.github/workflows/ocsp-tests.yml

name: OCSP Tests

on: [push, pull_request]

jobs:
  init:
    name: Initializing Workflow
    runs-on: ubuntu-latest
    container: fedora:latest
    outputs:
      matrix: ${{ steps.set-matrix.outputs.matrix }}
    steps:
      - name: Set up test matrix
        id: set-matrix
        run: |
          export latest=$(cat /etc/fedora-release | awk '{ print $3 }')
          export previous=$(cat /etc/fedora-release | awk '{ print $3 - 1}')
          echo "Running CI against Fedora $previous and $latest"
          if [ "${{ secrets.MATRIX }}" == "" ]
          then
              echo "::set-output name=matrix::{\"os\":[\"$previous\", \"$latest\"]}"
          else
              echo "::set-output name=matrix::${{ secrets.MATRIX }}"
          fi

  # docs/development/Building_PKI.md
  build:
    name: Building PKI
    needs: init
    runs-on: ubuntu-latest
    env:
      COPR_REPO: "@pki/master"
    strategy:
      matrix: ${{ fromJSON(needs.init.outputs.matrix) }}
    steps:
      - name: Clone repository
        uses: actions/checkout@v2

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v1

      - name: Build runner image
        uses: docker/build-push-action@v2
        with:
          context: .
          build-args: |
            OS_VERSION=${{ matrix.os }}
            COPR_REPO=${{ env.COPR_REPO }}
            BUILD_OPTS=--with-pkgs=base,server,ca,ocsp --with-timestamp --with-commit-id
          tags: pki-runner
          target: pki-runner
          outputs: type=docker,dest=/tmp/pki-runner.tar

      - name: Upload runner image
        uses: actions/upload-artifact@v2
        with:
          name: pki-runner-${{ matrix.os }}
          path: /tmp/pki-runner.tar

  # docs/installation/ocsp/Installing_OCSP.md
  ocsp-test:
    name: Installing OCSP
    needs: [init, build]
    runs-on: ubuntu-latest
    env:
      BUILDDIR: /tmp/workdir
      PKIDIR: /tmp/workdir/pki
      COPR_REPO: "@pki/master"
    strategy:
      matrix: ${{ fromJSON(needs.init.outputs.matrix) }}
    steps:
      - name: Clone repository
        uses: actions/checkout@v2

      - name: Download runner image
        uses: actions/download-artifact@v2
        with:
          name: pki-runner-${{ matrix.os }}
          path: /tmp

      - name: Load runner image
        run: docker load --input /tmp/pki-runner.tar

      - name: Run container
        run: |
          IMAGE=pki-runner \
          NAME=pki \
          HOSTNAME=pki.example.com \
          tests/bin/runner-init.sh

      - name: Install dependencies
        run: docker exec pki dnf install -y 389-ds-base

      - name: Install DS
        run: docker exec pki ${PKIDIR}/tests/bin/ds-create.sh

      - name: Install CA
        run: docker exec pki pkispawn -f /usr/share/pki/server/examples/installation/ca.cfg -s CA -v

      - name: Install OCSP
        run: docker exec pki pkispawn -f /usr/share/pki/server/examples/installation/ocsp.cfg -s OCSP -v

      - name: Run PKI healthcheck
        run: docker exec pki pki-healthcheck --debug

      - name: Verify OCSP admin
        run: |
          docker exec pki pki-server cert-export ca_signing --cert-file ca_signing.crt
          docker exec pki pki client-cert-import ca_signing --ca-cert ca_signing.crt
          docker exec pki pki client-cert-import \
              --pkcs12 /root/.dogtag/pki-tomcat/ca_admin_cert.p12 \
              --pkcs12-password-file /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf
          docker exec pki pki -n caadmin ocsp-user-show ocspadmin

      - name: Gather artifacts
        if: always()
        run: |
          tests/bin/ds-artifacts-save.sh pki
          tests/bin/pki-artifacts-save.sh pki

      - name: Remove OCSP
        run: docker exec pki pkidestroy -i pki-tomcat -s OCSP -v

      - name: Remove CA
        run: docker exec pki pkidestroy -i pki-tomcat -s CA -v

      - name: Remove DS
        run: docker exec pki ${PKIDIR}/tests/bin/ds-remove.sh

      - name: Upload artifacts
        if: always()
        uses: actions/upload-artifact@v2
        with:
          name: ocsp-${{ matrix.os }}
          path: |
            /tmp/artifacts/pki

  # docs/installation/ocsp/Installing_OCSP_with_External_Certificates.md
  ocsp-external-certs-test:
    name: Installing OCSP with External Certificates
    needs: [init, build]
    runs-on: ubuntu-latest
    env:
      BUILDDIR: /tmp/workdir
      PKIDIR: /tmp/workdir/pki
      COPR_REPO: "@pki/master"
    strategy:
      matrix: ${{ fromJSON(needs.init.outputs.matrix) }}
    steps:
      - name: Clone repository
        uses: actions/checkout@v2

      - name: Download runner image
        uses: actions/download-artifact@v2
        with:
          name: pki-runner-${{ matrix.os }}
          path: /tmp

      - name: Load runner image
        run: docker load --input /tmp/pki-runner.tar

      - name: Create network
        run: docker network create example

      - name: Setup CA container
        run: |
          IMAGE=pki-runner \
          NAME=ca \
          HOSTNAME=ca.example.com \
          tests/bin/runner-init.sh

      - name: Connect CA container to network
        run: docker network connect example ca --alias ca.example.com

      - name: Install dependencies in CA container
        run: docker exec ca dnf install -y 389-ds-base

      - name: Install DS in CA container
        run: docker exec ca ${PKIDIR}/tests/bin/ds-create.sh

      - name: Install CA in CA container
        run: docker exec ca pkispawn -f /usr/share/pki/server/examples/installation/ca.cfg -s CA -v

      - name: Initialize CA admin in CA container
        run: |
          docker exec ca pki-server cert-export ca_signing --cert-file ${PKIDIR}/ca_signing.crt
          docker exec ca pki client-cert-import ca_signing --ca-cert ${PKIDIR}/ca_signing.crt
          docker exec ca pki client-cert-import \
              --pkcs12 /root/.dogtag/pki-tomcat/ca_admin_cert.p12 \
              --pkcs12-password-file /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf

      - name: Setup OCSP container
        run: |
          IMAGE=pki-runner \
          NAME=ocsp \
          HOSTNAME=ocsp.example.com \
          tests/bin/runner-init.sh

      - name: Connect OCSP container to network
        run: docker network connect example ocsp --alias ocsp.example.com

      - name: Install dependencies in OCSP container
        run: docker exec ocsp dnf install -y 389-ds-base

      - name: Install DS in OCSP container
        run: docker exec ocsp ${PKIDIR}/tests/bin/ds-create.sh

      - name: Install OCSP in OCSP container (step 1)
        run: |
          docker exec ocsp cp ${PKIDIR}/ca_signing.crt .
          docker exec ocsp pkispawn -f /usr/share/pki/server/examples/installation/ocsp-external-certs-step1.cfg -s OCSP -v

      - name: Issue OCSP signing cert
        run: |
          docker exec ocsp cp ocsp_signing.csr ${PKIDIR}/ocsp_signing.csr
          docker exec ca bash -c "pki ca-cert-request-submit --profile caOCSPCert --csr-file ${PKIDIR}/ocsp_signing.csr | sed -n 's/Request ID: *\(.*\)/\1/p' > ${PKIDIR}/ocsp_signing.reqid"
          docker exec ca bash -c "pki -n caadmin ca-cert-request-approve `cat ocsp_signing.reqid` --force | sed -n 's/Certificate ID: *\(.*\)/\1/p' > ${PKIDIR}/ocsp_signing.certid"
          docker exec ca bash -c "pki ca-cert-export `cat ocsp_signing.certid` --output-file ${PKIDIR}/ocsp_signing.crt"
          docker exec ocsp cp ${PKIDIR}/ocsp_signing.crt ocsp_signing.crt

      - name: Issue subsystem cert
        run: |
          docker exec ocsp cp subsystem.csr ${PKIDIR}/subsystem.csr
          docker exec ca bash -c "pki ca-cert-request-submit --profile caSubsystemCert --csr-file ${PKIDIR}/subsystem.csr | sed -n 's/Request ID: *\(.*\)/\1/p' > ${PKIDIR}/subsystem.reqid"
          docker exec ca bash -c "pki -n caadmin ca-cert-request-approve `cat subsystem.reqid` --force | sed -n 's/Certificate ID: *\(.*\)/\1/p' > ${PKIDIR}/subsystem.certid"
          docker exec ca bash -c "pki ca-cert-export `cat subsystem.certid` --output-file ${PKIDIR}/subsystem.crt"
          docker exec ocsp cp ${PKIDIR}/subsystem.crt subsystem.crt

      - name: Issue SSL server cert
        run: |
          docker exec ocsp cp sslserver.csr ${PKIDIR}/sslserver.csr
          docker exec ca bash -c "pki ca-cert-request-submit --profile caServerCert --csr-file ${PKIDIR}/sslserver.csr | sed -n 's/Request ID: *\(.*\)/\1/p' > ${PKIDIR}/sslserver.reqid"
          docker exec ca bash -c "pki -n caadmin ca-cert-request-approve `cat sslserver.reqid` --force | sed -n 's/Certificate ID: *\(.*\)/\1/p' > ${PKIDIR}/sslserver.certid"
          docker exec ca bash -c "pki ca-cert-export `cat sslserver.certid` --output-file ${PKIDIR}/sslserver.crt"
          docker exec ocsp cp ${PKIDIR}/sslserver.crt sslserver.crt

      - name: Issue OCSP audit signing cert
        run: |
          docker exec ocsp cp ocsp_audit_signing.csr ${PKIDIR}/ocsp_audit_signing.csr
          docker exec ca bash -c "pki ca-cert-request-submit --profile caAuditSigningCert --csr-file ${PKIDIR}/ocsp_audit_signing.csr | sed -n 's/Request ID: *\(.*\)/\1/p' > ${PKIDIR}/ocsp_audit_signing.reqid"
          docker exec ca bash -c "pki -n caadmin ca-cert-request-approve `cat ocsp_audit_signing.reqid` --force | sed -n 's/Certificate ID: *\(.*\)/\1/p' > ${PKIDIR}/ocsp_audit_signing.certid"
          docker exec ca bash -c "pki ca-cert-export `cat ocsp_audit_signing.certid` --output-file ${PKIDIR}/ocsp_audit_signing.crt"
          docker exec ocsp cp ${PKIDIR}/ocsp_audit_signing.crt ocsp_audit_signing.crt

      - name: Issue OCSP admin cert
        run: |
          docker exec ocsp cp ocsp_admin.csr ${PKIDIR}/ocsp_admin.csr
          docker exec ca bash -c "pki ca-cert-request-submit --profile caUserCert --csr-file ${PKIDIR}/ocsp_admin.csr --subject uid=ocspadmin | sed -n 's/Request ID: *\(.*\)/\1/p' > ${PKIDIR}/ocsp_admin.reqid"
          docker exec ca bash -c "pki -n caadmin ca-cert-request-approve `cat ocsp_admin.reqid` --force | sed -n 's/Certificate ID: *\(.*\)/\1/p' > ${PKIDIR}/ocsp_admin.certid"
          docker exec ca bash -c "pki ca-cert-export `cat ocsp_admin.certid` --output-file ${PKIDIR}/ocsp_admin.crt"
          docker exec ocsp cp ${PKIDIR}/ocsp_admin.crt ocsp_admin.crt

      - name: Install OCSP in OCSP container (step 2)
        run: |
          docker exec ocsp pkispawn -f /usr/share/pki/server/examples/installation/ocsp-external-certs-step2.cfg -s OCSP -v

      - name: Run PKI healthcheck
        run: docker exec ocsp pki-healthcheck --debug

      - name: Verify OCSP admin
        run: |
          docker exec ocsp pki client-cert-import ca_signing --ca-cert ca_signing.crt
          docker exec ocsp pki client-cert-import \
              --pkcs12 /root/.dogtag/pki-tomcat/ocsp_admin_cert.p12 \
              --pkcs12-password-file /root/.dogtag/pki-tomcat/ocsp/pkcs12_password.conf
          docker exec ocsp pki -n ocspadmin ocsp-user-show ocspadmin

      - name: Gather artifacts from CA container
        if: always()
        run: |
          tests/bin/ds-artifacts-save.sh ca
          tests/bin/pki-artifacts-save.sh ca

      - name: Gather artifacts from OCSP container
        if: always()
        run: |
          tests/bin/ds-artifacts-save.sh ocsp
          tests/bin/pki-artifacts-save.sh ocsp

      - name: Remove OCSP from OCSP container
        run: docker exec ocsp pkidestroy -i pki-tomcat -s OCSP -v

      - name: Remove DS from OCSP container
        run: docker exec ocsp ${PKIDIR}/tests/bin/ds-remove.sh

      - name: Disconnect OCSP container from network
        run: docker network disconnect example ocsp

      - name: Remove CA from CA container
        run: docker exec ca pkidestroy -i pki-tomcat -s CA -v

      - name: Remove DS from CA container
        run: docker exec ca ${PKIDIR}/tests/bin/ds-remove.sh

      - name: Disconnect CA container from network
        run: docker network disconnect example ca

      - name: Remove network
        run: docker network rm example

      - name: Upload artifacts from CA container
        if: always()
        uses: actions/upload-artifact@v2
        with:
          name: ocsp-external-certs-ca-${{ matrix.os }}
          path: |
            /tmp/artifacts/ca

      - name: Upload artifacts from OCSP container
        if: always()
        uses: actions/upload-artifact@v2
        with:
          name: ocsp-external-certs-ocsp-${{ matrix.os }}
          path: |
            /tmp/artifacts/ocsp

  # docs/installation/ocsp/Installing_OCSP_Clone.md
  ocsp-clone-test:
    name: Installing OCSP Clone
    needs: [init, build]
    runs-on: ubuntu-latest
    env:
      BUILDDIR: /tmp/workdir
      PKIDIR: /tmp/workdir/pki
      COPR_REPO: "@pki/master"
    strategy:
      matrix: ${{ fromJSON(needs.init.outputs.matrix) }}
    steps:
      - name: Clone repository
        uses: actions/checkout@v2

      - name: Download runner images
        uses: actions/download-artifact@v2
        with:
          name: pki-runner-${{ matrix.os }}
          path: /tmp

      - name: Load runner image
        run: docker load --input /tmp/pki-runner.tar

      - name: Create network
        run: docker network create example

      - name: Run primary container
        run: |
          IMAGE=pki-runner \
          NAME=primary \
          HOSTNAME=primary.example.com \
          tests/bin/runner-init.sh

      - name: Connect primary container to network
        run: docker network connect example primary --alias primary.example.com

      - name: Install dependencies in primary container
        run: docker exec primary dnf install -y 389-ds-base

      - name: Install DS in primary container
        run: docker exec primary ${PKIDIR}/tests/bin/ds-create.sh

      - name: Install primary CA in primary container
        run: docker exec primary pkispawn -f /usr/share/pki/server/examples/installation/ca.cfg -s CA -v

      - name: Install primary OCSP in primary container
        run: docker exec primary pkispawn -f /usr/share/pki/server/examples/installation/ocsp.cfg -s OCSP -v

      - name: Setup secondary container
        run: |
          IMAGE=pki-runner \
          NAME=secondary \
          HOSTNAME=secondary.example.com \
          tests/bin/runner-init.sh

      - name: Connect secondary container to network
        run: docker network connect example secondary --alias secondary.example.com

      - name: Install dependencies in secondary container
        run: docker exec secondary dnf install -y 389-ds-base

      - name: Install DS in secondary container
        run: docker exec secondary ${PKIDIR}/tests/bin/ds-create.sh

      - name: Install CA in secondary container
        run: |
          docker exec primary pki-server cert-export ca_signing --cert-file ${PKIDIR}/ca_signing.crt
          docker exec primary pki-server ca-clone-prepare --pkcs12-file ${PKIDIR}/ca-certs.p12 --pkcs12-password Secret.123
          docker exec secondary cp ${PKIDIR}/ca_signing.crt .
          docker exec secondary cp ${PKIDIR}/ca-certs.p12 .
          docker exec secondary pkispawn -f /usr/share/pki/server/examples/installation/ca-clone.cfg -s CA -v

      - name: Install OCSP in secondary container
        run: |
          docker exec primary pki-server ocsp-clone-prepare --pkcs12-file ${PKIDIR}/ocsp-certs.p12 --pkcs12-password Secret.123
          docker exec secondary cp ${PKIDIR}/ocsp-certs.p12 .
          docker exec secondary pkispawn -f /usr/share/pki/server/examples/installation/ocsp-clone.cfg -s OCSP -v

      - name: Verify OCSP admin in secondary container
        run: |
          docker exec primary cp /root/.dogtag/pki-tomcat/ca_admin_cert.p12 ${PKIDIR}/ca_admin_cert.p12
          docker exec primary cp /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf ${PKIDIR}/pkcs12_password.conf
          docker exec secondary pki client-cert-import ca_signing --ca-cert ca_signing.crt
          docker exec secondary pki client-cert-import \
              --pkcs12 ${PKIDIR}/ca_admin_cert.p12 \
              --pkcs12-password-file ${PKIDIR}/pkcs12_password.conf
          docker exec secondary pki -n caadmin ocsp-user-show ocspadmin

      - name: Setup tertiary container
        run: |
          IMAGE=pki-runner \
          NAME=tertiary \
          HOSTNAME=tertiary.example.com \
          tests/bin/runner-init.sh

      - name: Connect tertiary container to network
        run: docker network connect example tertiary --alias tertiary.example.com

      - name: Install dependencies in tertiary container
        run: docker exec tertiary dnf install -y 389-ds-base

      - name: Install DS in tertiary container
        run: docker exec tertiary ${PKIDIR}/tests/bin/ds-create.sh

      - name: Install CA in tertiary container
        run: |
          docker exec secondary pki-server cert-export ca_signing --cert-file ${PKIDIR}/ca_signing.crt
          docker exec secondary pki-server ca-clone-prepare --pkcs12-file ${PKIDIR}/ca-certs.p12 --pkcs12-password Secret.123
          docker exec tertiary cp ${PKIDIR}/ca_signing.crt .
          docker exec tertiary cp ${PKIDIR}/ca-certs.p12 .
          docker exec tertiary pkispawn -f /usr/share/pki/server/examples/installation/ca-clone-of-clone.cfg -s CA -v

      - name: Install OCSP in tertiary container
        run: |
          docker exec secondary pki-server ocsp-clone-prepare --pkcs12-file ${PKIDIR}/ocsp-certs.p12 --pkcs12-password Secret.123
          docker exec tertiary cp ${PKIDIR}/ocsp-certs.p12 .
          docker exec tertiary pkispawn -f /usr/share/pki/server/examples/installation/ocsp-clone-of-clone.cfg -s OCSP -v

      - name: Verify OCSP admin in tertiary container
        run: |
          docker exec tertiary pki client-cert-import ca_signing --ca-cert ca_signing.crt
          docker exec tertiary pki client-cert-import \
              --pkcs12 ${PKIDIR}/ca_admin_cert.p12 \
              --pkcs12-password-file ${PKIDIR}/pkcs12_password.conf
          docker exec tertiary pki -n caadmin ocsp-user-show ocspadmin

      - name: Gather artifacts from primary container
        if: always()
        run: |
          tests/bin/ds-artifacts-save.sh primary
          tests/bin/pki-artifacts-save.sh primary

      - name: Gather artifacts from secondary container
        if: always()
        run: |
          tests/bin/ds-artifacts-save.sh secondary
          tests/bin/pki-artifacts-save.sh secondary

      - name: Gather artifacts from tertiary container
        if: always()
        run: |
          tests/bin/ds-artifacts-save.sh tertiary
          tests/bin/pki-artifacts-save.sh tertiary

      - name: Remove OCSP from tertiary container
        run: docker exec tertiary pkidestroy -i pki-tomcat -s OCSP -v

      - name: Remove CA from tertiary container
        run: docker exec tertiary pkidestroy -i pki-tomcat -s CA -v

      - name: Remove DS from tertiary container
        run: docker exec tertiary ${PKIDIR}/tests/bin/ds-remove.sh

      - name: Disconnect tertiary container from network
        run: docker network disconnect example tertiary

      - name: Remove OCSP from secondary container
        run: docker exec secondary pkidestroy -i pki-tomcat -s OCSP -v

      - name: Remove CA from secondary container
        run: docker exec secondary pkidestroy -i pki-tomcat -s CA -v

      - name: Remove DS from secondary container
        run: docker exec secondary ${PKIDIR}/tests/bin/ds-remove.sh

      - name: Disconnect secondary container from network
        run: docker network disconnect example secondary

      - name: Remove OCSP from primary container
        run: docker exec primary pkidestroy -i pki-tomcat -s OCSP -v

      - name: Remove CA from primary container
        run: docker exec primary pkidestroy -i pki-tomcat -s CA -v

      - name: Remove DS from primary container
        run: docker exec primary ${PKIDIR}/tests/bin/ds-remove.sh

      - name: Disconnect primary container from network
        run: docker network disconnect example primary

      - name: Remove network
        run: docker network rm example

      - name: Upload artifacts from primary container
        if: always()
        uses: actions/upload-artifact@v2
        with:
          name: ocsp-clone-primary-${{ matrix.os }}
          path: |
            /tmp/artifacts/primary

      - name: Upload artifacts from secondary container
        if: always()
        uses: actions/upload-artifact@v2
        with:
          name: ocsp-clone-secondary-${{ matrix.os }}
          path: |
            /tmp/artifacts/secondary

      - name: Upload artifacts from tertiary container
        if: always()
        uses: actions/upload-artifact@v2
        with:
          name: ocsp-clone-tertiary-${{ matrix.os }}
          path: |
            /tmp/artifacts/tertiary

  ocsp-standalone-test:
    name: Installing Standalone OCSP
    needs: [init, build]
    runs-on: ubuntu-latest
    env:
      BUILDDIR: /tmp/workdir
      PKIDIR: /tmp/workdir/pki
      COPR_REPO: "@pki/master"
    strategy:
      matrix: ${{ fromJSON(needs.init.outputs.matrix) }}
    steps:
      - name: Clone repository
        uses: actions/checkout@v2

      - name: Download runner image
        uses: actions/download-artifact@v2
        with:
          name: pki-runner-${{ matrix.os }}
          path: /tmp

      - name: Load runner image
        run: docker load --input /tmp/pki-runner.tar

      - name: Run container
        run: |
          IMAGE=pki-runner \
          NAME=pki \
          HOSTNAME=pki.example.com \
          tests/bin/runner-init.sh

      - name: Install dependencies
        run: docker exec pki dnf install -y 389-ds-base

      - name: Install DS
        run: docker exec pki ${PKIDIR}/tests/bin/ds-create.sh

      - name: Create CA signing cert
        run: |
          docker exec pki pki -d nssdb nss-cert-request \
              --subject "CN=CA Signing Certificate" \
              --ext /usr/share/pki/server/certs/ca_signing.conf \
              --csr ca_signing.csr
          docker exec pki pki -d nssdb nss-cert-issue \
              --csr ca_signing.csr \
              --ext /usr/share/pki/server/certs/ca_signing.conf \
              --serial 1 \
              --cert ca_signing.crt
          docker exec pki pki -d nssdb nss-cert-import \
              --cert ca_signing.crt \
              --trust CT,C,C \
              ca_signing

      - name: Install OCSP (step 1)
        run: |
          docker exec pki pkispawn -f /usr/share/pki/server/examples/installation/ocsp-standalone-step1.cfg -s OCSP -v

      - name: Issue OCSP signing cert
        run: |
          docker exec pki pki -d nssdb nss-cert-issue \
              --issuer ca_signing \
              --csr ocsp_signing.csr \
              --ext /usr/share/pki/server/certs/ocsp_signing.conf \
              --serial 2 \
              --cert ocsp_signing.crt

      - name: Issue subsystem cert
        run: |
          docker exec pki pki -d nssdb nss-cert-issue \
              --issuer ca_signing \
              --csr subsystem.csr \
              --ext /usr/share/pki/server/certs/subsystem.conf \
              --serial 3 \
              --cert subsystem.crt

      - name: Issue SSL server cert
        run: |
          docker exec pki pki -d nssdb nss-cert-issue \
              --issuer ca_signing \
              --csr sslserver.csr \
              --ext /usr/share/pki/server/certs/sslserver.conf \
              --serial 4 \
              --cert sslserver.crt

      - name: Issue OCSP audit signing cert
        run: |
          docker exec pki pki -d nssdb nss-cert-issue \
              --issuer ca_signing \
              --csr ocsp_audit_signing.csr \
              --ext /usr/share/pki/server/certs/audit_signing.conf \
              --serial 5 \
              --cert ocsp_audit_signing.crt

      - name: Issue OCSP admin cert
        run: |
          docker exec pki pki -d nssdb nss-cert-issue \
              --issuer ca_signing \
              --csr ocsp_admin.csr \
              --ext /usr/share/pki/server/certs/admin.conf \
              --serial 6 \
              --cert ocsp_admin.crt

      - name: Install OCSP (step 2)
        run: |
          docker exec pki pkispawn -f /usr/share/pki/server/examples/installation/ocsp-standalone-step2.cfg -s OCSP -v

      # TODO: Fix DogtagOCSPConnectivityCheck to work without CA
      # - name: Run PKI healthcheck
      #   run: docker exec pki pki-healthcheck --debug

      - name: Verify admin user
        run: |
          docker exec pki pki client-cert-import ca_signing --ca-cert ca_signing.crt
          docker exec pki pki client-cert-import \
              --pkcs12 /root/.dogtag/pki-tomcat/ocsp_admin_cert.p12 \
              --pkcs12-password-file /root/.dogtag/pki-tomcat/ocsp/pkcs12_password.conf
          docker exec pki pki -n ocspadmin ocsp-user-show ocspadmin

      - name: Gather artifacts
        if: always()
        run: |
          tests/bin/ds-artifacts-save.sh pki
          tests/bin/pki-artifacts-save.sh pki

      - name: Remove OCSP
        run: docker exec pki pkidestroy -i pki-tomcat -s OCSP -v

      - name: Remove DS
        run: docker exec pki ${PKIDIR}/tests/bin/ds-remove.sh

      - name: Upload artifacts
        if: always()
        uses: actions/upload-artifact@v2
        with:
          name: ocsp-standalone-${{ matrix.os }}
          path: |
            /tmp/artifacts/pki