca openssl req -text -noout -in $SHARED/kra_audit_signing.csr - docker exec ca pki ca-cert-request-submit \ + docker exec ca pki \ + -n caadmin \ + ca-cert-issue \ --profile caAuditSigningCert \ - --csr-file $SHARED/kra_audit_signing.csr | tee output - REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output) - - docker exec ca pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee output - CERT_ID=$(sed -n 's/Certificate ID: *\(.*\)/\1/p' output) - - docker exec ca pki ca-cert-export $CERT_ID --output-file $SHARED/kra_audit_signing.crt + --csr-file $SHARED/kra_audit_signing.csr \ + --output-file $SHARED/kra_audit_signing.crt docker exec ca openssl x509 -text -noout -in $SHARED/kra_audit_signing.crt docker exec kra pki nss-cert-import \ @@ -188,15 +179,12 @@ jobs: --csr $SHARED/subsystem.csr docker exec ca openssl req -text -noout -in $SHARED/subsystem.csr - docker exec ca pki ca-cert-request-submit \ + docker exec ca pki \ + -n caadmin \ + ca-cert-issue \ --profile caSubsystemCert \ - --csr-file $SHARED/subsystem.csr | tee output - REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output) - - docker exec ca pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee output - CERT_ID=$(sed -n 's/Certificate ID: *\(.*\)/\1/p' output) - - docker exec ca pki ca-cert-export $CERT_ID --output-file $SHARED/subsystem.crt + --csr-file $SHARED/subsystem.csr \ + --output-file $SHARED/subsystem.crt docker exec ca openssl x509 -text -noout -in $SHARED/subsystem.crt docker exec kra pki nss-cert-import \ 
@@ -219,15 +207,12 @@ jobs: --csr $SHARED/sslserver.csr docker exec ca openssl req -text -noout -in $SHARED/sslserver.csr - docker exec ca pki ca-cert-request-submit \ + docker exec ca pki \ + -n caadmin \ + ca-cert-issue \ --profile caServerCert \ - --csr-file $SHARED/sslserver.csr | tee output - REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output) - - docker exec ca pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee output - CERT_ID=$(sed -n 's/Certificate ID: *\(.*\)/\1/p' output) - - docker exec ca pki ca-cert-export $CERT_ID --output-file $SHARED/sslserver.crt + --csr-file $SHARED/sslserver.csr \ + --output-file $SHARED/sslserver.crt docker exec ca openssl x509 -text -noout -in $SHARED/sslserver.crt docker exec kra pki nss-cert-import \ @@ -250,15 +235,12 @@ jobs: --csr $SHARED/kra_admin.csr docker exec ca openssl req -text -noout -in $SHARED/kra_admin.csr - docker exec ca pki ca-cert-request-submit \ + docker exec ca pki \ + -n caadmin \ + ca-cert-issue \ --profile AdminCert \ - --csr-file $SHARED/kra_admin.csr | tee output - REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output) - - docker exec ca pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee output - CERT_ID=$(sed -n 's/Certificate ID: *\(.*\)/\1/p' output) - - docker exec ca pki ca-cert-export $CERT_ID --output-file $SHARED/kra_admin.crt + --csr-file $SHARED/kra_admin.csr \ + --output-file $SHARED/kra_admin.crt docker exec ca openssl x509 -text -noout -in $SHARED/kra_admin.crt docker exec kra pki nss-cert-import \ diff --git a/.github/workflows/kra-existing-ds-test.yml b/.github/workflows/kra-existing-ds-test.yml index 5b039bf8b29..99e3eab3d2a 100644 --- a/.github/workflows/kra-existing-ds-test.yml +++ b/.github/workflows/kra-existing-ds-test.yml 
@@ -96,17 +96,12 @@ jobs: docker exec kra openssl req -text -noout -in $SHARED/kra_storage.csr # submit cert request - docker exec ca pki ca-cert-request-submit \ + docker exec ca pki \ + -n caadmin \ + ca-cert-issue \ --profile caStorageCert \ - --csr-file $SHARED/kra_storage.csr | tee output - REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output) - - # issue cert - docker exec ca pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee output - CERT_ID=$(sed -n 's/Certificate ID: *\(.*\)/\1/p' output) - - # retrieve cert - docker exec ca pki ca-cert-export $CERT_ID --output-file $SHARED/kra_storage.crt + --csr-file $SHARED/kra_storage.csr \ + --output-file $SHARED/kra_storage.crt docker exec ca openssl x509 -text -noout -in $SHARED/kra_storage.crt docker exec kra cp $SHARED/kra_storage.crt /var/lib/pki/pki-tomcat/conf/certs @@ -138,17 +133,12 @@ jobs: docker exec ca openssl req -text -noout -in $SHARED/kra_transport.csr # submit cert request - docker exec ca pki ca-cert-request-submit \ + docker exec ca pki \ + -n caadmin \ + ca-cert-issue \ --profile caTransportCert \ - --csr-file $SHARED/kra_transport.csr | tee output - REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output) - - # issue cert - docker exec ca pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee output - CERT_ID=$(sed -n 's/Certificate ID: *\(.*\)/\1/p' output) - - # retrieve cert - docker exec ca pki ca-cert-export $CERT_ID --output-file $SHARED/kra_transport.crt + --csr-file $SHARED/kra_transport.csr \ + --output-file $SHARED/kra_transport.crt docker exec ca openssl x509 -text -noout -in $SHARED/kra_transport.crt docker exec kra cp $SHARED/kra_transport.crt /var/lib/pki/pki-tomcat/conf/certs 
@@ -180,17 +170,12 @@ jobs: docker exec ca openssl req -text -noout -in $SHARED/kra_audit_signing.csr # submit cert request - docker exec ca pki ca-cert-request-submit \ + docker exec ca pki \ + -n caadmin \ + ca-cert-issue \ --profile caAuditSigningCert \ - --csr-file $SHARED/kra_audit_signing.csr | tee output - REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output) - - # issue cert - docker exec ca pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee output - CERT_ID=$(sed -n 's/Certificate ID: *\(.*\)/\1/p' output) - - # retrieve cert - docker exec ca pki ca-cert-export $CERT_ID --output-file $SHARED/kra_audit_signing.crt + --csr-file $SHARED/kra_audit_signing.csr \ + --output-file $SHARED/kra_audit_signing.crt docker exec ca openssl x509 -text -noout -in $SHARED/kra_audit_signing.crt docker exec kra cp $SHARED/kra_audit_signing.crt /var/lib/pki/pki-tomcat/conf/certs @@ -222,17 +207,12 @@ jobs: docker exec ca openssl req -text -noout -in $SHARED/subsystem.csr # submit cert request - docker exec ca pki ca-cert-request-submit \ + docker exec ca pki \ + -n caadmin \ + ca-cert-issue \ --profile caSubsystemCert \ - --csr-file $SHARED/subsystem.csr | tee output - REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output) - - # issue cert - docker exec ca pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee output - CERT_ID=$(sed -n 's/Certificate ID: *\(.*\)/\1/p' output) - - # retrieve cert - docker exec ca pki ca-cert-export $CERT_ID --output-file $SHARED/subsystem.crt + --csr-file $SHARED/subsystem.csr \ + --output-file $SHARED/subsystem.crt docker exec ca openssl x509 -text -noout -in $SHARED/subsystem.crt docker exec kra cp $SHARED/subsystem.crt /var/lib/pki/pki-tomcat/conf/certs 
@@ -264,17 +244,12 @@ jobs: docker exec ca openssl req -text -noout -in $SHARED/sslserver.csr # submit cert request - docker exec ca pki ca-cert-request-submit \ + docker exec ca pki \ + -n caadmin \ + ca-cert-issue \ --profile caServerCert \ - --csr-file $SHARED/sslserver.csr | tee output - REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output) - - # issue cert - docker exec ca pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee output - CERT_ID=$(sed -n 's/Certificate ID: *\(.*\)/\1/p' output) - - # retrieve cert - docker exec ca pki ca-cert-export $CERT_ID --output-file $SHARED/sslserver.crt + --csr-file $SHARED/sslserver.csr \ + --output-file $SHARED/sslserver.crt docker exec ca openssl x509 -text -noout -in $SHARED/sslserver.crt docker exec kra cp $SHARED/sslserver.crt /var/lib/pki/pki-tomcat/conf/certs @@ -305,17 +280,12 @@ jobs: docker exec ca openssl req -text -noout -in $SHARED/kra_admin.csr # submit cert request - docker exec ca pki ca-cert-request-submit \ + docker exec ca pki \ + -n caadmin \ + ca-cert-issue \ --profile AdminCert \ - --csr-file $SHARED/kra_admin.csr | tee output - REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output) - - # issue cert - docker exec ca pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee output - CERT_ID=$(sed -n 's/Certificate ID: *\(.*\)/\1/p' output) - - # retrieve cert - docker exec ca pki ca-cert-export $CERT_ID --output-file $SHARED/kra_admin.crt + --csr-file $SHARED/kra_admin.csr \ + --output-file $SHARED/kra_admin.crt docker exec ca openssl x509 -text -noout -in $SHARED/kra_admin.crt # import cert diff --git a/.github/workflows/kra-existing-hsm-test.yml b/.github/workflows/kra-existing-hsm-test.yml index b4e202b5e7b..b2020731191 100644 --- a/.github/workflows/kra-existing-hsm-test.yml +++ b/.github/workflows/kra-existing-hsm-test.yml 
@@ -124,15 +124,12 @@ jobs: docker exec kra cp /var/lib/pki/pki-tomcat/conf/certs/kra_storage.csr $SHARED docker exec kra openssl req -text -noout -in $SHARED/kra_storage.csr - docker exec ca pki ca-cert-request-submit \ + docker exec ca pki \ + -n caadmin \ + ca-cert-issue \ --profile caStorageCert \ - --csr-file $SHARED/kra_storage.csr | tee output - REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output) - - docker exec ca pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee output - CERT_ID=$(sed -n 's/Certificate ID: *\(.*\)/\1/p' output) - - docker exec ca pki ca-cert-export $CERT_ID --output-file $SHARED/kra_storage.crt + --csr-file $SHARED/kra_storage.csr \ + --output-file $SHARED/kra_storage.crt docker exec ca openssl x509 -text -noout -in $SHARED/kra_storage.crt docker exec kra cp $SHARED/kra_storage.crt /var/lib/pki/pki-tomcat/conf/certs @@ -166,15 +163,12 @@ jobs: docker exec kra cp /var/lib/pki/pki-tomcat/conf/certs/kra_transport.csr $SHARED docker exec ca openssl req -text -noout -in $SHARED/kra_transport.csr - docker exec ca pki ca-cert-request-submit \ + docker exec ca pki \ + -n caadmin \ + ca-cert-issue \ --profile caTransportCert \ - --csr-file $SHARED/kra_transport.csr | tee output - REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output) - - docker exec ca pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee output - CERT_ID=$(sed -n 's/Certificate ID: *\(.*\)/\1/p' output) - - docker exec ca pki ca-cert-export $CERT_ID --output-file $SHARED/kra_transport.crt + --csr-file $SHARED/kra_transport.csr \ + --output-file $SHARED/kra_transport.crt docker exec ca openssl x509 -text -noout -in $SHARED/kra_transport.crt docker exec kra cp $SHARED/kra_transport.crt /var/lib/pki/pki-tomcat/conf/certs 
@@ -208,15 +202,12 @@ jobs: docker exec kra cp /var/lib/pki/pki-tomcat/conf/certs/kra_audit_signing.csr $SHARED docker exec ca openssl req -text -noout -in $SHARED/kra_audit_signing.csr - docker exec ca pki ca-cert-request-submit \ + docker exec ca pki \ + -n caadmin \ + ca-cert-issue \ --profile caAuditSigningCert \ - --csr-file $SHARED/kra_audit_signing.csr | tee output - REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output) - - docker exec ca pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee output - CERT_ID=$(sed -n 's/Certificate ID: *\(.*\)/\1/p' output) - - docker exec ca pki ca-cert-export $CERT_ID --output-file $SHARED/kra_audit_signing.crt + --csr-file $SHARED/kra_audit_signing.csr \ + --output-file $SHARED/kra_audit_signing.crt docker exec ca openssl x509 -text -noout -in $SHARED/kra_audit_signing.crt docker exec kra cp $SHARED/kra_audit_signing.crt /var/lib/pki/pki-tomcat/conf/certs @@ -250,15 +241,12 @@ jobs: docker exec kra cp /var/lib/pki/pki-tomcat/conf/certs/subsystem.csr $SHARED docker exec ca openssl req -text -noout -in $SHARED/subsystem.csr - docker exec ca pki ca-cert-request-submit \ + docker exec ca pki \ + -n caadmin \ + ca-cert-issue \ --profile caSubsystemCert \ - --csr-file $SHARED/subsystem.csr | tee output - REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output) - - docker exec ca pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee output - CERT_ID=$(sed -n 's/Certificate ID: *\(.*\)/\1/p' output) - - docker exec ca pki ca-cert-export $CERT_ID --output-file $SHARED/subsystem.crt + --csr-file $SHARED/subsystem.csr \ + --output-file $SHARED/subsystem.crt docker exec ca openssl x509 -text -noout -in $SHARED/subsystem.crt docker exec kra cp $SHARED/subsystem.crt /var/lib/pki/pki-tomcat/conf/certs 
@@ -291,15 +279,12 @@ jobs: docker exec kra cp /var/lib/pki/pki-tomcat/conf/certs/sslserver.csr $SHARED docker exec ca openssl req -text -noout -in $SHARED/sslserver.csr - docker exec ca pki ca-cert-request-submit \ + docker exec ca pki \ + -n caadmin \ + ca-cert-issue \ --profile caServerCert \ - --csr-file $SHARED/sslserver.csr | tee output - REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output) - - docker exec ca pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee output - CERT_ID=$(sed -n 's/Certificate ID: *\(.*\)/\1/p' output) - - docker exec ca pki ca-cert-export $CERT_ID --output-file $SHARED/sslserver.crt + --csr-file $SHARED/sslserver.csr \ + --output-file $SHARED/sslserver.crt docker exec ca openssl x509 -text -noout -in $SHARED/sslserver.crt docker exec kra cp $SHARED/sslserver.crt /var/lib/pki/pki-tomcat/conf/certs @@ -328,15 +313,12 @@ jobs: --csr $SHARED/kra_admin.csr docker exec ca openssl req -text -noout -in $SHARED/kra_admin.csr - docker exec ca pki ca-cert-request-submit \ + docker exec ca pki \ + -n caadmin \ + ca-cert-issue \ --profile AdminCert \ - --csr-file $SHARED/kra_admin.csr | tee output - REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output) - - docker exec ca pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee output - CERT_ID=$(sed -n 's/Certificate ID: *\(.*\)/\1/p' output) - - docker exec ca pki ca-cert-export $CERT_ID --output-file $SHARED/kra_admin.crt + --csr-file $SHARED/kra_admin.csr \ + --output-file $SHARED/kra_admin.crt docker exec ca openssl x509 -text -noout -in $SHARED/kra_admin.crt docker exec kra pki nss-cert-import \ diff --git a/.github/workflows/kra-existing-nssdb-test.yml b/.github/workflows/kra-existing-nssdb-test.yml index ef682a25327..0d7618fb30c 100644 --- a/.github/workflows/kra-existing-nssdb-test.yml +++ b/.github/workflows/kra-existing-nssdb-test.yml 
@@ -100,15 +100,12 @@ jobs: docker exec kra cp /var/lib/pki/pki-tomcat/conf/certs/kra_storage.csr $SHARED docker exec kra openssl req -text -noout -in $SHARED/kra_storage.csr - docker exec ca pki ca-cert-request-submit \ + docker exec ca pki \ + -n caadmin \ + ca-cert-issue \ --profile caStorageCert \ - --csr-file $SHARED/kra_storage.csr | tee output - REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output) - - docker exec ca pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee output - CERT_ID=$(sed -n 's/Certificate ID: *\(.*\)/\1/p' output) - - docker exec ca pki ca-cert-export $CERT_ID --output-file $SHARED/kra_storage.crt + --csr-file $SHARED/kra_storage.csr \ + --output-file $SHARED/kra_storage.crt docker exec ca openssl x509 -text -noout -in $SHARED/kra_storage.crt docker exec kra cp $SHARED/kra_storage.crt /var/lib/pki/pki-tomcat/conf/certs @@ -138,15 +135,12 @@ jobs: docker exec kra cp /var/lib/pki/pki-tomcat/conf/certs/kra_transport.csr $SHARED docker exec ca openssl req -text -noout -in $SHARED/kra_transport.csr - docker exec ca pki ca-cert-request-submit \ + docker exec ca pki \ + -n caadmin \ + ca-cert-issue \ --profile caTransportCert \ - --csr-file $SHARED/kra_transport.csr | tee output - REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output) - - docker exec ca pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee output - CERT_ID=$(sed -n 's/Certificate ID: *\(.*\)/\1/p' output) - - docker exec ca pki ca-cert-export $CERT_ID --output-file $SHARED/kra_transport.crt + --csr-file $SHARED/kra_transport.csr \ + --output-file $SHARED/kra_transport.crt docker exec ca openssl x509 -text -noout -in $SHARED/kra_transport.crt docker exec kra cp $SHARED/kra_transport.crt /var/lib/pki/pki-tomcat/conf/certs 
@@ -176,15 +170,12 @@ jobs: docker exec kra cp /var/lib/pki/pki-tomcat/conf/certs/kra_audit_signing.csr $SHARED docker exec ca openssl req -text -noout -in $SHARED/kra_audit_signing.csr - docker exec ca pki ca-cert-request-submit \ + docker exec ca pki \ + -n caadmin \ + ca-cert-issue \ --profile caAuditSigningCert \ - --csr-file $SHARED/kra_audit_signing.csr | tee output - REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output) - - docker exec ca pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee output - CERT_ID=$(sed -n 's/Certificate ID: *\(.*\)/\1/p' output) - - docker exec ca pki ca-cert-export $CERT_ID --output-file $SHARED/kra_audit_signing.crt + --csr-file $SHARED/kra_audit_signing.csr \ + --output-file $SHARED/kra_audit_signing.crt docker exec ca openssl x509 -text -noout -in $SHARED/kra_audit_signing.crt docker exec kra cp $SHARED/kra_audit_signing.crt /var/lib/pki/pki-tomcat/conf/certs @@ -214,15 +205,12 @@ jobs: docker exec kra cp /var/lib/pki/pki-tomcat/conf/certs/subsystem.csr $SHARED docker exec ca openssl req -text -noout -in $SHARED/subsystem.csr - docker exec ca pki ca-cert-request-submit \ + docker exec ca pki \ + -n caadmin \ + ca-cert-issue \ --profile caSubsystemCert \ - --csr-file $SHARED/subsystem.csr | tee output - REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output) - - docker exec ca pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee output - CERT_ID=$(sed -n 's/Certificate ID: *\(.*\)/\1/p' output) - - docker exec ca pki ca-cert-export $CERT_ID --output-file $SHARED/subsystem.crt + --csr-file $SHARED/subsystem.csr \ + --output-file $SHARED/subsystem.crt docker exec ca openssl x509 -text -noout -in $SHARED/subsystem.crt docker exec kra cp $SHARED/subsystem.crt /var/lib/pki/pki-tomcat/conf/certs 
@@ -252,15 +240,12 @@ jobs: docker exec kra cp /var/lib/pki/pki-tomcat/conf/certs/sslserver.csr $SHARED docker exec ca openssl req -text -noout -in $SHARED/sslserver.csr - docker exec ca pki ca-cert-request-submit \ + docker exec ca pki \ + -n caadmin \ + ca-cert-issue \ --profile caServerCert \ - --csr-file $SHARED/sslserver.csr | tee output - REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output) - - docker exec ca pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee output - CERT_ID=$(sed -n 's/Certificate ID: *\(.*\)/\1/p' output) - - docker exec ca pki ca-cert-export $CERT_ID --output-file $SHARED/sslserver.crt + --csr-file $SHARED/sslserver.csr \ + --output-file $SHARED/sslserver.crt docker exec ca openssl x509 -text -noout -in $SHARED/sslserver.crt docker exec kra cp $SHARED/sslserver.crt /var/lib/pki/pki-tomcat/conf/certs @@ -289,15 +274,12 @@ jobs: --csr $SHARED/kra_admin.csr docker exec ca openssl req -text -noout -in $SHARED/kra_admin.csr - docker exec ca pki ca-cert-request-submit \ + docker exec ca pki \ + -n caadmin \ + ca-cert-issue \ --profile AdminCert \ - --csr-file $SHARED/kra_admin.csr | tee output - REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output) - - docker exec ca pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee output - CERT_ID=$(sed -n 's/Certificate ID: *\(.*\)/\1/p' output) - - docker exec ca pki ca-cert-export $CERT_ID --output-file $SHARED/kra_admin.crt + --csr-file $SHARED/kra_admin.csr \ + --output-file $SHARED/kra_admin.crt docker exec ca openssl x509 -text -noout -in $SHARED/kra_admin.crt docker exec kra pki nss-cert-import \ diff --git a/.github/workflows/kra-external-certs-test.yml b/.github/workflows/kra-external-certs-test.yml index 63f65327b00..ebb9f3fec74 100644 --- a/.github/workflows/kra-external-certs-test.yml +++ b/.github/workflows/kra-external-certs-test.yml 
@@ -109,61 +109,67 @@ jobs:
 - name: Issue KRA storage cert
 run: |
 docker exec ca openssl req -text -noout -in ${SHARED}/kra_storage.csr
- docker exec ca pki ca-cert-request-submit --profile caStorageCert --csr-file ${SHARED}/kra_storage.csr | tee output
- REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output)
- docker exec ca pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee output
- CERT_ID=$(sed -n 's/Certificate ID: *\(.*\)/\1/p' output)
- docker exec ca pki ca-cert-export $CERT_ID --output-file ${SHARED}/kra_storage.crt
+ docker exec ca pki \
+ -n caadmin \
+ ca-cert-issue \
+ --profile caStorageCert \
+ --csr-file ${SHARED}/kra_storage.csr \
+ --output-file ${SHARED}/kra_storage.crt
 docker exec ca openssl x509 -text -noout -in ${SHARED}/kra_storage.crt
 - name: Issue KRA transport cert
 run: |
 docker exec ca openssl req -text -noout -in ${SHARED}/kra_transport.csr
- docker exec ca pki ca-cert-request-submit --profile caTransportCert --csr-file ${SHARED}/kra_transport.csr | tee output
- REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output)
- docker exec ca pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee output
- CERT_ID=$(sed -n 's/Certificate ID: *\(.*\)/\1/p' output)
- docker exec ca pki ca-cert-export $CERT_ID --output-file ${SHARED}/kra_transport.crt
+ docker exec ca pki \
+ -n caadmin \
+ ca-cert-issue \
+ --profile caTransportCert \
+ --csr-file ${SHARED}/kra_transport.csr \
+ --output-file ${SHARED}/kra_transport.crt
 docker exec ca openssl x509 -text -noout -in ${SHARED}/kra_transport.crt
 - name: Issue subsystem cert
 run: |
 docker exec ca openssl req -text -noout -in ${SHARED}/subsystem.csr
- docker exec ca pki ca-cert-request-submit --profile caSubsystemCert --csr-file ${SHARED}/subsystem.csr | tee output
- REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output)
- docker exec ca pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee output
- CERT_ID=$(sed -n 's/Certificate ID: *\(.*\)/\1/p' output)
- docker exec ca pki ca-cert-export $CERT_ID --output-file ${SHARED}/subsystem.crt
+ docker exec ca pki \
+ -n caadmin \
+ ca-cert-issue \
+ --profile caSubsystemCert \
+ --csr-file ${SHARED}/subsystem.csr \
+ --output-file ${SHARED}/subsystem.crt
 docker exec ca openssl x509 -text -noout -in ${SHARED}/subsystem.crt
 - name: Issue SSL server cert
 run: |
 docker exec ca openssl req -text -noout -in ${SHARED}/sslserver.csr
- docker exec ca pki ca-cert-request-submit --profile caServerCert --csr-file ${SHARED}/sslserver.csr | tee output
- REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output)
- docker exec ca pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee output
- CERT_ID=$(sed -n 's/Certificate ID: *\(.*\)/\1/p' output)
- docker exec ca pki ca-cert-export $CERT_ID --output-file ${SHARED}/sslserver.crt
+ docker exec ca pki \
+ -n caadmin \
+ ca-cert-issue \
+ --profile caServerCert \
+ --csr-file ${SHARED}/sslserver.csr \
+ --output-file ${SHARED}/sslserver.crt
 docker exec ca openssl x509 -text -noout -in ${SHARED}/sslserver.crt
 - name: Issue KRA audit signing cert
 run: |
 docker exec ca openssl req -text -noout -in ${SHARED}/kra_audit_signing.csr
- docker exec ca pki ca-cert-request-submit --profile caAuditSigningCert --csr-file ${SHARED}/kra_audit_signing.csr | tee output
- REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output)
- docker exec ca pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee output
- CERT_ID=$(sed -n 's/Certificate ID: *\(.*\)/\1/p' output)
- docker exec ca pki ca-cert-export $CERT_ID --output-file ${SHARED}/kra_audit_signing.crt
+ docker exec ca pki \
+ -n caadmin \
+ ca-cert-issue \
+ --profile caAuditSigningCert \
+ --csr-file ${SHARED}/kra_audit_signing.csr \
+ --output-file ${SHARED}/kra_audit_signing.crt
 docker exec ca openssl x509 -text -noout -in ${SHARED}/kra_audit_signing.crt
 - name: Issue KRA admin cert
 run: |
 docker exec ca openssl req -text -noout -in ${SHARED}/kra_admin.csr
- docker exec ca pki ca-cert-request-submit --profile AdminCert --csr-file ${SHARED}/kra_admin.csr | tee output
- REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output)
- docker exec ca pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee output
- CERT_ID=$(sed -n 's/Certificate ID: *\(.*\)/\1/p' output)
- docker exec ca pki ca-cert-export $CERT_ID --output-file ${SHARED}/kra_admin.crt
+ docker exec ca pki \
+ -n caadmin \
+ ca-cert-issue \
+ --profile AdminCert \
+ --csr-file ${SHARED}/kra_admin.csr \
+ --output-file ${SHARED}/kra_admin.crt
 docker exec ca openssl x509 -text -noout -in ${SHARED}/kra_admin.crt
 - name: Install KRA in KRA container (step 2)
diff --git a/.github/workflows/kra-standalone-test.yml b/.github/workflows/kra-standalone-test.yml
index 48a1cae1b91..4a58252dfb8 100644
--- a/.github/workflows/kra-standalone-test.yml
+++ b/.github/workflows/kra-standalone-test.yml
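Review bot: Each of the six new `ca-cert-issue` invocations in this hunk is followed only by `openssl x509 -text -noout`, which prints the certificate but asserts nothing, so a CA that returned a certificate for a different key or profile would still pass this job. Dropping the `| tee output` / `sed` chain is a real improvement because `tee` used to replace the `pki` exit status in the pipeline, but the step would be a stronger test of the new command with one cheap assertion per certificate, e.g. `diff <(docker exec ca openssl req -in ${SHARED}/kra_storage.csr -noout -pubkey) <(docker exec ca openssl x509 -in ${SHARED}/kra_storage.crt -noout -pubkey)`. The same applies to the identically shaped hunks in kra-standalone-test.yml, the four ocsp-*-test.yml files and tks-external-certs-test.yml below.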
@@ -112,61 +112,67 @@ jobs:
 - name: Issue KRA storage cert
 run: |
 docker exec ca openssl req -text -noout -in ${SHARED}/kra_storage.csr
- docker exec ca pki ca-cert-request-submit --profile caStorageCert --csr-file ${SHARED}/kra_storage.csr | tee output
- REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output)
- docker exec ca pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee output
- CERT_ID=$(sed -n 's/Certificate ID: *\(.*\)/\1/p' output)
- docker exec ca pki ca-cert-export $CERT_ID --output-file ${SHARED}/kra_storage.crt
+ docker exec ca pki \
+ -n caadmin \
+ ca-cert-issue \
+ --profile caStorageCert \
+ --csr-file ${SHARED}/kra_storage.csr \
+ --output-file ${SHARED}/kra_storage.crt
 docker exec ca openssl x509 -text -noout -in ${SHARED}/kra_storage.crt
 - name: Issue KRA transport cert
 run: |
 docker exec ca openssl req -text -noout -in ${SHARED}/kra_transport.csr
- docker exec ca pki ca-cert-request-submit --profile caTransportCert --csr-file ${SHARED}/kra_transport.csr | tee output
- REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output)
- docker exec ca pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee output
- CERT_ID=$(sed -n 's/Certificate ID: *\(.*\)/\1/p' output)
- docker exec ca pki ca-cert-export $CERT_ID --output-file ${SHARED}/kra_transport.crt
+ docker exec ca pki \
+ -n caadmin \
+ ca-cert-issue \
+ --profile caTransportCert \
+ --csr-file ${SHARED}/kra_transport.csr \
+ --output-file ${SHARED}/kra_transport.crt
 docker exec ca openssl x509 -text -noout -in ${SHARED}/kra_transport.crt
 - name: Issue subsystem cert
 run: |
 docker exec ca openssl req -text -noout -in ${SHARED}/subsystem.csr
- docker exec ca pki ca-cert-request-submit --profile caSubsystemCert --csr-file ${SHARED}/subsystem.csr | tee output
- REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output)
- docker exec ca pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee output
- CERT_ID=$(sed -n 's/Certificate ID: *\(.*\)/\1/p' output)
- docker exec ca pki ca-cert-export $CERT_ID --output-file ${SHARED}/subsystem.crt
+ docker exec ca pki \
+ -n caadmin \
+ ca-cert-issue \
+ --profile caSubsystemCert \
+ --csr-file ${SHARED}/subsystem.csr \
+ --output-file ${SHARED}/subsystem.crt
 docker exec ca openssl x509 -text -noout -in ${SHARED}/subsystem.crt
 - name: Issue SSL server cert
 run: |
 docker exec ca openssl req -text -noout -in ${SHARED}/sslserver.csr
- docker exec ca pki ca-cert-request-submit --profile caServerCert --csr-file ${SHARED}/sslserver.csr | tee output
- REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output)
- docker exec ca pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee output
- CERT_ID=$(sed -n 's/Certificate ID: *\(.*\)/\1/p' output)
- docker exec ca pki ca-cert-export $CERT_ID --output-file ${SHARED}/sslserver.crt
+ docker exec ca pki \
+ -n caadmin \
+ ca-cert-issue \
+ --profile caServerCert \
+ --csr-file ${SHARED}/sslserver.csr \
+ --output-file ${SHARED}/sslserver.crt
 docker exec ca openssl x509 -text -noout -in ${SHARED}/sslserver.crt
 - name: Issue KRA audit signing cert
 run: |
 docker exec ca openssl req -text -noout -in ${SHARED}/kra_audit_signing.csr
- docker exec ca pki ca-cert-request-submit --profile caAuditSigningCert --csr-file ${SHARED}/kra_audit_signing.csr | tee output
- REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output)
- docker exec ca pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee output
- CERT_ID=$(sed -n 's/Certificate ID: *\(.*\)/\1/p' output)
- docker exec ca pki ca-cert-export $CERT_ID --output-file ${SHARED}/kra_audit_signing.crt
+ docker exec ca pki \
+ -n caadmin \
+ ca-cert-issue \
+ --profile caAuditSigningCert \
+ --csr-file ${SHARED}/kra_audit_signing.csr \
+ --output-file ${SHARED}/kra_audit_signing.crt
 docker exec ca openssl x509 -text -noout -in ${SHARED}/kra_audit_signing.crt
 - name: Issue KRA admin cert
 run: |
 docker exec ca openssl req -text -noout -in ${SHARED}/kra_admin.csr
- docker exec ca pki ca-cert-request-submit --profile AdminCert --csr-file ${SHARED}/kra_admin.csr | tee output
- REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output)
- docker exec ca pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee output
- CERT_ID=$(sed -n 's/Certificate ID: *\(.*\)/\1/p' output)
- docker exec ca pki ca-cert-export $CERT_ID --output-file ${SHARED}/kra_admin.crt
+ docker exec ca pki \
+ -n caadmin \
+ ca-cert-issue \
+ --profile AdminCert \
+ --csr-file ${SHARED}/kra_admin.csr \
+ --output-file ${SHARED}/kra_admin.crt
 docker exec ca openssl x509 -text -noout -in ${SHARED}/kra_admin.crt
 - name: Install standalone KRA (step 2)
diff --git a/.github/workflows/ocsp-crl-direct-test.yml b/.github/workflows/ocsp-crl-direct-test.yml
index 22a6aa791eb..1f5f9078c51 100644
--- a/.github/workflows/ocsp-crl-direct-test.yml
+++ b/.github/workflows/ocsp-crl-direct-test.yml
@@ -112,51 +112,56 @@ jobs:
 - name: Issue OCSP signing cert
 run: |
 docker exec ca openssl req -text -noout -in ${SHARED}/ocsp_signing.csr
- docker exec ca pki ca-cert-request-submit --profile caOCSPCert --csr-file ${SHARED}/ocsp_signing.csr | tee output
- REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output)
- docker exec ca pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee output
- CERT_ID=$(sed -n 's/Certificate ID: *\(.*\)/\1/p' output)
- docker exec ca pki ca-cert-export $CERT_ID --output-file ${SHARED}/ocsp_signing.crt
+ docker exec ca pki \
+ -n caadmin \
+ ca-cert-issue \
+ --profile caOCSPCert \
+ --csr-file ${SHARED}/ocsp_signing.csr \
+ --output-file ${SHARED}/ocsp_signing.crt
 docker exec ca openssl x509 -text -noout -in ${SHARED}/ocsp_signing.crt
 - name: Issue subsystem cert
 run: |
 docker exec ca openssl req -text -noout -in ${SHARED}/subsystem.csr
- docker exec ca pki ca-cert-request-submit --profile caSubsystemCert --csr-file ${SHARED}/subsystem.csr | tee output
- REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output)
- docker exec ca pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee output
- CERT_ID=$(sed -n 's/Certificate ID: *\(.*\)/\1/p' output)
- docker exec ca pki ca-cert-export $CERT_ID --output-file ${SHARED}/subsystem.crt
+ docker exec ca pki \
+ -n caadmin \
+ ca-cert-issue \
+ --profile caSubsystemCert \
+ --csr-file ${SHARED}/subsystem.csr \
+ --output-file ${SHARED}/subsystem.crt
 docker exec ca openssl x509 -text -noout -in ${SHARED}/subsystem.crt
 - name: Issue SSL server cert
 run: |
 docker exec ca openssl req -text -noout -in ${SHARED}/sslserver.csr
- docker exec ca pki ca-cert-request-submit --profile caServerCert --csr-file ${SHARED}/sslserver.csr | tee output
- REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output)
- docker exec ca pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee output
- CERT_ID=$(sed -n 's/Certificate ID: *\(.*\)/\1/p' output)
- docker exec ca pki ca-cert-export $CERT_ID --output-file ${SHARED}/sslserver.crt
+ docker exec ca pki \
+ -n caadmin \
+ ca-cert-issue \
+ --profile caServerCert \
+ --csr-file ${SHARED}/sslserver.csr \
+ --output-file ${SHARED}/sslserver.crt
 docker exec ca openssl x509 -text -noout -in ${SHARED}/sslserver.crt
 - name: Issue OCSP audit signing cert
 run: |
 docker exec ca openssl req -text -noout -in ${SHARED}/ocsp_audit_signing.csr
- docker exec ca pki ca-cert-request-submit --profile caAuditSigningCert --csr-file ${SHARED}/ocsp_audit_signing.csr | tee output
- REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output)
- docker exec ca pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee output
- CERT_ID=$(sed -n 's/Certificate ID: *\(.*\)/\1/p' output)
- docker exec ca pki ca-cert-export $CERT_ID --output-file ${SHARED}/ocsp_audit_signing.crt
+ docker exec ca pki \
+ -n caadmin \
+ ca-cert-issue \
+ --profile caAuditSigningCert \
+ --csr-file ${SHARED}/ocsp_audit_signing.csr \
+ --output-file ${SHARED}/ocsp_audit_signing.crt
 docker exec ca openssl x509 -text -noout -in ${SHARED}/ocsp_audit_signing.crt
 - name: Issue OCSP admin cert
 run: |
 docker exec ca openssl req -text -noout -in ${SHARED}/ocsp_admin.csr
- docker exec ca pki ca-cert-request-submit --profile AdminCert --csr-file ${SHARED}/ocsp_admin.csr | tee output
- REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output)
- docker exec ca pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee output
- CERT_ID=$(sed -n 's/Certificate ID: *\(.*\)/\1/p' output)
- docker exec ca pki ca-cert-export $CERT_ID --output-file ${SHARED}/ocsp_admin.crt
+ docker exec ca pki \
+ -n caadmin \
+ ca-cert-issue \
+ --profile AdminCert \
+ --csr-file ${SHARED}/ocsp_admin.csr \
+ --output-file ${SHARED}/ocsp_admin.crt
 docker exec ca openssl x509 -text -noout -in ${SHARED}/ocsp_admin.crt
 - name: Install OCSP in OCSP container (step 2)
diff --git a/.github/workflows/ocsp-crl-ldap-test.yml b/.github/workflows/ocsp-crl-ldap-test.yml
index cf838dd049d..c5d894985bb 100644
--- a/.github/workflows/ocsp-crl-ldap-test.yml
+++ b/.github/workflows/ocsp-crl-ldap-test.yml
@@ -113,51 +113,56 @@ jobs:
 - name: Issue OCSP signing cert
 run: |
 docker exec ca openssl req -text -noout -in ${SHARED}/ocsp_signing.csr
- docker exec ca pki ca-cert-request-submit --profile caOCSPCert --csr-file ${SHARED}/ocsp_signing.csr | tee output
- REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output)
- docker exec ca pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee output
- CERT_ID=$(sed -n 's/Certificate ID: *\(.*\)/\1/p' output)
- docker exec ca pki ca-cert-export $CERT_ID --output-file ${SHARED}/ocsp_signing.crt
+ docker exec ca pki \
+ -n caadmin \
+ ca-cert-issue \
+ --profile caOCSPCert \
+ --csr-file ${SHARED}/ocsp_signing.csr \
+ --output-file ${SHARED}/ocsp_signing.crt
 docker exec ca openssl x509 -text -noout -in ${SHARED}/ocsp_signing.crt
 - name: Issue subsystem cert
 run: |
 docker exec ca openssl req -text -noout -in ${SHARED}/subsystem.csr
- docker exec ca pki ca-cert-request-submit --profile caSubsystemCert --csr-file ${SHARED}/subsystem.csr | tee output
- REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output)
- docker exec ca pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee output
- CERT_ID=$(sed -n 's/Certificate ID: *\(.*\)/\1/p' output)
- docker exec ca pki ca-cert-export $CERT_ID --output-file ${SHARED}/subsystem.crt
+ docker exec ca pki \
+ -n caadmin \
+ ca-cert-issue \
+ --profile caSubsystemCert \
+ --csr-file ${SHARED}/subsystem.csr \
+ --output-file ${SHARED}/subsystem.crt
 docker exec ca openssl x509 -text -noout -in ${SHARED}/subsystem.crt
 - name: Issue SSL server cert
 run: |
 docker exec ca openssl req -text -noout -in ${SHARED}/sslserver.csr
- docker exec ca pki ca-cert-request-submit --profile caServerCert --csr-file ${SHARED}/sslserver.csr | tee output
- REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output)
- docker exec ca pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee output
- CERT_ID=$(sed -n 's/Certificate ID: *\(.*\)/\1/p' output)
- docker exec ca pki ca-cert-export $CERT_ID --output-file ${SHARED}/sslserver.crt
+ docker exec ca pki \
+ -n caadmin \
+ ca-cert-issue \
+ --profile caServerCert \
+ --csr-file ${SHARED}/sslserver.csr \
+ --output-file ${SHARED}/sslserver.crt
 docker exec ca openssl x509 -text -noout -in ${SHARED}/sslserver.crt
 - name: Issue OCSP audit signing cert
 run: |
 docker exec ca openssl req -text -noout -in ${SHARED}/ocsp_audit_signing.csr
- docker exec ca pki ca-cert-request-submit --profile caAuditSigningCert --csr-file ${SHARED}/ocsp_audit_signing.csr | tee output
- REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output)
- docker exec ca pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee output
- CERT_ID=$(sed -n 's/Certificate ID: *\(.*\)/\1/p' output)
- docker exec ca pki ca-cert-export $CERT_ID --output-file ${SHARED}/ocsp_audit_signing.crt
+ docker exec ca pki \
+ -n caadmin \
+ ca-cert-issue \
+ --profile caAuditSigningCert \
+ --csr-file ${SHARED}/ocsp_audit_signing.csr \
+ --output-file ${SHARED}/ocsp_audit_signing.crt
 docker exec ca openssl x509 -text -noout -in ${SHARED}/ocsp_audit_signing.crt
 - name: Issue OCSP admin cert
 run: |
 docker exec ca openssl req -text -noout -in ${SHARED}/ocsp_admin.csr
- docker exec ca pki ca-cert-request-submit --profile AdminCert --csr-file ${SHARED}/ocsp_admin.csr | tee output
- REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output)
- docker exec ca pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee output
- CERT_ID=$(sed -n 's/Certificate ID: *\(.*\)/\1/p' output)
- docker exec ca pki ca-cert-export $CERT_ID --output-file ${SHARED}/ocsp_admin.crt
+ docker exec ca pki \
+ -n caadmin \
+ ca-cert-issue \
+ --profile AdminCert \
+ --csr-file ${SHARED}/ocsp_admin.csr \
+ --output-file ${SHARED}/ocsp_admin.crt
 docker exec ca openssl x509 -text -noout -in ${SHARED}/ocsp_admin.crt
 - name: Install OCSP in OCSP container (step 2)
diff --git a/.github/workflows/ocsp-external-certs-test.yml b/.github/workflows/ocsp-external-certs-test.yml
index d1f33f0f89e..099456896a2 100644
--- a/.github/workflows/ocsp-external-certs-test.yml
+++ b/.github/workflows/ocsp-external-certs-test.yml
@@ -108,51 +108,56 @@ jobs:
 - name: Issue OCSP signing cert
 run: |
 docker exec ca openssl req -text -noout -in ${SHARED}/ocsp_signing.csr
- docker exec ca pki ca-cert-request-submit --profile caOCSPCert --csr-file ${SHARED}/ocsp_signing.csr | tee output
- REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output)
- docker exec ca pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee output
- CERT_ID=$(sed -n 's/Certificate ID: *\(.*\)/\1/p' output)
- docker exec ca pki ca-cert-export $CERT_ID --output-file ${SHARED}/ocsp_signing.crt
+ docker exec ca pki \
+ -n caadmin \
+ ca-cert-issue \
+ --profile caOCSPCert \
+ --csr-file ${SHARED}/ocsp_signing.csr \
+ --output-file ${SHARED}/ocsp_signing.crt
 docker exec ca openssl x509 -text -noout -in ${SHARED}/ocsp_signing.crt
 - name: Issue subsystem cert
 run: |
 docker exec ca openssl req -text -noout -in ${SHARED}/subsystem.csr
- docker exec ca pki ca-cert-request-submit --profile caSubsystemCert --csr-file ${SHARED}/subsystem.csr | tee output
- REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output)
- docker exec ca pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee output
- CERT_ID=$(sed -n 's/Certificate ID: *\(.*\)/\1/p' output)
- docker exec ca pki ca-cert-export $CERT_ID --output-file ${SHARED}/subsystem.crt
+ docker exec ca pki \
+ -n caadmin \
+ ca-cert-issue \
+ --profile caSubsystemCert \
+ --csr-file ${SHARED}/subsystem.csr \
+ --output-file ${SHARED}/subsystem.crt
 docker exec ca openssl x509 -text -noout -in ${SHARED}/subsystem.crt
 - name: Issue SSL server cert
 run: |
 docker exec ca openssl req -text -noout -in ${SHARED}/sslserver.csr
- docker exec ca pki ca-cert-request-submit --profile caServerCert --csr-file ${SHARED}/sslserver.csr | tee output
- REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output)
- docker exec ca pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee output
- CERT_ID=$(sed -n 's/Certificate ID: *\(.*\)/\1/p' output)
- docker exec ca pki ca-cert-export $CERT_ID --output-file ${SHARED}/sslserver.crt
+ docker exec ca pki \
+ -n caadmin \
+ ca-cert-issue \
+ --profile caServerCert \
+ --csr-file ${SHARED}/sslserver.csr \
+ --output-file ${SHARED}/sslserver.crt
 docker exec ca openssl x509 -text -noout -in ${SHARED}/sslserver.crt
 - name: Issue OCSP audit signing cert
 run: |
 docker exec ca openssl req -text -noout -in ${SHARED}/ocsp_audit_signing.csr
- docker exec ca pki ca-cert-request-submit --profile caAuditSigningCert --csr-file ${SHARED}/ocsp_audit_signing.csr | tee output
- REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output)
- docker exec ca pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee output
- CERT_ID=$(sed -n 's/Certificate ID: *\(.*\)/\1/p' output)
- docker exec ca pki ca-cert-export $CERT_ID --output-file ${SHARED}/ocsp_audit_signing.crt
+ docker exec ca pki \
+ -n caadmin \
+ ca-cert-issue \
+ --profile caAuditSigningCert \
+ --csr-file ${SHARED}/ocsp_audit_signing.csr \
+ --output-file ${SHARED}/ocsp_audit_signing.crt
 docker exec ca openssl x509 -text -noout -in ${SHARED}/ocsp_audit_signing.crt
 - name: Issue OCSP admin cert
 run: |
 docker exec ca openssl req -text -noout -in ${SHARED}/ocsp_admin.csr
- docker exec ca pki ca-cert-request-submit --profile AdminCert --csr-file ${SHARED}/ocsp_admin.csr | tee output
- REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output)
- docker exec ca pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee output
- CERT_ID=$(sed -n 's/Certificate ID: *\(.*\)/\1/p' output)
- docker exec ca pki ca-cert-export $CERT_ID --output-file ${SHARED}/ocsp_admin.crt
+ docker exec ca pki \
+ -n caadmin \
+ ca-cert-issue \
+ --profile AdminCert \
+ --csr-file ${SHARED}/ocsp_admin.csr \
+ --output-file ${SHARED}/ocsp_admin.crt
 docker exec ca openssl x509 -text -noout -in ${SHARED}/ocsp_admin.crt
 - name: Install OCSP in OCSP container (step 2)
diff --git a/.github/workflows/ocsp-standalone-test.yml b/.github/workflows/ocsp-standalone-test.yml
index 40a2be685a7..1f04271941e 100644
--- a/.github/workflows/ocsp-standalone-test.yml
+++ b/.github/workflows/ocsp-standalone-test.yml
@@ -112,51 +112,56 @@ jobs:
 - name: Issue OCSP signing cert
 run: |
 docker exec ca openssl req -text -noout -in ${SHARED}/ocsp_signing.csr
- docker exec ca pki ca-cert-request-submit --profile caOCSPCert --csr-file ${SHARED}/ocsp_signing.csr | tee output
- REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output)
- docker exec ca pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee output
- CERT_ID=$(sed -n 's/Certificate ID: *\(.*\)/\1/p' output)
- docker exec ca pki ca-cert-export $CERT_ID --output-file ${SHARED}/ocsp_signing.crt
+ docker exec ca pki \
+ -n caadmin \
+ ca-cert-issue \
+ --profile caOCSPCert \
+ --csr-file ${SHARED}/ocsp_signing.csr \
+ --output-file ${SHARED}/ocsp_signing.crt
 docker exec ca openssl x509 -text -noout -in ${SHARED}/ocsp_signing.crt
 - name: Issue subsystem cert
 run: |
 docker exec ca openssl req -text -noout -in ${SHARED}/subsystem.csr
- docker exec ca pki ca-cert-request-submit --profile caSubsystemCert --csr-file ${SHARED}/subsystem.csr | tee output
- REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output)
- docker exec ca pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee output
- CERT_ID=$(sed -n 's/Certificate ID: *\(.*\)/\1/p' output)
- docker exec ca pki ca-cert-export $CERT_ID --output-file ${SHARED}/subsystem.crt
+ docker exec ca pki \
+ -n caadmin \
+ ca-cert-issue \
+ --profile caSubsystemCert \
+ --csr-file ${SHARED}/subsystem.csr \
+ --output-file ${SHARED}/subsystem.crt
 docker exec ca openssl x509 -text -noout -in ${SHARED}/subsystem.crt
 - name: Issue SSL server cert
 run: |
 docker exec ca openssl req -text -noout -in ${SHARED}/sslserver.csr
- docker exec ca pki ca-cert-request-submit --profile caServerCert --csr-file ${SHARED}/sslserver.csr | tee output
- REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output)
- docker exec ca pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee output
- CERT_ID=$(sed -n 's/Certificate ID: *\(.*\)/\1/p' output)
- docker exec ca pki ca-cert-export $CERT_ID --output-file ${SHARED}/sslserver.crt
+ docker exec ca pki \
+ -n caadmin \
+ ca-cert-issue \
+ --profile caServerCert \
+ --csr-file ${SHARED}/sslserver.csr \
+ --output-file ${SHARED}/sslserver.crt
 docker exec ca openssl x509 -text -noout -in ${SHARED}/sslserver.crt
 - name: Issue OCSP audit signing cert
 run: |
 docker exec ca openssl req -text -noout -in ${SHARED}/ocsp_audit_signing.csr
- docker exec ca pki ca-cert-request-submit --profile caAuditSigningCert --csr-file ${SHARED}/ocsp_audit_signing.csr | tee output
- REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output)
- docker exec ca pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee output
- CERT_ID=$(sed -n 's/Certificate ID: *\(.*\)/\1/p' output)
- docker exec ca pki ca-cert-export $CERT_ID --output-file ${SHARED}/ocsp_audit_signing.crt
+ docker exec ca pki \
+ -n caadmin \
+ ca-cert-issue \
+ --profile caAuditSigningCert \
+ --csr-file ${SHARED}/ocsp_audit_signing.csr \
+ --output-file ${SHARED}/ocsp_audit_signing.crt
 docker exec ca openssl x509 -text -noout -in ${SHARED}/ocsp_audit_signing.crt
 - name: Issue OCSP admin cert
 run: |
 docker exec ca openssl req -text -noout -in ${SHARED}/ocsp_admin.csr
- docker exec ca pki ca-cert-request-submit --profile AdminCert --csr-file ${SHARED}/ocsp_admin.csr | tee output
- REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output)
- docker exec ca pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee output
- CERT_ID=$(sed -n 's/Certificate ID: *\(.*\)/\1/p' output)
- docker exec ca pki ca-cert-export $CERT_ID --output-file ${SHARED}/ocsp_admin.crt
+ docker exec ca pki \
+ -n caadmin \
+ ca-cert-issue \
+ --profile AdminCert \
+ --csr-file ${SHARED}/ocsp_admin.csr \
+ --output-file ${SHARED}/ocsp_admin.crt
 docker exec ca openssl x509 -text -noout -in ${SHARED}/ocsp_admin.crt
 - name: Install standalone OCSP (step 2)
diff --git a/.github/workflows/tks-external-certs-test.yml b/.github/workflows/tks-external-certs-test.yml
index f4a73bf66f1..5bb875c813b 100644
--- a/.github/workflows/tks-external-certs-test.yml
+++ b/.github/workflows/tks-external-certs-test.yml
@@ -110,41 +110,45 @@ jobs:
 - name: Issue subsystem cert
 run: |
 docker exec ca openssl req -text -noout -in ${SHARED}/subsystem.csr
- docker exec ca pki ca-cert-request-submit --profile caSubsystemCert --csr-file ${SHARED}/subsystem.csr | tee output
- REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output)
- docker exec ca pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee output
- CERT_ID=$(sed -n 's/Certificate ID: *\(.*\)/\1/p' output)
- docker exec ca pki ca-cert-export $CERT_ID --output-file ${SHARED}/subsystem.crt
+ docker exec ca pki \
+ -n caadmin \
+ ca-cert-issue \
+ --profile caSubsystemCert \
+ --csr-file ${SHARED}/subsystem.csr \
+ --output-file ${SHARED}/subsystem.crt
 docker exec ca openssl x509 -text -noout -in ${SHARED}/subsystem.crt
 - name: Issue SSL server cert
 run: |
 docker exec ca openssl req -text -noout -in ${SHARED}/sslserver.csr
- docker exec ca pki ca-cert-request-submit --profile caServerCert --csr-file ${SHARED}/sslserver.csr | tee output
- REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output)
- docker exec ca pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee output
- CERT_ID=$(sed -n 's/Certificate ID: *\(.*\)/\1/p' output)
- docker exec ca pki ca-cert-export $CERT_ID --output-file ${SHARED}/sslserver.crt
+ docker exec ca pki \
+ -n caadmin \
+ ca-cert-issue \
+ --profile caServerCert \
+ --csr-file ${SHARED}/sslserver.csr \
+ --output-file ${SHARED}/sslserver.crt
 docker exec ca openssl x509 -text -noout -in ${SHARED}/sslserver.crt
 - name: Issue TKS audit signing cert
 run: |
 docker exec ca openssl req -text -noout -in ${SHARED}/tks_audit_signing.csr
- docker exec ca pki ca-cert-request-submit --profile caAuditSigningCert --csr-file ${SHARED}/tks_audit_signing.csr | tee output
- REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output)
- docker exec ca pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee output
- CERT_ID=$(sed -n 's/Certificate ID: *\(.*\)/\1/p' output)
- docker exec ca pki ca-cert-export $CERT_ID --output-file ${SHARED}/tks_audit_signing.crt
+ docker exec ca pki \
+ -n caadmin \
+ ca-cert-issue \
+ --profile caAuditSigningCert \
+ --csr-file ${SHARED}/tks_audit_signing.csr \
+ --output-file ${SHARED}/tks_audit_signing.crt
 docker exec ca openssl x509 -text -noout -in ${SHARED}/tks_audit_signing.crt
 - name: Issue TKS admin cert
 run: |
 docker exec ca openssl req -text -noout -in ${SHARED}/tks_admin.csr
- docker exec ca pki ca-cert-request-submit --profile AdminCert --csr-file ${SHARED}/tks_admin.csr | tee output
- REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output)
- docker exec ca pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee output
- CERT_ID=$(sed -n 's/Certificate ID: *\(.*\)/\1/p' output)
- docker exec ca pki ca-cert-export $CERT_ID --output-file ${SHARED}/tks_admin.crt
+ docker exec ca pki \
+ -n caadmin \
+ ca-cert-issue \
+ --profile AdminCert \
+ --csr-file ${SHARED}/tks_admin.csr \
+ --output-file ${SHARED}/tks_admin.crt
 docker exec ca openssl x509 -text -noout -in ${SHARED}/tks_admin.crt
 - name: Install TKS in TKS container (step 2)
diff --git a/.github/workflows/tps-external-certs-test.yml b/.github/workflows/tps-external-certs-test.yml
index e44eccaa645..0f412e40ce5 100644
--- a/.github/workflows/tps-external-certs-test.yml
+++ b/.github/workflows/tps-external-certs-test.yml
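Review bot: Replacing the submit → approve → export sequence with a single `pki -n caadmin ca-cert-issue` call in all four "Issue ... cert" steps of this hunk removes this workflow's only exercise of the agent-approval commands (`ca-cert-request-submit` without credentials, `ca-cert-request-approve --force`, `ca-cert-export`); the same applies to the tps-external-certs-test.yml hunk that follows and to the Ansible task file later in this commit. Since the installer itself is being moved off those commands in the same commit, keeping one step per workflow, or one dedicated workflow, on the three-command flow would preserve CI coverage of them. Note also that every issuance is now authenticated as `caadmin`, whereas before only the approve step used the agent credential, so a failure in these steps now also covers client-cert authentication rather than just enrollment.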
@@ -184,33 +184,45 @@ jobs:
 - name: Issue subsystem cert
 run: |
 docker exec ca openssl req -text -noout -in ${SHARED}/subsystem.csr
- docker exec ca pki ca-cert-request-submit --profile caSubsystemCert --csr-file ${SHARED}/subsystem.csr | sed -n 's/Request ID: *\(.*\)/\1/p' > subsystem.reqid
- docker exec ca pki -n caadmin ca-cert-request-approve `cat subsystem.reqid` --force | sed -n 's/Certificate ID: *\(.*\)/\1/p' > subsystem.certid
- docker exec ca pki ca-cert-export `cat subsystem.certid` --output-file ${SHARED}/subsystem.crt
+ docker exec ca pki \
+ -n caadmin \
+ ca-cert-issue \
+ --profile caSubsystemCert \
+ --csr-file ${SHARED}/subsystem.csr \
+ --output-file ${SHARED}/subsystem.crt
 docker exec ca openssl x509 -text -noout -in ${SHARED}/subsystem.crt
 - name: Issue SSL server cert
 run: |
 docker exec ca openssl req -text -noout -in ${SHARED}/sslserver.csr
- docker exec ca pki ca-cert-request-submit --profile caServerCert --csr-file ${SHARED}/sslserver.csr | sed -n 's/Request ID: *\(.*\)/\1/p' > sslserver.reqid
- docker exec ca pki -n caadmin ca-cert-request-approve `cat sslserver.reqid` --force | sed -n 's/Certificate ID: *\(.*\)/\1/p' > sslserver.certid
- docker exec ca pki ca-cert-export `cat sslserver.certid` --output-file ${SHARED}/sslserver.crt
+ docker exec ca pki \
+ -n caadmin \
+ ca-cert-issue \
+ --profile caServerCert \
+ --csr-file ${SHARED}/sslserver.csr \
+ --output-file ${SHARED}/sslserver.crt
 docker exec ca openssl x509 -text -noout -in ${SHARED}/sslserver.crt
 - name: Issue TPS audit signing cert
 run: |
 docker exec ca openssl req -text -noout -in ${SHARED}/tps_audit_signing.csr
- docker exec ca pki ca-cert-request-submit --profile caAuditSigningCert --csr-file ${SHARED}/tps_audit_signing.csr | sed -n 's/Request ID: *\(.*\)/\1/p' > tps_audit_signing.reqid
- docker exec ca pki -n caadmin ca-cert-request-approve `cat tps_audit_signing.reqid` --force | sed -n 's/Certificate ID: *\(.*\)/\1/p' > tps_audit_signing.certid
- docker exec ca pki ca-cert-export `cat tps_audit_signing.certid` --output-file ${SHARED}/tps_audit_signing.crt
+ docker exec ca pki \
+ -n caadmin \
+ ca-cert-issue \
+ --profile caAuditSigningCert \
+ --csr-file ${SHARED}/tps_audit_signing.csr \
+ --output-file ${SHARED}/tps_audit_signing.crt
 docker exec ca openssl x509 -text -noout -in ${SHARED}/tps_audit_signing.crt
 - name: Issue TPS admin cert
 run: |
 docker exec ca openssl req -text -noout -in ${SHARED}/tps_admin.csr
- docker exec ca pki ca-cert-request-submit --profile AdminCert --csr-file ${SHARED}/tps_admin.csr | sed -n 's/Request ID: *\(.*\)/\1/p' > tps_admin.reqid
- docker exec ca pki -n caadmin ca-cert-request-approve `cat tps_admin.reqid` --force | sed -n 's/Certificate ID: *\(.*\)/\1/p' > tps_admin.certid
- docker exec ca pki ca-cert-export `cat tps_admin.certid` --output-file ${SHARED}/tps_admin.crt
+ docker exec ca pki \
+ -n caadmin \
+ ca-cert-issue \
+ --profile AdminCert \
+ --csr-file ${SHARED}/tps_admin.csr \
+ --output-file ${SHARED}/tps_admin.crt
 docker exec ca openssl x509 -text -noout -in ${SHARED}/tps_admin.crt
 - name: Install TPS in TPS container (step 2)
diff --git a/base/server/python/pki/server/deployment/__init__.py b/base/server/python/pki/server/deployment/__init__.py
index 5cba57fc89f..ba4a00b68de 100644
--- a/base/server/python/pki/server/deployment/__init__.py
+++ b/base/server/python/pki/server/deployment/__init__.py
@@ -3681,7 +3681,7 @@ def issue_cert(
 '-f', self.instance.password_conf,
 '-U', url,
 '--ignore-banner',
- 'ca-cert-request-submit',
+ 'ca-cert-issue',
 '--request-type', request_type,
 '--csr-file', request_file,
 '--profile', profile,
diff --git a/base/tools/src/main/java/com/netscape/cmstools/ca/CACertCLI.java b/base/tools/src/main/java/com/netscape/cmstools/ca/CACertCLI.java
index 07e1a523bed..5f424b4eb42 100644
--- a/base/tools/src/main/java/com/netscape/cmstools/ca/CACertCLI.java
+++ b/base/tools/src/main/java/com/netscape/cmstools/ca/CACertCLI.java
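Review bot: `issue_cert` now invokes `ca-cert-issue`, and in the CACertIssueCLI added later in this commit a call that carries neither `--install-token` nor `--session` takes the agent path that submits, reviews and approves the request, instead of only queueing it as `ca-cert-request-submit` did; the rest of this command list, including whether an install token is always appended, lies outside the hunk, so it is not visible here whether the deployer can reach that branch. If it can, a run without a token would now need agent credentials and would approve its own request under them, which deserves a comment on this call, e.g. `# ca-cert-issue returns the cert directly; needs --install-token (or agent credentials)`. The change also ties the server-side Python to a `pki` client that has the new subcommand, so a host whose pki tools package is older than pki-server would fail at this step.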
@@ -45,6 +45,7 @@ public CACertCLI(CLI parent) {
 super("cert", "Certificate management commands", parent);
 addModule(new CACertFindCLI(this));
+ addModule(new CACertIssueCLI(this));
 addModule(new CACertShowCLI(this));
 addModule(new CACertExportCLI(this));
 addModule(new CACertRevokeCLI(this));
diff --git a/base/tools/src/main/java/com/netscape/cmstools/ca/CACertIssueCLI.java b/base/tools/src/main/java/com/netscape/cmstools/ca/CACertIssueCLI.java
new file mode 100644
index 00000000000..38532f7a5e2
--- /dev/null
+++ b/base/tools/src/main/java/com/netscape/cmstools/ca/CACertIssueCLI.java
@@ -0,0 +1,479 @@
+package com.netscape.cmstools.ca;
+
+import java.io.Console;
+import java.io.File;
+import java.io.FileNotFoundException;
+import java.io.FileOutputStream;
+import java.io.IOException;
+import java.io.PrintWriter;
+import java.io.StringWriter;
+import java.nio.file.Files;
+import java.nio.file.Paths;
+import java.util.Collection;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.Scanner;
+import java.util.Vector;
+
+import org.apache.commons.cli.CommandLine;
+import org.apache.commons.cli.Option;
+import org.dogtagpki.cli.CLIException;
+import org.dogtagpki.cli.CommandCLI;
+import org.dogtagpki.util.cert.CertUtil;
+import org.mozilla.jss.netscape.security.pkcs.PKCS10;
+import org.mozilla.jss.netscape.security.util.Cert;
+import org.mozilla.jss.netscape.security.util.Utils;
+import org.mozilla.jss.netscape.security.x509.X500Name;
+import org.mozilla.jss.netscape.security.x509.X509CertImpl;
+
+import com.netscape.certsrv.ca.AuthorityID;
+import com.netscape.certsrv.ca.CACertClient;
+import com.netscape.certsrv.cert.CertData;
+import com.netscape.certsrv.cert.CertEnrollmentRequest;
+import com.netscape.certsrv.cert.CertRequestInfo;
+import com.netscape.certsrv.cert.CertRequestInfos;
+import com.netscape.certsrv.cert.CertReviewResponse;
+import com.netscape.certsrv.dbs.certdb.CertId;
+import com.netscape.certsrv.profile.ProfileAttribute;
+import com.netscape.certsrv.profile.ProfileInput;
+import com.netscape.certsrv.request.RequestId;
+import com.netscape.cmstools.cli.MainCLI;
+
+import netscape.ldap.util.DN;
+import netscape.ldap.util.RDN;
+
+public class CACertIssueCLI extends CommandCLI {
+
+ public static org.slf4j.Logger logger = org.slf4j.LoggerFactory.getLogger(CACertIssueCLI.class);
+
+ CACertCLI certCLI;
+
+ public CACertIssueCLI(CACertCLI certCLI) {
+ super("issue", "Issue certificate", certCLI);
+ this.certCLI = certCLI;
+ }
+
+ @Override
+ public void createOptions() {
+
+ Option option = new Option(null, "issuer-id", true, "Authority ID (host authority if omitted)");
+ option.setArgName("ID");
+ options.addOption(option);
+
+ option = new Option(null, "issuer-dn", true, "Authority DN (host authority if omitted)");
+ option.setArgName("DN");
+ options.addOption(option);
+
+ option = new Option(null, "username", true, "Username for enrollment");
+ option.setArgName("username");
+ options.addOption(option);
+
+ option = new Option(null, "password-file", true, "File containing enrollment password");
+ options.addOption(option);
+
+ option = new Option(null, "password", false, "Prompt for enrollment password");
+ options.addOption(option);
+
+ option = new Option(null, "pin-file", true, "File containing enrollment PIN");
+ options.addOption(option);
+
+ option = new Option(null, "pin", false, "Prompt for enrollment PIN");
+ options.addOption(option);
+
+ option = new Option(null, "profile", true, "Certificate profile");
+ option.setArgName("profile");
+ options.addOption(option);
+
+ option = new Option(null, "request-type", true, "Request type (default: pkcs10)");
+ option.setArgName("type");
+ options.addOption(option);
+
+ option = new Option(null, "renewal", false, "Submit renewal request");
+ options.addOption(option);
+
+ option = new Option(null, "csr-file", true, "File containing the CSR");
+ option.setArgName("path");
+ options.addOption(option);
+
+ option = new Option(null, "serial", true, "Serial number of certificate for renewal");
+ option.setArgName("number");
+ options.addOption(option);
+
+ option = new Option(null, "subject", true, "Subject DN");
+ option.setArgName("DN");
+ options.addOption(option);
+
+ option = new Option(null, "dns-names", true, "Comma-separated list of DNS names");
+ option.setArgName("names");
+ options.addOption(option);
+
+ option = new Option(null, "requestor", true, "Requestor");
+ option.setArgName("requestor");
+ options.addOption(option);
+
+ option = new Option(null, "session", true, "Session ID");
+ option.setArgName("ID");
+ options.addOption(option);
+
+ option = new Option(null, "install-token", true, "Install token");
+ option.setArgName("path");
+ options.addOption(option);
+
+ option = new Option(null, "output-format", true, "Output format: PEM (default), DER");
+ option.setArgName("format");
+ options.addOption(option);
+
+ option = new Option(null, "output-file", true, "Output file");
+ option.setArgName("file");
+ options.addOption(option);
+ }
+
+ @Override
+ public void printHelp() {
+ formatter.printHelp(getFullName() + " [OPTIONS...]", options);
+ }
+
+ private String loadFile(String fileName) throws FileNotFoundException {
+ try (Scanner scanner = new Scanner(new File(fileName))) {
+ return scanner.useDelimiter("\\A").next();
+ }
+ }
+
+ public byte[] issueCert(
+ CACertClient certClient,
+ String requestType,
+ String csr,
+ String profileID,
+ String subjectDN,
+ String[] dnsNames,
+ String requestor,
+ String sessionID,
+ String outputFormat,
+ String outputFile)
+ throws Exception {
+
+ X509CertImpl cert = certClient.submitRequest(
+ requestType,
+ csr,
+ profileID,
+ subjectDN,
+ dnsNames,
+ requestor,
+ sessionID);
+
+ if (outputFormat == null || "PEM".equalsIgnoreCase(outputFormat)) {
+ StringWriter sw = new StringWriter();
+
+ try (PrintWriter out = new PrintWriter(sw, true)) {
+ out.println(Cert.HEADER);
+ out.print(Utils.base64encodeMultiLine(cert.getEncoded()));
+ out.println(Cert.FOOTER);
+ }
+
+ return sw.toString().getBytes();
+
+ } else if ("DER".equalsIgnoreCase(outputFormat)) {
+ return cert.getEncoded();
+
+ } else {
+ throw new Exception("Unsupported format: " + outputFormat);
+ }
+ }
+
+ public byte[] issueCert(
+ CACertClient certClient,
+ CertEnrollmentRequest request,
+ AuthorityID authorityID,
+ X500Name authorityDN,
+ String outputFormat,
+ String outputFile)
+ throws Exception {
+
+ logger.info("Submitting certificate request");
+ CertRequestInfos cri = certClient.enrollRequest(request, authorityID, authorityDN);
+
+ Collection entries = cri.getEntries();
+ if (entries.size() == 0) {
+ throw new CLIException("Unable to submit certificate request");
+ }
+
+ CertRequestInfo requestInfo = entries.iterator().next();
+ RequestId requestId = requestInfo.getRequestID();
+
+ logger.info("Retrieving certificate request " + requestId.toHexString());
+ CertReviewResponse reviewInfo = certClient.reviewRequest(requestId);
+
+ logger.info("Approving certificate request " + requestId.toHexString());
+ certClient.approveRequest(requestId, reviewInfo);
+ requestInfo = certClient.getRequest(requestId);
+ CertId certID = requestInfo.getCertId();
+
+ logger.info("Retrieving certificate " + certID.toHexString());
+ CertData certData = certClient.getCert(certID);
+
+ if (outputFormat == null || "PEM".equalsIgnoreCase(outputFormat)) {
+ return certData.getEncoded().getBytes();
+
+ } else if ("DER".equalsIgnoreCase(outputFormat)) {
+ return Cert.parseCertificate(certData.getEncoded());
+
+ } else {
+ throw new Exception("Unsupported format: " + outputFormat);
+ }
+ }
+
+ @Override
+ public void execute(CommandLine cmd) throws Exception {
+
+ String[] cmdArgs = cmd.getArgs();
+
+ String requestFilename = cmdArgs.length > 0 ? cmdArgs[0] : null;
+ String profileID = cmd.getOptionValue("profile");
+
+ if (requestFilename == null && profileID == null) {
+ throw new Exception("Missing request file or profile ID.");
+ }
+
+ if (requestFilename != null && profileID != null) {
+ throw new Exception("Request file and profile ID are mutually exclusive.");
+ }
+
+ AuthorityID aid = null;
+ if (cmd.hasOption("issuer-id")) {
+ String aidString = cmd.getOptionValue("issuer-id");
+ try {
+ aid = new AuthorityID(aidString);
+ } catch (IllegalArgumentException e) {
+ throw new Exception("Bad AuthorityID: " + aidString, e);
+ }
+ }
+
+ X500Name adn = null;
+ if (cmd.hasOption("issuer-dn")) {
+ String adnString = cmd.getOptionValue("issuer-dn");
+ try {
+ adn = new X500Name(adnString);
+ } catch (IOException e) {
+ throw new Exception("Bad DN: " + adnString, e);
+ }
+ }
+
+ if (aid != null && adn != null) {
+ throw new Exception("--issuer-id and --issuer-dn options are mutually exclusive");
+ }
+
+ String requestType = cmd.getOptionValue("request-type");
+
+ CertEnrollmentRequest request;
+ if (requestFilename == null) { // if no request file specified, generate new request from profile
+
+ logger.info("Retrieving " + profileID + " profile");
+
+ CACertClient certClient = certCLI.getCertClient();
+ request = certClient.getEnrollmentTemplate(profileID);
+
+ // set default request type for new request
+ if (requestType == null) requestType = "pkcs10";
+
+ } else { // otherwise, load request from file
+
+ logger.info("Loading request from " + requestFilename);
+
+ String xml = loadFile(requestFilename);
+ request = CertEnrollmentRequest.fromXML(xml);
+ }
+
+ if (requestType != null) {
+
+ logger.info("Request type: " + requestType);
+
+ for (ProfileInput input : request.getInputs()) {
+ ProfileAttribute typeAttr = input.getAttribute("cert_request_type");
+ if (typeAttr != null) {
+ typeAttr.setValue(requestType);
+ }
+ }
+ }
+
+ request.setRenewal(cmd.hasOption("renewal"));
+
+ String csrFilename = cmd.getOptionValue("csr-file");
+ String csr = null;
+ PKCS10 pkcs10 = null;
+
+ if (csrFilename != null) {
+
+ csr = loadFile(csrFilename);
+ logger.debug("CSR:\n" + csr);
+
+ byte[] bytes = CertUtil.parseCSR(csr);
+ if ("pkcs10".equals(requestType)) {
+ pkcs10 = new PKCS10(bytes);
+ }
+
+ for (ProfileInput input : request.getInputs()) {
+ ProfileAttribute csrAttr = input.getAttribute("cert_request");
+ if (csrAttr != null) {
+ csrAttr.setValue(csr);
+ }
+ }
+ }
+
+ String serial = cmd.getOptionValue("serial");
+ if (serial != null) {
+
+ logger.info("Serial: " + serial);
+
+ request.setSerialNum(new CertId(serial));
+
+ // store serial number in profile input if available
+ for (ProfileInput input : request.getInputs()) {
+ ProfileAttribute serialAttr = input.getAttribute("serial_num");
+ if (serialAttr != null) {
+ serialAttr.setValue(serial);
+ }
+ }
+ }
+
+ String subjectDN = cmd.getOptionValue("subject");
+
+ if (subjectDN == null) {
+ // if no subject DN provided, get from CSR
+ if (pkcs10 != null) {
+ subjectDN = pkcs10.getSubjectName().toLdapDNString();
+ }
+ }
+
+ if (subjectDN != null) {
+ DN dn = new DN(subjectDN);
+ Vector rdns = dn.getRDNs();
+
+ Map subjectAttributes = new HashMap<>();
+ for (int i=0; i< rdns.size(); i++) {
+ RDN rdn = (RDN)rdns.elementAt(i);
+ String type = rdn.getTypes()[0].toLowerCase();
+ String value = rdn.getValues()[0];
+ subjectAttributes.put(type, value);
+ }
+
+ ProfileInput sn = request.getInput("Subject Name");
+ if (sn != null) {
+ logger.info("Subject Name:");
+
+ for (ProfileAttribute attribute : sn.getAttributes()) {
+ String name = attribute.getName();
+ String value = null;
+
+ if (name.equals("subject")) {
+ // get the whole subject DN
+ value = subjectDN;
+
+ } else if (name.startsWith("sn_")) {
+ // get value from subject DN
+ value = subjectAttributes.get(name.substring(3));
+
+ } else {
+ // unknown attribute, ignore
+ logger.info("- " + name);
+ continue;
+ }
+
+ if (value == null) continue;
+
+ logger.info("- " + name + ": " + value);
+ attribute.setValue(value);
+ }
+ }
+ }
+
+ String enrollmentUsername = cmd.getOptionValue("username");
+ if (enrollmentUsername != null) {
+ request.setAttribute("uid", enrollmentUsername);
+ }
+
+ String passwordFile = cmd.getOptionValue("password-file");
+ if (passwordFile != null) {
+ String enrollmentPassword = Files.readString(Paths.get(passwordFile)).trim();
+ request.setAttribute("pwd", enrollmentPassword);
+
+ } else if (cmd.hasOption("password")) {
+ Console console = System.console();
+ String enrollmentPassword = new String(console.readPassword("Password: "));
+ request.setAttribute("pwd", enrollmentPassword);
+ }
+
+ String pinFile = cmd.getOptionValue("pin-file");
+ if (pinFile != null) {
+ String enrollmentPIN = Files.readString(Paths.get(pinFile)).trim();
+ request.setAttribute("pin", enrollmentPIN);
+
+ } else if (cmd.hasOption("pin")) {
+ Console console = System.console();
+ String enrollmentPIN = new String(console.readPassword("PIN: "));
+ request.setAttribute("pin", enrollmentPIN);
+ }
+
+ logger.info("Request:\n" + request);
+
+ String list = cmd.getOptionValue("dns-names");
+ logger.info("DNS names: " + list);
+
+ String[] dnsNames = null;
+ if (list != null) {
+ dnsNames = list.split(",");
+ }
+
+ String requestor = cmd.getOptionValue("requestor");
+ logger.info("Requestor: " + requestor);
+
+ String outputFormat = cmd.getOptionValue("output-format");
+ String outputFile = cmd.getOptionValue("output-file");
+
+ MainCLI mainCLI = (MainCLI) getRoot();
+ mainCLI.init();
+
+ CACertClient certClient = certCLI.getCertClient();
+
+ String installToken = cmd.getOptionValue("install-token");
+ String sessionID;
+
+ if (installToken != null) {
+ sessionID = new String(Files.readAllBytes(Paths.get(installToken)));
+ } else {
+ sessionID = cmd.getOptionValue("session");
+ }
+
+ byte[] bytes;
+ if (sessionID == null) {
+ bytes = issueCert(
+ certClient,
+ request,
+ aid,
+ adn,
+ outputFormat,
+ outputFile);
+
+ } else {
+ bytes = issueCert(
+ certClient,
+ requestType,
+ csr,
+ profileID,
+ subjectDN,
+ dnsNames,
+ requestor,
+ sessionID,
+ outputFormat,
+ outputFile);
+ }
+
+ if (outputFile != null) {
+ try (FileOutputStream out = new FileOutputStream(outputFile)) {
+ out.write(bytes);
+ }
+
+ } else {
+ System.out.write(bytes);
+ }
+ }
+}
diff --git a/base/tools/src/main/java/com/netscape/cmstools/ca/CACertRequestSubmitCLI.java b/base/tools/src/main/java/com/netscape/cmstools/ca/CACertRequestSubmitCLI.java
index 3255b5d7e91..1102cc2ef32 100644
--- a/base/tools/src/main/java/com/netscape/cmstools/ca/CACertRequestSubmitCLI.java
+++ b/base/tools/src/main/java/com/netscape/cmstools/ca/CACertRequestSubmitCLI.java
@@ -105,11 +105,11 @@ public void createOptions() {
 option.setArgName("requestor");
 options.addOption(option);
- option = new Option(null, "session", true, "Session ID");
+ option = new Option(null, "session", true, "DEPRECATED: Session ID");
 option.setArgName("ID");
 options.addOption(option);
- option = new Option(null, "install-token", true, "Install token");
+ option = new Option(null, "install-token", true, "DEPRECATED: Install token");
 option.setArgName("path");
 options.addOption(option);
@@ -337,12 +337,13 @@ public void execute(CommandLine cmd) throws Exception {
 CACertClient certClient = certRequestCLI.getCertClient();
 String installToken = cmd.getOptionValue("install-token");
- String sessionID;
+ String sessionID = cmd.getOptionValue("session");
 if (installToken != null) {
+ logger.warn("The --install-token option has been deprecated. Use pki ca-cert-issue instead.");
 sessionID = new String(Files.readAllBytes(Paths.get(installToken)));
 } else {
- sessionID = cmd.getOptionValue("session");
+ logger.warn("The --session option has been deprecated. Use pki ca-cert-issue instead.");
 }
 if (sessionID == null) {
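Review bot: In `execute`, the enrollment password and PIN are stored on the request (`request.setAttribute("pwd", enrollmentPassword);`, `request.setAttribute("pin", enrollmentPIN);`) and the whole object is then logged with `logger.info("Request:\n" + request);`, so if CertEnrollmentRequest's toString() serializes its attributes those credentials land in the info-level log; moving that log statement above the `--username`/`--password-file`/`--pin-file` handling, or logging a copy without the `pwd`/`pin` attributes, avoids it. The `--password` and `--pin` prompt branches dereference `System.console()` without a null check, so a non-interactive run fails with a NullPointerException instead of a usable error; `if (console == null) throw new CLIException("--password requires an interactive console");` before `readPassword` fixes that. Both `issueCert` overloads validate `--output-format` only after the CA has already issued (and, on the agent path, approved) the certificate, so a mistyped format throws `Unsupported format` and leaves an issued certificate that is never written out; checking the value at the top of `execute` (`if (outputFormat != null && !"PEM".equalsIgnoreCase(outputFormat) && !"DER".equalsIgnoreCase(outputFormat)) throw new CLIException("Unsupported format: " + outputFormat);`) keeps that failure client-side. The `--install-token` file is read with `new String(Files.readAllBytes(...))` and not trimmed, unlike the `--password-file` and `--pin-file` values, so a trailing newline in the token file would be sent as part of the session ID. The `outputFile` parameter of both overloads is unused in their bodies, since the write happens in `execute`, and could be dropped from the signatures.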
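Review bot: In the second hunk of CACertRequestSubmitCLI.java the `else` branch now logs `The --session option has been deprecated` whenever `--install-token` is absent, including the plain `ca-cert-request-submit --profile ... --csr-file ...` invocation that passes neither option and is the command's normal, non-deprecated use; the warning should be conditional on the option actually having been given, `} else if (sessionID != null) {`. The enclosing `execute` method begins and ends outside the hunk.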
diff --git a/tests/ansible/ocsp/tasks/certificate_self_validation_with_crl.yml b/tests/ansible/ocsp/tasks/certificate_self_validation_with_crl.yml
index a01d7d1eccc..72fddfcef61 100644
--- a/tests/ansible/ocsp/tasks/certificate_self_validation_with_crl.yml
+++ b/tests/ansible/ocsp/tasks/certificate_self_validation_with_crl.yml
@@ -214,105 +214,65 @@
 - name: Issue OCSP signing cert - submit
 community.docker.docker_container_exec:
 container: "{{ ca_container }}"
- command: pki ca-cert-request-submit --profile caOCSPCert --csr-file {{ shared_workspace }}/ocsp_signing.csr
- register:
- ca_command
-
-- name: Issue OCSP signing cert - approve
- community.docker.docker_container_exec:
- container: "{{ ca_container }}"
- command: "pki -n caadmin ca-cert-request-approve {{ ca_command.stdout | regex_search('Request ID: *(.*)', '\\1') | first }} --force"
- register:
- ca_command
-
-- name: Issue OCSP signing cert - export
- community.docker.docker_container_exec:
- container: "{{ ca_container }}"
- command: "pki ca-cert-export {{ ca_command.stdout | regex_search('Certificate ID: *(.*)', '\\1') | first }} --output-file {{ shared_workspace }}/ocsp_signing.crt"
+ command: >
+ pki
+ -n caadmin
+ ca-cert-issue
+ --profile caOCSPCert
+ --csr-file {{ shared_workspace }}/ocsp_signing.csr
+ --output-file {{ shared_workspace }}/ocsp_signing.crt
 register:
 ca_command
 - name: Issue subsystem cert - submit
 community.docker.docker_container_exec:
 container: "{{ ca_container }}"
- command: pki ca-cert-request-submit --profile caSubsystemCert --csr-file {{ shared_workspace }}/subsystem.csr
- register:
- ca_command
-
-- name: Issue subsystem cert - approve
- community.docker.docker_container_exec:
- container: "{{ ca_container }}"
- command: "pki -n caadmin ca-cert-request-approve {{ ca_command.stdout | regex_search('Request ID: *(.*)', '\\1') | first }} --force"
- register:
- ca_command
-
-- name: Issue subsystem cert - export
- community.docker.docker_container_exec:
- container: "{{ ca_container }}"
- command: "pki ca-cert-export {{ ca_command.stdout | regex_search('Certificate ID: *(.*)', '\\1') | first }} --output-file {{ shared_workspace }}/subsystem.crt"
+ command: >
+ pki
+ -n caadmin
+ ca-cert-issue
+ --profile caSubsystemCert
+ --csr-file {{ shared_workspace }}/subsystem.csr
+ --output-file {{ shared_workspace }}/subsystem.crt
 register:
 ca_command
 - name: Issue SSL server cert - submit
 community.docker.docker_container_exec:
 container: "{{ ca_container }}"
- command: pki ca-cert-request-submit --profile caServerCert --csr-file {{ shared_workspace }}/sslserver.csr
- register:
- ca_command
-
-- name: Issue SSL server cert - approve
- community.docker.docker_container_exec:
- container: "{{ ca_container }}"
- command: "pki -n caadmin ca-cert-request-approve {{ ca_command.stdout | regex_search('Request ID: *(.*)', '\\1') | first }} --force"
- register:
- ca_command
-
-- name: Issue SSL server cert - export
- community.docker.docker_container_exec:
- container: "{{ ca_container }}"
- command: "pki ca-cert-export {{ ca_command.stdout | regex_search('Certificate ID: *(.*)', '\\1') | first }} --output-file {{ shared_workspace }}/sslserver.crt"
+ command: >
+ pki
+ -n caadmin
+ ca-cert-issue
+ --profile caServerCert
+ --csr-file {{ shared_workspace }}/sslserver.csr
+ --output-file {{ shared_workspace }}/sslserver.crt
 register:
 ca_command
 - name: Issue OCSP audit signing cert - submit
 community.docker.docker_container_exec:
 container: "{{ ca_container }}"
- command: pki ca-cert-request-submit --profile caAuditSigningCert --csr-file {{ shared_workspace }}/ocsp_audit_signing.csr
- register:
- ca_command
-
-- name: Issue OCSP audit signing cert - approve
- community.docker.docker_container_exec:
- container: "{{ ca_container }}"
- command: "pki -n caadmin ca-cert-request-approve {{ ca_command.stdout | regex_search('Request ID: *(.*)', '\\1') | first }} --force"
- register:
- ca_command
-
-- name: Issue OCSP audit signing cert - export
- community.docker.docker_container_exec:
- container: "{{ ca_container }}"
- command: "pki ca-cert-export {{ ca_command.stdout | regex_search('Certificate ID: *(.*)', '\\1') | first }} --output-file {{ shared_workspace }}/ocsp_audit_signing.crt"
+ command: >
+ pki
+ -n caadmin
+ ca-cert-issue
+ --profile caAuditSigningCert
+ --csr-file {{ shared_workspace }}/ocsp_audit_signing.csr
+ --output-file {{ shared_workspace }}/ocsp_audit_signing.crt
 register:
 ca_command
 - name: Issue OCSP admin cert - submit
 community.docker.docker_container_exec:
 container: "{{ ca_container }}"
- command: pki ca-cert-request-submit --profile AdminCert --csr-file {{ shared_workspace }}/ocsp_admin.csr
- register:
- ca_command
-
-- name: Issue OCSP admin cert - approve
- community.docker.docker_container_exec:
- container: "{{ ca_container }}"
- command: "pki -n caadmin ca-cert-request-approve {{ ca_command.stdout | regex_search('Request ID: *(.*)', '\\1') | first }} --force"
- register:
- ca_command
-
-- name: Issue OCSP admin cert - export
- community.docker.docker_container_exec:
- container: "{{ ca_container }}"
- command: "pki ca-cert-export {{ ca_command.stdout | regex_search('Certificate ID: *(.*)', '\\1') | first }} --output-file {{ shared_workspace }}/ocsp_admin.crt"
+ command: >
+ pki
+ -n caadmin
+ ca-cert-issue
+ --profile AdminCert
+ --csr-file {{ shared_workspace }}/ocsp_admin.csr
+ --output-file {{ shared_workspace }}/ocsp_admin.crt
 register:
 ca_command
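Review bot: The five retained task names still carry the `- submit` suffix from the old three-task flow (`- name: Issue OCSP signing cert - submit` and the four that follow) even though each task now submits, approves and exports the certificate in a single `ca-cert-issue` call, so the play output describes a step that no longer exists; renaming them to e.g. `- name: Issue OCSP signing cert` keeps the log accurate. The `register: ca_command` kept under each task was only needed to feed the removed approve/export tasks their regex_search input; within this hunk nothing reads it any more, so it can probably go too, unless a consumer outside the hunk uses it.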
@@ -460,23 +420,12 @@
 command: "{{ item }}"
 loop:
 - pki nss-cert-request --subject "CN={{ ocspds_hostname }}" --ext /usr/share/pki/server/certs/sslserver.conf --subjectAltName "critical, DNS:{{ ocspds_hostname }}" --csr {{ shared_workspace }}/ocspds.csr
- - pki ca-cert-request-submit --profile caServerCert --csr-file {{ shared_workspace }}/ocspds.csr
- register:
- ca_command
-
-- name: Approve CSR request
- community.docker.docker_container_exec:
- container: "{{ ca_container }}"
- command: "pki -n caadmin ca-cert-request-approve {{ ca_command.results[-1].stdout | regex_search('Request ID: *(.*)', '\\1') | first }} --force"
- register:
- ca_command
-
-- name: Issue OCSP admin cert - export
- community.docker.docker_container_exec:
- container: "{{ ca_container }}"
- command: "{{ item }}"
- loop:
- - "pki ca-cert-export {{ ca_command.stdout | regex_search('Certificate ID: *(.*)', '\\1') | first }} --output-file {{ shared_workspace }}/ocspds.crt"
+ - pki \
+ -n caadmin \
+ ca-cert-issue \
+ --profile caServerCert \
+ --csr-file {{ shared_workspace }}/ocspds.csr
+ --output-file {{ shared_workspace }}/ocspds.crt
 - "certutil -d /root/.dogtag/nssdb -A -n ocspds -t ',,' -i {{ shared_workspace }}/ocspds.crt"
 - pk12util -d /root/.dogtag/nssdb -o {{ shared_workspace }}/ocspds.p12 -n ocspds -W {{ ocspds_password }}
 register:
diff --git a/tests/ca/bin/sslserver-create.sh b/tests/ca/bin/sslserver-create.sh
index 4a43febfdc8..b22bdfa020a 100755
--- a/tests/ca/bin/sslserver-create.sh
+++ b/tests/ca/bin/sslserver-create.sh
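Review bot: The new loop item is a multi-line plain YAML scalar written with shell-style `\` continuations (`- pki \`, `-n caadmin \`, `ca-cert-issue \`, `--profile caServerCert \`), but YAML folds a plain scalar into one line and keeps the backslashes as literal characters, so the string handed to `docker_container_exec` contains stray `\` tokens; that the `--csr-file` line has no backslash while the others do suggests they are a leftover from the workflow version of the command. The earlier tasks in this same file already use the command without backslashes under a `>` folded scalar, and the other items in this loop are single-line, so the consistent fix is a one-line item: `- pki -n caadmin ca-cert-issue --profile caServerCert --csr-file {{ shared_workspace }}/ocspds.csr --output-file {{ shared_workspace }}/ocspds.crt`. How the module splits the command string is not visible here, so whether the literal backslashes merely pass through as bogus arguments or break quoting cannot be confirmed from the hunk.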
@@ -9,17 +9,11 @@ pki nss-cert-request \
 --ext /usr/share/pki/server/certs/sslserver.conf \
 --csr sslserver.csr
-pki ca-cert-request-submit --profile caServerCert --csr-file sslserver.csr | tee /tmp/output
-
-sed -n "s/^\s*Request ID:\s*\(\S*\)$/\1/p" /tmp/output > /tmp/request_id
-REQUEST_ID=$(cat /tmp/request_id)
-
-# approve the cert request and capture the cert ID
-pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee /tmp/output
-
-sed -n "s/^\s*Certificate ID:\s*\(\S*\)$/\1/p" /tmp/output > /tmp/cert_id
-CERT_ID=$(cat /tmp/cert_id)
-
-pki ca-cert-export $CERT_ID --output-file sslserver.crt
+pki \
+ -n caadmin \
+ ca-cert-issue \
+ --profile caServerCert \
+ --csr-file sslserver.csr \
+ --output-file sslserver.crt
 pki nss-cert-import sslserver --cert sslserver.crt