Fix ca-less test to use X.509 v3 certificates

The generated certificates have been X.509 v1. This is not supported any more. Only X.509 v3 is supported. A new certificates/extensions.conf file has been added to make v3 certificates. The existing certificates/pkinit/extensions.conf has been renamed to certificates/pkinit-extensions.conf with additional changes. For example "[kdc_cert]" had to be removed for v3. The extensions config files are using environment variables, which are set by the generate-certificates.sh script before calling openssl. The script generate-certificates.sh has been reworked for a simpler structure, also new options have been added: "ca" and "cleanup".

Fix ca-less test to use X.509 v3 certificates
b92da826 · Thomas Woerner · ce05b5e1 · b92da826 · b92da826 · ce05b5e1
Commit b92da826 authored 1 year ago by Thomas Woerner
--- a/tests/ca-less/certificates/extensions.conf
+++ b/tests/ca-less/certificates/extensions.conf
+basicConstraints = CA:FALSE
+keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
+authorityKeyIdentifier = keyid,issuer
+subjectAltName = @alt_names
+[alt_names]
+DNS.1 = ${ENV::HOST_FQDN}
--- a/tests/ca-less/certificates/pkinit-extensions.conf
+++ b/tests/ca-less/certificates/pkinit-extensions.conf
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation,digitalSignature,keyEncipherment,keyAgreement
+extendedKeyUsage = 1.3.6.1.5.2.3.5
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+issuerAltName = issuer:copy
+subjectAltName = otherName:1.3.6.1.5.2.2;SEQUENCE:kdc_princ_name
+[kdc_princ_name]
+realm = EXP:0,GeneralString:${ENV::REALM_NAME}
+principal_name = EXP:1,SEQUENCE:kdc_principal_seq
+[kdc_principal_seq]
+name_type = EXP:0,INTEGER:1
+name_string = EXP:1,SEQUENCE:kdc_principals
+[kdc_principals]
+princ1 = GeneralString:krbtgt
+princ2 = GeneralString:${ENV::REALM_NAME}
--- a/tests/ca-less/certificates/pkinit/extensions.conf
+++ b/tests/ca-less/certificates/pkinit/extensions.conf
-[kdc_cert]
-basicConstraints=CA:FALSE
-keyUsage=nonRepudiation,digitalSignature,keyEncipherment,keyAgreement
-extendedKeyUsage=1.3.6.1.5.2.3.5
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid,issuer
-issuerAltName=issuer:copy
-subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:kdc_princ_name
-[kdc_princ_name]
-realm=EXP:0,GeneralString:${ENV::REALM}
-principal_name=EXP:1,SEQUENCE:kdc_principal_seq
-[kdc_principal_seq]
-name_type=EXP:0,INTEGER:1
-name_string=EXP:1,SEQUENCE:kdc_principals
-[kdc_principals]
-princ1=GeneralString:krbtgt
-princ2=GeneralString:${ENV::REALM}
--- a/tests/ca-less/clean_up_certificates.yml
+++ b/tests/ca-less/clean_up_certificates.yml
@@ -7,9 +7,6 @@
  - name: Run generate-certificates.sh
    ansible.builtin.command: >
      /bin/bash
-      generate-certificates.sh delete "{{ item }}"
+      generate-certificates.sh cleanup
    args:
      chdir: "{{ playbook_dir }}"
-    with_items:
-      - "{{ groups.ipaserver[0] }}"
-      - "{{ groups.ipareplicas[0] }}"
--- a/tests/ca-less/generate-certificates.sh
+++ b/tests/ca-less/generate-certificates.sh
 #!/usr/bin/env bash
-ROOT_CA_DIR="certificates/root-ca"
+CERTIFICATES="certificates"
-DIRSRV_CERTS_DIR="certificates/dirsrv"
+ROOT_CA_DIR="${CERTIFICATES}/root-ca"
-HTTPD_CERTS_DIR="certificates/httpd"
+DIRSRV_CERTS_DIR="${CERTIFICATES}/dirsrv"
-PKINIT_CERTS_DIR="certificates/pkinit"
+HTTPD_CERTS_DIR="${CERTIFICATES}/httpd"
+PKINIT_CERTS_DIR="${CERTIFICATES}/pkinit"
+EXTENSIONS_CONF="${CERTIFICATES}/extensions.conf"
+PKINIT_EXTENSIONS_CONF="${CERTIFICATES}/pkinit-extensions.conf"
 PKCS12_PASSWORD="SomePKCS12password"
-# generate_ipa_pkcs12_certificate \
+# create_ca \
-#    $cert_name $ipa_fqdn $certs_dir $root_ca_cert $root_ca_private_key extensions_file extensions_name
+#    $domain_name
-function generate_ipa_pkcs12_certificate {
+function create_ca {
-    cert_name=$1
+    domain_name=$1
-    ipa_fqdn=$2
+    if [ -z "${domain_name}" ]; then
-    certs_dir=$3
+        echo "ERROR: domain is not set"
-    root_ca_cert=$4
+        echo
-    root_ca_private_key=$5
+        echo "usage: $0 ca <domain>"
-    extensions_file=$6
+        exit 0;
-    extensions_name=$7
-    # Generate CSR and private key
-    openssl req -new -newkey rsa:4096 -nodes \
-        -subj "/C=US/ST=Test/L=Testing/O=Default/CN=${ipa_fqdn}" \
-        -keyout "${certs_dir}/private.key" \
-        -out "${certs_dir}/request.csr"
-    # Sign CSR to generate PEM certificate
-    if [ -z "${extensions_file}" ]; then
-        openssl x509 -req -days 365 -sha256 \
-            -CAcreateserial \
-            -CA "${root_ca_cert}" \
-            -CAkey "${root_ca_private_key}" \
-            -in "${certs_dir}/request.csr" \
-            -out "${certs_dir}/cert.pem"
-    else
-        openssl x509 -req -days 365 -sha256 \
-            -CAcreateserial \
-            -CA "${ROOT_CA_DIR}/cert.pem" \
-            -CAkey "${ROOT_CA_DIR}/private.key" \
-            -extfile "${extensions_file}" \
-            -extensions "${extensions_name}" \
-            -in "${certs_dir}/request.csr" \
-            -out "${certs_dir}/cert.pem"
    fi
+    realm=${domain_name^^}
+    export REALM_NAME=${realm}
+    # Create certificates folder structure
+    mkdir -p "${ROOT_CA_DIR}"
+    # Create root CA
+    if [ ! -f "${ROOT_CA_DIR}/private.key" ]; then
+        # create aes encrypted private key
+        openssl genrsa -out "${ROOT_CA_DIR}/private.key" 4096
+        # create certificate, 1826 days = 5 years
+        openssl req -x509 -new -nodes -sha256 -days 1826 \
+                -subj "/C=US/ST=Test/L=Testing/O=Default/CN=Test Root CA" \
+                -key "${ROOT_CA_DIR}/private.key" \
+                -out "${ROOT_CA_DIR}/cert.pem"
+    fi
+}
+# create_host_pkcs12_certificate \
+#    $cert_name $certs_dir $root_ca_cert $extensions_file
+function create_host_pkcs12_certificate {
+    cert_name=$1
+    certs_dir=$2
+    root_ca_cert=$3
+    extensions_file=$4
+    # Create CSR and private key
+    openssl req -new -nodes -newkey rsa:4096 \
+                -subj "/C=US/ST=Test/L=Testing/O=Default/CN=${cert_name}" \
+                -keyout "${certs_dir}/private.key" \
+                -out "${certs_dir}/request.csr"
+    # Sign CSR to create PEM certificate
+    openssl x509 -req -days 1460 -sha256 -CAcreateserial \
+                -CAkey "${ROOT_CA_DIR}/private.key" \
+                -CA "${root_ca_cert}" \
+                -in "${certs_dir}/request.csr" \
+                -out "${certs_dir}/cert.pem" \
+                -extfile "${extensions_file}"
    # Convert certificate to PKCS12 format
    openssl pkcs12 -export \
-        -name "${cert_name}" \
+            -name "${cert_name}" \
-        -certfile "${root_ca_cert}" \
+            -certfile "${root_ca_cert}" \
-        -in "${certs_dir}/cert.pem" \
+            -passout "pass:${PKCS12_PASSWORD}" \
-        -inkey "${certs_dir}/private.key" \
+            -inkey "${certs_dir}/private.key" \
-        -passout "pass:${PKCS12_PASSWORD}" \
+            -in "${certs_dir}/cert.pem" \
-        -out "${certs_dir}/cert.p12"
+            -out "${certs_dir}/cert.p12"
 }
-# generate_ipa_pkcs12_certificates $ipa_fqdn $ipa_domain
+# create_ipa_pkcs12_certificates \
-function generate_ipa_pkcs12_certificates {
+#    $host_fqdn $domain_name
+function create_host_certificates {
-    host=$1
+    host_fqdn=$1
-    if [ -z "$host" ]; then
+    if [ -z "${host_fqdn}" ]; then
-        echo "ERROR: ipa-host-fqdn is not set"
+        echo "ERROR: host-fqdn is not set"
        echo
-        echo "usage: $0 create ipa-host-fqdn domain"
+        echo "usage: $0 create <host-fqdn> [<domain>]"
        exit 0;
    fi
-    domain=$2
+    domain_name=$2
-    if [ -z "$domain" ]; then
+    [ -z "${domain_name}" ] && domain_name=${host_fqdn#*.*}
-        echo "ERROR: domain is not set"
+    if [ -z "${domain_name}" ]; then
+        echo "ERROR: domain is not set and can not be created from host fqdn"
        echo
-        echo "usage: $0 create ipa-host-fqdn domain"
+        echo "usage: $0 create <host-fqdn> [<domain>]"
        exit 0;
    fi
+    realm=${domain_name^^}
-    # Generate certificates folder structure
+    export HOST_FQDN=${host_fqdn}
-    mkdir -p "${ROOT_CA_DIR}"
+    export REALM_NAME=${realm}
-    mkdir -p "${DIRSRV_CERTS_DIR}/$host"
-    mkdir -p "${HTTPD_CERTS_DIR}/$host"
-    mkdir -p "${PKINIT_CERTS_DIR}/$host"
-    # Generate root CA
    if [ ! -f "${ROOT_CA_DIR}/private.key" ]; then
-        openssl genrsa \
+        create_ca "${domain_name}"
-                -out "${ROOT_CA_DIR}/private.key" 4096
-        openssl req -new -x509 -sha256 -nodes -days 3650 \
-                -subj "/C=US/ST=Test/L=Testing/O=Default" \
-                -key "${ROOT_CA_DIR}/private.key" \
-                -out "${ROOT_CA_DIR}/cert.pem"
    fi
-    # Generate a certificate for the Directory Server
+    # Create certificates folder structure
-    if [ ! -f "${DIRSRV_CERTS_DIR}/$host/cert.pem" ]; then
+    mkdir -p "${DIRSRV_CERTS_DIR}/${host_fqdn}"
-        generate_ipa_pkcs12_certificate \
+    mkdir -p "${HTTPD_CERTS_DIR}/${host_fqdn}"
+    mkdir -p "${PKINIT_CERTS_DIR}/${host_fqdn}"
+    # Create a certificate for the Directory Server
+    if [ ! -f "${DIRSRV_CERTS_DIR}/${host_fqdn}/cert.pem" ]; then
+        create_host_pkcs12_certificate \
            "dirsrv-cert" \
-            "$host" \
+            "${DIRSRV_CERTS_DIR}/${host_fqdn}" \
-            "${DIRSRV_CERTS_DIR}/$host" \
            "${ROOT_CA_DIR}/cert.pem" \
-            "${ROOT_CA_DIR}/private.key"
+            "${EXTENSIONS_CONF}"
    fi
-    # Generate a certificate for the Apache server
+    # Create a certificate for the Apache server
-    if [ ! -f "${HTTPD_CERTS_DIR}/$host/cert.pem" ]; then
+    if [ ! -f "${HTTPD_CERTS_DIR}/${host_fqdn}/cert.pem" ]; then
-        generate_ipa_pkcs12_certificate \
+        create_host_pkcs12_certificate \
            "httpd-cert" \
-            "$host" \
+            "${HTTPD_CERTS_DIR}/${host_fqdn}" \
-            "${HTTPD_CERTS_DIR}/$host" \
            "${ROOT_CA_DIR}/cert.pem" \
-            "${ROOT_CA_DIR}/private.key"
+            "${EXTENSIONS_CONF}"
    fi
-    # Generate a certificate for the KDC PKINIT
+    # Create a certificate for the KDC PKINIT
-    if [ ! -f "${PKINIT_CERTS_DIR}/$host/cert.pem" ]; then
+    if [ ! -f "${PKINIT_CERTS_DIR}/${host_fqdn}/cert.pem" ]; then
-        export REALM=${domain^^}
+        create_host_pkcs12_certificate \
-        generate_ipa_pkcs12_certificate \
            "pkinit-cert" \
-            "$host" \
+            "${PKINIT_CERTS_DIR}/${host_fqdn}" \
-            "${PKINIT_CERTS_DIR}/$host" \
            "${ROOT_CA_DIR}/cert.pem" \
-            "${ROOT_CA_DIR}/private.key" \
+            "${PKINIT_EXTENSIONS_CONF}"
-            "${PKINIT_CERTS_DIR}/extensions.conf" \
-            "kdc_cert"
    fi
 }
-# delete_ipa_pkcs12_certificates $ipa_fqdn
+# delete_host_certificates \
-function delete_ipa_pkcs12_certificates {
+#     $host_fqdn
+function delete_host_certificates {
-    host=$1
+    host_fqdn=$1
-    if [ -z "$host" ]; then
+    if [ -z "${host_fqdn}" ]; then
-        echo "ERROR: ipa-host-fqdn is not set"
+        echo "ERROR: host-fqdn is not set"
        echo
-        echo "usage: $0 delete ipa-host-fqdn"
+        echo "usage: $0 delete <host-fqdn>"
        exit 0;
    fi
-    rm -f certificates/*/"$host"/*
+    rm -rf certificates/*/"${host_fqdn}"/
-    rm -f "${ROOT_CA_DIR}"/*
+}
+# cleanup \
+#     $host_fqdn
+function cleanup {
+    rm -rf certificates/*/
 }
 # Entrypoint
 case "$1" in
+  ca)
+    create_ca "$2"
+    ;;
  create)
-    generate_ipa_pkcs12_certificates "$2" "$3"
+    create_host_certificates "$2" "$3"
    ;;
  delete)
-    delete_ipa_pkcs12_certificates "$2"
+    delete_host_certificates "$2"
+    ;;
+  cleanup)
+    cleanup
    ;;
  *)
-    echo $"Usage: $0 {create|delete}"
+    echo $"Usage: $0 {create|delete|ca|cleanup}"
    ;;
 esac