internet/ansible-freeipa
4
0
Fork 0
mirror of https://github.com/freeipa/ansible-freeipa.git synced 2026-06-11 11:15:55 +00:00
Code Issues Projects Releases Wiki Activity

tests/external-signed-ca tests: Fix external-ca.sh to use proper serials

Browse Source 
The serial numbers have not been set for the creation of the CA and also
to sign the request. Because of this the local time has been used, which
resulted sometimes in the use of the same time stamp for the CA and the
signing reuqest. The import failed then with same issuer and serial number
error.

The cat to generate the chain.crt has been replaces with openssl x509 calls.

Some comments have also been added.

The script in external-signed-ca-with-manual-copy has been replaced with a
link to the external-signed-ca-with-automatic-copy directory.
This commit is contained in:
Thomas Woerner
2019-09-27 15:15:56 +02:00
parent e8173dd9b5
commit 2a197cc7b1
2 changed files with 15 additions and 53 deletions
Download Patch File Download Diff File Expand all files Collapse all files

49
tests/external-signed-ca-with-manual-copy/external-ca.sh
View File

@@ -1,49 +0,0 @@
#!/bin/bash
master=$1
if [ -z "$master" ]; then
echo "ERROR: master is not set"
echo
echo "usage: $0 master-fqdn domain"
exit 0;
fi
PASSWORD="SomeCApassword"
DBDIR="${master}-nssdb"
PWDFILE="$DBDIR/pwdfile.txt"
NOISE="/etc/passwd"
domain=$2
if [ -z "$domain" ]; then
echo "ERROR: domain is not set"
echo
echo "usage: $0 master-fqdn domain"
exit 0;
fi
if [ ! -f "${master}-ipa.csr" ]; then
echo "ERROR: ${master}-ipa.csr missing"
exit 1;
fi
ROOT_KEY_ID=0x$(dd if=/dev/urandom bs=20 count=1 | xxd -p)
IPA_CA_KEY_ID=0x$(dd if=/dev/urandom bs=20 count=1 | xxd -p)
rm -rf "$DBDIR"
mkdir "$DBDIR"
echo "$PASSWORD" > "$PWDFILE"
certutil -N -d "$DBDIR" -f "$PWDFILE"
echo -e "0\n1\n5\n6\n9\ny\ny\n\ny\n${ROOT_KEY_ID}\nn\n" \
| certutil -d "$DBDIR" -f "$PWDFILE" -S -z "$NOISE" -n ca -x -t C,C,C \
-s "CN=PRIMARY,O=$domain" -x -1 -2 --extSKID
openssl req -outform der -in "${master}-ipa.csr" -out "$DBDIR/req.csr"
echo -e "0\n1\n5\n6\n9\ny\ny\n\ny\ny\n${ROOT_KEY_ID}\n\n\nn\n${IPA_CA_KEY_ID}\nn\n" \
| certutil -d "$DBDIR" -f "$PWDFILE" -C -z "$NOISE" -c ca \
-i "$DBDIR/req.csr" -o "$DBDIR/external.cer" -1 -2 -3 --extSKID
openssl x509 -inform der -in "$DBDIR/external.cer" -out "$DBDIR/external.pem"
certutil -L -n ca -d "$DBDIR" -a > "$DBDIR/ca.crt"
cat "$DBDIR/external.pem" "$DBDIR/ca.crt" > "$DBDIR/chain.crt"
cp "$DBDIR/chain.crt" "${master}-chain.crt"

1
tests/external-signed-ca-with-manual-copy/external-ca.sh Symbolic link
View File

@@ -0,0 +1 @@
../external-signed-ca-with-automatic-copy/external-ca.sh