Skip to content
Commits on Source (4)
Hide whitespace changes
Inline Side-by-side
roles/ipaserver/library/ipaserver_test.py
View file @ 780e6b14
......@@ -1171,7 +1171,7 @@ def main():
changed=False,
ipa_python_version=IPA_PYTHON_VERSION,
# basic
domain=options.domain_name,
domain=domain_name,
realm=realm_name,
hostname=host_name,
_hostname_overridden=bool(options.host_name),
......
tests/ca-less/certificates/extensions.conf 0 → 100644
View file @ 780e6b14
basicConstraints = CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
authorityKeyIdentifier = keyid,issuer
subjectAltName = @alt_names
[alt_names]
DNS.1 = ${ENV::HOST_FQDN}
tests/ca-less/certificates/pkinit-extensions.conf 0 → 100644
View file @ 780e6b14
basicConstraints = CA:FALSE
keyUsage = nonRepudiation,digitalSignature,keyEncipherment,keyAgreement
extendedKeyUsage = 1.3.6.1.5.2.3.5
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
issuerAltName = issuer:copy
subjectAltName = otherName:1.3.6.1.5.2.2;SEQUENCE:kdc_princ_name
[kdc_princ_name]
realm = EXP:0,GeneralString:${ENV::REALM_NAME}
principal_name = EXP:1,SEQUENCE:kdc_principal_seq
[kdc_principal_seq]
name_type = EXP:0,INTEGER:1
name_string = EXP:1,SEQUENCE:kdc_principals
[kdc_principals]
princ1 = GeneralString:krbtgt
princ2 = GeneralString:${ENV::REALM_NAME}
tests/ca-less/certificates/pkinit/extensions.conf deleted 100644 → 0
View file @ ce05b5e1
[kdc_cert]
basicConstraints=CA:FALSE
keyUsage=nonRepudiation,digitalSignature,keyEncipherment,keyAgreement
extendedKeyUsage=1.3.6.1.5.2.3.5
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
issuerAltName=issuer:copy
subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:kdc_princ_name
[kdc_princ_name]
realm=EXP:0,GeneralString:${ENV::REALM}
principal_name=EXP:1,SEQUENCE:kdc_principal_seq
[kdc_principal_seq]
name_type=EXP:0,INTEGER:1
name_string=EXP:1,SEQUENCE:kdc_principals
[kdc_principals]
princ1=GeneralString:krbtgt
princ2=GeneralString:${ENV::REALM}
tests/ca-less/clean_up_certificates.yml
View file @ 780e6b14
......@@ -7,9 +7,6 @@
- name: Run generate-certificates.sh
ansible.builtin.command: >
/bin/bash
generate-certificates.sh delete "{{ item }}"
generate-certificates.sh cleanup
args:
chdir: "{{ playbook_dir }}"
with_items:
- "{{ groups.ipaserver[0] }}"
- "{{ groups.ipareplicas[0] }}"
tests/ca-less/generate-certificates.sh
View file @ 780e6b14
#!/usr/bin/env bash
ROOT_CA_DIR="certificates/root-ca"
DIRSRV_CERTS_DIR="certificates/dirsrv"
HTTPD_CERTS_DIR="certificates/httpd"
PKINIT_CERTS_DIR="certificates/pkinit"
CERTIFICATES="certificates"
ROOT_CA_DIR="${CERTIFICATES}/root-ca"
DIRSRV_CERTS_DIR="${CERTIFICATES}/dirsrv"
HTTPD_CERTS_DIR="${CERTIFICATES}/httpd"
PKINIT_CERTS_DIR="${CERTIFICATES}/pkinit"
EXTENSIONS_CONF="${CERTIFICATES}/extensions.conf"
PKINIT_EXTENSIONS_CONF="${CERTIFICATES}/pkinit-extensions.conf"
PKCS12_PASSWORD="SomePKCS12password"
# generate_ipa_pkcs12_certificate \
# $cert_name $ipa_fqdn $certs_dir $root_ca_cert $root_ca_private_key extensions_file extensions_name
function generate_ipa_pkcs12_certificate {
# create_ca \
# $domain_name
function create_ca {
cert_name=$1
ipa_fqdn=$2
certs_dir=$3
root_ca_cert=$4
root_ca_private_key=$5
extensions_file=$6
extensions_name=$7
# Generate CSR and private key
openssl req -new -newkey rsa:4096 -nodes \
-subj "/C=US/ST=Test/L=Testing/O=Default/CN=${ipa_fqdn}" \
-keyout "${certs_dir}/private.key" \
-out "${certs_dir}/request.csr"
# Sign CSR to generate PEM certificate
if [ -z "${extensions_file}" ]; then
openssl x509 -req -days 365 -sha256 \
-CAcreateserial \
-CA "${root_ca_cert}" \
-CAkey "${root_ca_private_key}" \
-in "${certs_dir}/request.csr" \
-out "${certs_dir}/cert.pem"
else
openssl x509 -req -days 365 -sha256 \
-CAcreateserial \
-CA "${ROOT_CA_DIR}/cert.pem" \
-CAkey "${ROOT_CA_DIR}/private.key" \
-extfile "${extensions_file}" \
-extensions "${extensions_name}" \
-in "${certs_dir}/request.csr" \
-out "${certs_dir}/cert.pem"
domain_name=$1
if [ -z "${domain_name}" ]; then
echo "ERROR: domain is not set"
echo
echo "usage: $0 ca <domain>"
exit 0;
fi
realm=${domain_name^^}
export REALM_NAME=${realm}
# Create certificates folder structure
mkdir -p "${ROOT_CA_DIR}"
# Create root CA
if [ ! -f "${ROOT_CA_DIR}/private.key" ]; then
# create aes encrypted private key
openssl genrsa -out "${ROOT_CA_DIR}/private.key" 4096
# create certificate, 1826 days = 5 years
openssl req -x509 -new -nodes -sha256 -days 1826 \
-subj "/C=US/ST=Test/L=Testing/O=Default/CN=Test Root CA" \
-key "${ROOT_CA_DIR}/private.key" \
-out "${ROOT_CA_DIR}/cert.pem"
fi
}
# create_host_pkcs12_certificate \
# $cert_name $certs_dir $root_ca_cert $extensions_file
function create_host_pkcs12_certificate {
cert_name=$1
certs_dir=$2
root_ca_cert=$3
extensions_file=$4
# Create CSR and private key
openssl req -new -nodes -newkey rsa:4096 \
-subj "/C=US/ST=Test/L=Testing/O=Default/CN=${cert_name}" \
-keyout "${certs_dir}/private.key" \
-out "${certs_dir}/request.csr"
# Sign CSR to create PEM certificate
openssl x509 -req -days 1460 -sha256 -CAcreateserial \
-CAkey "${ROOT_CA_DIR}/private.key" \
-CA "${root_ca_cert}" \
-in "${certs_dir}/request.csr" \
-out "${certs_dir}/cert.pem" \
-extfile "${extensions_file}"
# Convert certificate to PKCS12 format
openssl pkcs12 -export \
-name "${cert_name}" \
-certfile "${root_ca_cert}" \
-in "${certs_dir}/cert.pem" \
-inkey "${certs_dir}/private.key" \
-passout "pass:${PKCS12_PASSWORD}" \
-out "${certs_dir}/cert.p12"
-name "${cert_name}" \
-certfile "${root_ca_cert}" \
-passout "pass:${PKCS12_PASSWORD}" \
-inkey "${certs_dir}/private.key" \
-in "${certs_dir}/cert.pem" \
-out "${certs_dir}/cert.p12"
}
# generate_ipa_pkcs12_certificates $ipa_fqdn $ipa_domain
function generate_ipa_pkcs12_certificates {
# create_ipa_pkcs12_certificates \
# $host_fqdn $domain_name
function create_host_certificates {
host=$1
if [ -z "$host" ]; then
echo "ERROR: ipa-host-fqdn is not set"
host_fqdn=$1
if [ -z "${host_fqdn}" ]; then
echo "ERROR: host-fqdn is not set"
echo
echo "usage: $0 create ipa-host-fqdn domain"
echo "usage: $0 create <host-fqdn> [<domain>]"
exit 0;
fi
domain=$2
if [ -z "$domain" ]; then
echo "ERROR: domain is not set"
domain_name=$2
[ -z "${domain_name}" ] && domain_name=${host_fqdn#*.*}
if [ -z "${domain_name}" ]; then
echo "ERROR: domain is not set and can not be created from host fqdn"
echo
echo "usage: $0 create ipa-host-fqdn domain"
echo "usage: $0 create <host-fqdn> [<domain>]"
exit 0;
fi
realm=${domain_name^^}
# Generate certificates folder structure
mkdir -p "${ROOT_CA_DIR}"
mkdir -p "${DIRSRV_CERTS_DIR}/$host"
mkdir -p "${HTTPD_CERTS_DIR}/$host"
mkdir -p "${PKINIT_CERTS_DIR}/$host"
export HOST_FQDN=${host_fqdn}
export REALM_NAME=${realm}
# Generate root CA
if [ ! -f "${ROOT_CA_DIR}/private.key" ]; then
openssl genrsa \
-out "${ROOT_CA_DIR}/private.key" 4096
openssl req -new -x509 -sha256 -nodes -days 3650 \
-subj "/C=US/ST=Test/L=Testing/O=Default" \
-key "${ROOT_CA_DIR}/private.key" \
-out "${ROOT_CA_DIR}/cert.pem"
create_ca "${domain_name}"
fi
# Generate a certificate for the Directory Server
if [ ! -f "${DIRSRV_CERTS_DIR}/$host/cert.pem" ]; then
generate_ipa_pkcs12_certificate \
# Create certificates folder structure
mkdir -p "${DIRSRV_CERTS_DIR}/${host_fqdn}"
mkdir -p "${HTTPD_CERTS_DIR}/${host_fqdn}"
mkdir -p "${PKINIT_CERTS_DIR}/${host_fqdn}"
# Create a certificate for the Directory Server
if [ ! -f "${DIRSRV_CERTS_DIR}/${host_fqdn}/cert.pem" ]; then
create_host_pkcs12_certificate \
"dirsrv-cert" \
"$host" \
"${DIRSRV_CERTS_DIR}/$host" \
"${DIRSRV_CERTS_DIR}/${host_fqdn}" \
"${ROOT_CA_DIR}/cert.pem" \
"${ROOT_CA_DIR}/private.key"
"${EXTENSIONS_CONF}"
fi
# Generate a certificate for the Apache server
if [ ! -f "${HTTPD_CERTS_DIR}/$host/cert.pem" ]; then
generate_ipa_pkcs12_certificate \
# Create a certificate for the Apache server
if [ ! -f "${HTTPD_CERTS_DIR}/${host_fqdn}/cert.pem" ]; then
create_host_pkcs12_certificate \
"httpd-cert" \
"$host" \
"${HTTPD_CERTS_DIR}/$host" \
"${HTTPD_CERTS_DIR}/${host_fqdn}" \
"${ROOT_CA_DIR}/cert.pem" \
"${ROOT_CA_DIR}/private.key"
"${EXTENSIONS_CONF}"
fi
# Generate a certificate for the KDC PKINIT
if [ ! -f "${PKINIT_CERTS_DIR}/$host/cert.pem" ]; then
export REALM=${domain^^}
generate_ipa_pkcs12_certificate \
# Create a certificate for the KDC PKINIT
if [ ! -f "${PKINIT_CERTS_DIR}/${host_fqdn}/cert.pem" ]; then
create_host_pkcs12_certificate \
"pkinit-cert" \
"$host" \
"${PKINIT_CERTS_DIR}/$host" \
"${PKINIT_CERTS_DIR}/${host_fqdn}" \
"${ROOT_CA_DIR}/cert.pem" \
"${ROOT_CA_DIR}/private.key" \
"${PKINIT_CERTS_DIR}/extensions.conf" \
"kdc_cert"
"${PKINIT_EXTENSIONS_CONF}"
fi
}
# delete_ipa_pkcs12_certificates $ipa_fqdn
function delete_ipa_pkcs12_certificates {
# delete_host_certificates \
# $host_fqdn
function delete_host_certificates {
host=$1
if [ -z "$host" ]; then
echo "ERROR: ipa-host-fqdn is not set"
host_fqdn=$1
if [ -z "${host_fqdn}" ]; then
echo "ERROR: host-fqdn is not set"
echo
echo "usage: $0 delete ipa-host-fqdn"
echo "usage: $0 delete <host-fqdn>"
exit 0;
fi
rm -f certificates/*/"$host"/*
rm -f "${ROOT_CA_DIR}"/*
rm -rf certificates/*/"${host_fqdn}"/
}
# cleanup \
# $host_fqdn
function cleanup {
rm -rf certificates/*/
}
# Entrypoint
case "$1" in
ca)
create_ca "$2"
;;
create)
generate_ipa_pkcs12_certificates "$2" "$3"
create_host_certificates "$2" "$3"
;;
delete)
delete_ipa_pkcs12_certificates "$2"
delete_host_certificates "$2"
;;
cleanup)
cleanup
;;
*)
echo $"Usage: $0 {create|delete}"
echo $"Usage: $0 {create|delete|ca|cleanup}"
;;
esac