diff --git a/.github/workflows/ocsp-tests.yml b/.github/workflows/ocsp-tests.yml
index f79b55fcf96..a7f60874971 100644
--- a/.github/workflows/ocsp-tests.yml
+++ b/.github/workflows/ocsp-tests.yml
@@ -76,3 +76,36 @@ jobs:
 uses: ./.github/workflows/ocsp-hsm-test.yml
 with:
 db-image: ${{ needs.init.outputs.db-image }}
+
+ ocsp-crl-ldap-self-verification-test:
+ name: OCSP with self certificate verification test
+ needs: [init, build]
+ runs-on: ubuntu-latest
+ steps:
+ - name: Clone repository
+ uses: actions/checkout@v3
+
+ - name: Retrieve PKI images
+ uses: actions/cache@v3
+ with:
+ key: pki-images-${{ github.sha }}
+ path: pki-images.tar
+
+ - name: Load PKI images
+ run: docker load --input pki-images.tar
+
+ - name: Set up Python 3.9
+ uses: actions/setup-python@v4
+ with:
+ python-version: 3.9
+
+ - name: Install ansible
+ run: |
+ python -m pip install --upgrade pip
+ pip install --user -r tests/ansible/requirements.txt
+
+ - name: Execute est playbook
+ run: |
+ ansible-playbook -e 'pki_subsystem="ocsp"' tests/ansible/pki-playbook.yml
+ env:
+ ANSIBLE_CONFIG: ${{ github.workspace }}/tests/ansible/ansible.cfg
diff --git a/tests/ansible/ca_signing.crt b/tests/ansible/ca_signing.crt
new file mode 100644
index 00000000000..fd067500a6e
--- /dev/null
+++ b/tests/ansible/ca_signing.crt
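Review bot: The last step is named `Execute est playbook` but runs the OCSP playbook (`-e 'pki_subsystem="ocsp"'`), which will mislead anyone reading a failed job log; rename it `- name: Execute ocsp playbook`. `python-version: 3.9` is a bare float and should be quoted as `python-version: "3.9"` so that a later bump to 3.10 is not read as 3.1. The three actions are referenced by mutable major tags (`actions/checkout@v3`, `actions/cache@v3`, `actions/setup-python@v4`); this looks consistent with the rest of the workflow, but pinning to a commit SHA with a version comment is the stronger supply-chain posture for a job that loads and runs images from the cache.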
@@ -0,0 +1,27 @@ +-----BEGIN CERTIFICATE----- +MIIEfTCCAuWgAwIBAgIQavVXHCitBbcwDsABcEu5fjANBgkqhkiG9w0BAQsFADBI +MRAwDgYDVQQKDAdFWEFNUExFMRMwEQYDVQQLDApwa2ktdG9tY2F0MR8wHQYDVQQD +DBZDQSBTaWduaW5nIENlcnRpZmljYXRlMB4XDTIzMDgyMzEwMDYxNVoXDTQzMDgy +MzEwMDYxNVowSDEQMA4GA1UECgwHRVhBTVBMRTETMBEGA1UECwwKcGtpLXRvbWNh +dDEfMB0GA1UEAwwWQ0EgU2lnbmluZyBDZXJ0aWZpY2F0ZTCCAaIwDQYJKoZIhvcN +AQEBBQADggGPADCCAYoCggGBAK9kHDM3KmcSAQz/u6iM79ejge9pxwoZupshlm/I +5u7caLaOak5kcBKlMzcsGCZiDgtf7SLhm2BWn1IO/MGllYnlZk7+OcXiPM6RZzBN +IvcOaoPj5Ki2+JLx3+rvDLkZfvirEP+dSQi8B/dxVY9vaXXg0yVhL21BDPS7CBEg +O1PVLpV83JzFTfKiRQPzE6LYfaO3brjODVEwDwcy0Iw5cLOEXncudOjWCCfPJQjn +fEIhadRGOXkJ/pMtMVDE42QSZZJ+W+AfpB67sS9guq4sUCLcUjPmensIi0cWU9es +o9ahJsTWrNuMwOAjVl70Ykeir0OXZLIV2c3nVj0dVNKud14+QY34sfi/jfZunyzd +U3D1O11g0U8hOSA/Zp7CgptKK2HLLbBVAJ3aELfKxYU00lAVRTZbOEMQMrw3Zr4S +QwajtwhMeYMgliTf2wBg0Ixz02DjtKUBduP/K4VqRpZEAAvVdiY2NJPxTHWqfKk8 +Fa2sxyAcrW0mMzPePm6Xaqm6tQIDAQABo2MwYTAfBgNVHSMEGDAWgBQ9O6szYpko +vvmbVOwy7vXZS2vXpzAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBxjAd +BgNVHQ4EFgQUPTurM2KZKL75m1TsMu712Utr16cwDQYJKoZIhvcNAQELBQADggGB +AJ2S1bNnsmQ76vCswTtCaNFlGFWqULmljr3MEci2evR8sHNhiF+Held5SPCsHUam +R2RwzmyLDQUnJ4BZC7wHI6qkHIPvc6oBMsxzWyHiYHY4YU1cKBCrBmruYMzm02Nh +s0ZxTlXurpeHC6cFyw1I2UBFk16grYEB+sfdAbmljxxIKelhOlBm4nlnqMaZpLQR +KJb2+e9bDbl40Cy0pmquzb39eglkdCdvu7MGyjt8FRXtJdDLILziQN1woMbhusvI +WQVw+omrqPu+9bDr1++J6C6BUlNGlvG9mFE0bVs1heA8hWUgLExFtYZI1kEn7lO9 +XctQ6feHpIfj5semI8o6cDUEm8NurG60QH67bLZPsrsL09YXNCppDms2y223DDiJ +Fbz4nw5DmzJPYLI4ASPyOrKKaRIv5kjd2VFaQJSJ432wA8AdKbjwhmQxx22g71At +q60YXW0PxYegDiqHqlgyjBCR88JperwCmXkyl2WwE6xMFvkWvBRY4QQKe+jSDBOO +Tw== +-----END CERTIFICATE----- diff --git a/tests/ansible/est/defaults/main.yml b/tests/ansible/est/defaults/main.yml index 6a8eccd3907..6c00a8e46a4 100644 --- a/tests/ansible/est/defaults/main.yml +++ b/tests/ansible/est/defaults/main.yml 
@@ -2,7 +2,7 @@
 # defaults file for est shared_workspace: /tmp/workdir/pki
-github_workspace: ./
+github_workspace: ../../
 #DS ds_container: ds
diff --git a/tests/ansible/ocsp/README.md b/tests/ansible/ocsp/README.md
new file mode 100644
index 00000000000..0f223f30d8a
--- /dev/null
+++ b/tests/ansible/ocsp/README.md
@@ -0,0 +1,37 @@
+OCSP
+=========
+
+OCSP tests for CI
+
+Requirements
+------------
+
+The only requirement is the `community.docker` module
+
+
+Role Variables
+--------------
+
+A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
+
+
+
+Example Playbook
+----------------
+
+Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
+
+ - hosts: servers
+ roles:
+ - ocsp
+
+License
+-------
+
+GPL-2-and-later
+
+Author Information
+------------------
+
+Marco Fargetta (mfargett@redhat.com)
+
diff --git a/tests/ansible/ocsp/defaults/main.yml b/tests/ansible/ocsp/defaults/main.yml
new file mode 100644
index 00000000000..720240150f4
--- /dev/null
+++ b/tests/ansible/ocsp/defaults/main.yml
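Review bot: `github_workspace: ../../` is a relative bind-mount source, so the host directory that ends up mounted into the containers depends on the working directory of whatever resolves it (the ansible-playbook process, started from the repository root in the workflow, or the Docker side), and the same literal is duplicated in tests/ansible/ocsp/defaults/main.yml. Anchoring it to the role instead, e.g. `github_workspace: "{{ (playbook_dir ~ '/../..') | realpath }}"`, makes it independent of the invocation directory; if the relative form is deliberate, a comment above the key stating which cwd it assumes would stop the next role from copying it blindly.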
@@ -0,0 +1,33 @@
+---
+# defaults file for ocsp
+
+shared_workspace: /tmp/workdir/pki
+github_workspace: ../../
+
+#CA-DS
+cads_container: cads
+cads_image: pki-runner
+cads_hostname: cads.example.com
+cads_password: Secret.123
+
+#CA
+ca_container: ca
+ca_image: pki-runner
+ca_hostname: ca.example.com
+
+#OCSP-DS
+ocspds_container: ocspds
+ocspds_image: pki-runner
+ocspds_hostname: ocspds.example.com
+ocspds_password: Secret.123
+
+#OCSP
+ocsp_container: ocsp
+ocsp_image: pki-runner
+ocsp_hostname: ocsp.example.com
+
+
+#Client
+client_container: client
+client_image: quay.io/dogtagpki/libest
+client_hostname: client.example.com
diff --git a/tests/ansible/ocsp/handlers/main.yml b/tests/ansible/ocsp/handlers/main.yml
new file mode 100644
index 00000000000..6aff6926917
--- /dev/null
+++ b/tests/ansible/ocsp/handlers/main.yml
@@ -0,0 +1,2 @@
+---
+# handlers file for ocsp
diff --git a/tests/ansible/ocsp/meta/main.yml b/tests/ansible/ocsp/meta/main.yml
new file mode 100644
index 00000000000..c9d401229d1
--- /dev/null
+++ b/tests/ansible/ocsp/meta/main.yml
@@ -0,0 +1,24 @@
+galaxy_info:
+ author: Marco Fargetta (mfargett@redhat.com)
+ description: OCSP tests for CI
+ company: Red Hat
+
+
+ license: GPL-2.0-or-later
+
+ min_ansible_version: 2.1
+
+
+ platforms:
+ - name: Fedora
+ versions:
+ - all
+ - name: Ubuntu
+ versions:
+ - 22.04
+
+ galaxy_tags:
+ - dogtag
+ - pki
+
+dependencies: []
diff --git a/tests/ansible/ocsp/tasks/certificate_self_validation_with_crl.yml b/tests/ansible/ocsp/tasks/certificate_self_validation_with_crl.yml
new file mode 100644
index 00000000000..fc1a61e4041
--- /dev/null
+++ b/tests/ansible/ocsp/tasks/certificate_self_validation_with_crl.yml
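Review bot: The role writes every exported certificate and CSR into `{{ shared_workspace }}`, which is the bind mount of `github_workspace`, so a run leaves artefacts inside the checkout; the `tests/ansible/ca_signing.crt`, `ocsp_admin.crt`, `ocsp_admin.csr` and `ocsp_audit_signing.*` files added by this commit carry exactly the names the tasks write to and look like leftovers of a local run rather than fixtures, so they should be dropped (and the pattern ignored in .gitignore) or the exports pointed at a scratch directory. `cads_password` and `ocspds_password` are defined here, yet the tasks still hard-code `Secret.123` for the PKCS#12 passwords and the curl client certificate; routing those through a variable leaves one place to change. A comment above the two password keys saying they are throwaway CI credentials for containers on a private network would document the intent.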
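Review bot: `min_ansible_version: 2.1` and the Ubuntu entry `- 22.04` are plain scalars that YAML reads as floats, so Galaxy and ansible-lint see numbers rather than version strings and a future `2.10` would collapse to `2.1`; quote them as `min_ansible_version: "2.1"` and `- "22.04"`. The file also lacks the leading `---` document marker that the sibling defaults, handlers and vars files in this commit use.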
@@ -0,0 +1,575 @@
+---
+
+- name: Create a network
+ community.docker.docker_network:
+ name: example
+
+- name: Set up CA DS container
+ community.docker.docker_container:
+ name: "{{ cads_container }}"
+ image: "{{ cads_image }}"
+ hostname: "{{ cads_hostname }}"
+ volumes:
+ - "{{ github_workspace }}:{{ shared_workspace }}"
+ tmpfs:
+ - /tmp
+ - /run
+ state: started
+ detach: true
+ privileged: true
+ env:
+ SHARED="{{ shared_workspace }}"
+ networks:
+ - name: example
+ aliases:
+ - "{{ cads_hostname }}"
+ ports:
+ - 3389
+ - 3636
+ entrypoint: /usr/sbin/init
+ register: cads
+
+- name: Initialise CA ds
+ community.docker.docker_container_exec:
+ container: "{{ cads_container }}"
+ command: "{{ item }}"
+ when: cads.changed
+ loop:
+ - dnf install -y 389-ds-base
+ - dscreate create-template ds.inf
+ - sed -i -e "s/;instance_name = .*/instance_name = localhost/g" ds.inf
+ - sed -i -e "s/;port = .*/port = 3389/g" -e "s/;secure_port = .*/secure_port = 3636/g" ds.inf
+ - sed -i -e "s/;root_password = .*/root_password = {{ cads_password }} /g" ds.inf
+ - sed -i -e "s/;suffix = .*/suffix = dc=example,dc=com/g" ds.inf
+ - sed -i -e "s/;self_sign_cert = .*/self_sign_cert = True/g" ds.inf
+ - dscreate from-file ds.inf
+
+- name: Add CA base entry
+ community.docker.docker_container_exec:
+ container: "{{ cads_container }}"
+ command: ldapadd -H ldap://{{ cads_hostname }}:3389 -D "cn=Directory Manager" -w {{ cads_password }} -x
+ stdin: |
+ dn: dc=example,dc=com
+ objectClass: domain
+ dc: example
+
+ dn: dc=pki,dc=example,dc=com
+ objectClass: domain
+ dc: pki
+ when: cads.changed
+
+- name: Set up CA container
+ community.docker.docker_container:
+ name: "{{ ca_container }}"
+ image: "{{ ca_image }}"
+ hostname: "{{ ca_hostname }}"
+ volumes:
+ - "{{ github_workspace }}:{{ shared_workspace }}"
+ tmpfs:
+ - /tmp
+ - /run
+ state: started
+ detach: true
+ privileged: true
+ env:
+ SHARED="{{ shared_workspace }}"
+ networks:
+ - name: example
+ aliases:
+ - "{{ ca_hostname }}"
+ ports:
+ - 8080
+ - 8443
+ entrypoint: /usr/sbin/init
+
+- name: Install CA in CA container
+ community.docker.docker_container_exec:
+ container: "{{ ca_container }}"
+ command: >
+ pkispawn -f /usr/share/pki/server/examples/installation/ca.cfg
+ -s CA
+ -D pki_ds_url=ldap://{{ cads_hostname }}:3389
+ -D pki_cert_id_generator=random
+ -D pki_request_id_generator=random
+ -v
+
+- name: Install CA admin cert in CA container
+ community.docker.docker_container_exec:
+ container: "{{ ca_container }}"
+ command: "{{ item }}"
+ loop:
+ - pki-server cert-export ca_signing --cert-file {{ shared_workspace }}/ca_signing.crt
+ - pki client-cert-import ca_signing --ca-cert {{ shared_workspace }}/ca_signing.crt
+ - pki pkcs12-import --pkcs12 /root/.dogtag/pki-tomcat/ca_admin_cert.p12 --pkcs12-password Secret.123
+
+- name: Set up OCSP DS container
+ community.docker.docker_container:
+ name: "{{ ocspds_container }}"
+ image: "{{ ocspds_image }}"
+ hostname: "{{ ocspds_hostname }}"
+ volumes:
+ - "{{ github_workspace }}:{{ shared_workspace }}"
+ tmpfs:
+ - /tmp
+ - /run
+ state: started
+ detach: true
+ privileged: true
+ env:
+ SHARED="{{ shared_workspace }}"
+ networks:
+ - name: example
+ aliases:
+ - "{{ ocspds_hostname }}"
+ ports:
+ - 3389
+ - 3636
+ entrypoint: /usr/sbin/init
+ register: ocspds
+
+- name: Initialise OCSP ds
+ community.docker.docker_container_exec:
+ container: "{{ ocspds_container }}"
+ command: "{{ item }}"
+ when: ocspds.changed
+ loop:
+ - dnf install -y 389-ds-base
+ - dscreate create-template ds.inf
+ - sed -i -e "s/;instance_name = .*/instance_name = localhost/g" ds.inf
+ - sed -i -e "s/;port = .*/port = 3389/g" -e "s/;secure_port = .*/secure_port = 3636/g" ds.inf
+ - sed -i -e "s/;root_password = .*/root_password = {{ ocspds_password }} /g" ds.inf
+ - sed -i -e "s/;suffix = .*/suffix = dc=example,dc=com/g" ds.inf
+ - sed -i -e "s/;self_sign_cert = .*/self_sign_cert = True/g" ds.inf
+ - dscreate from-file ds.inf
+
+
+- name: Add OCSP base entry
+ community.docker.docker_container_exec:
+ container: "{{ ocspds_container }}"
+ command: ldapadd -H ldap://{{ ocspds_hostname }}:3389 -D "cn=Directory Manager" -w {{ ocspds_password }} -x
+ stdin: |
+ dn: dc=example,dc=com
+ objectClass: domain
+ dc: example
+
+ dn: dc=pki,dc=example,dc=com
+ objectClass: domain
+ dc: pki
+ when: ocspds.changed
+
+- name: Set up OCSP container
+ community.docker.docker_container:
+ name: "{{ ocsp_container }}"
+ image: "{{ ocsp_image }}"
+ hostname: "{{ ocsp_hostname }}"
+ volumes:
+ - "{{ github_workspace }}:{{ shared_workspace }}"
+ tmpfs:
+ - /tmp
+ - /run
+ state: started
+ detach: true
+ privileged: true
+ env:
+ SHARED="{{ shared_workspace }}"
+ networks:
+ - name: example
+ aliases:
+ - "{{ ocsp_hostname }}"
+ ports:
+ - 8080
+ - 8443
+ entrypoint: /usr/sbin/init
+
+- name: Install OCSP in OCSP container (step 1)
+ community.docker.docker_container_exec:
+ container: "{{ ocsp_container }}"
+ command: >
+ pkispawn -f /usr/share/pki/server/examples/installation/ocsp-standalone-step1.cfg
+ -s OCSP
+ -D pki_ds_url=ldap://{{ ocspds_hostname }}:3389
+ -D pki_cert_chain_path={{ shared_workspace }}/ca_signing.crt
+ -D pki_ocsp_signing_csr_path={{ shared_workspace }}/ocsp_signing.csr
+ -D pki_subsystem_csr_path={{ shared_workspace }}/subsystem.csr
+ -D pki_sslserver_csr_path={{ shared_workspace }}/sslserver.csr
+ -D pki_audit_signing_csr_path={{ shared_workspace }}/ocsp_audit_signing.csr
+ -D pki_admin_csr_path={{ shared_workspace }}/ocsp_admin.csr
+ -v
+
+- name: Issue OCSP signing cert - submit
+ community.docker.docker_container_exec:
+ container: "{{ ca_container }}"
+ command: pki ca-cert-request-submit --profile caOCSPCert --csr-file {{ shared_workspace }}/ocsp_signing.csr
+ register:
+ ca_command
+
+- name: Issue OCSP signing cert - approve
+ community.docker.docker_container_exec:
+ container: "{{ ca_container }}"
+ command: "pki -n caadmin ca-cert-request-approve {{ ca_command.stdout | regex_search('Request ID: *(.*)', '\\1') | first }} --force"
+ register:
+ ca_command
+
+- name: Issue OCSP signing cert - export
+ community.docker.docker_container_exec:
+ container: "{{ ca_container }}"
+ command: "pki ca-cert-export {{ ca_command.stdout | regex_search('Certificate ID: *(.*)', '\\1') | first }} --output-file {{ shared_workspace }}/ocsp_signing.crt"
+ register:
+ ca_command
+
+- name: Issue subsystem cert - submit
+ community.docker.docker_container_exec:
+ container: "{{ ca_container }}"
+ command: pki ca-cert-request-submit --profile caSubsystemCert --csr-file {{ shared_workspace }}/subsystem.csr
+ register:
+ ca_command
+
+- name: Issue subsystem cert - approve
+ community.docker.docker_container_exec:
+ container: "{{ ca_container }}"
+ command: "pki -n caadmin ca-cert-request-approve {{ ca_command.stdout | regex_search('Request ID: *(.*)', '\\1') | first }} --force"
+ register:
+ ca_command
+
+- name: Issue subsystem cert - export
+ community.docker.docker_container_exec:
+ container: "{{ ca_container }}"
+ command: "pki ca-cert-export {{ ca_command.stdout | regex_search('Certificate ID: *(.*)', '\\1') | first }} --output-file {{ shared_workspace }}/subsystem.crt"
+ register:
+ ca_command
+
+- name: Issue SSL server cert - submit
+ community.docker.docker_container_exec:
+ container: "{{ ca_container }}"
+ command: pki ca-cert-request-submit --profile caServerCert --csr-file {{ shared_workspace }}/sslserver.csr
+ register:
+ ca_command
+
+- name: Issue SSL server cert - approve
+ community.docker.docker_container_exec:
+ container: "{{ ca_container }}"
+ command: "pki -n caadmin ca-cert-request-approve {{ ca_command.stdout | regex_search('Request ID: *(.*)', '\\1') | first }} --force"
+ register:
+ ca_command
+
+- name: Issue SSL server cert - export
+ community.docker.docker_container_exec:
+ container: "{{ ca_container }}"
+ command: "pki ca-cert-export {{ ca_command.stdout | regex_search('Certificate ID: *(.*)', '\\1') | first }} --output-file {{ shared_workspace }}/sslserver.crt"
+ register:
+ ca_command
+
+- name: Issue OCSP audit signing cert - submit
+ community.docker.docker_container_exec:
+ container: "{{ ca_container }}"
+ command: pki ca-cert-request-submit --profile caAuditSigningCert --csr-file {{ shared_workspace }}/ocsp_audit_signing.csr
+ register:
+ ca_command
+
+- name: Issue OCSP audit signing cert - approve
+ community.docker.docker_container_exec:
+ container: "{{ ca_container }}"
+ command: "pki -n caadmin ca-cert-request-approve {{ ca_command.stdout | regex_search('Request ID: *(.*)', '\\1') | first }} --force"
+ register:
+ ca_command
+
+- name: Issue OCSP audit signing cert - export
+ community.docker.docker_container_exec:
+ container: "{{ ca_container }}"
+ command: "pki ca-cert-export {{ ca_command.stdout | regex_search('Certificate ID: *(.*)', '\\1') | first }} --output-file {{ shared_workspace }}/ocsp_audit_signing.crt"
+ register:
+ ca_command
+
+- name: Issue OCSP admin cert - submit
+ community.docker.docker_container_exec:
+ container: "{{ ca_container }}"
+ command: pki ca-cert-request-submit --profile AdminCert --csr-file {{ shared_workspace }}/ocsp_admin.csr
+ register:
+ ca_command
+
+- name: Issue OCSP admin cert - approve
+ community.docker.docker_container_exec:
+ container: "{{ ca_container }}"
+ command: "pki -n caadmin ca-cert-request-approve {{ ca_command.stdout | regex_search('Request ID: *(.*)', '\\1') | first }} --force"
+ register:
+ ca_command
+
+- name: Issue OCSP admin cert - export
+ community.docker.docker_container_exec:
+ container: "{{ ca_container }}"
+ command: "pki ca-cert-export {{ ca_command.stdout | regex_search('Certificate ID: *(.*)', '\\1') | first }} --output-file {{ shared_workspace }}/ocsp_admin.crt"
+ register:
+ ca_command
+
+- name: Install OCSP in OCSP container (step 2)
+ community.docker.docker_container_exec:
+ container: "{{ ocsp_container }}"
+ command: >
+ pkispawn
+ -f /usr/share/pki/server/examples/installation/ocsp-standalone-step2.cfg
+ -s OCSP
+ -D pki_ds_url=ldap://{{ ocspds_hostname }}:3389
+ -D pki_cert_chain_path={{ shared_workspace }}/ca_signing.crt
+ -D pki_ocsp_signing_csr_path={{ shared_workspace }}/ocsp_signing.csr
+ -D pki_subsystem_csr_path={{ shared_workspace }}/subsystem.csr
+ -D pki_sslserver_csr_path={{ shared_workspace }}/sslserver.csr
+ -D pki_audit_signing_csr_path={{ shared_workspace }}/ocsp_audit_signing.csr
+ -D pki_admin_csr_path={{ shared_workspace }}/ocsp_admin.csr
+ -D pki_ocsp_signing_cert_path={{ shared_workspace }}/ocsp_signing.crt
+ -D pki_subsystem_cert_path={{ shared_workspace }}/subsystem.crt
+ -D pki_sslserver_cert_path={{ shared_workspace }}/sslserver.crt
+ -D pki_audit_signing_cert_path={{ shared_workspace }}/ocsp_audit_signing.crt
+ -D pki_admin_cert_path={{ shared_workspace }}/ocsp_admin.crt
+ -v
+
+- name: Install OCSP admin cert in OCSP container
+ community.docker.docker_container_exec:
+ container: "{{ ocsp_container }}"
+ command: "{{ item }}"
+ loop:
+ - pki client-cert-import ca_signing --ca-cert {{ shared_workspace }}/ca_signing.crt
+ - pki pkcs12-import --pkcs12 /root/.dogtag/pki-tomcat/ocsp_admin_cert.p12 --pkcs12-password Secret.123
+ - pki -n ocspadmin ocsp-user-show ocspadmin
+
+- name: Prepare CRL publishing subtree
+ community.docker.docker_container_exec:
+ container: "{{ ocsp_container }}"
+ command: ldapadd -H ldap://{{ ocspds_hostname }}:3389 -x -D "cn=Directory Manager" -w {{ ocspds_password }}
+ stdin: |
+ dn: dc=crl,dc=pki,dc=example,dc=com
+ objectClass: domain
+ dc: crl
+ aci: (targetattr!="userPassword || aci")
+ (version 3.0; acl "Enable anonymous access"; allow (read, search, compare) userdn="ldap:///anyone";)
+
+- name: Verify anonymous access
+ community.docker.docker_container_exec:
+ container: "{{ ocsp_container }}"
+ command: ldapsearch -H ldap://{{ ocspds_hostname }}:3389 -x -b "dc=crl,dc=pki,dc=example,dc=com"
+
+- name: Configure CA cert and CRL publishing in CA
+ community.docker.docker_container_exec:
+ container: "{{ ca_container }}"
+ command: "{{ item }}"
+ loop:
+ # configure LDAP connection
+ - pki-server ca-config-set ca.publish.ldappublish.enable true
+ - pki-server ca-config-set ca.publish.ldappublish.ldap.ldapauth.authtype BasicAuth
+ - pki-server ca-config-set ca.publish.ldappublish.ldap.ldapauth.bindDN "cn=Directory Manager"
+ - pki-server ca-config-set ca.publish.ldappublish.ldap.ldapauth.bindPWPrompt internaldb
+ - pki-server ca-config-set ca.publish.ldappublish.ldap.ldapconn.host ocspds.example.com
+ - pki-server ca-config-set ca.publish.ldappublish.ldap.ldapconn.port 3389
+ - pki-server ca-config-set ca.publish.ldappublish.ldap.ldapconn.secureConn false
+ # configure LDAP-based CA cert publisher
+ - pki-server ca-config-set ca.publish.publisher.instance.LdapCaCertPublisher.caCertAttr "cACertificate;binary"
+ - pki-server ca-config-set ca.publish.publisher.instance.LdapCaCertPublisher.caObjectClass pkiCA
+ - pki-server ca-config-set ca.publish.publisher.instance.LdapCaCertPublisher.pluginName LdapCaCertPublisher
+ # configure CA cert mapper
+ - pki-server ca-config-set ca.publish.mapper.instance.LdapCaCertMap.createCAEntry true
+ - pki-server ca-config-set ca.publish.mapper.instance.LdapCaCertMap.dnPattern "cn=$subj.cn,dc=crl,dc=pki,dc=example,dc=com"
+ - pki-server ca-config-set ca.publish.mapper.instance.LdapCaCertMap.pluginName LdapCaSimpleMap
+ # configure CA cert publishing rule
+ - pki-server ca-config-set ca.publish.rule.instance.LdapCaCertRule.enable true
+ - pki-server ca-config-set ca.publish.rule.instance.LdapCaCertRule.mapper LdapCaCertMap
+ - pki-server ca-config-set ca.publish.rule.instance.LdapCaCertRule.pluginName Rule
+ - pki-server ca-config-set ca.publish.rule.instance.LdapCaCertRule.predicate ""
+ - pki-server ca-config-set ca.publish.rule.instance.LdapCaCertRule.publisher LdapCaCertPublisher
+ - pki-server ca-config-set ca.publish.rule.instance.LdapCaCertRule.type cacert
+ # configure LDAP-based CRL publisher
+ - pki-server ca-config-set ca.publish.publisher.instance.LdapCrlPublisher.crlAttr "certificateRevocationList;binary"
+ - pki-server ca-config-set ca.publish.publisher.instance.LdapCrlPublisher.crlObjectClass pkiCA
+ - pki-server ca-config-set ca.publish.publisher.instance.LdapCrlPublisher.pluginName LdapCrlPublisher
+ # configure CRL mapper
+ - pki-server ca-config-set ca.publish.mapper.instance.LdapCrlMap.createCAEntry true
+ - pki-server ca-config-set ca.publish.mapper.instance.LdapCrlMap.dnPattern "cn=$subj.cn,dc=crl,dc=pki,dc=example,dc=com"
+ - pki-server ca-config-set ca.publish.mapper.instance.LdapCrlMap.pluginName LdapCaSimpleMap
+ # configure CRL publishing rule
+ - pki-server ca-config-set ca.publish.rule.instance.LdapCrlRule.enable true
+ - pki-server ca-config-set ca.publish.rule.instance.LdapCrlRule.mapper LdapCrlMap
+ - pki-server ca-config-set ca.publish.rule.instance.LdapCrlRule.pluginName Rule
+ - pki-server ca-config-set ca.publish.rule.instance.LdapCrlRule.predicate ""
+ - pki-server ca-config-set ca.publish.rule.instance.LdapCrlRule.publisher LdapCrlPublisher
+ - pki-server ca-config-set ca.publish.rule.instance.LdapCrlRule.type crl
+ # enable CRL publishing
+ - pki-server ca-config-set ca.publish.enable true
+ # set buffer size to 0 so that revocation will take effect immediately
+ - pki-server ca-config-set auths.revocationChecking.bufferSize 0
+ # update CRL immediately after each cert revocation
+ - pki-server ca-config-set ca.crl.MasterCRL.alwaysUpdate true
+ # restart CA subsystem
+ - pki-server ca-redeploy --wait
+
+- name: Configure revocation info store in OCSP
+ community.docker.docker_container_exec:
+ container: "{{ ocsp_container }}"
+ command: "{{ item }}"
+ loop:
+ # configure LDAP store
+ - pki-server ocsp-config-set ocsp.store.ldapStore.numConns 1
+ - pki-server ocsp-config-set ocsp.store.ldapStore.host0 ocspds.example.com
+ - pki-server ocsp-config-set ocsp.store.ldapStore.port0 3389
+ - pki-server ocsp-config-set ocsp.store.ldapStore.baseDN0 "dc=crl,dc=pki,dc=example,dc=com"
+ - pki-server ocsp-config-set ocsp.store.ldapStore.byName true
+ - pki-server ocsp-config-set ocsp.store.ldapStore.caCertAttr "cACertificate;binary"
+ - pki-server ocsp-config-set ocsp.store.ldapStore.crlAttr "certificateRevocationList;binary"
+ - pki-server ocsp-config-set ocsp.store.ldapStore.includeNextUpdate false
+ - pki-server ocsp-config-set ocsp.store.ldapStore.notFoundAsGood true
+ - pki-server ocsp-config-set ocsp.store.ldapStore.refreshInSec0 10
+ # enable LDAP store
+ - pki-server ocsp-config-set ocsp.storeId ldapStore
+ # restart OCSP subsystem
+ - pki-server ocsp-redeploy --wait
+
+- name: Create users and initial CRL
+ community.docker.docker_container_exec:
+ container: "{{ ca_container }}"
+ command: "{{ item }}"
+ loop:
+ - /usr/share/pki/tests/ca/bin/ca-agent-create.sh
+ - /usr/share/pki/tests/ca/bin/ca-agent-cert-create.sh
+ - curl --cert-type P12 --cert /root/.dogtag/pki-tomcat/ca_admin_cert.p12:Secret.123 -sk -d "xml=true" https://{{ ca_hostname }}:8443/ca/agent/ca/updateCRL
+ - sleep 10
+ - pki nss-cert-show caagent
+ register: user_agents
+
+- name: Check good certificate
+ community.docker.docker_container_exec:
+ container: "{{ ocsp_container }}"
+ command: "OCSPClient -d /root/.dogtag/nssdb -h {{ ocsp_hostname }} -p 8080 -t /ocsp/ee/ocsp -c ca_signing --serial {{ user_agents.results[-1].stdout | regex_search('\\s*Serial Number:\\s*(\\S*)', '\\1') | first }}"
+ register: good_certificate_check
+ failed_when: "'CertStatus=Good' not in good_certificate_check.stdout_lines[-1]"
+
+- name: Create CSR for DS and submit
+ community.docker.docker_container_exec:
+ container: "{{ ca_container }}"
+ command: "{{ item }}"
+ loop:
+ - pki nss-cert-request --subject "CN={{ ocspds_hostname }}" --ext /usr/share/pki/server/certs/sslserver.conf --subjectAltName "critical, DNS:{{ ocspds_hostname }}" --csr {{ shared_workspace }}/ocspds.csr
+ - pki ca-cert-request-submit --profile caServerCert --csr-file {{ shared_workspace }}/ocspds.csr
+ register:
+ ca_command
+
+- name: Approve CSR request
+ community.docker.docker_container_exec:
+ container: "{{ ca_container }}"
+ command: "pki -n caadmin ca-cert-request-approve {{ ca_command.results[-1].stdout | regex_search('Request ID: *(.*)', '\\1') | first }} --force"
+ register:
+ ca_command
+
+- name: Issue OCSP admin cert - export
+ community.docker.docker_container_exec:
+ container: "{{ ca_container }}"
+ command: "{{ item }}"
+ loop:
+ - "pki ca-cert-export {{ ca_command.stdout | regex_search('Certificate ID: *(.*)', '\\1') | first }} --output-file {{ shared_workspace }}/ocspds.crt"
+ - "certutil -d /root/.dogtag/nssdb -A -n ocspds -t ',,' -i {{ shared_workspace }}/ocspds.crt"
+ - pk12util -d /root/.dogtag/nssdb -o {{ shared_workspace }}/ocspds.p12 -n ocspds -W {{ ocspds_password }}
+ register:
+ ca_command
+
+- name: Configure certificate in OCSP DS
+ community.docker.docker_container_exec:
+ container: "{{ ocspds_container }}"
+ command: "{{ item }}"
+ loop:
+ - dsctl slapd-localhost stop
+ - certutil -d /etc/dirsrv/slapd-localhost/ -D -n Server-Cert
+ - pk12util -i {{ shared_workspace }}/ocspds.p12 -d /etc/dirsrv/slapd-localhost/ -W {{ ocspds_password }} -k /etc/dirsrv/slapd-localhost/pwdfile.txt
+ - certutil -d /etc/dirsrv/slapd-localhost/ --rename -n ocspds --new-n Server-Cert
+ - dsctl slapd-localhost start
+
+- name: Configure secure ldap connection and enable client revocation check
+ community.docker.docker_container_exec:
+ container: "{{ ocsp_container }}"
+ command: "{{ item }}"
+ loop:
+ - pki-server stop
+ - pki-server ocsp-config-set internaldb.ldapconn.port 3636
+ - pki-server ocsp-config-set internaldb.ldapconn.secureConn true
+ - pki-server ocsp-config-set auths.revocationChecking.enabled true
+ - pki-server start --wait
+
+- name: Interact with good certificate
+ community.docker.docker_container_exec:
+ container: "{{ ocsp_container }}"
+ command: pki -n ocspadmin ocsp-user-show ocspadmin
+ register: ocsp_command
+ failed_when: "'User ID: ocspadmin' not in ocsp_command.stdout"
+
+- name: Identify the admin certificate serial
+ community.docker.docker_container_exec:
+ container: "{{ ca_container }}"
+ command: "pki -n caadmin ca-cert-find --email ocspadmin@example.com"
+ register: ca_command
+
+- name: Put the OCSP admin on hold
+ community.docker.docker_container_exec:
+ container: "{{ ca_container }}"
+ command: "pki -n caadmin ca-cert-hold {{ ca_command.stdout | regex_search('\\s*Serial Number:\\s*(\\S*)', '\\1') | first }} --force"
+
+- name: Wait for CRL propagation
+ ansible.builtin.pause:
+ seconds: 15
+
+- name: Interact with revoked certificate
+ community.docker.docker_container_exec:
+ container: "{{ ocsp_container }}"
+ command: pki -n ocspadmin ocsp-user-show ocspadmin
+ register: ocsp_command
+ failed_when: "'PKIException: Unauthorized' not in ocsp_command.stderr"
+
+- name: Release the OCSP admin certificate
+ community.docker.docker_container_exec:
+ container: "{{ ca_container }}"
+ command: "pki -n caadmin ca-cert-release-hold {{ ca_command.stdout | regex_search('\\s*Serial Number:\\s*(\\S*)', '\\1') | first }} --force"
+
+- name: Wait for CRL propagation
+ ansible.builtin.pause:
+ seconds: 15
+
+- name: Interact with good certificate again
+ community.docker.docker_container_exec:
+ container: "{{ ocsp_container }}"
+ command: pki -n ocspadmin ocsp-user-show ocspadmin
+ register: ocsp_command
+ failed_when: "'User ID: ocspadmin' not in ocsp_command.stdout"
+
+- name: Identify the OCSP DS certificate serial
+ community.docker.docker_container_exec:
+ container: "{{ ca_container }}"
+ command: "pki -n caadmin ca-cert-find --name {{ ocspds_hostname }}"
+ register: ca_command
+
+- name: Put the OCSP DS certificate on hold
+ community.docker.docker_container_exec:
+ container: "{{ ca_container }}"
+ command: "pki -n caadmin ca-cert-hold {{ ca_command.stdout | regex_search('\\s*Serial Number:\\s*(\\S*)', '\\1') | first }} --force"
+
+- name: Restart OCSP
+ community.docker.docker_container_exec:
+ container: "{{ ocsp_container }}"
+ command: pki-server restart --wait
+
+- name: Interact with good certificate again
+ community.docker.docker_container_exec:
+ container: "{{ ocsp_container }}"
+ command: pki -n ocspadmin ocsp-user-show ocspadmin
+ register: ocsp_command
+ failed_when: "'PKIException: Not Found' not in ocsp_command.stderr"
+
+- name: Release the OCSP DS certificate
+ community.docker.docker_container_exec:
+ container: "{{ ca_container }}"
+ command: "pki -n caadmin ca-cert-release-hold {{ ca_command.stdout | regex_search('\\s*Serial Number:\\s*(\\S*)', '\\1') | first }} --force"
+
+- name: Restart OCSP 2
+ community.docker.docker_container_exec:
+ container: "{{ ocsp_container }}"
+ command: pki-server restart --wait
+
+- name: Interact with good certificate again
+ community.docker.docker_container_exec:
+ container: "{{ ocsp_container }}"
+ command: pki -n ocspadmin ocsp-user-show ocspadmin
+ register: ocsp_command
+ failed_when: "'User ID: ocspadmin' not in ocsp_command.stdout"
diff --git a/tests/ansible/ocsp/tasks/main.yml b/tests/ansible/ocsp/tasks/main.yml
new file mode 100644
index 00000000000..ccc56750fca
--- /dev/null
+++ b/tests/ansible/ocsp/tasks/main.yml
@@ -0,0 +1,3 @@
+---
+# tasks file for ocsp
+- ansible.builtin.import_tasks: certificate_self_validation_with_crl.yml
diff --git a/tests/ansible/ocsp/tests/inventory b/tests/ansible/ocsp/tests/inventory
new file mode 100644
index 00000000000..878877b0776
--- /dev/null
+++ b/tests/ansible/ocsp/tests/inventory
@@ -0,0 +1,2 @@
+localhost
+
diff --git a/tests/ansible/ocsp/tests/test.yml b/tests/ansible/ocsp/tests/test.yml
new file mode 100644
index 00000000000..a26155cf6e1
--- /dev/null
+++ b/tests/ansible/ocsp/tests/test.yml
@@ -0,0 +1,5 @@
+---
+- hosts: localhost
+ remote_user: root
+ roles:
+ - ocsp
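Review bot: The revocation assertions race the publisher: `Put the OCSP admin on hold` is followed by a fixed `ansible.builtin.pause` of 15 seconds while the OCSP store is polled every `refreshInSec0 10` seconds and the CA republishes the CRL on its own schedule, so `Interact with revoked certificate` and the following `again` check can fail or pass for timing reasons alone; replacing each pause with an `until` loop on the expected outcome, as below, makes the test assert the state rather than a delay. Several task names are reused (`Issue OCSP admin cert - export` is used a second time for the DS server certificate, `Interact with good certificate again` three times, plus `Restart OCSP 2`), which makes a failing log ambiguous; name them for what they check. `Secret.123` is hard-coded for the PKCS#12 passwords and the curl client certificate even though `cads_password` and `ocspds_password` exist as role variables. `notFoundAsGood true` means `Check good certificate` would also report Good if the CA entry or CRL were missing from the store, so it does not by itself prove publishing works — the later hold test does; a comment on that config line saying so would save the next reader a puzzle.
```yaml
# … unchanged: hold task …
- name: Interact with revoked certificate
  community.docker.docker_container_exec:
    container: "{{ ocsp_container }}"
    command: pki -n ocspadmin ocsp-user-show ocspadmin
  register: ocsp_command
  until: "'PKIException: Unauthorized' in ocsp_command.stderr"
  retries: 10
  delay: 3
# … unchanged: release-hold task …
- name: Interact with good certificate after release
  community.docker.docker_container_exec:
    container: "{{ ocsp_container }}"
    command: pki -n ocspadmin ocsp-user-show ocspadmin
  register: ocsp_command
  until: "'User ID: ocspadmin' in ocsp_command.stdout"
  retries: 10
  delay: 3
```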
diff --git a/tests/ansible/ocsp/vars/main.yml b/tests/ansible/ocsp/vars/main.yml
new file mode 100644
index 00000000000..95184424c2b
--- /dev/null
+++ b/tests/ansible/ocsp/vars/main.yml
@@ -0,0 +1,2 @@
+---
+# vars file for ocsp
diff --git a/tests/ansible/ocsp_admin.crt b/tests/ansible/ocsp_admin.crt
new file mode 100644
index 00000000000..93285e96e39
--- /dev/null
+++ b/tests/ansible/ocsp_admin.crt
@@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIEZDCCAsygAwIBAgIRANqnC/EUF2WvHN1sw0QMTw0wDQYJKoZIhvcNAQELBQAwSDEQMA4GA1UE +CgwHRVhBTVBMRTETMBEGA1UECwwKcGtpLXRvbWNhdDEfMB0GA1UEAwwWQ0EgU2lnbmluZyBDZXJ0 +aWZpY2F0ZTAeFw0yMzA4MjMxMDA5MTRaFw0yNDA4MjIxMDA5MTRaMH0xJDAiBgNVBAoMG2V4YW1w +bGUuY29tIFNlY3VyaXR5IERvbWFpbjETMBEGA1UECwwKcGtpLXRvbWNhdDEkMCIGCSqGSIb3DQEJ +ARYVb2NzcGFkbWluQGV4YW1wbGUuY29tMRowGAYDVQQDDBFQS0kgQWRtaW5pc3RyYXRvcjCCASIw +DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAN5Ruqhbuepqc942LHrwOK7gXUyshqAxDVDy1dI3 +5/pRzC9uVJd/LPdgIwwxAU4Dou6JlbcO8gQ/f7lWk5XhdnqBDMaLP0dD43+PGGjU4nBsn7cAfay4 +rk5oNLCQmD2tTSheAaTzGN9JpeDwzBblQHNHXhRLMl9Up1HSu51AT+Y1j7opdaEsCAHt/7rfPwGd +Unwy8JmCfCOTGYwEsM2OHGlI84XOl+c4UEJEUMiOAxxUkvz3e3Y9lP3KRBwXB5qyDrUc3KpV2XHU +ey8mwueukpUUUZ+WXGME5XMvm9FNZE2/gTzNRNWGbDpUWcqV39oEAOzdCN7evJg7UhPqvKCZgdUC +AwEAAaOBkzCBkDAfBgNVHSMEGDAWgBQ9O6szYpkovvmbVOwy7vXZS2vXpzA+BggrBgEFBQcBAQQy +MDAwLgYIKwYBBQUHMAGGImh0dHA6Ly9jYS5leGFtcGxlLmNvbTo4MDgwL2NhL29jc3AwDgYDVR0P +AQH/BAQDAgXgMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDBDANBgkqhkiG9w0BAQsFAAOC +AYEAd94CYlj+qI4dSO9S9AKzRS0qcHKawOMDQiLBWGXaTVQhnVmFaJe9em+P8J0ojmLj13+xAS7u +Yc9mOz29G8t3IJe6s4f9B6sx4CjtOCDJl32Ew/tPH6USc5aziiHFxh6c57gCuhWiWxTNjYu+f1hc +onmj8QJLf/xYyYtaarEaTYzbpF1qTC9kw/jCybGMRToGFJJpe7GZECSdRKTJU43EujyoUhfvznKL +biX+yopefRxZ9rSHY8Cs/u3PANWOimGizQOUl5lUTZdmxbP1qsHSFcV7hwfOg6Fwtkf3nj2fRl2v +vdPreRasedfl2WveRNmOp72Z9fh/omaJlD33/7C6w3McxFYG7Ws8JbXYIoJ3HuBzxHVCzfJ9YvQ6 +iKN88ZGOJfgj+yEkFGMx4jNmA9i47a9zsfbXQHsIJDDOJGaOMdjUf83LkfyydKLYck4CSvKK4RtU +C8zHBAQeOyH9AHdyfmSwUYqwp9ysmUI2t63akCvXEUQLaVLWbtoFLUAwb5+l +-----END CERTIFICATE----- diff --git a/tests/ansible/ocsp_admin.csr b/tests/ansible/ocsp_admin.csr new file mode 100644 index 00000000000..969bcf19acf --- /dev/null +++ b/tests/ansible/ocsp_admin.csr 
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIICwjCCAaoCAQAwfTEkMCIGA1UECgwbZXhhbXBsZS5jb20gU2VjdXJpdHkgRG9tYWluMRMwEQYD
+VQQLDApwa2ktdG9tY2F0MSQwIgYJKoZIhvcNAQkBFhVvY3NwYWRtaW5AZXhhbXBsZS5jb20xGjAY
+BgNVBAMMEVBLSSBBZG1pbmlzdHJhdG9yMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
+3lG6qFu56mpz3jYsevA4ruBdTKyGoDENUPLV0jfn+lHML25Ul38s92AjDDEBTgOi7omVtw7yBD9/
+uVaTleF2eoEMxos/R0Pjf48YaNTicGyftwB9rLiuTmg0sJCYPa1NKF4BpPMY30ml4PDMFuVAc0de
+FEsyX1SnUdK7nUBP5jWPuil1oSwIAe3/ut8/AZ1SfDLwmYJ8I5MZjASwzY4caUjzhc6X5zhQQkRQ
+yI4DHFSS/Pd7dj2U/cpEHBcHmrIOtRzcqlXZcdR7LybC566SlRRRn5ZcYwTlcy+b0U1kTb+BPM1E
+1YZsOlRZypXf2gQA7N0I3t68mDtSE+q8oJmB1QIDAQABoAAwDQYJKoZIhvcNAQELBQADggEBAKuV
+I5UkWkfVhR1/I4cuvGhdHoWzJiFFjb/8FKf9wCBavXVNZHloa5JasTyxh0SoHGrwM4cr+y45ecB5
+/zv7H8JMrw29yPt+hMYybcdzbRXTjkl+XLrbU0KYt7QyCJlTHlxT7YnFBKr2D76BZfaCih9aCc2E
+4zejoKSoOZ8fbVPNm8S2L8O/E8sNOFRGtypCLXXg/5h8EonG2o+bcpiubwfeMqpxXcB9laKKLBIy
+flZLRDTwL5032o+Miy56flC5xJT186HAJSfVniX2C1b6I21AjM2SMmNl8paUqNYip1H5+b+EEmN1
+gbylFBwlHj+nvo+/onRaRr6A5vqs8fnd7VI=
+-----END CERTIFICATE REQUEST-----
diff --git a/tests/ansible/ocsp_audit_signing.crt b/tests/ansible/ocsp_audit_signing.crt
new file mode 100644
index 00000000000..e33daa3d4a5
--- /dev/null
+++ b/tests/ansible/ocsp_audit_signing.crt
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIEKjCCApKgAwIBAgIRAMIHhdi8+BXkoXB2xO+vCBUwDQYJKoZIhvcNAQELBQAwSDEQMA4GA1UE
+CgwHRVhBTVBMRTETMBEGA1UECwwKcGtpLXRvbWNhdDEfMB0GA1UEAwwWQ0EgU2lnbmluZyBDZXJ0
+aWZpY2F0ZTAeFw0yMzA4MjMxMDA5MDlaFw0yNTA4MTIxMDA5MDlaMGQxJDAiBgNVBAoMG2V4YW1w
+bGUuY29tIFNlY3VyaXR5IERvbWFpbjETMBEGA1UECwwKcGtpLXRvbWNhdDEnMCUGA1UEAwweT0NT
+UCBBdWRpdCBTaWduaW5nIENlcnRpZmljYXRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
+AQEA1AZbaHLIFk4/OEnLor8+AEDXIIexBC6v1pMQ8OTcXAMgpuGto2JtlaltGNM4XrWWmpIKbi84
+Udbxsetxcuc96QmDf3W0Cbg3zzcNIDJ3J2mHaARSFKMh6M8SQID7gJ04ZgRddnw+WRmlg+TsShVt
+SYdYrBUBvHlqEy4nTdibZ0yS3kJVuhi/E9YiBwh5YRSOc3HeUkrc+UGOqYxvKZjKW1GY1UK7JZU4
+iDv+94mGXhiv6PZl6PidNdNHJslG6+IEsvUsJiJ9f8h9M5UyLbnV5MkCO6gPy8N1qzrf7dBV3pjw
+R4WH+FBOixosPhIrl/+g7WcAoloaivlFO+WBxTy6pQIDAQABo3MwcTAfBgNVHSMEGDAWgBQ9O6sz
+YpkovvmbVOwy7vXZS2vXpzA+BggrBgEFBQcBAQQyMDAwLgYIKwYBBQUHMAGGImh0dHA6Ly9jYS5l
+eGFtcGxlLmNvbTo4MDgwL2NhL29jc3AwDgYDVR0PAQH/BAQDAgbAMA0GCSqGSIb3DQEBCwUAA4IB
+gQAzlD47+WAVZI+9/iIfKJQ2fd/4j64fYQ/A5IDXHAaInYin7UBqdYcCBv42IF2/60vPszURtUfE
+UfpgFY3ngCjXwE87JBOIhShTmILNJIvu55J1i1fRGyS0h6qAUA9O9Wbw/rz6n6NIDn/ADmp/wa7k
++wTD9L0+JHPs0xUzU13sX0A5x9DG6fXlyZk65Uq6+gLGsiQ47QxPu0CzgfhlYRIhVpesqnK6ESqH
+yyHDRIQo9F/W8o6tTT21jCoFvyGmKy1T4eyUyfsscg008qdQVI5N/DoFLAjeiGZT5RqhcaNFVfDE
+oNZH6BbNiFj+nP03impvRjeYPyp/eW0iPSS01HwM/l8oUu/jinCofR7BakR+0Qfk/t7sfEM5p0OY
+Sjoyq6xGzgmEeBlj7zFLQ5xeJ/zam7NiL5waMrGa9z/8+mLi4VZ2GXdU81bEGricwnMBG5zkV8ZD
+d3AagbEaJ8W4AO7kg4KDIJB2etcMRqtTO4K3dvn/SnjSAtgb1TRbPJPOn+Q=
+-----END CERTIFICATE-----
diff --git a/tests/ansible/ocsp_audit_signing.csr b/tests/ansible/ocsp_audit_signing.csr
new file mode 100644
index 00000000000..9d1fd9de987
--- /dev/null
+++ b/tests/ansible/ocsp_audit_signing.csr
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIICyjCCAbICAQAwZDEkMCIGA1UECgwbZXhhbXBsZS5jb20gU2VjdXJpdHkgRG9tYWluMRMwEQYD
+VQQLDApwa2ktdG9tY2F0MScwJQYDVQQDDB5PQ1NQIEF1ZGl0IFNpZ25pbmcgQ2VydGlmaWNhdGUw
+ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDUBltocsgWTj84Scuivz4AQNcgh7EELq/W
+kxDw5NxcAyCm4a2jYm2VqW0Y0zhetZaakgpuLzhR1vGx63Fy5z3pCYN/dbQJuDfPNw0gMncnaYdo
+BFIUoyHozxJAgPuAnThmBF12fD5ZGaWD5OxKFW1Jh1isFQG8eWoTLidN2JtnTJLeQlW6GL8T1iIH
+CHlhFI5zcd5SStz5QY6pjG8pmMpbUZjVQrsllTiIO/73iYZeGK/o9mXo+J0100cmyUbr4gSy9Swm
+In1/yH0zlTItudXkyQI7qA/Lw3WrOt/t0FXemPBHhYf4UE6LGiw+EiuX/6DtZwCiWhqK+UU75YHF
+PLqlAgMBAAGgITAfBgkqhkiG9w0BCQ4xEjAQMA4GA1UdDwEB/wQEAwIGwDANBgkqhkiG9w0BAQsF
+AAOCAQEAyNeHr30pQMvpMJsw89EYYJ6S0+RCmEbcBCrxF6ZmCXx2ukptsb47CkfS0FAWlzdG2xMA
+cnVv+XXkbTyFmheZucp5RZDu89s52Xtm19f3WSndRu+mcxOtlwqjgSGFL4aYppo799Zu/4FbAayz
+bypQpAY1OBgFa+JztAd5wbvXa+mxJJchPNFOwVOva7MMdpHm0dWKNclAGGtdr53YqRPNPfJZqQwD
+oKyPqnFCq3VrOeQhOdCwzGWJUavbgWmZKrtM2QbTDRw8FBssCTQzz1xR+y8pHAzc8RGWM7rBW9LC
+8/j4ErHtycim2PXB1IbhEh0Sk6cv1zn8B5kUJ2m1BY1BwQ==
+-----END CERTIFICATE REQUEST-----
diff --git a/tests/ansible/ocsp_signing.crt b/tests/ansible/ocsp_signing.crt
new file mode 100644
index 00000000000..92fb09ae5e8
--- /dev/null
+++ b/tests/ansible/ocsp_signing.crt
@@ -0,0 +1,24 @@
+-----BEGIN CERTIFICATE-----
+MIIEuzCCAyOgAwIBAgIQa9yWspi16I7V0HmpN+kH5jANBgkqhkiG9w0BAQsFADBIMRAwDgYDVQQK
+DAdFWEFNUExFMRMwEQYDVQQLDApwa2ktdG9tY2F0MR8wHQYDVQQDDBZDQSBTaWduaW5nIENlcnRp
+ZmljYXRlMB4XDTIzMDgyMzEwMDg1NloXDTI1MDgxMjEwMDg1NlowXjEkMCIGA1UECgwbZXhhbXBs
+ZS5jb20gU2VjdXJpdHkgRG9tYWluMRMwEQYDVQQLDApwa2ktdG9tY2F0MSEwHwYDVQQDDBhPQ1NQ
+IFNpZ25pbmcgQ2VydGlmaWNhdGUwggGiMA0GCSqGSIb3DQEBAQUAA4IBjwAwggGKAoIBgQDgYIAA
+ov3mMxNItbaeKVG5YjuL8OG2hwzlDFVJkJGsklDAfvTPL9VVtdtLuux7zrdGnkCSX9yGHHlr9cd4
+1shomfxRwIYd6aagSg1YO4sz8G+hMFDIDVS6l6gzDnmF25nNaP1fxnysNjRMSKgseGIVQe8bylp7
+lATInIw2/Suf/k4Ow47omUoZVY2huuU+/ec+Thtd+0DlNy9fpkEf9LLBmYaNI3UNPhv4L0lWArxz
+s7BMsjEcEAYbnFWvomU92ODcUtnqcoOdMxMt7KUm4wzOqYv29ZOTGPVbqRYXvcVFrElvFEaiO2E+
+i6jyEeFMhI2IHuP1IRwKFmmuOogxNB+i2wGeU6Oz42KkiRkBzvivM333zvWE5xxFy65L+T2vSvJ0
+Kz3dEjO6MgJ+q9HR8X8RoO+kW2upjAtml56PLsBQgwfy2//35kuh1hf1FayRpJUYOKAlYFb+CGAp
+pnjfLxbMEq8/tUKOK5xqqm2pK0vEgv24NlTeZ1Kk9CeJSY5O5Q8CAwEAAaOBijCBhzAfBgNVHSME
+GDAWgBQ9O6szYpkovvmbVOwy7vXZS2vXpzAPBgkrBgEFBQcwAQUEAgUAMD4GCCsGAQUFBwEBBDIw
+MDAuBggrBgEFBQcwAYYiaHR0cDovL2NhLmV4YW1wbGUuY29tOjgwODAvY2Evb2NzcDATBgNVHSUE
+DDAKBggrBgEFBQcDCTANBgkqhkiG9w0BAQsFAAOCAYEAbTuLCBGcoII0/XCgavgLexRyiRirfJ3Q
+grPFWKcz+weR0cexwrg9466kFto+Hq+BL7QJ1pzfROPZq7EewdTuM2/Vrmpx2WLCZ2MY0Br3ofv+
+ScalAOU1BO1ff04TAGm5S0xuP9AiqyHcLuNxpwhFldRltqg/kEoPFBEfW/vAILWY+uBfaEz550o0
+kM/Rz3EmJwu+NcIu6FLcWrbWh0275r3oqHl+f+Yoo7IvwRJWZC0t3jYpL9XZMdQmOxOqkQ+pHURJ
+YYasv4tmPNBpiwCVQa56mqhsNwCQ6446P7P59kX710uCv6mfAoveSbusjctGt8BOeKGFp7BrckBX
+FGeCzVrMebQ4XITQQw2pGFkdVP0tjZVO8a+CkazHSzWIptnf0N/XW1vgQ1R1207y6oOhL3FTxbhn
+XeQ0et1ce+fb1TTm3/STrqPNsx24CZk7S5aWsZS+jd7YpHIQKimpZ0Ve0Se+qopWsoB13Bp4r7JI
+4NWVz28xJMWvVSLSCHmQ4lhN
+-----END CERTIFICATE-----
diff --git a/tests/ansible/ocsp_signing.csr b/tests/ansible/ocsp_signing.csr
new file mode 100644
index 00000000000..2e5b12a768c
--- /dev/null
+++ b/tests/ansible/ocsp_signing.csr
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIDozCCAgsCAQAwXjEkMCIGA1UECgwbZXhhbXBsZS5jb20gU2VjdXJpdHkgRG9tYWluMRMwEQYD
+VQQLDApwa2ktdG9tY2F0MSEwHwYDVQQDDBhPQ1NQIFNpZ25pbmcgQ2VydGlmaWNhdGUwggGiMA0G
+CSqGSIb3DQEBAQUAA4IBjwAwggGKAoIBgQDgYIAAov3mMxNItbaeKVG5YjuL8OG2hwzlDFVJkJGs
+klDAfvTPL9VVtdtLuux7zrdGnkCSX9yGHHlr9cd41shomfxRwIYd6aagSg1YO4sz8G+hMFDIDVS6
+l6gzDnmF25nNaP1fxnysNjRMSKgseGIVQe8bylp7lATInIw2/Suf/k4Ow47omUoZVY2huuU+/ec+
+Thtd+0DlNy9fpkEf9LLBmYaNI3UNPhv4L0lWArxzs7BMsjEcEAYbnFWvomU92ODcUtnqcoOdMxMt
+7KUm4wzOqYv29ZOTGPVbqRYXvcVFrElvFEaiO2E+i6jyEeFMhI2IHuP1IRwKFmmuOogxNB+i2wGe
+U6Oz42KkiRkBzvivM333zvWE5xxFy65L+T2vSvJ0Kz3dEjO6MgJ+q9HR8X8RoO+kW2upjAtml56P
+LsBQgwfy2//35kuh1hf1FayRpJUYOKAlYFb+CGAppnjfLxbMEq8/tUKOK5xqqm2pK0vEgv24NlTe
+Z1Kk9CeJSY5O5Q8CAwEAAaAAMA0GCSqGSIb3DQEBCwUAA4IBgQAI2SYM7zdYMKcD7NByXXhXvnJ6
+DTofErsRpvKyr7Ix/AViayHQqU4El3EMjjyZDGK80GzTtzqZpTSkohre33B7L9YGvusAlAXVQGm1
+odCiBhJEtWvFXnpktXt0EnY1jJzwM21lKwn0l4MND6tU6SmBE349EUwxzhhiGFhATULSsniMteFq
+tXss48EZgbJUAT5Jer92ZnD8Pg1ACznYWL8Vxbzy6/+mGYhjl6bsWlhfUYpoHiq0gWBAuRV0rwaM
+oHGD9oZPSRByJFAUv2kHHe4kg4jGXjFEuxvRsBn3HGvPGCs2CWPYfoWPcSYT3PNGayaX6KUvH5Sg
+haDQywOEXxmIcD5epCnRY9eiT3rHjhbs9LeHuud9gL21xqkhuS70jL7p7mZ29nNiixeOReRCm0bs
+4UwkErOiBYIXD3k3Qy3wWIornkyhrDrF+Qtra1QknAl+qLGSclkRD7dU6zPp17c5f1uFbdQntst4
+85lqU8z3prSc9r8+aYjCp9HQDPy8Xhc=
+-----END CERTIFICATE REQUEST-----
diff --git a/tests/ansible/sslserver.crt b/tests/ansible/sslserver.crt
new file mode 100644
index 00000000000..0d38f14d59b
--- /dev/null
+++ b/tests/ansible/sslserver.crt
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIEWTCCAsGgAwIBAgIQTjXnudS/EqNaz+l035hFujANBgkqhkiG9w0BAQsFADBIMRAwDgYDVQQK
+DAdFWEFNUExFMRMwEQYDVQQLDApwa2ktdG9tY2F0MR8wHQYDVQQDDBZDQSBTaWduaW5nIENlcnRp
+ZmljYXRlMB4XDTIzMDgyMzEwMDkwNVoXDTI1MDgxMjEwMDkwNVowVjEkMCIGA1UECgwbZXhhbXBs
+ZS5jb20gU2VjdXJpdHkgRG9tYWluMRMwEQYDVQQLDApwa2ktdG9tY2F0MRkwFwYDVQQDDBBvY3Nw
+LmV4YW1wbGUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwyEcLAlnGz/7IcyD
+4Ap8lFLYH9ZSBV5M2cXFzwIchBfZXBEFviIzO4aiBzlVsF+Z/VNfuNda9z98l7az9p/swrv+NRJ5
+Ozy1BwnIaQ8iUdQpe4ZaPYerdO2LZPOl8VGf6QauQ4DByQ++ZUAeCati8qVBI1hLscLc7yvJx4Io
+JOGw4igJIrZ6q1MhdwmHdD5y2NmFB/2mdNlOqH96X5cFUOXYtPfO+VhRnuk4lsDINemdc5Ptxxtk
+4YaQpfo3r41vOEmNdvVj1JmqmjH2opU5yuX2nvziEimTJyp9i5R2dJpJiQvQDuYZBGMr7+lElM/p
+IMx7LNZVa4MfWdOpX0O96wIDAQABo4GwMIGtMB8GA1UdIwQYMBaAFD07qzNimSi++ZtU7DLu9dlL
+a9enMBsGA1UdEQQUMBKCEG9jc3AuZXhhbXBsZS5jb20wPgYIKwYBBQUHAQEEMjAwMC4GCCsGAQUF
+BzABhiJodHRwOi8vY2EuZXhhbXBsZS5jb206ODA4MC9jYS9vY3NwMA4GA1UdDwEB/wQEAwIEsDAd
+BgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDQYJKoZIhvcNAQELBQADggGBABDM2fdL3AJZ
+Zow/gEz3MK4Nv8UxxRQI0JHMSYVUF7o/YmYZo8Z5gV1Qdnzn6niVhOFp8gOYbwZIpOAoSFg5WsaB
+jL6zEBZuOxpB2qGTbeH1ycPq9LD8a8SPzo1eZXgUIPK0QkHJyI2nB7EqrqULY1P8GYe9maPT9PYc
+8RIfjbtqvXq6pUFhDbSvrkWp/DO2LBcboM7PQnQyVzQO7/vM1fPsHKHHgo4X8qFKYwyQJicQ32Mf
+bpWBZ2I804/QaYM4gIQ1h9PEVCYLxrA6cw7zzoRbbUyHKXqIDsmB93K1h384sb2Vit7rTaPvNbVn
+2E1LC7z5wqi5hYakhft4B71NK/Ah9U8OjlnyDoqDe+7HdHluXWqet4U/R/aasyIEasE8gxKnHhtn
+iNkioPfgR+g7Af/3ozGU7YV38AGTBDFRD0fPcfiA7DDV7yQDWKzPv8vkwqbWRtX2FRUiJtdy4sbm
+XNAgzOyHRFT4IPrqkgUScmlVUkYiSGliSs/uMAyaRRWeEw==
+-----END CERTIFICATE-----
diff --git a/tests/ansible/sslserver.csr b/tests/ansible/sslserver.csr
new file mode 100644
index 00000000000..e2c26e334b1
--- /dev/null
+++ b/tests/ansible/sslserver.csr
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIC0TCCAbkCAQAwVjEkMCIGA1UECgwbZXhhbXBsZS5jb20gU2VjdXJpdHkgRG9tYWluMRMwEQYD
+VQQLDApwa2ktdG9tY2F0MRkwFwYDVQQDDBBvY3NwLmV4YW1wbGUuY29tMIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEAwyEcLAlnGz/7IcyD4Ap8lFLYH9ZSBV5M2cXFzwIchBfZXBEFviIz
+O4aiBzlVsF+Z/VNfuNda9z98l7az9p/swrv+NRJ5Ozy1BwnIaQ8iUdQpe4ZaPYerdO2LZPOl8VGf
+6QauQ4DByQ++ZUAeCati8qVBI1hLscLc7yvJx4IoJOGw4igJIrZ6q1MhdwmHdD5y2NmFB/2mdNlO
+qH96X5cFUOXYtPfO+VhRnuk4lsDINemdc5Ptxxtk4YaQpfo3r41vOEmNdvVj1JmqmjH2opU5yuX2
+nvziEimTJyp9i5R2dJpJiQvQDuYZBGMr7+lElM/pIMx7LNZVa4MfWdOpX0O96wIDAQABoDYwNAYJ
+KoZIhvcNAQkOMScwJTAOBgNVHQ8BAf8EBAMCBPAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDQYJKoZI
+hvcNAQELBQADggEBABSxdBGBg/qGs1HgRl/6fB0jfq5xzEQVHeULNVBZKwKdccaU0VoyGAmjh4ED
+hpY6ETyG6Tls5ru5+Wp1PpdgWtT7jKCWVCkblgS9VdB6cwQ1HH17h1T2ELfaKTKwoFj7WQ79tWoo
+Q2hK9NjJjau6JF0eiGwAOxKHA3PO+ZcF3TsQs1Ll8EghnW/77HS2XKgiPkIiBQy4TuoqE4rVN62B
+fyG5uVo94UioOU9kiYYDH0LuuXS0of/3/lHjsBac1azn7Wh/Ku9QyDNN0IqGNn+rqur7k4nOtPCK
+oLCNLDIftupRP+DUjtuLDLnxhqXNr2HWZULP4EjuQO9s1dBviRDvdcA=
+-----END CERTIFICATE REQUEST-----
diff --git a/tests/ansible/subsystem.crt b/tests/ansible/subsystem.crt
new file mode 100644
index 00000000000..380648e48b3
--- /dev/null
+++ b/tests/ansible/subsystem.crt
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIENzCCAp+gAwIBAgIQWtPyCCuDQDgynzFjLTVRWTANBgkqhkiG9w0BAQsFADBIMRAwDgYDVQQK
+DAdFWEFNUExFMRMwEQYDVQQLDApwa2ktdG9tY2F0MR8wHQYDVQQDDBZDQSBTaWduaW5nIENlcnRp
+ZmljYXRlMB4XDTIzMDgyMzEwMDkwMVoXDTI1MDgxMjEwMDkwMVowWzEkMCIGA1UECgwbZXhhbXBs
+ZS5jb20gU2VjdXJpdHkgRG9tYWluMRMwEQYDVQQLDApwa2ktdG9tY2F0MR4wHAYDVQQDDBVTdWJz
+eXN0ZW0gQ2VydGlmaWNhdGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC26DftS8F4
+Zy5ofl8P1XMPzZQfeGweRCVftF8j4RSl0aZssClO/XOE7vDkkIj/cjQiD0gonilVUE+55Oak4dOd
+KdDsOuAA3CES1sDiAO6spVbIsmFH0mczooT3n3TxCIymQh3h/G1qVDvqEWtf8SP6awAaxxBrjya/
+MkIepCSBKRJo1fsJUF72wm2M9qQh83guOuYlvjpmti5bGwox5fCBC8VUyB8OeshpBD9pdmNOP8VT
+40JMMXHfUaxNtVAZ941G3rb7LtxdAXmPfF3zRb2shUF7tjy3T63UsNGfY1Hyl6TaacO080Gv6l8e
+7CqJ/Ju8hAHzsWcxuisx+Ijpjj1VAgMBAAGjgYkwgYYwHwYDVR0jBBgwFoAUPTurM2KZKL75m1Ts
+Mu712Utr16cwPgYIKwYBBQUHAQEEMjAwMC4GCCsGAQUFBzABhiJodHRwOi8vY2EuZXhhbXBsZS5j
+b206ODA4MC9jYS9vY3NwMA4GA1UdDwEB/wQEAwIEsDATBgNVHSUEDDAKBggrBgEFBQcDAjANBgkq
+hkiG9w0BAQsFAAOCAYEAbboxyQsicWkfDcYmBg6scyGS8T0F8kwK3d2UOmxgWMqnVidNdepNxK4B
+8lycDZeKYivZsnrcjLxtcpv+vuu7nIqpv72S0HlGhTlOVeEAWO/soaH6HkEAdCa1Z7JUasmFCGGB
+Y1f4mJp16kX8aGmzBKVcZg/lOBtPN6ccX5CRXduHQ6O/6HzFzrb/EXVSHJLawrNNlzuQsl5XBa06
+Yv1CotzNTrSb5dVoLZBhjbcH4pQZ9Ug/8hFPyMa7MTX3nphnoWTTX4YEAyi/Tesfn0XV+sRkOe9T
+4Mawlmv9Vt4MtImwZKW0x5eTkzTrS4aOxIZPOWjD/kAQzvJ88GRui4EruyU3r0Di5u0GS+q6zJJh
+lUaMV8k0YY0rcujjzwnDMaruL08KdshylEJfFraHkgiD759RHfyB06gfiicuAD+mumUq2uxVqJOd
++beG2i4KoFkdvcsp7b6p7sBzbGhoxzqQBJRLbCCuhApgIqx3ul1+2oM7LDUJpX4sTQdAFfBPlzAj
+-----END CERTIFICATE-----
diff --git a/tests/ansible/subsystem.csr b/tests/ansible/subsystem.csr
new file mode 100644
index 00000000000..3ccf4c8d260
--- /dev/null
+++ b/tests/ansible/subsystem.csr
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIC4DCCAcgCAQAwWzEkMCIGA1UECgwbZXhhbXBsZS5jb20gU2VjdXJpdHkgRG9tYWluMRMwEQYD
+VQQLDApwa2ktdG9tY2F0MR4wHAYDVQQDDBVTdWJzeXN0ZW0gQ2VydGlmaWNhdGUwggEiMA0GCSqG
+SIb3DQEBAQUAA4IBDwAwggEKAoIBAQC26DftS8F4Zy5ofl8P1XMPzZQfeGweRCVftF8j4RSl0aZs
+sClO/XOE7vDkkIj/cjQiD0gonilVUE+55Oak4dOdKdDsOuAA3CES1sDiAO6spVbIsmFH0mczooT3
+n3TxCIymQh3h/G1qVDvqEWtf8SP6awAaxxBrjya/MkIepCSBKRJo1fsJUF72wm2M9qQh83guOuYl
+vjpmti5bGwox5fCBC8VUyB8OeshpBD9pdmNOP8VT40JMMXHfUaxNtVAZ941G3rb7LtxdAXmPfF3z
+Rb2shUF7tjy3T63UsNGfY1Hyl6TaacO080Gv6l8e7CqJ/Ju8hAHzsWcxuisx+Ijpjj1VAgMBAAGg
+QDA+BgkqhkiG9w0BCQ4xMTAvMA4GA1UdDwEB/wQEAwIE8DAdBgNVHSUEFjAUBggrBgEFBQcDAQYI
+KwYBBQUHAwIwDQYJKoZIhvcNAQELBQADggEBAHCqFElDGzapOQF7OmzFQjrXADqYYSk7v0k4qWLj
+SdPkkBocsrxO6kCATjGdIIWiF9g/bMt/xNzq0L8vEDu2pC4ieTqRyh2ZQs7lapkv58RLu7x2hPm4
+NjUGP9Lwb5urg/huRdmfK/gUB8KFFz26Nu7hvyOmL67xxNyyYpvq1jUqdZFM8bvEFo06CQpM5Do/
+BwDvyS6y6Fca8Y/Hv2Q42V1D9F4ypkioaq6tDPRmLoZVVt7zoCRFnA+ImbiJSAr7ft7CkZQI0wHs
+WELlluEXcMneFh/Iyqh7RMRVcUcfJC7cdsQFdo/LYFsQbWGeDtTd3jW0/PG0vPAFW+C08kces98=
+-----END CERTIFICATE REQUEST-----