diff --git a/tests/ca-less/certificates/extensions.conf b/tests/ca-less/certificates/extensions.conf
new file mode 100644
index 0000000000000000000000000000000000000000..9879fed4e849c667f4f46d76c37476a9408f0a13
--- /dev/null
+++ b/tests/ca-less/certificates/extensions.conf
@@ -0,0 +1,7 @@
+basicConstraints = CA:FALSE
+keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
+authorityKeyIdentifier = keyid,issuer
+subjectAltName = @alt_names
+
+[alt_names]
+DNS.1 = ${ENV::HOST_FQDN}
diff --git a/tests/ca-less/certificates/pkinit-extensions.conf b/tests/ca-less/certificates/pkinit-extensions.conf
new file mode 100644
index 0000000000000000000000000000000000000000..118252e8618a0477e649b2ecbaa43f90a03009e9
--- /dev/null
+++ b/tests/ca-less/certificates/pkinit-extensions.conf
@@ -0,0 +1,19 @@
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation,digitalSignature,keyEncipherment,keyAgreement
+extendedKeyUsage = 1.3.6.1.5.2.3.5
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+issuerAltName = issuer:copy
+subjectAltName = otherName:1.3.6.1.5.2.2;SEQUENCE:kdc_princ_name
+
+[kdc_princ_name]
+realm = EXP:0,GeneralString:${ENV::REALM_NAME}
+principal_name = EXP:1,SEQUENCE:kdc_principal_seq
+
+[kdc_principal_seq]
+name_type = EXP:0,INTEGER:1
+name_string = EXP:1,SEQUENCE:kdc_principals
+
+[kdc_principals]
+princ1 = GeneralString:krbtgt
+princ2 = GeneralString:${ENV::REALM_NAME}
diff --git a/tests/ca-less/certificates/pkinit/extensions.conf b/tests/ca-less/certificates/pkinit/extensions.conf
deleted file mode 100644
index cbff73bef1ed6cf35caf01ec8347627155983b27..0000000000000000000000000000000000000000
--- a/tests/ca-less/certificates/pkinit/extensions.conf
+++ /dev/null
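Review bot: Neither new extension file documents the environment variables it dereferences — `${ENV::HOST_FQDN}` in extensions.conf and `${ENV::REALM_NAME}` in pkinit-extensions.conf — and OpenSSL refuses to load a config whose `${ENV::…}` variable is unset, so a reader of the file alone cannot tell that generate-certificates.sh has to export them before the `openssl x509 -extfile` call. I would add a one-line header to each, e.g. `# Used via 'openssl x509 -extfile'; requires HOST_FQDN (the leaf's DNS SAN) to be exported by generate-certificates.sh` in extensions.conf and the analogous `REALM_NAME` note in pkinit-extensions.conf. Separately, extensions.conf carries `authorityKeyIdentifier = keyid,issuer` but omits the `subjectKeyIdentifier = hash` line that pkinit-extensions.conf has; adding it keeps the two leaf profiles consistent and gives the dirsrv/httpd certificates a key identifier of their own.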
@@ -1,20 +0,0 @@
-[kdc_cert]
-basicConstraints=CA:FALSE
-keyUsage=nonRepudiation,digitalSignature,keyEncipherment,keyAgreement
-extendedKeyUsage=1.3.6.1.5.2.3.5
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid,issuer
-issuerAltName=issuer:copy
-subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:kdc_princ_name
-
-[kdc_princ_name]
-realm=EXP:0,GeneralString:${ENV::REALM}
-principal_name=EXP:1,SEQUENCE:kdc_principal_seq
-
-[kdc_principal_seq]
-name_type=EXP:0,INTEGER:1
-name_string=EXP:1,SEQUENCE:kdc_principals
-
-[kdc_principals]
-princ1=GeneralString:krbtgt
-princ2=GeneralString:${ENV::REALM}
diff --git a/tests/ca-less/clean_up_certificates.yml b/tests/ca-less/clean_up_certificates.yml
index 2f499dc5f479c6dd3d1542fe57af46f99d6d3bde..99e83d483a427c3915e526113286fb1122f537f0 100644
--- a/tests/ca-less/clean_up_certificates.yml
+++ b/tests/ca-less/clean_up_certificates.yml
@@ -7,9 +7,6 @@
 - name: Run generate-certificates.sh
 ansible.builtin.command: >
 /bin/bash
- generate-certificates.sh delete "{{ item }}"
+ generate-certificates.sh cleanup
 args:
 chdir: "{{ playbook_dir }}"
- with_items:
- - "{{ groups.ipaserver[0] }}"
- - "{{ groups.ipareplicas[0] }}"
diff --git a/tests/ca-less/generate-certificates.sh b/tests/ca-less/generate-certificates.sh
index c366e87d9e74dca89091cb32fcca76f427a820d7..c75be116c44601c02df72434d0a8746a57d14366 100755
--- a/tests/ca-less/generate-certificates.sh
+++ b/tests/ca-less/generate-certificates.sh
@@ -1,153 +1,177 @@ #!/usr/bin/env bash -ROOT_CA_DIR="certificates/root-ca" -DIRSRV_CERTS_DIR="certificates/dirsrv" -HTTPD_CERTS_DIR="certificates/httpd" -PKINIT_CERTS_DIR="certificates/pkinit" +CERTIFICATES="certificates" +ROOT_CA_DIR="${CERTIFICATES}/root-ca" +DIRSRV_CERTS_DIR="${CERTIFICATES}/dirsrv" +HTTPD_CERTS_DIR="${CERTIFICATES}/httpd" +PKINIT_CERTS_DIR="${CERTIFICATES}/pkinit" +EXTENSIONS_CONF="${CERTIFICATES}/extensions.conf" +PKINIT_EXTENSIONS_CONF="${CERTIFICATES}/pkinit-extensions.conf" PKCS12_PASSWORD="SomePKCS12password" -# generate_ipa_pkcs12_certificate \ -# $cert_name $ipa_fqdn $certs_dir $root_ca_cert $root_ca_private_key extensions_file extensions_name -function generate_ipa_pkcs12_certificate { +# create_ca \ +# $domain_name +function create_ca { - cert_name=$1 - ipa_fqdn=$2 - certs_dir=$3 - root_ca_cert=$4 - root_ca_private_key=$5 - extensions_file=$6 - extensions_name=$7 - - # Generate CSR and private key - openssl req -new -newkey rsa:4096 -nodes \ - -subj "/C=US/ST=Test/L=Testing/O=Default/CN=${ipa_fqdn}" \ - -keyout "${certs_dir}/private.key" \ - -out "${certs_dir}/request.csr" - - # Sign CSR to generate PEM certificate - if [ -z "${extensions_file}" ]; then - openssl x509 -req -days 365 -sha256 \ - -CAcreateserial \ - -CA "${root_ca_cert}" \ - -CAkey "${root_ca_private_key}" \ - -in "${certs_dir}/request.csr" \ - -out "${certs_dir}/cert.pem" - else - openssl x509 -req -days 365 -sha256 \ - -CAcreateserial \ - -CA "${ROOT_CA_DIR}/cert.pem" \ - -CAkey "${ROOT_CA_DIR}/private.key" \ - -extfile "${extensions_file}" \ - -extensions "${extensions_name}" \ - -in "${certs_dir}/request.csr" \ - -out "${certs_dir}/cert.pem" + domain_name=$1 + if [ -z "${domain_name}" ]; then + echo "ERROR: domain is not set" + echo + echo "usage: $0 ca <domain>" + exit 0; fi + realm=${domain_name^^} + + export REALM_NAME=${realm} + + # Create certificates folder structure + mkdir -p "${ROOT_CA_DIR}" + + # Create root CA + if [ ! 
-f "${ROOT_CA_DIR}/private.key" ]; then + # create aes encrypted private key + openssl genrsa -out "${ROOT_CA_DIR}/private.key" 4096 + + # create certificate, 1826 days = 5 years + openssl req -x509 -new -nodes -sha256 -days 1826 \ + -subj "/C=US/ST=Test/L=Testing/O=Default/CN=Test Root CA" \ + -key "${ROOT_CA_DIR}/private.key" \ + -out "${ROOT_CA_DIR}/cert.pem" + fi +} + +# create_host_pkcs12_certificate \ +# $cert_name $certs_dir $root_ca_cert $extensions_file +function create_host_pkcs12_certificate { + + cert_name=$1 + certs_dir=$2 + root_ca_cert=$3 + extensions_file=$4 + + # Create CSR and private key + openssl req -new -nodes -newkey rsa:4096 \ + -subj "/C=US/ST=Test/L=Testing/O=Default/CN=${cert_name}" \ + -keyout "${certs_dir}/private.key" \ + -out "${certs_dir}/request.csr" + + # Sign CSR to create PEM certificate + openssl x509 -req -days 1460 -sha256 -CAcreateserial \ + -CAkey "${ROOT_CA_DIR}/private.key" \ + -CA "${root_ca_cert}" \ + -in "${certs_dir}/request.csr" \ + -out "${certs_dir}/cert.pem" \ + -extfile "${extensions_file}" # Convert certificate to PKCS12 format openssl pkcs12 -export \ - -name "${cert_name}" \ - -certfile "${root_ca_cert}" \ - -in "${certs_dir}/cert.pem" \ - -inkey "${certs_dir}/private.key" \ - -passout "pass:${PKCS12_PASSWORD}" \ - -out "${certs_dir}/cert.p12" + -name "${cert_name}" \ + -certfile "${root_ca_cert}" \ + -passout "pass:${PKCS12_PASSWORD}" \ + -inkey "${certs_dir}/private.key" \ + -in "${certs_dir}/cert.pem" \ + -out "${certs_dir}/cert.p12" } -# generate_ipa_pkcs12_certificates $ipa_fqdn $ipa_domain -function generate_ipa_pkcs12_certificates { +# create_ipa_pkcs12_certificates \ +# $host_fqdn $domain_name +function create_host_certificates { - host=$1 - if [ -z "$host" ]; then - echo "ERROR: ipa-host-fqdn is not set" + host_fqdn=$1 + if [ -z "${host_fqdn}" ]; then + echo "ERROR: host-fqdn is not set" echo - echo "usage: $0 create ipa-host-fqdn domain" + echo "usage: $0 create <host-fqdn> [<domain>]" exit 0; fi - 
domain=$2 - if [ -z "$domain" ]; then - echo "ERROR: domain is not set" + domain_name=$2 + [ -z "${domain_name}" ] && domain_name=${host_fqdn#*.*} + if [ -z "${domain_name}" ]; then + echo "ERROR: domain is not set and can not be created from host fqdn" echo - echo "usage: $0 create ipa-host-fqdn domain" + echo "usage: $0 create <host-fqdn> [<domain>]" exit 0; fi + realm=${domain_name^^} - # Generate certificates folder structure - mkdir -p "${ROOT_CA_DIR}" - mkdir -p "${DIRSRV_CERTS_DIR}/$host" - mkdir -p "${HTTPD_CERTS_DIR}/$host" - mkdir -p "${PKINIT_CERTS_DIR}/$host" + export HOST_FQDN=${host_fqdn} + export REALM_NAME=${realm} - # Generate root CA if [ ! -f "${ROOT_CA_DIR}/private.key" ]; then - openssl genrsa \ - -out "${ROOT_CA_DIR}/private.key" 4096 - - openssl req -new -x509 -sha256 -nodes -days 3650 \ - -subj "/C=US/ST=Test/L=Testing/O=Default" \ - -key "${ROOT_CA_DIR}/private.key" \ - -out "${ROOT_CA_DIR}/cert.pem" + create_ca "${domain_name}" fi - # Generate a certificate for the Directory Server - if [ ! -f "${DIRSRV_CERTS_DIR}/$host/cert.pem" ]; then - generate_ipa_pkcs12_certificate \ + # Create certificates folder structure + mkdir -p "${DIRSRV_CERTS_DIR}/${host_fqdn}" + mkdir -p "${HTTPD_CERTS_DIR}/${host_fqdn}" + mkdir -p "${PKINIT_CERTS_DIR}/${host_fqdn}" + + # Create a certificate for the Directory Server + if [ ! -f "${DIRSRV_CERTS_DIR}/${host_fqdn}/cert.pem" ]; then + create_host_pkcs12_certificate \ "dirsrv-cert" \ - "$host" \ - "${DIRSRV_CERTS_DIR}/$host" \ + "${DIRSRV_CERTS_DIR}/${host_fqdn}" \ "${ROOT_CA_DIR}/cert.pem" \ - "${ROOT_CA_DIR}/private.key" + "${EXTENSIONS_CONF}" fi - # Generate a certificate for the Apache server - if [ ! -f "${HTTPD_CERTS_DIR}/$host/cert.pem" ]; then - generate_ipa_pkcs12_certificate \ + # Create a certificate for the Apache server + if [ ! 
-f "${HTTPD_CERTS_DIR}/${host_fqdn}/cert.pem" ]; then + create_host_pkcs12_certificate \ "httpd-cert" \ - "$host" \ - "${HTTPD_CERTS_DIR}/$host" \ + "${HTTPD_CERTS_DIR}/${host_fqdn}" \ "${ROOT_CA_DIR}/cert.pem" \ - "${ROOT_CA_DIR}/private.key" + "${EXTENSIONS_CONF}" fi - # Generate a certificate for the KDC PKINIT - if [ ! -f "${PKINIT_CERTS_DIR}/$host/cert.pem" ]; then - export REALM=${domain^^} - - generate_ipa_pkcs12_certificate \ + # Create a certificate for the KDC PKINIT + if [ ! -f "${PKINIT_CERTS_DIR}/${host_fqdn}/cert.pem" ]; then + create_host_pkcs12_certificate \ "pkinit-cert" \ - "$host" \ - "${PKINIT_CERTS_DIR}/$host" \ + "${PKINIT_CERTS_DIR}/${host_fqdn}" \ "${ROOT_CA_DIR}/cert.pem" \ - "${ROOT_CA_DIR}/private.key" \ - "${PKINIT_CERTS_DIR}/extensions.conf" \ - "kdc_cert" + "${PKINIT_EXTENSIONS_CONF}" fi } -# delete_ipa_pkcs12_certificates $ipa_fqdn -function delete_ipa_pkcs12_certificates { +# delete_host_certificates \ +# $host_fqdn +function delete_host_certificates { - host=$1 - if [ -z "$host" ]; then - echo "ERROR: ipa-host-fqdn is not set" + host_fqdn=$1 + if [ -z "${host_fqdn}" ]; then + echo "ERROR: host-fqdn is not set" echo - echo "usage: $0 delete ipa-host-fqdn" + echo "usage: $0 delete <host-fqdn>" exit 0; fi - rm -f certificates/*/"$host"/* - rm -f "${ROOT_CA_DIR}"/* + rm -rf certificates/*/"${host_fqdn}"/ +} + +# cleanup \ +# $host_fqdn +function cleanup { + + rm -rf certificates/*/ } # Entrypoint case "$1" in + ca) + create_ca "$2" + ;; create) - generate_ipa_pkcs12_certificates "$2" "$3" + create_host_certificates "$2" "$3" ;; delete) - delete_ipa_pkcs12_certificates "$2" + delete_host_certificates "$2" + ;; + cleanup) + cleanup ;; *) - echo $"Usage: $0 {create|delete}" + echo $"Usage: $0 {create|delete|ca|cleanup}" ;; esac