
Commit 97dfad4

committed
Add test for CA migration to container
A new test has been added to migrate CA from a regular PKI server (i.e. pki-tomcatd) into a Podman container running as systemd service. The container will use PKI server's existing config and log folders. The container startup scripts have been modified to use the standard CSR filenames for OCSP signing and audit signing certs so that the container can find the existing CSRs in the migrated config folder. The default nicknames have also been updated for consistency.
1 parent 1dde79c commit 97dfad4

10 files changed

+421
-79
lines changed

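--- a/.github/workflows/ca-container-basic-test.yml
+++ b/.github/workflows/ca-container-basic-test.yml
@@ -208,23 +208,23 @@ jobs:
 - name: Import CA OCSP signing cert into CA database
 run: |
 docker exec ca pki-server cert-export \
---cert-file /conf/certs/ocsp_signing.crt \
+--cert-file /conf/certs/ca_ocsp_signing.crt \
 ca_ocsp_signing
 
 docker exec ca pki-server ca-cert-import \
---cert /conf/certs/ocsp_signing.crt \
---csr /conf/certs/ocsp_signing.csr \
+--cert /conf/certs/ca_ocsp_signing.crt \
+--csr /conf/certs/ca_ocsp_signing.csr \
 --profile /usr/share/pki/ca/conf/caOCSPCert.profile
 
 - name: Import CA audit signing cert into CA database
 run: |
 docker exec ca pki-server cert-export \
---cert-file /conf/certs/audit_signing.crt \
+--cert-file /conf/certs/ca_audit_signing.crt \
 ca_audit_signing
 
 docker exec ca pki-server ca-cert-import \
---cert /conf/certs/audit_signing.crt \
---csr /conf/certs/audit_signing.csr \
+--cert /conf/certs/ca_audit_signing.crt \
+--csr /conf/certs/ca_audit_signing.csr \
 --profile /usr/share/pki/ca/conf/caAuditSigningCert.profile
 
 - name: Import subsystem cert into CA database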

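--- a/.github/workflows/ca-container-existing-certs-test.yml
+++ b/.github/workflows/ca-container-existing-certs-test.yml
@@ -78,42 +78,42 @@ jobs:
 nss-cert-request \
 --subject "CN=OCSP Signing Certificate" \
 --ext /usr/share/pki/server/certs/ocsp_signing.conf \
---csr $SHARED/certs/ocsp_signing.csr
+--csr $SHARED/certs/ca_ocsp_signing.csr
 docker exec client pki \
 nss-cert-issue \
 --issuer ca_signing \
---csr $SHARED/certs/ocsp_signing.csr \
+--csr $SHARED/certs/ca_ocsp_signing.csr \
 --ext /usr/share/pki/server/certs/ocsp_signing.conf \
---cert $SHARED/certs/ocsp_signing.crt
+--cert $SHARED/certs/ca_ocsp_signing.crt
 docker exec client pki \
 nss-cert-import \
---cert $SHARED/certs/ocsp_signing.crt \
-ocsp_signing
+--cert $SHARED/certs/ca_ocsp_signing.crt \
+ca_ocsp_signing
 docker exec client pki \
 nss-cert-show \
-ocsp_signing
+ca_ocsp_signing
 
 - name: Create audit signing cert
 run: |
 docker exec client pki \
 nss-cert-request \
 --subject "CN=Audit Signing Certificate" \
 --ext /usr/share/pki/server/certs/audit_signing.conf \
---csr $SHARED/certs/audit_signing.csr
+--csr $SHARED/certs/ca_audit_signing.csr
 docker exec client pki \
 nss-cert-issue \
 --issuer ca_signing \
---csr $SHARED/certs/audit_signing.csr \
+--csr $SHARED/certs/ca_audit_signing.csr \
 --ext /usr/share/pki/server/certs/audit_signing.conf \
---cert $SHARED/certs/audit_signing.crt
+--cert $SHARED/certs/ca_audit_signing.crt
 docker exec client pki \
 nss-cert-import \
---cert $SHARED/certs/audit_signing.crt \
+--cert $SHARED/certs/ca_audit_signing.crt \
 --trust ,,P \
-audit_signing
+ca_audit_signing
 docker exec client pki \
 nss-cert-show \
-audit_signing
+ca_audit_signing
 
 - name: Create subsystem cert
 run: |
@@ -184,8 +184,8 @@ jobs:
 --pkcs12 $SHARED/certs/server.p12 \
 --password Secret.123 \
 ca_signing \
-ocsp_signing \
-audit_signing \
+ca_ocsp_signing \
+ca_audit_signing \
 subsystem \
 sslserver
 
@@ -368,15 +368,15 @@ jobs:
 - name: Import CA OCSP signing cert into CA database
 run: |
 docker exec ca pki-server ca-cert-import \
---cert /certs/ocsp_signing.crt \
---csr /certs/ocsp_signing.csr \
+--cert /certs/ca_ocsp_signing.crt \
+--csr /certs/ca_ocsp_signing.csr \
 --profile /usr/share/pki/ca/conf/caOCSPCert.profile
 
 - name: Import CA audit signing cert into CA database
 run: |
 docker exec ca pki-server ca-cert-import \
---cert /certs/audit_signing.crt \
---csr /certs/audit_signing.csr \
+--cert /certs/ca_audit_signing.crt \
+--csr /certs/ca_audit_signing.csr \
 --profile /usr/share/pki/ca/conf/caAuditSigningCert.profile
 
 - name: Import subsystem cert into CA database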

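--- a/.github/workflows/ca-container-existing-config-test.yml
+++ b/.github/workflows/ca-container-existing-config-test.yml
@@ -129,7 +129,7 @@ jobs:
 $SHARED/certs/ca_signing.csr
 docker exec pki cp \
 /var/lib/pki/pki-tomcat/conf/certs/ca_ocsp_signing.csr \
-$SHARED/certs/ocsp_signing.csr
+$SHARED/certs/ca_ocsp_signing.csr
 docker exec pki cp \
 /var/lib/pki/pki-tomcat/conf/certs/ca_audit_signing.csr \
 $SHARED/certs/audit_signing.csr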
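Review bot: The audit signing CSR on the last line of this hunk is still copied to `$SHARED/certs/audit_signing.csr`, while the OCSP copy just above it was renamed to `ca_ocsp_signing.csr`. The commit description says the container startup scripts now look for the standard CSR filenames; those scripts are not visible here, but if they expect `ca_audit_signing.csr` the container would not find the existing audit CSR in this test. The destination should probably be `$SHARED/certs/ca_audit_signing.csr`. The step begins and continues outside the hunk, so any later reference to `audit_signing.csr` in this workflow would need the same rename.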
