diff --git a/tests/external-signed-ca-with-automatic-copy/external-ca.sh b/tests/external-signed-ca-with-automatic-copy/external-ca.sh
index bf4cb69601992178564abe65a918c97e8e9f09a8..9bf6f1cca5ef9ff1ac7bc20634f23cb64df73d54 100644
--- a/tests/external-signed-ca-with-automatic-copy/external-ca.sh
+++ b/tests/external-signed-ca-with-automatic-copy/external-ca.sh
@@ -11,7 +11,7 @@ fi
 PASSWORD="SomeCApassword"
 DBDIR="${master}-nssdb"
 PWDFILE="$DBDIR/pwdfile.txt"
-NOISE="/etc/passwd"
+NOISE="$DBDIR/noise.txt"
 
 domain=$2
 if [ -z "$domain" ]; then
@@ -29,21 +29,31 @@ fi
 ROOT_KEY_ID=0x$(dd if=/dev/urandom bs=20 count=1 | xxd -p)
 IPA_CA_KEY_ID=0x$(dd if=/dev/urandom bs=20 count=1 | xxd -p)
 
+# Prepare a new NSS database to serve us as an external CA
 rm -rf "$DBDIR"
 mkdir "$DBDIR"
 echo "$PASSWORD" > "$PWDFILE"
+dd count=10 bs=1024 if=/dev/random of="$NOISE" 2>/dev/null
 certutil -N -d "$DBDIR" -f "$PWDFILE"
+
+# Generate a CA certificate
 echo -e "0\n1\n5\n6\n9\ny\ny\n\ny\n${ROOT_KEY_ID}\nn\n" \
  | certutil -d "$DBDIR" -f "$PWDFILE" -S -z "$NOISE" -n ca -x -t C,C,C \
- -s "CN=PRIMARY,O=$domain" -x -1 -2 --extSKID
+ -s "CN=PRIMARY,O=$domain" -x -1 -2 --extSKID -m 1
 
+# Change the form of the CSR from PEM to DER for the NSS database
 openssl req -outform der -in "${master}-ipa.csr" -out "$DBDIR/req.csr"
+
+# Sign the certificate request
 echo -e "0\n1\n5\n6\n9\ny\ny\n\ny\ny\n${ROOT_KEY_ID}\n\n\nn\n${IPA_CA_KEY_ID}\nn\n" \
  | certutil -d "$DBDIR" -f "$PWDFILE" -C -z "$NOISE" -c ca \
- -i "$DBDIR/req.csr" -o "$DBDIR/external.cer" -1 -2 -3 --extSKID
+ -i "$DBDIR/req.csr" -o "$DBDIR/external.cer" -1 -2 -3 --extSKID -m 2
 
 openssl x509 -inform der -in "$DBDIR/external.cer" -out "$DBDIR/external.pem"
+
+# Export the NSS CA certificate and add it to a chain file
 certutil -L -n ca -d "$DBDIR" -a > "$DBDIR/ca.crt"
-cat "$DBDIR/external.pem" "$DBDIR/ca.crt" > "$DBDIR/chain.crt"
+openssl x509 -text -in "$DBDIR/external.pem" > "$DBDIR/chain.crt"
+openssl x509 -text -in "$DBDIR/ca.crt" >> "$DBDIR/chain.crt"
 
 cp "$DBDIR/chain.crt" "${master}-chain.crt"
diff --git a/tests/external-signed-ca-with-manual-copy/external-ca.sh b/tests/external-signed-ca-with-manual-copy/external-ca.sh
deleted file mode 100644
index bf4cb69601992178564abe65a918c97e8e9f09a8..0000000000000000000000000000000000000000
--- a/tests/external-signed-ca-with-manual-copy/external-ca.sh
+++ /dev/null
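Review bot: The new `dd count=10 bs=1024 if=/dev/random of="$NOISE" 2>/dev/null` line can leave the noise file short or empty without anyone noticing: dd without GNU `iflag=fullblock` counts every short read() as a full block, `/dev/random` may block or return short reads on older kernels, and the `2>/dev/null` combined with the absence of any exit-status check or `set -e` (none is visible in these hunks, and the deleted copy of the script below has none) means a failure is silent before `certutil -S -z "$NOISE"` consumes the file. Since the two key IDs at the top of the hunk are already drawn from `/dev/urandom`, the same source is adequate here and does not block, e.g. `dd if=/dev/urandom of="$NOISE" bs=1024 count=10 iflag=fullblock || { echo "ERROR: cannot create $NOISE" >&2; exit 1; }` (the `iflag` is GNU-specific, which the rest of the script's tooling already assumes). Separately, the fixed serials `-m 1` and `-m 2` are reused on every run while `certutil -S` mints a fresh key each time, so every generated CA carries the same issuer name and serial; that is presumably fine for a throwaway test database, but a comment such as `# Serial numbers are fixed: this CA database is rebuilt from scratch on every run` would stop a reader from treating the pair as unique.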
@@ -1,49 +0,0 @@
-#!/bin/bash
-
-master=$1
-if [ -z "$master" ]; then
- echo "ERROR: master is not set"
- echo
- echo "usage: $0 master-fqdn domain"
- exit 0;
-fi
-
-PASSWORD="SomeCApassword"
-DBDIR="${master}-nssdb"
-PWDFILE="$DBDIR/pwdfile.txt"
-NOISE="/etc/passwd"
-
-domain=$2
-if [ -z "$domain" ]; then
- echo "ERROR: domain is not set"
- echo
- echo "usage: $0 master-fqdn domain"
- exit 0;
-fi
-
-if [ ! -f "${master}-ipa.csr" ]; then
- echo "ERROR: ${master}-ipa.csr missing"
- exit 1;
-fi
-
-ROOT_KEY_ID=0x$(dd if=/dev/urandom bs=20 count=1 | xxd -p)
-IPA_CA_KEY_ID=0x$(dd if=/dev/urandom bs=20 count=1 | xxd -p)
-
-rm -rf "$DBDIR"
-mkdir "$DBDIR"
-echo "$PASSWORD" > "$PWDFILE"
-certutil -N -d "$DBDIR" -f "$PWDFILE"
-echo -e "0\n1\n5\n6\n9\ny\ny\n\ny\n${ROOT_KEY_ID}\nn\n" \
- | certutil -d "$DBDIR" -f "$PWDFILE" -S -z "$NOISE" -n ca -x -t C,C,C \
- -s "CN=PRIMARY,O=$domain" -x -1 -2 --extSKID
-
-openssl req -outform der -in "${master}-ipa.csr" -out "$DBDIR/req.csr"
-echo -e "0\n1\n5\n6\n9\ny\ny\n\ny\ny\n${ROOT_KEY_ID}\n\n\nn\n${IPA_CA_KEY_ID}\nn\n" \
- | certutil -d "$DBDIR" -f "$PWDFILE" -C -z "$NOISE" -c ca \
- -i "$DBDIR/req.csr" -o "$DBDIR/external.cer" -1 -2 -3 --extSKID
-
-openssl x509 -inform der -in "$DBDIR/external.cer" -out "$DBDIR/external.pem"
-certutil -L -n ca -d "$DBDIR" -a > "$DBDIR/ca.crt"
-cat "$DBDIR/external.pem" "$DBDIR/ca.crt" > "$DBDIR/chain.crt"
-
-cp "$DBDIR/chain.crt" "${master}-chain.crt"
diff --git a/tests/external-signed-ca-with-manual-copy/external-ca.sh b/tests/external-signed-ca-with-manual-copy/external-ca.sh
new file mode 120000
index 0000000000000000000000000000000000000000..de59ac8e147128d4ed907a6f81e9cf748d6bbd70
--- /dev/null
+++ b/tests/external-signed-ca-with-manual-copy/external-ca.sh
@@ -0,0 +1 @@
+../external-signed-ca-with-automatic-copy/external-ca.sh
\ No newline at end of file