Add pki ca-cert-issue
The pki ca-cert-request-submit command can be used in two ways.
If it's invoked with an install token, the cert will be issued
immediately. If it's invoked without an install token, it will
submit the request to the CA, but then the request will need to
be approved, and the cert will need to be retrieved separately.

To make it easier to issue a cert, a new pki ca-cert-issue command
has been added. It is similar to pki ca-cert-request-submit, but
it can also approve the request and retrieve the cert immediately
when invoked with the proper credentials.

pkispawn and most CI tests have been updated to use the new
command. The pki ca-cert-request-submit options that take an
install token have been deprecated.
edewata committed Sep 24, 2024
1 parent 56c4a06 commit 33a139a
Showing 21 changed files with 945 additions and 539 deletions.
11 changes: 6 additions & 5 deletions .github/workflows/acme-postgresql-test.yml
Expand Up @@ -85,13 +85,14 @@ jobs:
--subject "CN=postgresql.example.com" \
--ext /usr/share/pki/server/certs/sslserver.conf \
--csr sslserver.csr
REC_ID=$(docker exec pki pki ca-cert-request-submit \
docker exec pki pki \
-n caadmin \
ca-cert-issue \
--profile caServerCert \
--csr-file sslserver.csr \
--subject "CN=postgresql.example.com" | grep "Request ID")
CERT_ID=$(docker exec pki pki -n caadmin ca-cert-request-approve ${REC_ID:14} --force | \
grep "Certificate ID")
docker exec pki pki ca-cert-export ${CERT_ID:18} --output-file sslserver.crt
--subject "CN=postgresql.example.com" \
--output-file sslserver.crt
docker exec pki pki nss-cert-import \
--cert sslserver.crt \
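Review bot: The new ca-cert-issue step writes sslserver.crt and hands it straight to nss-cert-import, while every other workflow touched by this commit inspects the issued cert first; adding `docker exec pki openssl x509 -text -noout -in sslserver.crt` after the `--output-file sslserver.crt` line keeps the workflows consistent and makes a mis-issued cert visible in the job log before the import fails. The `--subject "CN=postgresql.example.com"` option is still passed alongside `--csr-file`, although the CSR generated a few lines above already carries that subject; if ca-cert-issue takes the subject from the CSR the option is redundant, and if it overrides the CSR a short comment saying so would help the next reader. The enclosing step starts and ends outside the hunk.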
17 changes: 6 additions & 11 deletions .github/workflows/acme-separate-test.yml
Expand Up @@ -120,18 +120,13 @@ jobs:
docker exec acme cp /var/lib/pki/pki-tomcat/conf/certs/sslserver.csr $SHARED
docker exec ca openssl req -text -noout -in $SHARED/sslserver.csr
# submit cert request
docker exec ca pki ca-cert-request-submit \
# issue cert
docker exec ca pki \
-n caadmin \
ca-cert-issue \
--profile caServerCert \
--csr-file $SHARED/sslserver.csr | tee output
REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output)
# approve cert request
docker exec ca pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee output
CERT_ID=$(sed -n 's/Certificate ID: *\(.*\)/\1/p' output)
# export cert
docker exec ca pki ca-cert-export $CERT_ID --output-file $SHARED/sslserver.crt
--csr-file $SHARED/sslserver.csr \
--output-file $SHARED/sslserver.crt
docker exec ca openssl x509 -text -noout -in $SHARED/sslserver.crt
# install cert
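Review bot: The `# issue cert` comment replaces three comments that named the submit, approve and export stages, but it no longer says that approval now happens implicitly under the identity passed with `-n caadmin`; a reader scanning the workflow cannot tell that this is a privileged one-shot path rather than the agent approval step the removed `ca-cert-request-approve` line exercised. Suggest `# issue cert (submit, auto-approve as caadmin, export in one step)` so the credential doing the approval is visible. The same applies to the corresponding hunks in est-ds-realm-separate-test.yml, kra-existing-certs-test.yml and kra-existing-ds-test.yml. Since the description says most, not all, CI tests were converted, naming in the commit message which test still covers ca-cert-request-submit followed by ca-cert-request-approve would make it clear that the separate approval path, presumably still the one agents use, keeps coverage.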
12 changes: 6 additions & 6 deletions .github/workflows/est-ds-realm-separate-test.yml
Expand Up @@ -74,13 +74,13 @@ jobs:
docker exec ca pki nss-cert-request --csr estSSLServer.csr \
--ext /usr/share/pki/server/certs/sslserver.conf --subject 'CN=est.example.com'
docker exec ca pki ca-cert-request-submit --csr-file estSSLServer.csr --profile caServerCert | tee output
REQUEST_ID=$(sed -n "s/^\s*Request ID:\s*\(\S*\)$/\1/p" output)
docker exec ca pki \
-n caadmin \
ca-cert-issue \
--csr-file estSSLServer.csr \
--profile caServerCert \
--output-file estSSLServer.crt
docker exec ca pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee output
CERT_ID=$(sed -n "s/^\s*Certificate ID:\s*\(\S*\)$/\1/p" output)
docker exec ca pki -n caadmin ca-cert-export --output-file estSSLServer.crt $CERT_ID
docker exec ca pki nss-cert-import --cert estSSLServer.crt sslserver
docker exec ca pk12util -d /root/.dogtag/nssdb -o $SHARED/est_server.p12 -n sslserver -W Secret.123
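Review bot: The new invocation lists `--csr-file estSSLServer.csr \` before `--profile caServerCert \`, whereas every other ca-cert-issue call in this commit puts `--profile` first; swapping the two lines keeps the calls uniform and easier to compare across workflows. The rest of the step, including the pk12util export on the following lines, is unchanged and continues outside the hunk.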
78 changes: 30 additions & 48 deletions .github/workflows/kra-existing-certs-test.yml
Expand Up @@ -94,15 +94,12 @@ jobs:
--csr $SHARED/kra_storage.csr
docker exec ca openssl req -text -noout -in $SHARED/kra_storage.csr
docker exec ca pki ca-cert-request-submit \
docker exec ca pki \
-n caadmin \
ca-cert-issue \
--profile caStorageCert \
--csr-file $SHARED/kra_storage.csr | tee output
REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output)
docker exec ca pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee output
CERT_ID=$(sed -n 's/Certificate ID: *\(.*\)/\1/p' output)
docker exec ca pki ca-cert-export $CERT_ID --output-file $SHARED/kra_storage.crt
--csr-file $SHARED/kra_storage.csr \
--output-file $SHARED/kra_storage.crt
docker exec ca openssl x509 -text -noout -in $SHARED/kra_storage.crt
docker exec kra pki nss-cert-import \
Expand All @@ -125,15 +122,12 @@ jobs:
--csr $SHARED/kra_transport.csr
docker exec ca openssl req -text -noout -in $SHARED/kra_transport.csr
docker exec ca pki ca-cert-request-submit \
docker exec ca pki \
-n caadmin \
ca-cert-issue \
--profile caTransportCert \
--csr-file $SHARED/kra_transport.csr | tee output
REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output)
docker exec ca pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee output
CERT_ID=$(sed -n 's/Certificate ID: *\(.*\)/\1/p' output)
docker exec ca pki ca-cert-export $CERT_ID --output-file $SHARED/kra_transport.crt
--csr-file $SHARED/kra_transport.csr \
--output-file $SHARED/kra_transport.crt
docker exec ca openssl x509 -text -noout -in $SHARED/kra_transport.crt
docker exec kra pki nss-cert-import \
Expand All @@ -156,15 +150,12 @@ jobs:
--csr $SHARED/kra_audit_signing.csr
docker exec ca openssl req -text -noout -in $SHARED/kra_audit_signing.csr
docker exec ca pki ca-cert-request-submit \
docker exec ca pki \
-n caadmin \
ca-cert-issue \
--profile caAuditSigningCert \
--csr-file $SHARED/kra_audit_signing.csr | tee output
REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output)
docker exec ca pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee output
CERT_ID=$(sed -n 's/Certificate ID: *\(.*\)/\1/p' output)
docker exec ca pki ca-cert-export $CERT_ID --output-file $SHARED/kra_audit_signing.crt
--csr-file $SHARED/kra_audit_signing.csr \
--output-file $SHARED/kra_audit_signing.crt
docker exec ca openssl x509 -text -noout -in $SHARED/kra_audit_signing.crt
docker exec kra pki nss-cert-import \
Expand All @@ -188,15 +179,12 @@ jobs:
--csr $SHARED/subsystem.csr
docker exec ca openssl req -text -noout -in $SHARED/subsystem.csr
docker exec ca pki ca-cert-request-submit \
docker exec ca pki \
-n caadmin \
ca-cert-issue \
--profile caSubsystemCert \
--csr-file $SHARED/subsystem.csr | tee output
REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output)
docker exec ca pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee output
CERT_ID=$(sed -n 's/Certificate ID: *\(.*\)/\1/p' output)
docker exec ca pki ca-cert-export $CERT_ID --output-file $SHARED/subsystem.crt
--csr-file $SHARED/subsystem.csr \
--output-file $SHARED/subsystem.crt
docker exec ca openssl x509 -text -noout -in $SHARED/subsystem.crt
docker exec kra pki nss-cert-import \
Expand All @@ -219,15 +207,12 @@ jobs:
--csr $SHARED/sslserver.csr
docker exec ca openssl req -text -noout -in $SHARED/sslserver.csr
docker exec ca pki ca-cert-request-submit \
docker exec ca pki \
-n caadmin \
ca-cert-issue \
--profile caServerCert \
--csr-file $SHARED/sslserver.csr | tee output
REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output)
docker exec ca pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee output
CERT_ID=$(sed -n 's/Certificate ID: *\(.*\)/\1/p' output)
docker exec ca pki ca-cert-export $CERT_ID --output-file $SHARED/sslserver.crt
--csr-file $SHARED/sslserver.csr \
--output-file $SHARED/sslserver.crt
docker exec ca openssl x509 -text -noout -in $SHARED/sslserver.crt
docker exec kra pki nss-cert-import \
Expand All @@ -250,15 +235,12 @@ jobs:
--csr $SHARED/kra_admin.csr
docker exec ca openssl req -text -noout -in $SHARED/kra_admin.csr
docker exec ca pki ca-cert-request-submit \
docker exec ca pki \
-n caadmin \
ca-cert-issue \
--profile AdminCert \
--csr-file $SHARED/kra_admin.csr | tee output
REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output)
docker exec ca pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee output
CERT_ID=$(sed -n 's/Certificate ID: *\(.*\)/\1/p' output)
docker exec ca pki ca-cert-export $CERT_ID --output-file $SHARED/kra_admin.crt
--csr-file $SHARED/kra_admin.csr \
--output-file $SHARED/kra_admin.crt
docker exec ca openssl x509 -text -noout -in $SHARED/kra_admin.crt
docker exec kra pki nss-cert-import \
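Review bot: The added lines `--csr-file $SHARED/kra_storage.csr \` and `--output-file $SHARED/kra_storage.crt` carry `$SHARED` unquoted (ShellCheck SC2086); inside a `docker exec` argument list a value containing whitespace would be split into extra arguments to pki. The removed lines had the same expansion, so nothing regresses, but since these lines are being rewritten anyway, `"$SHARED/kra_storage.csr"` and `"$SHARED/kra_storage.crt"` cost nothing. This applies to all six hunks in this file and to the matching hunks in kra-existing-ds-test.yml; SHARED is presumably set to a fixed path by the workflow env, which lies outside the hunk.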
102 changes: 36 additions & 66 deletions .github/workflows/kra-existing-ds-test.yml
Expand Up @@ -95,18 +95,13 @@ jobs:
docker exec kra cp /var/lib/pki/pki-tomcat/conf/certs/kra_storage.csr $SHARED
docker exec kra openssl req -text -noout -in $SHARED/kra_storage.csr
# submit cert request
docker exec ca pki ca-cert-request-submit \
--profile caStorageCert \
--csr-file $SHARED/kra_storage.csr | tee output
REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output)
# issue cert
docker exec ca pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee output
CERT_ID=$(sed -n 's/Certificate ID: *\(.*\)/\1/p' output)
# retrieve cert
docker exec ca pki ca-cert-export $CERT_ID --output-file $SHARED/kra_storage.crt
docker exec ca pki \
-n caadmin \
ca-cert-issue \
--profile caStorageCert \
--csr-file $SHARED/kra_storage.csr \
--output-file $SHARED/kra_storage.crt
docker exec ca openssl x509 -text -noout -in $SHARED/kra_storage.crt
docker exec kra cp $SHARED/kra_storage.crt /var/lib/pki/pki-tomcat/conf/certs
Expand Down Expand Up @@ -137,18 +132,13 @@ jobs:
docker exec kra cp /var/lib/pki/pki-tomcat/conf/certs/kra_transport.csr $SHARED
docker exec ca openssl req -text -noout -in $SHARED/kra_transport.csr
# submit cert request
docker exec ca pki ca-cert-request-submit \
--profile caTransportCert \
--csr-file $SHARED/kra_transport.csr | tee output
REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output)
# issue cert
docker exec ca pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee output
CERT_ID=$(sed -n 's/Certificate ID: *\(.*\)/\1/p' output)
# retrieve cert
docker exec ca pki ca-cert-export $CERT_ID --output-file $SHARED/kra_transport.crt
docker exec ca pki \
-n caadmin \
ca-cert-issue \
--profile caTransportCert \
--csr-file $SHARED/kra_transport.csr \
--output-file $SHARED/kra_transport.crt
docker exec ca openssl x509 -text -noout -in $SHARED/kra_transport.crt
docker exec kra cp $SHARED/kra_transport.crt /var/lib/pki/pki-tomcat/conf/certs
Expand Down Expand Up @@ -179,18 +169,13 @@ jobs:
docker exec kra cp /var/lib/pki/pki-tomcat/conf/certs/kra_audit_signing.csr $SHARED
docker exec ca openssl req -text -noout -in $SHARED/kra_audit_signing.csr
# submit cert request
docker exec ca pki ca-cert-request-submit \
--profile caAuditSigningCert \
--csr-file $SHARED/kra_audit_signing.csr | tee output
REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output)
# issue cert
docker exec ca pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee output
CERT_ID=$(sed -n 's/Certificate ID: *\(.*\)/\1/p' output)
# retrieve cert
docker exec ca pki ca-cert-export $CERT_ID --output-file $SHARED/kra_audit_signing.crt
docker exec ca pki \
-n caadmin \
ca-cert-issue \
--profile caAuditSigningCert \
--csr-file $SHARED/kra_audit_signing.csr \
--output-file $SHARED/kra_audit_signing.crt
docker exec ca openssl x509 -text -noout -in $SHARED/kra_audit_signing.crt
docker exec kra cp $SHARED/kra_audit_signing.crt /var/lib/pki/pki-tomcat/conf/certs
Expand Down Expand Up @@ -221,18 +206,13 @@ jobs:
docker exec kra cp /var/lib/pki/pki-tomcat/conf/certs/subsystem.csr $SHARED
docker exec ca openssl req -text -noout -in $SHARED/subsystem.csr
# submit cert request
docker exec ca pki ca-cert-request-submit \
--profile caSubsystemCert \
--csr-file $SHARED/subsystem.csr | tee output
REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output)
# issue cert
docker exec ca pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee output
CERT_ID=$(sed -n 's/Certificate ID: *\(.*\)/\1/p' output)
# retrieve cert
docker exec ca pki ca-cert-export $CERT_ID --output-file $SHARED/subsystem.crt
docker exec ca pki \
-n caadmin \
ca-cert-issue \
--profile caSubsystemCert \
--csr-file $SHARED/subsystem.csr \
--output-file $SHARED/subsystem.crt
docker exec ca openssl x509 -text -noout -in $SHARED/subsystem.crt
docker exec kra cp $SHARED/subsystem.crt /var/lib/pki/pki-tomcat/conf/certs
Expand Down Expand Up @@ -263,18 +243,13 @@ jobs:
docker exec kra cp /var/lib/pki/pki-tomcat/conf/certs/sslserver.csr $SHARED
docker exec ca openssl req -text -noout -in $SHARED/sslserver.csr
# submit cert request
docker exec ca pki ca-cert-request-submit \
--profile caServerCert \
--csr-file $SHARED/sslserver.csr | tee output
REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output)
# issue cert
docker exec ca pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee output
CERT_ID=$(sed -n 's/Certificate ID: *\(.*\)/\1/p' output)
# retrieve cert
docker exec ca pki ca-cert-export $CERT_ID --output-file $SHARED/sslserver.crt
docker exec ca pki \
-n caadmin \
ca-cert-issue \
--profile caServerCert \
--csr-file $SHARED/sslserver.csr \
--output-file $SHARED/sslserver.crt
docker exec ca openssl x509 -text -noout -in $SHARED/sslserver.crt
docker exec kra cp $SHARED/sslserver.crt /var/lib/pki/pki-tomcat/conf/certs
Expand Down Expand Up @@ -304,18 +279,13 @@ jobs:
--csr $SHARED/kra_admin.csr
docker exec ca openssl req -text -noout -in $SHARED/kra_admin.csr
# submit cert request
docker exec ca pki ca-cert-request-submit \
--profile AdminCert \
--csr-file $SHARED/kra_admin.csr | tee output
REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output)
# issue cert
docker exec ca pki -n caadmin ca-cert-request-approve $REQUEST_ID --force | tee output
CERT_ID=$(sed -n 's/Certificate ID: *\(.*\)/\1/p' output)
# retrieve cert
docker exec ca pki ca-cert-export $CERT_ID --output-file $SHARED/kra_admin.crt
docker exec ca pki \
-n caadmin \
ca-cert-issue \
--profile AdminCert \
--csr-file $SHARED/kra_admin.csr \
--output-file $SHARED/kra_admin.crt
docker exec ca openssl x509 -text -noout -in $SHARED/kra_admin.crt
# import cert
