RHCS-4630 (part 2) Add SHA-2 support to Server-side Keygen #106
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: CA Tests | |
| on: [push, pull_request] | |
| jobs: | |
| init: | |
| name: Initialization | |
| uses: ./.github/workflows/init.yml | |
| secrets: inherit | |
| build: | |
| name: Waiting for build | |
| needs: init | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Wait for build | |
| uses: lewagon/[email protected] | |
| with: | |
| ref: ${{ github.ref }} | |
| check-name: 'Building PKI' | |
| repo-token: ${{ secrets.GITHUB_TOKEN }} | |
| wait-interval: 30 | |
| if: github.event_name == 'push' | |
| - name: Wait for build | |
| uses: lewagon/[email protected] | |
| with: | |
| ref: ${{ github.event.pull_request.head.sha }} | |
| check-name: 'Building PKI' | |
| repo-token: ${{ secrets.GITHUB_TOKEN }} | |
| wait-interval: 30 | |
| if: github.event_name == 'pull_request' | |
| # docs/installation/ca/Installing_CA.md | |
| ca-test: | |
| name: Testing CA | |
| needs: [init, build] | |
| runs-on: ubuntu-latest | |
| env: | |
| PKIDIR: /tmp/workdir/pki | |
| steps: | |
| - name: Clone repository | |
| uses: actions/checkout@v3 | |
| - name: Retrieve pki-runner image | |
| uses: actions/cache@v3 | |
| with: | |
| key: pki-runner-${{ github.sha }} | |
| path: pki-runner.tar | |
| - name: Load runner image | |
| run: docker load --input pki-runner.tar | |
| - name: Run container | |
| run: | | |
| IMAGE=pki-runner \ | |
| NAME=pki \ | |
| HOSTNAME=pki.example.com \ | |
| tests/bin/runner-init.sh | |
| - name: Install dependencies | |
| run: docker exec pki dnf install -y 389-ds-base | |
| - name: Install DS | |
| run: docker exec pki ${PKIDIR}/tests/bin/ds-create.sh | |
| - name: Install CA | |
| run: | | |
| docker exec pki pkispawn -f /usr/share/pki/server/examples/installation/ca.cfg -s CA -v | |
| # set buffer size to 0 so that revocation takes effect immediately | |
| docker exec pki pki-server ca-config-set auths.revocationChecking.bufferSize 0 | |
| docker exec pki pki-server restart --wait | |
| - name: Run PKI healthcheck | |
| run: docker exec pki pki-healthcheck --failures-only | |
| - name: Verify CA admin | |
| run: | | |
| docker exec pki pki-server cert-export ca_signing --cert-file ca_signing.crt | |
| docker exec pki pki client-cert-import ca_signing --ca-cert ca_signing.crt | |
| docker exec pki pki client-cert-import \ | |
| --pkcs12 /root/.dogtag/pki-tomcat/ca_admin_cert.p12 \ | |
| --pkcs12-password-file /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf | |
| docker exec pki pki -n caadmin ca-user-show caadmin | |
| - name: Verify creating CA agent | |
| run: | | |
| docker exec pki /usr/share/pki/tests/ca/bin/ca-agent-create.sh | |
| - name: Verify creating, revoking, and unrevoking CA agent cert | |
| run: | | |
| docker exec pki /usr/share/pki/tests/ca/bin/ca-agent-cert-create.sh | |
| docker exec pki /usr/share/pki/tests/ca/bin/ca-agent-cert-revoke.sh | |
| docker exec pki /usr/share/pki/tests/ca/bin/ca-agent-cert-unrevoke.sh | |
| - name: Gather artifacts | |
| if: always() | |
| run: | | |
| tests/bin/ds-artifacts-save.sh pki | |
| tests/bin/pki-artifacts-save.sh pki | |
| - name: Remove CA | |
| run: docker exec pki pkidestroy -i pki-tomcat -s CA -v | |
| - name: Remove DS | |
| run: docker exec pki ${PKIDIR}/tests/bin/ds-remove.sh | |
| - name: Upload artifacts | |
| if: always() | |
| uses: actions/upload-artifact@v3 | |
| with: | |
| name: ca | |
| path: | | |
| /tmp/artifacts/pki | |
| # docs/installation/ca/Installing_CA_with_ECC.md | |
| ca-ecc-test: | |
| name: Testing CA with ECC | |
| needs: [init, build] | |
| runs-on: ubuntu-latest | |
| env: | |
| PKIDIR: /tmp/workdir/pki | |
| steps: | |
| - name: Clone repository | |
| uses: actions/checkout@v3 | |
| - name: Retrieve pki-runner image | |
| uses: actions/cache@v3 | |
| with: | |
| key: pki-runner-${{ github.sha }} | |
| path: pki-runner.tar | |
| - name: Load runner image | |
| run: docker load --input pki-runner.tar | |
| - name: Run container | |
| run: | | |
| IMAGE=pki-runner \ | |
| NAME=pki \ | |
| HOSTNAME=pki.example.com \ | |
| tests/bin/runner-init.sh | |
| - name: Install dependencies | |
| run: docker exec pki dnf install -y 389-ds-base | |
| - name: Install DS | |
| run: docker exec pki ${PKIDIR}/tests/bin/ds-create.sh | |
| - name: Install CA | |
| run: docker exec pki pkispawn -f /usr/share/pki/server/examples/installation/ca-ecc.cfg -s CA -v | |
| - name: Run PKI healthcheck | |
| run: docker exec pki pki-healthcheck --failures-only | |
| - name: Verify system keys | |
| run: | | |
| docker exec pki bash -c "echo Secret.123 > password.txt" | |
| docker exec pki certutil -K -d /etc/pki/pki-tomcat/alias -f password.txt | |
| echo "ec" > expected | |
| docker exec pki bash -c "certutil -K -d /etc/pki/pki-tomcat/alias -f password.txt | grep ca_signing | sed -n 's/<.*>\s\(\S\+\)\s.*/\1/p' > ${PKIDIR}/actual" | |
| diff expected actual | |
| docker exec pki bash -c "certutil -K -d /etc/pki/pki-tomcat/alias -f password.txt | grep ca_ocsp_signing | sed -n 's/<.*>\s\(\S\+\)\s.*/\1/p' > ${PKIDIR}/actual" | |
| diff expected actual | |
| docker exec pki bash -c "certutil -K -d /etc/pki/pki-tomcat/alias -f password.txt | grep ca_audit_signing | sed -n 's/<.*>\s\(\S\+\)\s.*/\1/p' > ${PKIDIR}/actual" | |
| diff expected actual | |
| docker exec pki bash -c "certutil -K -d /etc/pki/pki-tomcat/alias -f password.txt | grep subsystem | sed -n 's/<.*>\s\(\S\+\)\s.*/\1/p' > ${PKIDIR}/actual" | |
| diff expected actual | |
| docker exec pki bash -c "certutil -K -d /etc/pki/pki-tomcat/alias -f password.txt | grep sslserver | sed -n 's/<.*>\s\(\S\+\)\s.*/\1/p' > ${PKIDIR}/actual" | |
| diff expected actual | |
| - name: Verify CA admin | |
| run: | | |
| docker exec pki pki-server cert-export ca_signing --cert-file ca_signing.crt | |
| docker exec pki pki client-cert-import ca_signing --ca-cert ca_signing.crt | |
| docker exec pki pki client-cert-import \ | |
| --pkcs12 /root/.dogtag/pki-tomcat/ca_admin_cert.p12 \ | |
| --pkcs12-password-file /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf | |
| docker exec pki pki -n caadmin ca-user-show caadmin | |
| - name: Gather artifacts | |
| if: always() | |
| run: | | |
| tests/bin/ds-artifacts-save.sh pki | |
| tests/bin/pki-artifacts-save.sh pki | |
| - name: Remove CA | |
| run: docker exec pki pkidestroy -i pki-tomcat -s CA -v | |
| - name: Remove DS | |
| run: docker exec pki ${PKIDIR}/tests/bin/ds-remove.sh | |
| - name: Upload artifacts | |
| if: always() | |
| uses: actions/upload-artifact@v3 | |
| with: | |
| name: ca-ecc | |
| path: | | |
| /tmp/artifacts/pki | |
| # docs/installation/ca/Installing_Subordinate_CA.md | |
| subca-test: | |
| name: Testing subordinate CA | |
| needs: [init, build] | |
| runs-on: ubuntu-latest | |
| env: | |
| PKIDIR: /tmp/workdir/pki | |
| steps: | |
| - name: Clone repository | |
| uses: actions/checkout@v3 | |
| - name: Retrieve pki-runner image | |
| uses: actions/cache@v3 | |
| with: | |
| key: pki-runner-${{ github.sha }} | |
| path: pki-runner.tar | |
| - name: Load runner image | |
| run: docker load --input pki-runner.tar | |
| - name: Create network | |
| run: docker network create example | |
| - name: Run root container | |
| run: | | |
| IMAGE=pki-runner \ | |
| NAME=root \ | |
| HOSTNAME=root.example.com \ | |
| tests/bin/runner-init.sh | |
| - name: Connect root container to network | |
| run: docker network connect example root --alias root.example.com | |
| - name: Install dependencies in root container | |
| run: docker exec root dnf install -y 389-ds-base | |
| - name: Install DS in root container | |
| run: docker exec root ${PKIDIR}/tests/bin/ds-create.sh | |
| - name: Install root CA in root container | |
| run: docker exec root pkispawn -f /usr/share/pki/server/examples/installation/ca.cfg -s CA -v | |
| - name: Install banner in root container | |
| run: docker exec root cp /usr/share/pki/server/examples/banner/banner.txt /etc/pki/pki-tomcat | |
| - name: Setup subordinate container | |
| run: | | |
| IMAGE=pki-runner \ | |
| NAME=subordinate \ | |
| HOSTNAME=sub.example.com \ | |
| tests/bin/runner-init.sh | |
| - name: Connect subordinate container to network | |
| run: docker network connect example subordinate --alias sub.example.com | |
| - name: Install dependencies in subordinate container | |
| run: docker exec subordinate dnf install -y 389-ds-base | |
| - name: Install DS in subordinate container | |
| run: docker exec subordinate ${PKIDIR}/tests/bin/ds-create.sh | |
| - name: Install subordinate CA in subordinate container | |
| run: | | |
| docker exec root pki-server cert-export ca_signing --cert-file ${PKIDIR}/root-ca_signing.crt | |
| docker exec subordinate cp ${PKIDIR}/root-ca_signing.crt . | |
| docker exec subordinate pkispawn -f /usr/share/pki/server/examples/installation/subca.cfg -s CA -v | |
| - name: Install banner in subordinate container | |
| run: docker exec subordinate cp /usr/share/pki/server/examples/banner/banner.txt /etc/pki/pki-tomcat | |
| - name: Run PKI healthcheck | |
| run: docker exec subordinate pki-healthcheck --failures-only | |
| - name: Verify CA admin | |
| run: | | |
| docker exec subordinate pki client-cert-import ca_signing --ca-cert root-ca_signing.crt | |
| docker exec subordinate pki client-cert-import \ | |
| --pkcs12 /root/.dogtag/pki-tomcat/ca_admin_cert.p12 \ | |
| --pkcs12-password-file /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf | |
| docker exec subordinate pki -n caadmin --ignore-banner ca-user-show caadmin | |
| - name: Gather artifacts from root container | |
| if: always() | |
| run: | | |
| tests/bin/ds-artifacts-save.sh root | |
| tests/bin/pki-artifacts-save.sh root | |
| - name: Gather artifacts from subordinate container | |
| if: always() | |
| run: | | |
| tests/bin/ds-artifacts-save.sh subordinate | |
| tests/bin/pki-artifacts-save.sh subordinate | |
| - name: Remove subordinate CA from subordinate container | |
| run: docker exec subordinate pkidestroy -i pki-tomcat -s CA -v | |
| - name: Remove DS from subordinate container | |
| run: docker exec subordinate ${PKIDIR}/tests/bin/ds-remove.sh | |
| - name: Disconnect subordinate container from network | |
| run: docker network disconnect example subordinate | |
| - name: Remove root CA from root container | |
| run: docker exec root pkidestroy -i pki-tomcat -s CA -v | |
| - name: Remove DS from root container | |
| run: docker exec root ${PKIDIR}/tests/bin/ds-remove.sh | |
| - name: Disconnect root container from network | |
| run: docker network disconnect example root | |
| - name: Remove network | |
| run: docker network rm example | |
| - name: Upload artifacts from root container | |
| if: always() | |
| uses: actions/upload-artifact@v3 | |
| with: | |
| name: ca-root | |
| path: | | |
| /tmp/artifacts/root | |
| - name: Upload artifacts from subordinate container | |
| if: always() | |
| uses: actions/upload-artifact@v3 | |
| with: | |
| name: ca-subordinate | |
| path: | | |
| /tmp/artifacts/subordinate | |
| # docs/installation/ca/Installing_CA_with_External_CA_Signing_Certificate.md | |
| ca-external-cert-test: | |
| name: Testing CA with external signing certificate | |
| needs: [init, build] | |
| runs-on: ubuntu-latest | |
| env: | |
| PKIDIR: /tmp/workdir/pki | |
| steps: | |
| - name: Clone repository | |
| uses: actions/checkout@v3 | |
| - name: Retrieve pki-runner image | |
| uses: actions/cache@v3 | |
| with: | |
| key: pki-runner-${{ github.sha }} | |
| path: pki-runner.tar | |
| - name: Load runner image | |
| run: docker load --input pki-runner.tar | |
| - name: Setup PKI container | |
| run: | | |
| IMAGE=pki-runner \ | |
| NAME=pki \ | |
| HOSTNAME=pki.example.com \ | |
| tests/bin/runner-init.sh | |
| - name: Install dependencies | |
| run: docker exec pki dnf install -y 389-ds-base | |
| - name: Install DS | |
| run: docker exec pki ${PKIDIR}/tests/bin/ds-create.sh | |
| - name: Create root CA in NSS database | |
| run: | | |
| docker exec pki pki -d nssdb nss-cert-request \ | |
| --subject "CN=Root CA Signing Certificate" \ | |
| --ext /usr/share/pki/server/certs/ca_signing.conf \ | |
| --csr root-ca_signing.csr | |
| docker exec pki pki -d nssdb nss-cert-issue \ | |
| --csr root-ca_signing.csr \ | |
| --ext /usr/share/pki/server/certs/ca_signing.conf \ | |
| --cert root-ca_signing.crt | |
| docker exec pki pki -d nssdb nss-cert-import \ | |
| --cert root-ca_signing.crt \ | |
| --trust CT,C,C \ | |
| root-ca_signing | |
| - name: Install subordinate CA | |
| run: | | |
| docker exec pki pkispawn -f /usr/share/pki/server/examples/installation/ca-external-cert-step1.cfg -s CA -v | |
| docker exec pki pki -d nssdb nss-cert-issue \ | |
| --issuer root-ca_signing \ | |
| --csr ca_signing.csr \ | |
| --ext /usr/share/pki/server/certs/ca_signing.conf \ | |
| --cert ca_signing.crt | |
| docker exec pki pkispawn -f /usr/share/pki/server/examples/installation/ca-external-cert-step2.cfg -s CA -v | |
| - name: Run PKI healthcheck | |
| run: docker exec pki pki-healthcheck --failures-only | |
| - name: Verify CA admin | |
| run: | | |
| docker exec pki pki client-cert-import ca_signing --ca-cert root-ca_signing.crt | |
| docker exec pki pki client-cert-import \ | |
| --pkcs12 /root/.dogtag/pki-tomcat/ca_admin_cert.p12 \ | |
| --pkcs12-password-file /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf | |
| docker exec pki pki -n caadmin ca-user-show caadmin | |
| - name: Gather artifacts | |
| if: always() | |
| run: | | |
| tests/bin/ds-artifacts-save.sh pki | |
| tests/bin/pki-artifacts-save.sh pki | |
| - name: Remove subordinate CA | |
| run: docker exec pki pkidestroy -i pki-tomcat -s CA -v | |
| - name: Remove DS | |
| run: docker exec pki ${PKIDIR}/tests/bin/ds-remove.sh | |
| - name: Upload artifacts | |
| if: always() | |
| uses: actions/upload-artifact@v3 | |
| with: | |
| name: ca-external-cert | |
| path: | | |
| /tmp/artifacts/pki | |
| # docs/installation/ca/Installing_CA_with_Existing_Keys_in_Internal_Token.md | |
| ca-existing-certs-test: | |
| name: Testing CA with existing certificates | |
| needs: [init, build] | |
| runs-on: ubuntu-latest | |
| env: | |
| PKIDIR: /tmp/workdir/pki | |
| steps: | |
| - name: Clone repository | |
| uses: actions/checkout@v3 | |
| - name: Retrieve pki-runner image | |
| uses: actions/cache@v3 | |
| with: | |
| key: pki-runner-${{ github.sha }} | |
| path: pki-runner.tar | |
| - name: Load runner image | |
| run: docker load --input pki-runner.tar | |
| - name: Setup PKI container | |
| run: | | |
| IMAGE=pki-runner \ | |
| NAME=pki \ | |
| HOSTNAME=pki.example.com \ | |
| tests/bin/runner-init.sh | |
| - name: Install dependencies | |
| run: docker exec pki dnf install -y 389-ds-base | |
| - name: Install DS | |
| run: docker exec pki ${PKIDIR}/tests/bin/ds-create.sh | |
| - name: Create CA signing cert | |
| run: | | |
| docker exec pki pki -d nssdb nss-cert-request \ | |
| --subject "CN=CA Signing Certificate" \ | |
| --ext /usr/share/pki/server/certs/ca_signing.conf \ | |
| --csr ca_signing.csr | |
| docker exec pki pki -d nssdb nss-cert-issue \ | |
| --csr ca_signing.csr \ | |
| --ext /usr/share/pki/server/certs/ca_signing.conf \ | |
| --serial 1 \ | |
| --cert ca_signing.crt | |
| docker exec pki pki -d nssdb nss-cert-import \ | |
| --cert ca_signing.crt \ | |
| --trust CT,C,C \ | |
| ca_signing | |
| docker exec pki bash -c "certutil -K -d nssdb | grep ca_signing | sed 's/<.*>\s\+\S\+\s\+\(\S\+\).*/\1/' > ca_signing.key" | |
| - name: Create CA OCSP signing cert | |
| run: | | |
| docker exec pki pki -d nssdb nss-cert-request \ | |
| --subject "CN=OCSP Signing Certificate" \ | |
| --ext /usr/share/pki/server/certs/ocsp_signing.conf \ | |
| --csr ca_ocsp_signing.csr | |
| docker exec pki pki -d nssdb nss-cert-issue \ | |
| --issuer ca_signing \ | |
| --csr ca_ocsp_signing.csr \ | |
| --ext /usr/share/pki/server/certs/ocsp_signing.conf \ | |
| --serial 2 \ | |
| --cert ca_ocsp_signing.crt | |
| docker exec pki pki -d nssdb nss-cert-import \ | |
| --cert ca_ocsp_signing.crt \ | |
| ca_ocsp_signing | |
| docker exec pki bash -c "certutil -K -d nssdb | grep ca_ocsp_signing | sed 's/<.*>\s\+\S\+\s\+\(\S\+\).*/\1/' > ca_ocsp_signing.key" | |
| - name: Create CA audit signing cert | |
| run: | | |
| docker exec pki pki -d nssdb nss-cert-request \ | |
| --subject "CN=Audit Signing Certificate" \ | |
| --ext /usr/share/pki/server/certs/audit_signing.conf \ | |
| --csr ca_audit_signing.csr | |
| docker exec pki pki -d nssdb nss-cert-issue \ | |
| --issuer ca_signing \ | |
| --csr ca_audit_signing.csr \ | |
| --ext /usr/share/pki/server/certs/audit_signing.conf \ | |
| --serial 3 \ | |
| --cert ca_audit_signing.crt | |
| docker exec pki pki -d nssdb nss-cert-import \ | |
| --cert ca_audit_signing.crt \ | |
| --trust ,,P \ | |
| ca_audit_signing | |
| docker exec pki bash -c "certutil -K -d nssdb | grep ca_audit_signing | sed 's/<.*>\s\+\S\+\s\+\(\S\+\).*/\1/' > ca_audit_signing.key" | |
| - name: Export CA certs | |
| run: | | |
| docker exec pki pki -d nssdb pkcs12-export \ | |
| --pkcs12 ca-certs.p12 \ | |
| --password Secret.123 | |
| docker exec pki pki pkcs12-cert-find \ | |
| --pkcs12 ca-certs.p12 \ | |
| --password Secret.123 | |
| - name: Install CA with existing certs | |
| run: | | |
| docker exec pki pkispawn -f /usr/share/pki/server/examples/installation/ca-existing-certs-step1.cfg -s CA -v | |
| sleep 1 # avoid pkispawn log conflict due to identical timestamps | |
| docker exec pki pkispawn -f /usr/share/pki/server/examples/installation/ca-existing-certs-step2.cfg -s CA -v | |
| - name: Run PKI healthcheck | |
| run: docker exec pki pki-healthcheck --failures-only | |
| - name: Verify CA keys | |
| run: | | |
| docker exec pki bash -c "echo Secret.123 > password.txt" | |
| docker exec pki bash -c "certutil -K -d /etc/pki/pki-tomcat/alias -f password.txt | grep ca_signing | sed 's/<.*>\s\+\S\+\s\+\(\S\+\).*/\1/' > ca_signing.key.new" | |
| docker exec pki diff ca_signing.key ca_signing.key.new | |
| docker exec pki bash -c "certutil -K -d /etc/pki/pki-tomcat/alias -f password.txt | grep ca_ocsp_signing | sed 's/<.*>\s\+\S\+\s\+\(\S\+\).*/\1/' > ca_ocsp_signing.key.new" | |
| docker exec pki diff ca_ocsp_signing.key ca_ocsp_signing.key.new | |
| docker exec pki bash -c "certutil -K -d /etc/pki/pki-tomcat/alias -f password.txt | grep ca_audit_signing | sed 's/<.*>\s\+\S\+\s\+\(\S\+\).*/\1/' > ca_audit_signing.key.new" | |
| docker exec pki diff ca_audit_signing.key ca_audit_signing.key.new | |
| - name: Verify CA admin | |
| run: | | |
| docker exec pki pki-server cert-export ca_signing --cert-file ca_signing.crt | |
| docker exec pki pki client-cert-import ca_signing --ca-cert ca_signing.crt | |
| docker exec pki pki client-cert-import \ | |
| --pkcs12 /root/.dogtag/pki-tomcat/ca_admin_cert.p12 \ | |
| --pkcs12-password-file /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf | |
| docker exec pki pki -n caadmin ca-user-show caadmin | |
| - name: Gather artifacts | |
| if: always() | |
| run: | | |
| tests/bin/ds-artifacts-save.sh pki | |
| tests/bin/pki-artifacts-save.sh pki | |
| - name: Remove CA | |
| run: docker exec pki pkidestroy -i pki-tomcat -s CA -v | |
| - name: Remove DS | |
| run: docker exec pki ${PKIDIR}/tests/bin/ds-remove.sh | |
| - name: Upload artifacts | |
| if: always() | |
| uses: actions/upload-artifact@v3 | |
| with: | |
| name: ca-existing-certs | |
| path: | | |
| /tmp/artifacts/pki | |
| # docs/installation/ca/Installing_CA_Clone.md | |
| ca-clone-test: | |
| name: Testing CA clone | |
| needs: [init, build] | |
| runs-on: ubuntu-latest | |
| env: | |
| PKIDIR: /tmp/workdir/pki | |
| steps: | |
| - name: Clone repository | |
| uses: actions/checkout@v3 | |
| - name: Retrieve pki-runner image | |
| uses: actions/cache@v3 | |
| with: | |
| key: pki-runner-${{ github.sha }} | |
| path: pki-runner.tar | |
| - name: Load runner image | |
| run: docker load --input pki-runner.tar | |
| - name: Create network | |
| run: docker network create example | |
| - name: Run primary container | |
| run: | | |
| IMAGE=pki-runner \ | |
| NAME=primary \ | |
| HOSTNAME=primary.example.com \ | |
| tests/bin/runner-init.sh | |
| - name: Connect primary container to network | |
| run: docker network connect example primary --alias primary.example.com | |
| - name: Install dependencies in primary container | |
| run: docker exec primary dnf install -y 389-ds-base | |
| - name: Install DS in primary container | |
| run: docker exec primary ${PKIDIR}/tests/bin/ds-create.sh | |
| - name: Install CA in primary container | |
| run: docker exec primary pkispawn -f /usr/share/pki/server/examples/installation/ca.cfg -s CA -v | |
| - name: Setup secondary container | |
| run: | | |
| IMAGE=pki-runner \ | |
| NAME=secondary \ | |
| HOSTNAME=secondary.example.com \ | |
| tests/bin/runner-init.sh | |
| - name: Connect secondary container to network | |
| run: docker network connect example secondary --alias secondary.example.com | |
| - name: Install dependencies in secondary container | |
| run: docker exec secondary dnf install -y 389-ds-base | |
| - name: Install DS in secondary container | |
| run: docker exec secondary ${PKIDIR}/tests/bin/ds-create.sh | |
| - name: Install CA in secondary container | |
| run: | | |
| docker exec primary pki-server cert-export ca_signing --cert-file ${PKIDIR}/ca_signing.crt | |
| docker exec primary pki-server ca-clone-prepare --pkcs12-file ${PKIDIR}/ca-certs.p12 --pkcs12-password Secret.123 | |
| docker exec secondary cp ${PKIDIR}/ca_signing.crt . | |
| docker exec secondary cp ${PKIDIR}/ca-certs.p12 . | |
| docker exec secondary pkispawn -f /usr/share/pki/server/examples/installation/ca-clone.cfg -s CA -v | |
| - name: Verify CA admin in secondary container | |
| run: | | |
| docker exec primary cp /root/.dogtag/pki-tomcat/ca_admin_cert.p12 ${PKIDIR}/ca_admin_cert.p12 | |
| docker exec primary cp /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf ${PKIDIR}/pkcs12_password.conf | |
| docker exec secondary pki client-cert-import ca_signing --ca-cert ca_signing.crt | |
| docker exec secondary pki client-cert-import \ | |
| --pkcs12 ${PKIDIR}/ca_admin_cert.p12 \ | |
| --pkcs12-password-file ${PKIDIR}/pkcs12_password.conf | |
| docker exec secondary pki -n caadmin ca-user-show caadmin | |
| - name: Setup tertiary container | |
| run: | | |
| IMAGE=pki-runner \ | |
| NAME=tertiary \ | |
| HOSTNAME=tertiary.example.com \ | |
| tests/bin/runner-init.sh | |
| - name: Connect tertiary container to network | |
| run: docker network connect example tertiary --alias tertiary.example.com | |
| - name: Install dependencies in tertiary container | |
| run: docker exec tertiary dnf install -y 389-ds-base | |
| - name: Install DS in tertiary container | |
| run: docker exec tertiary ${PKIDIR}/tests/bin/ds-create.sh | |
| - name: Install CA in tertiary container | |
| run: | | |
| docker exec secondary pki-server cert-export ca_signing --cert-file ${PKIDIR}/ca_signing.crt | |
| docker exec secondary pki-server ca-clone-prepare --pkcs12-file ${PKIDIR}/ca-certs.p12 --pkcs12-password Secret.123 | |
| docker exec tertiary cp ${PKIDIR}/ca_signing.crt . | |
| docker exec tertiary cp ${PKIDIR}/ca-certs.p12 . | |
| docker exec tertiary pkispawn -f /usr/share/pki/server/examples/installation/ca-clone-of-clone.cfg -s CA -v | |
| - name: Verify CA admin in tertiary container | |
| run: | | |
| docker exec tertiary pki client-cert-import ca_signing --ca-cert ca_signing.crt | |
| docker exec tertiary pki client-cert-import \ | |
| --pkcs12 ${PKIDIR}/ca_admin_cert.p12 \ | |
| --pkcs12-password-file ${PKIDIR}/pkcs12_password.conf | |
| docker exec tertiary pki -n caadmin ca-user-show caadmin | |
| - name: Gather artifacts from primary container | |
| if: always() | |
| run: | | |
| tests/bin/ds-artifacts-save.sh primary | |
| tests/bin/pki-artifacts-save.sh primary | |
| - name: Gather artifacts from secondary container | |
| if: always() | |
| run: | | |
| tests/bin/ds-artifacts-save.sh secondary | |
| tests/bin/pki-artifacts-save.sh secondary | |
| - name: Gather artifacts from tertiary container | |
| if: always() | |
| run: | | |
| tests/bin/ds-artifacts-save.sh tertiary | |
| tests/bin/pki-artifacts-save.sh tertiary | |
| - name: Remove CA from tertiary container | |
| run: docker exec tertiary pkidestroy -i pki-tomcat -s CA -v | |
| - name: Remove DS from tertiary container | |
| run: docker exec tertiary ${PKIDIR}/tests/bin/ds-remove.sh | |
| - name: Disconnect tertiary container from network | |
| run: docker network disconnect example tertiary | |
| - name: Remove CA from secondary container | |
| run: docker exec secondary pkidestroy -i pki-tomcat -s CA -v | |
| - name: Remove DS from secondary container | |
| run: docker exec secondary ${PKIDIR}/tests/bin/ds-remove.sh | |
| - name: Disconnect secondary container from network | |
| run: docker network disconnect example secondary | |
| - name: Remove CA from primary container | |
| run: docker exec primary pkidestroy -i pki-tomcat -s CA -v | |
| - name: Remove DS from primary container | |
| run: docker exec primary ${PKIDIR}/tests/bin/ds-remove.sh | |
| - name: Disconnect primary container from network | |
| run: docker network disconnect example primary | |
| - name: Remove network | |
| run: docker network rm example | |
| - name: Upload artifacts from primary container | |
| if: always() | |
| uses: actions/upload-artifact@v3 | |
| with: | |
| name: ca-clone-primary | |
| path: | | |
| /tmp/artifacts/primary | |
| - name: Upload artifacts from secondary container | |
| if: always() | |
| uses: actions/upload-artifact@v3 | |
| with: | |
| name: ca-clone-secondary | |
| path: | | |
| /tmp/artifacts/secondary | |
| - name: Upload artifacts from tertiary container | |
| if: always() | |
| uses: actions/upload-artifact@v3 | |
| with: | |
| name: ca-clone-tertiary | |
| path: | | |
| /tmp/artifacts/tertiary | |
| # docs/installation/ca/Installing_CA_with_Secure_Database_Connection.md | |
| ca-secure-ds-test: | |
| name: Testing CA with secure DS | |
| needs: [init, build] | |
| runs-on: ubuntu-latest | |
| env: | |
| PKIDIR: /tmp/workdir/pki | |
| steps: | |
| - name: Clone repository | |
| uses: actions/checkout@v3 | |
| - name: Retrieve pki-runner image | |
| uses: actions/cache@v3 | |
| with: | |
| key: pki-runner-${{ github.sha }} | |
| path: pki-runner.tar | |
| - name: Load runner image | |
| run: docker load --input pki-runner.tar | |
| - name: Run container | |
| run: | | |
| IMAGE=pki-runner \ | |
| NAME=pki \ | |
| HOSTNAME=pki.example.com \ | |
| tests/bin/runner-init.sh | |
| - name: Install dependencies | |
| run: docker exec pki dnf install -y 389-ds-base | |
| - name: Install DS | |
| run: docker exec pki ${PKIDIR}/tests/bin/ds-create.sh | |
| - name: Create DS signing cert | |
| run: | | |
| docker exec pki pki \ | |
| -d /etc/dirsrv/slapd-localhost \ | |
| -C /etc/dirsrv/slapd-localhost/pwdfile.txt \ | |
| nss-cert-request \ | |
| --subject "CN=DS Signing Certificate" \ | |
| --ext /usr/share/pki/server/certs/ca_signing.conf \ | |
| --csr ds_signing.csr | |
| docker exec pki pki \ | |
| -d /etc/dirsrv/slapd-localhost \ | |
| -C /etc/dirsrv/slapd-localhost/pwdfile.txt \ | |
| nss-cert-issue \ | |
| --csr ds_signing.csr \ | |
| --ext /usr/share/pki/server/certs/ca_signing.conf \ | |
| --cert ds_signing.crt | |
| docker exec pki pki \ | |
| -d /etc/dirsrv/slapd-localhost \ | |
| -C /etc/dirsrv/slapd-localhost/pwdfile.txt \ | |
| nss-cert-import \ | |
| --cert ds_signing.crt \ | |
| --trust CT,C,C \ | |
| Self-Signed-CA | |
| docker exec pki certutil -L -d /etc/dirsrv/slapd-localhost | |
| - name: Create DS server cert | |
| run: | | |
| docker exec pki pki \ | |
| -d /etc/dirsrv/slapd-localhost \ | |
| -C /etc/dirsrv/slapd-localhost/pwdfile.txt \ | |
| nss-cert-request \ | |
| --subject "CN=pki.example.com" \ | |
| --ext /usr/share/pki/server/certs/sslserver.conf \ | |
| --csr ds_server.csr | |
| docker exec pki pki \ | |
| -d /etc/dirsrv/slapd-localhost \ | |
| -C /etc/dirsrv/slapd-localhost/pwdfile.txt \ | |
| nss-cert-issue \ | |
| --issuer Self-Signed-CA \ | |
| --csr ds_server.csr \ | |
| --ext /usr/share/pki/server/certs/sslserver.conf \ | |
| --cert ds_server.crt | |
| docker exec pki pki \ | |
| -d /etc/dirsrv/slapd-localhost \ | |
| -C /etc/dirsrv/slapd-localhost/pwdfile.txt \ | |
| nss-cert-import \ | |
| --cert ds_server.crt \ | |
| Server-Cert | |
| docker exec pki certutil -L -d /etc/dirsrv/slapd-localhost | |
| - name: Enable DS security | |
| run: | | |
| docker exec pki dsconf localhost config replace nsslapd-security=on | |
| docker exec pki dsctl localhost restart | |
| docker exec pki sleep 10 | |
| docker exec -e LDAPTLS_CACERT=/ds_signing.crt pki ldapsearch -H ldaps://pki.example.com:636 -x -b "" -s base \* + | |
| - name: Install CA | |
| run: docker exec pki pkispawn -f /usr/share/pki/server/examples/installation/ca-secure-ds.cfg -s CA -v | |
| - name: Run PKI healthcheck | |
| run: docker exec pki pki-healthcheck --failures-only | |
| - name: Verify DS connection | |
| run: | | |
| docker exec pki pki-server ca-db-config-show > output | |
| cat output | |
| echo "pki.example.com" > expected | |
| sed -n 's/^\s\+Hostname:\s\+\(\S\+\)$/\1/p' output > actual | |
| diff expected actual | |
| echo "636" > expected | |
| sed -n 's/^\s\+Port:\s\+\(\S\+\)$/\1/p' output > actual | |
| diff expected actual | |
| echo "true" > expected | |
| sed -n 's/^\s\+Secure:\s\+\(\S\+\)$/\1/p' output > actual | |
| diff expected actual | |
| - name: Verify CA admin | |
| run: | | |
| docker exec pki pki-server cert-export ca_signing --cert-file ca_signing.crt | |
| docker exec pki pki client-cert-import ca_signing --ca-cert ca_signing.crt | |
| docker exec pki pki client-cert-import \ | |
| --pkcs12 /root/.dogtag/pki-tomcat/ca_admin_cert.p12 \ | |
| --pkcs12-password-file /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf | |
| docker exec pki pki -n caadmin ca-user-show caadmin | |
| - name: Gather artifacts | |
| if: always() | |
| run: | | |
| tests/bin/ds-artifacts-save.sh pki | |
| tests/bin/pki-artifacts-save.sh pki | |
| - name: Remove CA | |
| run: docker exec pki pkidestroy -i pki-tomcat -s CA -v | |
| - name: Remove DS | |
| run: docker exec pki ${PKIDIR}/tests/bin/ds-remove.sh | |
| - name: Upload artifacts | |
| if: always() | |
| uses: actions/upload-artifact@v3 | |
| with: | |
| name: ca-secure-ds | |
| path: | | |
| /tmp/artifacts/pki | |
| # docs/installation/ca/Installing_CA_Clone.md | |
| # docs/installation/ca/Installing_CA_with_Secure_Database_Connection.md | |
| ca-clone-secure-ds-test: | |
| name: Testing CA clone with secure DS | |
| needs: [init, build] | |
| runs-on: ubuntu-latest | |
| env: | |
| PKIDIR: /tmp/workdir/pki | |
| steps: | |
| - name: Clone repository | |
| uses: actions/checkout@v3 | |
| - name: Retrieve pki-runner image | |
| uses: actions/cache@v3 | |
| with: | |
| key: pki-runner-${{ github.sha }} | |
| path: pki-runner.tar | |
| - name: Load runner image | |
| run: docker load --input pki-runner.tar | |
| - name: Create network | |
| run: docker network create example | |
| - name: Run primary container | |
| run: | | |
| IMAGE=pki-runner \ | |
| NAME=primary \ | |
| HOSTNAME=primary.example.com \ | |
| tests/bin/runner-init.sh | |
| - name: Connect primary container to network | |
| run: docker network connect example primary --alias primary.example.com | |
| - name: Install dependencies in primary container | |
| run: docker exec primary dnf install -y 389-ds-base | |
| - name: Install DS in primary container | |
| run: docker exec primary ${PKIDIR}/tests/bin/ds-create.sh | |
| - name: Create DS signing cert in primary container | |
| run: | | |
| docker exec primary pki \ | |
| -d /etc/dirsrv/slapd-localhost \ | |
| -C /etc/dirsrv/slapd-localhost/pwdfile.txt \ | |
| nss-cert-request \ | |
| --subject "CN=DS Signing Certificate" \ | |
| --ext /usr/share/pki/server/certs/ca_signing.conf \ | |
| --csr ds_signing.csr | |
| docker exec primary pki \ | |
| -d /etc/dirsrv/slapd-localhost \ | |
| -C /etc/dirsrv/slapd-localhost/pwdfile.txt \ | |
| nss-cert-issue \ | |
| --csr ds_signing.csr \ | |
| --ext /usr/share/pki/server/certs/ca_signing.conf \ | |
| --cert ds_signing.crt | |
| docker exec primary pki \ | |
| -d /etc/dirsrv/slapd-localhost \ | |
| -C /etc/dirsrv/slapd-localhost/pwdfile.txt \ | |
| nss-cert-import \ | |
| --cert ds_signing.crt \ | |
| --trust CT,C,C \ | |
| Self-Signed-CA | |
| docker exec primary certutil -L -d /etc/dirsrv/slapd-localhost | |
| - name: Create DS server cert in primary container | |
| run: | | |
| docker exec primary pki \ | |
| -d /etc/dirsrv/slapd-localhost \ | |
| -C /etc/dirsrv/slapd-localhost/pwdfile.txt \ | |
| nss-cert-request \ | |
| --subject "CN=primary.example.com" \ | |
| --ext /usr/share/pki/server/certs/sslserver.conf \ | |
| --csr ds_server.csr | |
| docker exec primary pki \ | |
| -d /etc/dirsrv/slapd-localhost \ | |
| -C /etc/dirsrv/slapd-localhost/pwdfile.txt \ | |
| nss-cert-issue \ | |
| --issuer Self-Signed-CA \ | |
| --csr ds_server.csr \ | |
| --ext /usr/share/pki/server/certs/sslserver.conf \ | |
| --cert ds_server.crt | |
| docker exec primary pki \ | |
| -d /etc/dirsrv/slapd-localhost \ | |
| -C /etc/dirsrv/slapd-localhost/pwdfile.txt \ | |
| nss-cert-import \ | |
| --cert ds_server.crt \ | |
| Server-Cert | |
| docker exec primary certutil -L -d /etc/dirsrv/slapd-localhost | |
| - name: Enable DS security in primary container | |
| run: | | |
| docker exec primary dsconf localhost config replace nsslapd-security=on | |
| docker exec primary dsctl localhost restart | |
| docker exec primary sleep 10 | |
| docker exec -e LDAPTLS_CACERT=/ds_signing.crt primary ldapsearch -H ldaps://primary.example.com:636 -x -b "" -s base \* + | |
| - name: Install CA in primary container | |
| run: docker exec primary pkispawn -f /usr/share/pki/server/examples/installation/ca-secure-ds-primary.cfg -s CA -v | |
| - name: Run PKI healthcheck in primary container | |
| run: docker exec primary pki-healthcheck --failures-only | |
| - name: Verify DS connection in primary container | |
| run: | | |
| docker exec primary pki-server ca-db-config-show > output | |
| cat output | |
| echo "primary.example.com" > expected | |
| sed -n 's/^\s\+Hostname:\s\+\(\S\+\)$/\1/p' output > actual | |
| diff expected actual | |
| echo "636" > expected | |
| sed -n 's/^\s\+Port:\s\+\(\S\+\)$/\1/p' output > actual | |
| diff expected actual | |
| echo "true" > expected | |
| sed -n 's/^\s\+Secure:\s\+\(\S\+\)$/\1/p' output > actual | |
| diff expected actual | |
| - name: Verify CA admin in primary container | |
| run: | | |
| docker exec primary pki-server cert-export ca_signing --cert-file ca_signing.crt | |
| docker exec primary pki client-cert-import ca_signing --ca-cert ca_signing.crt | |
| docker exec primary pki client-cert-import \ | |
| --pkcs12 /root/.dogtag/pki-tomcat/ca_admin_cert.p12 \ | |
| --pkcs12-password-file /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf | |
| docker exec primary pki -n caadmin ca-user-show caadmin | |
| - name: Run secondary container | |
| run: | | |
| IMAGE=pki-runner \ | |
| NAME=secondary \ | |
| HOSTNAME=secondary.example.com \ | |
| tests/bin/runner-init.sh | |
| - name: Connect secondary container to network | |
| run: docker network connect example secondary --alias secondary.example.com | |
| - name: Install dependencies in secondary container | |
| run: docker exec secondary dnf install -y 389-ds-base | |
| - name: Install DS in secondary container | |
| run: docker exec secondary ${PKIDIR}/tests/bin/ds-create.sh | |
| - name: Import DS signing cert into secondary container | |
| run: | | |
| docker exec primary pki \ | |
| -d /etc/dirsrv/slapd-localhost \ | |
| -C /etc/dirsrv/slapd-localhost/pwdfile.txt \ | |
| pkcs12-export \ | |
| --pkcs12-file ${PKIDIR}/ds_signing.p12 \ | |
| --pkcs12-password Secret.123 \ | |
| Self-Signed-CA | |
| docker exec secondary pki \ | |
| -d /etc/dirsrv/slapd-localhost \ | |
| -C /etc/dirsrv/slapd-localhost/pwdfile.txt \ | |
| pkcs12-import \ | |
| --pkcs12-file ${PKIDIR}/ds_signing.p12 \ | |
| --pkcs12-password Secret.123 | |
| docker exec secondary certutil -L -d /etc/dirsrv/slapd-localhost | |
| - name: Create DS server cert in secondary container | |
| run: | | |
| docker exec secondary pki \ | |
| -d /etc/dirsrv/slapd-localhost \ | |
| -C /etc/dirsrv/slapd-localhost/pwdfile.txt \ | |
| nss-cert-request \ | |
| --subject "CN=secondary.example.com" \ | |
| --ext /usr/share/pki/server/certs/sslserver.conf \ | |
| --csr ds_server.csr | |
| docker exec secondary pki \ | |
| -d /etc/dirsrv/slapd-localhost \ | |
| -C /etc/dirsrv/slapd-localhost/pwdfile.txt \ | |
| nss-cert-issue \ | |
| --issuer Self-Signed-CA \ | |
| --csr ds_server.csr \ | |
| --ext /usr/share/pki/server/certs/sslserver.conf \ | |
| --cert ds_server.crt | |
| docker exec secondary pki \ | |
| -d /etc/dirsrv/slapd-localhost \ | |
| -C /etc/dirsrv/slapd-localhost/pwdfile.txt \ | |
| nss-cert-import \ | |
| --cert ds_server.crt \ | |
| Server-Cert | |
| docker exec secondary certutil -L -d /etc/dirsrv/slapd-localhost | |
| - name: Enable DS security in secondary container | |
| run: | | |
| docker exec secondary dsconf localhost config replace nsslapd-security=on | |
| docker exec secondary dsctl localhost restart | |
| docker exec secondary sleep 10 | |
| docker exec secondary bash -c "certutil -L -d /etc/dirsrv/slapd-localhost -n Self-Signed-CA -a > ds_signing.crt" | |
| docker exec -e LDAPTLS_CACERT=/ds_signing.crt secondary ldapsearch -d 65535 -H ldaps://secondary.example.com:636 -x -b "" -s base \* + | |
| - name: Install CA in secondary container | |
| run: | | |
| docker exec primary pki-server cert-export ca_signing --cert-file ${PKIDIR}/ca_signing.crt | |
| docker exec primary pki-server ca-clone-prepare --pkcs12-file ${PKIDIR}/ca-certs.p12 --pkcs12-password Secret.123 | |
| docker exec secondary cp ${PKIDIR}/ca_signing.crt . | |
| docker exec secondary cp ${PKIDIR}/ca-certs.p12 . | |
| docker exec secondary pkispawn -f /usr/share/pki/server/examples/installation/ca-secure-ds-secondary.cfg -s CA -v | |
| - name: Run PKI healthcheck in secondary container | |
| run: docker exec secondary pki-healthcheck --failures-only | |
| - name: Verify DS connection in secondary container | |
| run: | | |
| docker exec secondary pki-server ca-db-config-show > output | |
| cat output | |
| echo "secondary.example.com" > expected | |
| sed -n 's/^\s\+Hostname:\s\+\(\S\+\)$/\1/p' output > actual | |
| diff expected actual | |
| echo "636" > expected | |
| sed -n 's/^\s\+Port:\s\+\(\S\+\)$/\1/p' output > actual | |
| diff expected actual | |
| echo "true" > expected | |
| sed -n 's/^\s\+Secure:\s\+\(\S\+\)$/\1/p' output > actual | |
| diff expected actual | |
| - name: Verify CA admin in secondary container | |
| run: | | |
| docker exec primary cp /root/.dogtag/pki-tomcat/ca_admin_cert.p12 ${PKIDIR}/ca_admin_cert.p12 | |
| docker exec primary cp /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf ${PKIDIR}/pkcs12_password.conf | |
| docker exec secondary pki-server cert-export ca_signing --cert-file ca_signing.crt | |
| docker exec secondary pki client-cert-import ca_signing --ca-cert ca_signing.crt | |
| docker exec secondary pki client-cert-import \ | |
| --pkcs12 ${PKIDIR}/ca_admin_cert.p12 \ | |
| --pkcs12-password-file ${PKIDIR}/pkcs12_password.conf | |
| docker exec secondary pki -n caadmin ca-user-show caadmin | |
| - name: Remove CA from secondary PKI container | |
| run: | | |
| docker exec secondary pkidestroy -i pki-tomcat -s CA -v | |
| - name: Re-install CA in secondary PKI container | |
| run: | | |
| docker exec secondary pkispawn \ | |
| -f /usr/share/pki/server/examples/installation/ca-secure-ds-secondary.cfg \ | |
| -s CA \ | |
| -v | |
| - name: Gather artifacts from primary container | |
| if: always() | |
| run: | | |
| tests/bin/ds-artifacts-save.sh primary | |
| tests/bin/pki-artifacts-save.sh primary | |
| - name: Gather CA artifacts from secondary container | |
| if: always() | |
| run: | | |
| tests/bin/ds-artifacts-save.sh secondary | |
| tests/bin/pki-artifacts-save.sh secondary | |
| - name: Remove CA from secondary container | |
| run: docker exec secondary pkidestroy -i pki-tomcat -s CA -v | |
| - name: Remove DS from secondary container | |
| run: docker exec secondary ${PKIDIR}/tests/bin/ds-remove.sh | |
| - name: Remove CA from primary container | |
| run: docker exec primary pkidestroy -i pki-tomcat -s CA -v | |
| - name: Remove DS from primary container | |
| run: docker exec primary ${PKIDIR}/tests/bin/ds-remove.sh | |
| - name: Upload artifacts from primary container | |
| if: always() | |
| uses: actions/upload-artifact@v3 | |
| with: | |
| name: ca-secure-ds-primary | |
| path: | | |
| /tmp/artifacts/primary | |
| - name: Upload artifacts from secondary container | |
| if: always() | |
| uses: actions/upload-artifact@v3 | |
| with: | |
| name: ca-secure-ds-secondary | |
| path: | | |
| /tmp/artifacts/secondary | |
| subca-clone-test: | |
| name: Sub-CA clone | |
| needs: [init, build] | |
| uses: ./.github/workflows/subca-clone-test.yml | |
| scep-test: | |
| name: Testing SCEP responder | |
| needs: [init, build] | |
| runs-on: ubuntu-latest | |
| env: | |
| PKIDIR: /tmp/workdir/pki | |
| steps: | |
| - name: Clone repository | |
| uses: actions/checkout@v3 | |
| - name: Retrieve pki-runner image | |
| uses: actions/cache@v3 | |
| with: | |
| key: pki-runner-${{ github.sha }} | |
| path: pki-runner.tar | |
| - name: Load runner image | |
| run: docker load --input pki-runner.tar | |
| - name: Create network | |
| run: docker network create example | |
| - name: Run PKI container | |
| run: | | |
| IMAGE=pki-runner \ | |
| NAME=pki \ | |
| HOSTNAME=pki.example.com \ | |
| tests/bin/runner-init.sh | |
| - name: Connect PKI container to network | |
| run: docker network connect example pki --alias pki.example.com | |
| - name: Install dependencies in PKI container | |
| run: docker exec pki dnf install -y 389-ds-base | |
| - name: Install DS in PKI container | |
| run: docker exec pki ${PKIDIR}/tests/bin/ds-create.sh | |
| - name: Install CA in PKI container | |
| run: docker exec pki pkispawn -f /usr/share/pki/server/examples/installation/ca.cfg -s CA -v | |
| - name: Set up client container | |
| run: | | |
| docker run \ | |
| --name client \ | |
| --hostname client.example.com \ | |
| --network example \ | |
| --network-alias client.example.com \ | |
| -it \ | |
| --detach \ | |
| quay.io/dogtagpki/sscep | |
| - name: Get client's IP address | |
| run: | | |
| docker inspect -f '{{ .NetworkSettings.Networks.example.IPAddress }}' client > client.ip | |
| echo "Client's IP: `cat client.ip`" | |
| # https://github.com/dogtagpki/pki/wiki/Configuring-SCEP-Responder | |
| - name: Configure SCEP in CA | |
| run: | | |
| docker exec pki pki-server ca-config-set ca.scep.enable true | |
| docker exec pki bash -c "echo UID:$(cat client.ip) > /etc/pki/pki-tomcat/ca/flatfile.txt" | |
| docker exec pki bash -c "echo PWD:Secret.123 >> /etc/pki/pki-tomcat/ca/flatfile.txt" | |
| docker exec pki pki-server restart --wait | |
| # https://github.com/dogtagpki/pki/wiki/Certificate-Enrollment-with-SSCEP | |
| - name: Get CA certificate using SSCEP | |
| run: | | |
| docker exec client sscep getca \ | |
| -u http://pki.example.com:8080/ca/cgi-bin/pkiclient.exe \ | |
| -c ca.crt | |
| docker exec client openssl x509 -text -noout -in ca.crt | |
| - name: Enroll certificate with IP address using SSCEP | |
| run: | | |
| docker exec client mkrequest -ip $(cat client.ip) Secret.123 | |
| docker exec client openssl req -text -noout -in local.csr | |
| docker exec client sscep enroll \ | |
| -u http://pki.example.com:8080/ca/cgi-bin/pkiclient.exe \ | |
| -c ca.crt \ | |
| -k local.key \ | |
| -r local.csr \ | |
| -l local.crt \ | |
| -E 3des \ | |
| -S sha256 | |
| docker exec client openssl x509 -text -noout -in local.crt | |
| - name: Gather artifacts from PKI container | |
| if: always() | |
| run: | | |
| tests/bin/ds-artifacts-save.sh pki | |
| tests/bin/pki-artifacts-save.sh pki | |
| - name: Remove CA from PKI container | |
| run: docker exec pki pkidestroy -i pki-tomcat -s CA -v | |
| - name: Remove DS from PKI container | |
| run: docker exec pki ${PKIDIR}/tests/bin/ds-remove.sh | |
| - name: Upload artifacts | |
| if: always() | |
| uses: actions/upload-artifact@v3 | |
| with: | |
| name: scep | |
| path: | | |
| /tmp/artifacts/pki |