Skip importing certs and requests when pki_ds_setup=False

If pki_ds_setup is set to False pkispawn should not modify the
DS during installation, so the PKIDeployer.setup_system_cert()
has been modified to skip importing the certs and the requests
into CA database in that scenario. With this change the certs
and the requests need to be imported separately.

The CA installation test with existing DS has been modified to
import the certs and the requests into CA database before
calling pkispawn.

https://github.com/dogtagpki/pki/wiki/Installing-CA-with-Existing-DS-Database

.github/workflows/ca-existing-ds-test.yml

@@ -160,9 +160,17 @@ jobs:
               --maxConns 15 \
               --minConns 3
 
-          # configure user/group subsystem to use DS
+          # configure CA user/group subsystem
           docker exec pki pki-server ca-config-set usrgrp.ldap internaldb
 
+          # configure CA database subsystem
+          docker exec pki pki-server ca-config-set dbs.ldap internaldb
+          docker exec pki pki-server ca-config-set dbs.newSchemaEntryAdded true
+          docker exec pki pki-server ca-config-set dbs.requestDN ou=ca,ou=requests
+          docker exec pki pki-server ca-config-set dbs.request.id.generator random
+          docker exec pki pki-server ca-config-set dbs.serialDN ou=certificateRepository,ou=ca
+          docker exec pki pki-server ca-config-set dbs.cert.id.generator random
+
       - name: Check connection to CA database
         run: |
           docker exec pki pki-server ca-db-info
@@ -188,6 +196,78 @@ jobs:
         run: |
           docker exec pki pki-server ca-db-vlv-reindex -v
 
+      - name: Import CA signing cert into CA database
+        run: |
+          docker exec pki pki-server ca-cert-request-import \
+              --csr /etc/pki/pki-tomcat/certs/ca_signing.csr \
+              --profile /usr/share/pki/ca/conf/caCert.profile | tee output
+          REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output)
+
+          docker exec pki pki-server ca-cert-import \
+              --cert /etc/pki/pki-tomcat/certs/ca_signing.crt \
+              --profile /usr/share/pki/ca/conf/caCert.profile \
+              --request $REQUEST_ID
+
+      - name: Import CA OCSP signing cert into CA database
+        run: |
+          docker exec pki pki-server ca-cert-request-import \
+              --csr /etc/pki/pki-tomcat/certs/ca_ocsp_signing.csr \
+              --profile /usr/share/pki/ca/conf/caOCSPCert.profile | tee output
+          REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output)
+
+          docker exec pki pki-server ca-cert-import \
+              --cert /etc/pki/pki-tomcat/certs/ca_ocsp_signing.crt \
+              --profile /usr/share/pki/ca/conf/caOCSPCert.profile \
+              --request $REQUEST_ID
+
+      - name: Import CA audit signing cert into CA database
+        run: |
+          docker exec pki pki-server ca-cert-request-import \
+              --csr /etc/pki/pki-tomcat/certs/ca_audit_signing.csr \
+              --profile /usr/share/pki/ca/conf/caAuditSigningCert.profile | tee output
+          REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output)
+
+          docker exec pki pki-server ca-cert-import \
+              --cert /etc/pki/pki-tomcat/certs/ca_audit_signing.crt \
+              --profile /usr/share/pki/ca/conf/caAuditSigningCert.profile \
+              --request $REQUEST_ID
+
+      - name: Import subsystem cert into CA database
+        run: |
+          docker exec pki pki-server ca-cert-request-import \
+              --csr /etc/pki/pki-tomcat/certs/subsystem.csr \
+              --profile /usr/share/pki/ca/conf/rsaSubsystemCert.profile | tee output
+          REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output)
+
+          docker exec pki pki-server ca-cert-import \
+              --cert /etc/pki/pki-tomcat/certs/subsystem.crt \
+              --profile /usr/share/pki/ca/conf/rsaSubsystemCert.profile \
+              --request $REQUEST_ID
+
+      - name: Import SSL server cert into CA database
+        run: |
+          docker exec pki pki-server ca-cert-request-import \
+              --csr /etc/pki/pki-tomcat/certs/sslserver.csr \
+              --profile /usr/share/pki/ca/conf/rsaServerCert.profile | tee output
+          REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output)
+
+          docker exec pki pki-server ca-cert-import \
+              --cert /etc/pki/pki-tomcat/certs/sslserver.crt \
+              --profile /usr/share/pki/ca/conf/rsaServerCert.profile \
+              --request $REQUEST_ID
+
+      - name: Import admin cert into CA database
+        run: |
+          docker exec pki pki-server ca-cert-request-import \
+              --csr admin.csr \
+              --profile /usr/share/pki/ca/conf/rsaAdminCert.profile | tee output
+          REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output)
+
+          docker exec pki pki-server ca-cert-import \
+              --cert admin.crt \
+              --profile /usr/share/pki/ca/conf/rsaAdminCert.profile \
+              --request $REQUEST_ID
+
       # https://github.com/dogtagpki/pki/wiki/Setting-up-CA-Database-User
       - name: Add database user
         run: |
@@ -365,6 +445,4 @@ jobs:
         uses: actions/upload-artifact@v3
         with:
           name: ca-existing-ds
-          path: |
-            /tmp/artifacts/ds
-            /tmp/artifacts/pki
+          path: /tmp/artifacts

base/server/python/pki/server/deployment/__init__.py

@@ -3289,7 +3289,8 @@ def setup_system_cert(self, nssdb, subsystem, tag, system_cert, request):
             # might conflict with system certificates to be created later.
             # Also create the certificate request record for renewals.
 
-            if config.str2bool(self.mdict['pki_import_system_certs']):
+            if config.str2bool(self.mdict['pki_import_system_certs']) and \
+                    config.str2bool(self.mdict['pki_ds_setup']):
                 self.import_cert_request(subsystem, tag, request)
                 self.import_cert(subsystem, tag, request, system_cert['data'])
 
@@ -3382,8 +3383,9 @@ def setup_system_cert(self, nssdb, subsystem, tag, system_cert, request):
 
         # selfsign or local
 
-        # import request into CA database and get a request ID
-        self.import_cert_request(subsystem, tag, request)
+        if config.str2bool(self.mdict['pki_ds_setup']):
+            # import request into CA database and get a request ID
+            self.import_cert_request(subsystem, tag, request)
 
         if cert_info:
             logger.info('Reusing %s cert in NSS database', tag)
@@ -3402,8 +3404,9 @@ def setup_system_cert(self, nssdb, subsystem, tag, system_cert, request):
                 cert_format='base64',
                 token=request.systemCert.token)
 
-        # import cert into CA database
-        self.import_cert(subsystem, tag, request, system_cert['data'])
+        if config.str2bool(self.mdict['pki_ds_setup']):
+            # import cert into CA database
+            self.import_cert(subsystem, tag, request, system_cert['data'])
 
     def setup_system_certs(self, nssdb, subsystem):
 
@@ -3759,10 +3762,13 @@ def create_admin_cert(self, subsystem, csr):
         request.systemCert.keyAlgorithm = self.get_signing_algorithm(subsystem, profile)
         logger.info('Signing algorithm: %s', request.systemCert.keyAlgorithm)
 
-        self.import_cert_request(subsystem, 'admin', request)
+        if config.str2bool(self.mdict['pki_ds_setup']):
+            self.import_cert_request(subsystem, 'admin', request)
 
         cert_data = self.create_cert(subsystem, 'admin', request)
-        self.import_cert(subsystem, 'admin', request, cert_data)
+
+        if config.str2bool(self.mdict['pki_ds_setup']):
+            self.import_cert(subsystem, 'admin', request, cert_data)
 
         cert_pem = pki.nssdb.convert_cert(cert_data, 'base64', 'pem')
         cert_obj = x509.load_pem_x509_certificate(cert_pem.encode(), backend=default_backend())