Fix ca-less test to use X.509 v3 certificates

The generated certificates have been X.509 v1. This is not supported any more. Only X.509 v3 is supported. A new certificates/extensions.conf file has been added to make v3 certificates. The existing certificates/pkinit/extensions.conf has been renamed to certificates/pkinit-extensions.conf with additional changes. For example "[kdc_cert]" had to be removed for v3. The extensions config files are using environment variables, which are set by the generate-certificates.sh script before calling openssl. The script generate-certificates.sh has been reworked for a simpler structure, also new options have been added: "ca" and "cleanup".
2026-03-26 21:33:05 +00:00 · 2024-03-05 11:05:19 +01:00
parent ce05b5e137
commit b92da82661
5 changed files with 169 additions and 142 deletions
--- a/tests/ca-less/certificates/extensions.conf
+++ b/tests/ca-less/certificates/extensions.conf
@@ -0,0 +1,7 @@
+basicConstraints = CA:FALSE
+keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
+authorityKeyIdentifier = keyid,issuer
+subjectAltName = @alt_names
+
+[alt_names]
+DNS.1 = ${ENV::HOST_FQDN}
--- a/tests/ca-less/certificates/pkinit-extensions.conf
+++ b/tests/ca-less/certificates/pkinit-extensions.conf
@@ -0,0 +1,19 @@
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation,digitalSignature,keyEncipherment,keyAgreement
+extendedKeyUsage = 1.3.6.1.5.2.3.5
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+issuerAltName = issuer:copy
+subjectAltName = otherName:1.3.6.1.5.2.2;SEQUENCE:kdc_princ_name
+
+[kdc_princ_name]
+realm = EXP:0,GeneralString:${ENV::REALM_NAME}
+principal_name = EXP:1,SEQUENCE:kdc_principal_seq
+
+[kdc_principal_seq]
+name_type = EXP:0,INTEGER:1
+name_string = EXP:1,SEQUENCE:kdc_principals
+
+[kdc_principals]
+princ1 = GeneralString:krbtgt
+princ2 = GeneralString:${ENV::REALM_NAME}
--- a/tests/ca-less/certificates/pkinit/extensions.conf
+++ b/tests/ca-less/certificates/pkinit/extensions.conf
@@ -1,20 +0,0 @@
-[kdc_cert]
-basicConstraints=CA:FALSE
-keyUsage=nonRepudiation,digitalSignature,keyEncipherment,keyAgreement
-extendedKeyUsage=1.3.6.1.5.2.3.5
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid,issuer
-issuerAltName=issuer:copy
-subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:kdc_princ_name
-
-[kdc_princ_name]
-realm=EXP:0,GeneralString:${ENV::REALM}
-principal_name=EXP:1,SEQUENCE:kdc_principal_seq
-
-[kdc_principal_seq]
-name_type=EXP:0,INTEGER:1
-name_string=EXP:1,SEQUENCE:kdc_principals
-
-[kdc_principals]
-princ1=GeneralString:krbtgt
-princ2=GeneralString:${ENV::REALM}
--- a/tests/ca-less/clean_up_certificates.yml
+++ b/tests/ca-less/clean_up_certificates.yml
@@ -7,9 +7,6 @@
  - name: Run generate-certificates.sh
    ansible.builtin.command: >
      /bin/bash
-      generate-certificates.sh delete "{{ item }}"
+      generate-certificates.sh cleanup
    args:
      chdir: "{{ playbook_dir }}"
-    with_items:
-      - "{{ groups.ipaserver[0] }}"
-      - "{{ groups.ipareplicas[0] }}"
--- a/tests/ca-less/generate-certificates.sh
+++ b/tests/ca-less/generate-certificates.sh
@@ -1,153 +1,177 @@
 #!/usr/bin/env bash

-ROOT_CA_DIR="certificates/root-ca"
-DIRSRV_CERTS_DIR="certificates/dirsrv"
-HTTPD_CERTS_DIR="certificates/httpd"
-PKINIT_CERTS_DIR="certificates/pkinit"
+CERTIFICATES="certificates"
+ROOT_CA_DIR="${CERTIFICATES}/root-ca"
+DIRSRV_CERTS_DIR="${CERTIFICATES}/dirsrv"
+HTTPD_CERTS_DIR="${CERTIFICATES}/httpd"
+PKINIT_CERTS_DIR="${CERTIFICATES}/pkinit"
+EXTENSIONS_CONF="${CERTIFICATES}/extensions.conf"
+PKINIT_EXTENSIONS_CONF="${CERTIFICATES}/pkinit-extensions.conf"
 PKCS12_PASSWORD="SomePKCS12password"

-# generate_ipa_pkcs12_certificate \
-#    $cert_name $ipa_fqdn $certs_dir $root_ca_cert $root_ca_private_key extensions_file extensions_name
-function generate_ipa_pkcs12_certificate {
+# create_ca \
+#    $domain_name
+function create_ca {

-    cert_name=$1
-    ipa_fqdn=$2
-    certs_dir=$3
-    root_ca_cert=$4
-    root_ca_private_key=$5
-    extensions_file=$6
-    extensions_name=$7
-
-    # Generate CSR and private key
-    openssl req -new -newkey rsa:4096 -nodes \
-        -subj "/C=US/ST=Test/L=Testing/O=Default/CN=${ipa_fqdn}" \
-        -keyout "${certs_dir}/private.key" \
-        -out "${certs_dir}/request.csr"
-
-    # Sign CSR to generate PEM certificate
-    if [ -z "${extensions_file}" ]; then
-        openssl x509 -req -days 365 -sha256 \
-            -CAcreateserial \
-            -CA "${root_ca_cert}" \
-            -CAkey "${root_ca_private_key}" \
-            -in "${certs_dir}/request.csr" \
-            -out "${certs_dir}/cert.pem"
-    else
-        openssl x509 -req -days 365 -sha256 \
-            -CAcreateserial \
-            -CA "${ROOT_CA_DIR}/cert.pem" \
-            -CAkey "${ROOT_CA_DIR}/private.key" \
-            -extfile "${extensions_file}" \
-            -extensions "${extensions_name}" \
-            -in "${certs_dir}/request.csr" \
-            -out "${certs_dir}/cert.pem"
-    fi
-
-    # Convert certificate to PKCS12 format
-    openssl pkcs12 -export \
-        -name "${cert_name}" \
-        -certfile "${root_ca_cert}" \
-        -in "${certs_dir}/cert.pem" \
-        -inkey "${certs_dir}/private.key" \
-        -passout "pass:${PKCS12_PASSWORD}" \
-        -out "${certs_dir}/cert.p12"
-}
-
-# generate_ipa_pkcs12_certificates $ipa_fqdn $ipa_domain
-function generate_ipa_pkcs12_certificates {
-
-    host=$1
-    if [ -z "$host" ]; then
-        echo "ERROR: ipa-host-fqdn is not set"
-        echo
-        echo "usage: $0 create ipa-host-fqdn domain"
-        exit 0;
-    fi
-
-    domain=$2
-    if [ -z "$domain" ]; then
+    domain_name=$1
+    if [ -z "${domain_name}" ]; then
        echo "ERROR: domain is not set"
        echo
-        echo "usage: $0 create ipa-host-fqdn domain"
+        echo "usage: $0 ca <domain>"
        exit 0;
    fi
+    realm=${domain_name^^}

-    # Generate certificates folder structure
+    export REALM_NAME=${realm}
+
+    # Create certificates folder structure
    mkdir -p "${ROOT_CA_DIR}"
-    mkdir -p "${DIRSRV_CERTS_DIR}/$host"
-    mkdir -p "${HTTPD_CERTS_DIR}/$host"
-    mkdir -p "${PKINIT_CERTS_DIR}/$host"

-    # Generate root CA
+    # Create root CA
    if [ ! -f "${ROOT_CA_DIR}/private.key" ]; then
-        openssl genrsa \
-                -out "${ROOT_CA_DIR}/private.key" 4096
+        # create aes encrypted private key
+        openssl genrsa -out "${ROOT_CA_DIR}/private.key" 4096

-        openssl req -new -x509 -sha256 -nodes -days 3650 \
-                -subj "/C=US/ST=Test/L=Testing/O=Default" \
+        # create certificate, 1826 days = 5 years
+        openssl req -x509 -new -nodes -sha256 -days 1826 \
+                -subj "/C=US/ST=Test/L=Testing/O=Default/CN=Test Root CA" \
                -key "${ROOT_CA_DIR}/private.key" \
                -out "${ROOT_CA_DIR}/cert.pem"
    fi
-
-    # Generate a certificate for the Directory Server
-    if [ ! -f "${DIRSRV_CERTS_DIR}/$host/cert.pem" ]; then
-        generate_ipa_pkcs12_certificate \
-            "dirsrv-cert" \
-            "$host" \
-            "${DIRSRV_CERTS_DIR}/$host" \
-            "${ROOT_CA_DIR}/cert.pem" \
-            "${ROOT_CA_DIR}/private.key"
-    fi
-
-    # Generate a certificate for the Apache server
-    if [ ! -f "${HTTPD_CERTS_DIR}/$host/cert.pem" ]; then
-        generate_ipa_pkcs12_certificate \
-            "httpd-cert" \
-            "$host" \
-            "${HTTPD_CERTS_DIR}/$host" \
-            "${ROOT_CA_DIR}/cert.pem" \
-            "${ROOT_CA_DIR}/private.key"
-    fi
-
-    # Generate a certificate for the KDC PKINIT
-    if [ ! -f "${PKINIT_CERTS_DIR}/$host/cert.pem" ]; then
-        export REALM=${domain^^}
-
-        generate_ipa_pkcs12_certificate \
-            "pkinit-cert" \
-            "$host" \
-            "${PKINIT_CERTS_DIR}/$host" \
-            "${ROOT_CA_DIR}/cert.pem" \
-            "${ROOT_CA_DIR}/private.key" \
-            "${PKINIT_CERTS_DIR}/extensions.conf" \
-            "kdc_cert"
-    fi
 }

-# delete_ipa_pkcs12_certificates $ipa_fqdn
-function delete_ipa_pkcs12_certificates {
+# create_host_pkcs12_certificate \
+#    $cert_name $certs_dir $root_ca_cert $extensions_file
+function create_host_pkcs12_certificate {

-    host=$1
-    if [ -z "$host" ]; then
-        echo "ERROR: ipa-host-fqdn is not set"
+    cert_name=$1
+    certs_dir=$2
+    root_ca_cert=$3
+    extensions_file=$4
+
+    # Create CSR and private key
+    openssl req -new -nodes -newkey rsa:4096 \
+                -subj "/C=US/ST=Test/L=Testing/O=Default/CN=${cert_name}" \
+                -keyout "${certs_dir}/private.key" \
+                -out "${certs_dir}/request.csr"
+
+    # Sign CSR to create PEM certificate
+    openssl x509 -req -days 1460 -sha256 -CAcreateserial \
+                -CAkey "${ROOT_CA_DIR}/private.key" \
+                -CA "${root_ca_cert}" \
+                -in "${certs_dir}/request.csr" \
+                -out "${certs_dir}/cert.pem" \
+                -extfile "${extensions_file}"
+
+    # Convert certificate to PKCS12 format
+    openssl pkcs12 -export \
+            -name "${cert_name}" \
+            -certfile "${root_ca_cert}" \
+            -passout "pass:${PKCS12_PASSWORD}" \
+            -inkey "${certs_dir}/private.key" \
+            -in "${certs_dir}/cert.pem" \
+            -out "${certs_dir}/cert.p12"
+}
+
+# create_ipa_pkcs12_certificates \
+#    $host_fqdn $domain_name
+function create_host_certificates {
+
+    host_fqdn=$1
+    if [ -z "${host_fqdn}" ]; then
+        echo "ERROR: host-fqdn is not set"
        echo
-        echo "usage: $0 delete ipa-host-fqdn"
+        echo "usage: $0 create <host-fqdn> [<domain>]"
        exit 0;
    fi

-    rm -f certificates/*/"$host"/*
-    rm -f "${ROOT_CA_DIR}"/*
+    domain_name=$2
+    [ -z "${domain_name}" ] && domain_name=${host_fqdn#*.*}
+    if [ -z "${domain_name}" ]; then
+        echo "ERROR: domain is not set and can not be created from host fqdn"
+        echo
+        echo "usage: $0 create <host-fqdn> [<domain>]"
+        exit 0;
+    fi
+    realm=${domain_name^^}
+
+    export HOST_FQDN=${host_fqdn}
+    export REALM_NAME=${realm}
+
+    if [ ! -f "${ROOT_CA_DIR}/private.key" ]; then
+        create_ca "${domain_name}"
+    fi
+
+    # Create certificates folder structure
+    mkdir -p "${DIRSRV_CERTS_DIR}/${host_fqdn}"
+    mkdir -p "${HTTPD_CERTS_DIR}/${host_fqdn}"
+    mkdir -p "${PKINIT_CERTS_DIR}/${host_fqdn}"
+
+    # Create a certificate for the Directory Server
+    if [ ! -f "${DIRSRV_CERTS_DIR}/${host_fqdn}/cert.pem" ]; then
+        create_host_pkcs12_certificate \
+            "dirsrv-cert" \
+            "${DIRSRV_CERTS_DIR}/${host_fqdn}" \
+            "${ROOT_CA_DIR}/cert.pem" \
+            "${EXTENSIONS_CONF}"
+    fi
+
+    # Create a certificate for the Apache server
+    if [ ! -f "${HTTPD_CERTS_DIR}/${host_fqdn}/cert.pem" ]; then
+        create_host_pkcs12_certificate \
+            "httpd-cert" \
+            "${HTTPD_CERTS_DIR}/${host_fqdn}" \
+            "${ROOT_CA_DIR}/cert.pem" \
+            "${EXTENSIONS_CONF}"
+    fi
+
+    # Create a certificate for the KDC PKINIT
+    if [ ! -f "${PKINIT_CERTS_DIR}/${host_fqdn}/cert.pem" ]; then
+        create_host_pkcs12_certificate \
+            "pkinit-cert" \
+            "${PKINIT_CERTS_DIR}/${host_fqdn}" \
+            "${ROOT_CA_DIR}/cert.pem" \
+            "${PKINIT_EXTENSIONS_CONF}"
+    fi
+}
+
+# delete_host_certificates \
+#     $host_fqdn
+function delete_host_certificates {
+
+    host_fqdn=$1
+    if [ -z "${host_fqdn}" ]; then
+        echo "ERROR: host-fqdn is not set"
+        echo
+        echo "usage: $0 delete <host-fqdn>"
+        exit 0;
+    fi
+
+    rm -rf certificates/*/"${host_fqdn}"/
+}
+
+# cleanup \
+#     $host_fqdn
+function cleanup {
+
+    rm -rf certificates/*/
 }

 # Entrypoint
 case "$1" in
+  ca)
+    create_ca "$2"
+    ;;
  create)
-    generate_ipa_pkcs12_certificates "$2" "$3"
+    create_host_certificates "$2" "$3"
    ;;
  delete)
-    delete_ipa_pkcs12_certificates "$2"
+    delete_host_certificates "$2"
+    ;;
+  cleanup)
+    cleanup
    ;;
  *)
-    echo $"Usage: $0 {create|delete}"
+    echo $"Usage: $0 {create|delete|ca|cleanup}"
    ;;
 esac