Remove default audit signing cert in containers
Audit signing is disabled by default, so there is no need to create an
audit signing cert for containers by default. The containers have been
modified so that the audit signing cert nickname and CSR are optional.

The PKIDeployer and CMSEngine classes have been modified to
skip processing the cert if the nickname or the CSR is blank.

The container tests have been updated to no longer create or
process audit signing certs.

In the future the default audit signing cert for regular PKI
server installation might be removed as well.
edewata committed Jun 24, 2024
1 parent 0247a52 commit 15910f1
Showing 13 changed files with 49 additions and 274 deletions.
11 changes: 0 additions & 11 deletions .github/workflows/ca-container-basic-test.yml
Expand Up @@ -216,17 +216,6 @@ jobs:
--csr /conf/certs/ca_ocsp_signing.csr \
--profile /usr/share/pki/ca/conf/caOCSPCert.profile
- name: Import CA audit signing cert into CA database
run: |
docker exec ca pki-server cert-export \
--cert-file /conf/certs/ca_audit_signing.crt \
ca_audit_signing
docker exec ca pki-server ca-cert-import \
--cert /conf/certs/ca_audit_signing.crt \
--csr /conf/certs/ca_audit_signing.csr \
--profile /usr/share/pki/ca/conf/caAuditSigningCert.profile
- name: Import subsystem cert into CA database
run: |
docker exec ca pki-server cert-export \
31 changes: 0 additions & 31 deletions .github/workflows/ca-container-existing-certs-test.yml
Expand Up @@ -95,29 +95,6 @@ jobs:
nss-cert-show \
ca_ocsp_signing
- name: Create audit signing cert
run: |
docker exec client pki \
nss-cert-request \
--subject "CN=Audit Signing Certificate" \
--ext /usr/share/pki/server/certs/audit_signing.conf \
--csr $SHARED/certs/ca_audit_signing.csr
docker exec client pki \
nss-cert-issue \
--issuer ca_signing \
--csr $SHARED/certs/ca_audit_signing.csr \
--ext /usr/share/pki/server/certs/audit_signing.conf \
--cert $SHARED/certs/ca_audit_signing.crt
docker exec client pki nss-cert-import \
--cert $SHARED/certs/ca_audit_signing.crt \
--trust ,,P \
ca_audit_signing
docker exec client pki \
nss-cert-show \
ca_audit_signing
- name: Create subsystem cert
run: |
docker exec client pki \
Expand Down Expand Up @@ -169,7 +146,6 @@ jobs:
--password Secret.123 \
ca_signing \
ca_ocsp_signing \
ca_audit_signing \
subsystem \
sslserver
Expand Down Expand Up @@ -341,13 +317,6 @@ jobs:
--csr /certs/ca_ocsp_signing.csr \
--profile /usr/share/pki/ca/conf/caOCSPCert.profile
- name: Import CA audit signing cert into CA database
run: |
docker exec ca pki-server ca-cert-import \
--cert /certs/ca_audit_signing.crt \
--csr /certs/ca_audit_signing.csr \
--profile /usr/share/pki/ca/conf/caAuditSigningCert.profile
- name: Import subsystem cert into CA database
run: |
docker exec ca pki-server ca-cert-import \
33 changes: 0 additions & 33 deletions .github/workflows/kra-container-test.yml
Expand Up @@ -135,17 +135,6 @@ jobs:
--csr /conf/certs/ca_ocsp_signing.csr \
--profile /usr/share/pki/ca/conf/caOCSPCert.profile
- name: Import CA audit signing cert into CA database
run: |
docker exec ca pki-server cert-export \
--cert-file /conf/certs/ca_audit_signing.crt \
ca_audit_signing
docker exec ca pki-server ca-cert-import \
--cert /conf/certs/ca_audit_signing.crt \
--csr /conf/certs/ca_audit_signing.csr \
--profile /usr/share/pki/ca/conf/caAuditSigningCert.profile
- name: Import CA subsystem cert into CA database
run: |
docker exec ca pki-server cert-export \
Expand Down Expand Up @@ -254,27 +243,6 @@ jobs:
docker exec client pki nss-cert-show kra_transport
- name: Create KRA audit signing cert
run: |
docker exec client pki nss-cert-request \
--subject "CN=Audit Signing Certificate" \
--ext /usr/share/pki/server/certs/audit_signing.conf \
--csr $SHARED/kra/certs/kra_audit_signing.csr
docker exec client pki \
-d $SHARED/ca/conf/alias \
nss-cert-issue \
--issuer ca_signing \
--csr $SHARED/kra/certs/kra_audit_signing.csr \
--ext /usr/share/pki/server/certs/audit_signing.conf \
--cert $SHARED/kra/certs/kra_audit_signing.crt
docker exec client pki nss-cert-import \
--cert $SHARED/kra/certs/kra_audit_signing.crt \
--trust ,,P \
kra_audit_signing
docker exec client pki nss-cert-show kra_audit_signing
- name: Create KRA subsystem cert
run: |
docker exec client pki nss-cert-request \
Expand Down Expand Up @@ -328,7 +296,6 @@ jobs:
--password Secret.123 \
kra_storage \
kra_transport \
kra_audit_signing \
subsystem \
sslserver
33 changes: 0 additions & 33 deletions .github/workflows/ocsp-container-test.yml
Expand Up @@ -136,17 +136,6 @@ jobs:
--csr /conf/certs/ca_ocsp_signing.csr \
--profile /usr/share/pki/ca/conf/caOCSPCert.profile
- name: Import CA audit signing cert into CA database
run: |
docker exec ca pki-server cert-export \
--cert-file /conf/certs/ca_audit_signing.crt \
ca_audit_signing
docker exec ca pki-server ca-cert-import \
--cert /conf/certs/ca_audit_signing.crt \
--csr /conf/certs/ca_audit_signing.csr \
--profile /usr/share/pki/ca/conf/caAuditSigningCert.profile
- name: Import CA subsystem cert into CA database
run: |
docker exec ca pki-server cert-export \
Expand Down Expand Up @@ -235,27 +224,6 @@ jobs:
docker exec client pki nss-cert-show ocsp_signing
- name: Create OCSP audit signing cert
run: |
docker exec client pki nss-cert-request \
--subject "CN=Audit Signing Certificate" \
--ext /usr/share/pki/server/certs/audit_signing.conf \
--csr $SHARED/ocsp/certs/ocsp_audit_signing.csr
docker exec client pki \
-d $SHARED/ca/conf/alias \
nss-cert-issue \
--issuer ca_signing \
--csr $SHARED/ocsp/certs/ocsp_audit_signing.csr \
--ext /usr/share/pki/server/certs/audit_signing.conf \
--cert $SHARED/ocsp/certs/ocsp_audit_signing.crt
docker exec client pki nss-cert-import \
--cert $SHARED/ocsp/certs/ocsp_audit_signing.crt \
--trust ,,P \
ocsp_audit_signing
docker exec client pki nss-cert-show ocsp_audit_signing
- name: Create OCSP subsystem cert
run: |
docker exec client pki nss-cert-request \
Expand Down Expand Up @@ -308,7 +276,6 @@ jobs:
--pkcs12 $SHARED/ocsp/certs/server.p12 \
--password Secret.123 \
ocsp_signing \
ocsp_audit_signing \
subsystem \
sslserver
33 changes: 0 additions & 33 deletions .github/workflows/tks-container-test.yml
Expand Up @@ -136,17 +136,6 @@ jobs:
--csr /conf/certs/ca_ocsp_signing.csr \
--profile /usr/share/pki/ca/conf/caOCSPCert.profile
- name: Import CA audit signing cert into CA database
run: |
docker exec ca pki-server cert-export \
--cert-file /conf/certs/ca_audit_signing.crt \
ca_audit_signing
docker exec ca pki-server ca-cert-import \
--cert /conf/certs/ca_audit_signing.crt \
--csr /conf/certs/ca_audit_signing.csr \
--profile /usr/share/pki/ca/conf/caAuditSigningCert.profile
- name: Import CA subsystem cert into CA database
run: |
docker exec ca pki-server cert-export \
Expand Down Expand Up @@ -215,27 +204,6 @@ jobs:
ca-user-show \
admin
- name: Create TKS audit signing cert
run: |
docker exec client pki nss-cert-request \
--subject "CN=Audit Signing Certificate" \
--ext /usr/share/pki/server/certs/audit_signing.conf \
--csr $SHARED/tks/certs/tks_audit_signing.csr
docker exec client pki \
-d $SHARED/ca/conf/alias \
nss-cert-issue \
--issuer ca_signing \
--csr $SHARED/tks/certs/tks_audit_signing.csr \
--ext /usr/share/pki/server/certs/audit_signing.conf \
--cert $SHARED/tks/certs/tks_audit_signing.crt
docker exec client pki nss-cert-import \
--cert $SHARED/tks/certs/tks_audit_signing.crt \
--trust ,,P \
tks_audit_signing
docker exec client pki nss-cert-show tks_audit_signing
- name: Create TKS subsystem cert
run: |
docker exec client pki nss-cert-request \
Expand Down Expand Up @@ -285,7 +253,6 @@ jobs:
docker exec client pki pkcs12-export \
--pkcs12 $SHARED/tks/certs/server.p12 \
--password Secret.123 \
tks_audit_signing \
tks_subsystem \
tks_sslserver
71 changes: 0 additions & 71 deletions .github/workflows/tps-container-test.yml
Expand Up @@ -141,17 +141,6 @@ jobs:
--csr /conf/certs/ca_ocsp_signing.csr \
--profile /usr/share/pki/ca/conf/caOCSPCert.profile
- name: Import CA audit signing cert into CA database
run: |
docker exec ca pki-server cert-export \
--cert-file /conf/certs/ca_audit_signing.crt \
ca_audit_signing
docker exec ca pki-server ca-cert-import \
--cert /conf/certs/ca_audit_signing.crt \
--csr /conf/certs/ca_audit_signing.csr \
--profile /usr/share/pki/ca/conf/caAuditSigningCert.profile
- name: Import CA subsystem cert into CA database
run: |
docker exec ca pki-server cert-export \
Expand Down Expand Up @@ -256,25 +245,6 @@ jobs:
kra_transport
docker exec client pki nss-cert-show kra_transport
- name: Create KRA audit signing cert
run: |
docker exec client pki nss-cert-request \
--subject "CN=Audit Signing Certificate" \
--ext /usr/share/pki/server/certs/audit_signing.conf \
--csr $SHARED/kra/certs/kra_audit_signing.csr
docker exec client pki \
-d $SHARED/ca/conf/alias \
nss-cert-issue \
--issuer ca_signing \
--csr $SHARED/kra/certs/kra_audit_signing.csr \
--ext /usr/share/pki/server/certs/audit_signing.conf \
--cert $SHARED/kra/certs/kra_audit_signing.crt
docker exec client pki nss-cert-import \
--cert $SHARED/kra/certs/kra_audit_signing.crt \
--trust ,,P \
kra_audit_signing
docker exec client pki nss-cert-show kra_audit_signing
- name: Create KRA subsystem cert
run: |
docker exec client pki nss-cert-request \
Expand Down Expand Up @@ -324,7 +294,6 @@ jobs:
--password Secret.123 \
kra_storage \
kra_transport \
kra_audit_signing \
kra_subsystem \
kra_sslserver
Expand Down Expand Up @@ -458,25 +427,6 @@ jobs:
-o /dev/null \
https://ca.example.com:8443
- name: Create TKS audit signing cert
run: |
docker exec client pki nss-cert-request \
--subject "CN=Audit Signing Certificate" \
--ext /usr/share/pki/server/certs/audit_signing.conf \
--csr $SHARED/tks/certs/tks_audit_signing.csr
docker exec client pki \
-d $SHARED/ca/conf/alias \
nss-cert-issue \
--issuer ca_signing \
--csr $SHARED/tks/certs/tks_audit_signing.csr \
--ext /usr/share/pki/server/certs/audit_signing.conf \
--cert $SHARED/tks/certs/tks_audit_signing.crt
docker exec client pki nss-cert-import \
--cert $SHARED/tks/certs/tks_audit_signing.crt \
--trust ,,P \
tks_audit_signing
docker exec client pki nss-cert-show tks_audit_signing
- name: Create TKS subsystem cert
run: |
docker exec client pki nss-cert-request \
Expand Down Expand Up @@ -522,7 +472,6 @@ jobs:
docker exec client pki pkcs12-export \
--pkcs12 $SHARED/tks/certs/server.p12 \
--password Secret.123 \
tks_audit_signing \
tks_subsystem \
tks_sslserver
Expand Down Expand Up @@ -613,25 +562,6 @@ jobs:
tks-user-show \
admin
- name: Create TPS audit signing cert
run: |
docker exec client pki nss-cert-request \
--subject "CN=Audit Signing Certificate" \
--ext /usr/share/pki/server/certs/audit_signing.conf \
--csr $SHARED/tps/certs/tps_audit_signing.csr
docker exec client pki \
-d $SHARED/ca/conf/alias \
nss-cert-issue \
--issuer ca_signing \
--csr $SHARED/tps/certs/tps_audit_signing.csr \
--ext /usr/share/pki/server/certs/audit_signing.conf \
--cert $SHARED/tps/certs/tps_audit_signing.crt
docker exec client pki nss-cert-import \
--cert $SHARED/tps/certs/tps_audit_signing.crt \
--trust ,,P \
tps_audit_signing
docker exec client pki nss-cert-show tps_audit_signing
- name: Create TPS subsystem cert
run: |
docker exec client pki nss-cert-request \
Expand Down Expand Up @@ -677,7 +607,6 @@ jobs:
docker exec client pki pkcs12-export \
--pkcs12 $SHARED/tps/certs/server.p12 \
--password Secret.123 \
tps_audit_signing \
tps_subsystem \
tps_sslserver