tests/external-signed-ca tests: Fix external-ca.sh to use proper serials

The serial numbers have not been set for the creation of the CA and also
to sign the request. Because of this the local time has been used, which
resulted sometimes in the use of the same time stamp for the CA and the
signing reuqest. The import failed then with same issuer and serial number
error.

The cat to generate the chain.crt has been replaces with openssl x509 calls.

Some comments have also been added.

The script in external-signed-ca-with-manual-copy has been replaced with a
link to the external-signed-ca-with-automatic-copy directory.

tests/external-signed-ca-with-automatic-copy/external-ca.sh

@@ -11,7 +11,7 @@ fi
 PASSWORD="SomeCApassword"
 DBDIR="${master}-nssdb"
 PWDFILE="$DBDIR/pwdfile.txt"
-NOISE="/etc/passwd"
+NOISE="$DBDIR/noise.txt"
 
 domain=$2
 if [ -z "$domain" ]; then
@@ -29,21 +29,31 @@ fi
 ROOT_KEY_ID=0x$(dd if=/dev/urandom bs=20 count=1 | xxd -p)
 IPA_CA_KEY_ID=0x$(dd if=/dev/urandom bs=20 count=1 | xxd -p)
 
+# Prepare a new NSS database to serve us as an external CA
 rm -rf "$DBDIR"
 mkdir "$DBDIR"
 echo "$PASSWORD" > "$PWDFILE"
+dd count=10 bs=1024 if=/dev/random of="$NOISE" 2>/dev/null
 certutil -N -d "$DBDIR" -f "$PWDFILE"
+
+# Generate a CA certificate
 echo -e "0\n1\n5\n6\n9\ny\ny\n\ny\n${ROOT_KEY_ID}\nn\n" \
   | certutil -d "$DBDIR"  -f "$PWDFILE" -S -z "$NOISE" -n ca -x -t C,C,C \
-    -s "CN=PRIMARY,O=$domain" -x -1 -2 --extSKID
+    -s "CN=PRIMARY,O=$domain" -x -1 -2 --extSKID -m 1
 
+# Change the form of the CSR from PEM to DER for the NSS database
 openssl req -outform der -in "${master}-ipa.csr" -out "$DBDIR/req.csr"
+
+# Sign the certificate request
 echo -e "0\n1\n5\n6\n9\ny\ny\n\ny\ny\n${ROOT_KEY_ID}\n\n\nn\n${IPA_CA_KEY_ID}\nn\n" \
   | certutil -d "$DBDIR" -f "$PWDFILE" -C -z "$NOISE" -c ca \
-    -i "$DBDIR/req.csr" -o "$DBDIR/external.cer" -1 -2 -3 --extSKID
+    -i "$DBDIR/req.csr" -o "$DBDIR/external.cer" -1 -2 -3 --extSKID -m 2
 
 openssl x509 -inform der -in "$DBDIR/external.cer" -out "$DBDIR/external.pem"
+
+# Export the NSS CA certificate and add it to a chain file
 certutil -L -n ca -d "$DBDIR" -a > "$DBDIR/ca.crt"
-cat "$DBDIR/external.pem" "$DBDIR/ca.crt" > "$DBDIR/chain.crt"
+openssl x509 -text -in "$DBDIR/external.pem" > "$DBDIR/chain.crt"
+openssl x509 -text -in "$DBDIR/ca.crt" >> "$DBDIR/chain.crt"
 
 cp "$DBDIR/chain.crt" "${master}-chain.crt"

tests/external-signed-ca-with-manual-copy/external-ca.sh

@@ -1,49 +0,0 @@
-#!/bin/bash
-
-master=$1
-if [ -z "$master" ]; then
-    echo "ERROR: master is not set"
-    echo
-    echo "usage: $0 master-fqdn domain"
-    exit 0;
-fi
-
-PASSWORD="SomeCApassword"
-DBDIR="${master}-nssdb"
-PWDFILE="$DBDIR/pwdfile.txt"
-NOISE="/etc/passwd"
-
-domain=$2
-if [ -z "$domain" ]; then
-    echo "ERROR: domain is not set"
-    echo
-    echo "usage: $0 master-fqdn domain"
-    exit 0;
-fi
-
-if [ ! -f "${master}-ipa.csr" ]; then
-    echo "ERROR: ${master}-ipa.csr missing"
-    exit 1;
-fi
-
-ROOT_KEY_ID=0x$(dd if=/dev/urandom bs=20 count=1 | xxd -p)
-IPA_CA_KEY_ID=0x$(dd if=/dev/urandom bs=20 count=1 | xxd -p)
-
-rm -rf "$DBDIR"
-mkdir "$DBDIR"
-echo "$PASSWORD" > "$PWDFILE"
-certutil -N -d "$DBDIR" -f "$PWDFILE"
-echo -e "0\n1\n5\n6\n9\ny\ny\n\ny\n${ROOT_KEY_ID}\nn\n" \
-  | certutil -d "$DBDIR"  -f "$PWDFILE" -S -z "$NOISE" -n ca -x -t C,C,C \
-    -s "CN=PRIMARY,O=$domain" -x -1 -2 --extSKID
-
-openssl req -outform der -in "${master}-ipa.csr" -out "$DBDIR/req.csr"
-echo -e "0\n1\n5\n6\n9\ny\ny\n\ny\ny\n${ROOT_KEY_ID}\n\n\nn\n${IPA_CA_KEY_ID}\nn\n" \
-  | certutil -d "$DBDIR" -f "$PWDFILE" -C -z "$NOISE" -c ca \
-    -i "$DBDIR/req.csr" -o "$DBDIR/external.cer" -1 -2 -3 --extSKID
-
-openssl x509 -inform der -in "$DBDIR/external.cer" -out "$DBDIR/external.pem"
-certutil -L -n ca -d "$DBDIR" -a > "$DBDIR/ca.crt"
-cat "$DBDIR/external.pem" "$DBDIR/ca.crt" > "$DBDIR/chain.crt"
-
-cp "$DBDIR/chain.crt" "${master}-chain.crt"

tests/external-signed-ca-with-manual-copy/external-ca.sh

@@ -0,0 +1 @@
+../external-signed-ca-with-automatic-copy/external-ca.sh