Remove redundant files in containers
The containers have been updated to remove redundant files
to avoid conflicting or obsolete certs.

When the container is started the certs provided in /certs
will be the authoritative data and will be imported into
the server and admin NSS databases. If the certs are not
provided, the container will generate new certs directly in
the NSS databases. Once the container is running, the certs
in the NSS databases will be the authoritative data until
the container is restarted.

So the container now stores certs and keys only in NSS
databases (plus the CSR files); it no longer stores cert
files or PKCS #12 files, since they are redundant. The tests
have been updated to export these files from the container
when they are needed.
edewata committed Jun 7, 2024
1 parent e5b208a commit d96159a
Showing 10 changed files with 380 additions and 192 deletions.
9 changes: 8 additions & 1 deletion .github/workflows/acme-container-test.yml
Expand Up @@ -159,9 +159,16 @@ jobs:
- name: Install CA signing cert
run: |
docker exec acme pki \
-d /conf/alias \
-f /conf/password.conf \
nss-cert-export \
--output-file /conf/certs/ca_signing.crt \
ca_signing
docker exec client pki \
nss-cert-import \
--cert $SHARED/certs/ca_signing.crt \
--cert $SHARED/conf/certs/ca_signing.crt \
--trust CT,C,C \
ca_signing
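Review bot: The new `nss-cert-export` writes the derived `ca_signing.crt` back into `/conf/certs`, the same directory this commit uses for container-generated CSR files, immediately after the commit message explains that cert files were removed from the container to avoid stale copies. A comment above `docker exec acme pki \` such as `# export CA signing cert for the client (test artifact only; only /certs is read on container start)` would make clear that this file is not re-imported on restart. It would also help to say why the ACME workflow uses `pki -d /conf/alias -f /conf/password.conf nss-cert-export` while the CA workflows use `pki-server cert-export`; presumably the ACME container is not a pki-server instance, but that is not visible here.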
63 changes: 48 additions & 15 deletions .github/workflows/ca-container-basic-test.yml
Expand Up @@ -162,8 +162,12 @@ jobs:
- name: Check CA info
run: |
docker exec ca pki-server cert-export \
--cert-file /conf/certs/ca_signing.crt \
ca_signing
docker exec client pki nss-cert-import \
--cert $SHARED/certs/ca_signing.crt \
--cert $SHARED/conf/certs/ca_signing.crt \
--trust CT,C,C \
ca_signing
Expand Down Expand Up @@ -192,73 +196,97 @@ jobs:
- name: Import CA signing cert into CA database
run: |
docker exec ca pki-server cert-export \
--cert-file /conf/certs/ca_signing.crt \
ca_signing
docker exec ca pki-server ca-cert-request-import \
--csr /certs/ca_signing.csr \
--csr /conf/certs/ca_signing.csr \
--profile /usr/share/pki/ca/conf/caCert.profile | tee output
REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output)
docker exec ca pki-server ca-cert-import \
--cert /certs/ca_signing.crt \
--cert /conf/certs/ca_signing.crt \
--profile /usr/share/pki/ca/conf/caCert.profile \
--request $REQUEST_ID
- name: Import CA OCSP signing cert into CA database
run: |
docker exec ca pki-server cert-export \
--cert-file /conf/certs/ocsp_signing.crt \
ca_ocsp_signing
docker exec ca pki-server ca-cert-request-import \
--csr /certs/ocsp_signing.csr \
--csr /conf/certs/ocsp_signing.csr \
--profile /usr/share/pki/ca/conf/caOCSPCert.profile | tee output
REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output)
docker exec ca pki-server ca-cert-import \
--cert /certs/ocsp_signing.crt \
--cert /conf/certs/ocsp_signing.crt \
--profile /usr/share/pki/ca/conf/caOCSPCert.profile \
--request $REQUEST_ID
- name: Import CA audit signing cert into CA database
run: |
docker exec ca pki-server cert-export \
--cert-file /conf/certs/audit_signing.crt \
ca_audit_signing
docker exec ca pki-server ca-cert-request-import \
--csr /certs/audit_signing.csr \
--csr /conf/certs/audit_signing.csr \
--profile /usr/share/pki/ca/conf/caAuditSigningCert.profile | tee output
REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output)
docker exec ca pki-server ca-cert-import \
--cert /certs/audit_signing.crt \
--cert /conf/certs/audit_signing.crt \
--profile /usr/share/pki/ca/conf/caAuditSigningCert.profile \
--request $REQUEST_ID
- name: Import subsystem cert into CA database
run: |
docker exec ca pki-server cert-export \
--cert-file /conf/certs/subsystem.crt \
subsystem
docker exec ca pki-server ca-cert-request-import \
--csr /certs/subsystem.csr \
--csr /conf/certs/subsystem.csr \
--profile /usr/share/pki/ca/conf/rsaSubsystemCert.profile | tee output
REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output)
docker exec ca pki-server ca-cert-import \
--cert /certs/subsystem.crt \
--cert /conf/certs/subsystem.crt \
--profile /usr/share/pki/ca/conf/rsaSubsystemCert.profile \
--request $REQUEST_ID
- name: Import SSL server cert into CA database
run: |
docker exec ca pki-server cert-export \
--cert-file /conf/certs/sslserver.crt \
sslserver
docker exec ca pki-server ca-cert-request-import \
--csr /certs/sslserver.csr \
--csr /conf/certs/sslserver.csr \
--profile /usr/share/pki/ca/conf/rsaServerCert.profile | tee output
REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output)
docker exec ca pki-server ca-cert-import \
--cert /certs/sslserver.crt \
--cert /conf/certs/sslserver.crt \
--profile /usr/share/pki/ca/conf/rsaServerCert.profile \
--request $REQUEST_ID
- name: Import admin cert into CA database
run: |
docker exec ca pki nss-cert-export \
--output-file /conf/certs/admin.crt \
admin
docker exec ca pki-server ca-cert-request-import \
--csr /certs/admin.csr \
--csr /conf/certs/admin.csr \
--profile /usr/share/pki/ca/conf/rsaAdminCert.profile | tee output
REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output)
docker exec ca pki-server ca-cert-import \
--cert /certs/admin.crt \
--cert /conf/certs/admin.crt \
--profile /usr/share/pki/ca/conf/rsaAdminCert.profile \
--request $REQUEST_ID
Expand All @@ -279,7 +307,7 @@ jobs:
# assign admin cert to CA admin user
docker exec ca pki-server ca-user-cert-add \
--cert /certs/admin.crt \
--cert /conf/certs/admin.crt \
admin
# add CA admin user into CA groups
Expand All @@ -288,8 +316,13 @@ jobs:
- name: Check CA admin user
run: |
docker exec ca pki pkcs12-export \
--pkcs12 /conf/certs/admin.p12 \
--password Secret.123 \
admin
docker exec client pki pkcs12-import \
--pkcs12 $SHARED/certs/admin.p12 \
--pkcs12 $SHARED/conf/certs/admin.p12 \
--pkcs12-password Secret.123
docker exec client pki \
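Review bot: The new `pki pkcs12-export` in the `Check CA admin user` step writes the admin private key to `/conf/certs/admin.p12` inside the CA container, which the client then reads through `$SHARED`, and nothing in this section removes the file after the import. If the `conf` directory is later collected as a workflow artifact (not visible in this section), the key material would be published with the run, so consider `docker exec ca rm -f /conf/certs/admin.p12` once `pkcs12-import` succeeds, or a comment stating that the file is a throwaway test artifact. The same applies to the `pkcs12-export` hunks in ca-container-system-service-test.yml and kra-container-test.yml. Separately, the `Check CA info` and `Check CA admin user` step names no longer describe what the steps do now that they also export certs.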
22 changes: 19 additions & 3 deletions .github/workflows/ca-container-system-service-test.yml
Expand Up @@ -217,8 +217,13 @@ jobs:
- name: Check CA info
run: |
docker exec pki podman exec systemd-pki-ca \
pki-server cert-export \
--cert-file /conf/certs/ca_signing.crt \
ca_signing
docker exec pki pki nss-cert-import \
--cert /home/pkiuser/certs/ca_signing.crt \
--cert /home/pkiuser/conf/certs/ca_signing.crt \
--trust CT,C,C \
ca_signing
Expand Down Expand Up @@ -248,10 +253,15 @@ jobs:
--type adminType \
admin
docker exec pki podman exec systemd-pki-ca \
pki nss-cert-export \
--output-file /conf/certs/admin.crt \
admin
# assign admin cert to CA admin user
docker exec pki podman exec systemd-pki-ca \
pki-server ca-user-cert-add \
--cert /certs/admin.crt \
--cert /conf/certs/admin.crt \
admin
# add CA admin user into CA groups
Expand All @@ -262,8 +272,14 @@ jobs:
- name: Check CA admin user
run: |
docker exec pki podman exec systemd-pki-ca \
pki pkcs12-export \
--pkcs12 /conf/certs/admin.p12 \
--password Secret.123 \
admin
docker exec pki pki pkcs12-import \
--pkcs12 /home/pkiuser/certs/admin.p12 \
--pkcs12 /home/pkiuser/conf/certs/admin.p12 \
--password Secret.123
docker exec pki pki \
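Review bot: The new export lines write to `/conf/certs/...` inside the nested `systemd-pki-ca` podman container while the following import reads `/home/pkiuser/conf/certs/...` on the outer `pki` container, and nothing in these hunks shows the mount that makes these the same directory. A comment before the first `docker exec pki podman exec systemd-pki-ca \` such as `# /conf in systemd-pki-ca is mounted from /home/pkiuser/conf on the pki container` (adjusted to the mount actually defined earlier in this workflow) would spare readers the guesswork. Also, this file's `pkcs12-import` passes `--password Secret.123` while ca-container-basic-test.yml passes `--pkcs12-password Secret.123` for the same command; both are pre-existing context lines, but if one is a deprecated alias it is worth aligning while these steps are being touched.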
69 changes: 49 additions & 20 deletions .github/workflows/kra-container-test.yml
Expand Up @@ -98,73 +98,97 @@ jobs:
- name: Import CA signing cert into CA database
run: |
docker exec ca pki-server cert-export \
--cert-file /conf/certs/ca_signing.crt \
ca_signing
docker exec ca pki-server ca-cert-request-import \
--csr /certs/ca_signing.csr \
--csr /conf/certs/ca_signing.csr \
--profile /usr/share/pki/ca/conf/caCert.profile | tee output
REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output)
docker exec ca pki-server ca-cert-import \
--cert /certs/ca_signing.crt \
--cert /conf/certs/ca_signing.crt \
--profile /usr/share/pki/ca/conf/caCert.profile \
--request $REQUEST_ID
- name: Import CA OCSP signing cert into CA database
run: |
docker exec ca pki-server cert-export \
--cert-file /conf/certs/ocsp_signing.crt \
ca_ocsp_signing
docker exec ca pki-server ca-cert-request-import \
--csr /certs/ocsp_signing.csr \
--csr /conf/certs/ocsp_signing.csr \
--profile /usr/share/pki/ca/conf/caOCSPCert.profile | tee output
REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output)
docker exec ca pki-server ca-cert-import \
--cert /certs/ocsp_signing.crt \
--cert /conf/certs/ocsp_signing.crt \
--profile /usr/share/pki/ca/conf/caOCSPCert.profile \
--request $REQUEST_ID
- name: Import CA audit signing cert into CA database
run: |
docker exec ca pki-server cert-export \
--cert-file /conf/certs/audit_signing.crt \
ca_audit_signing
docker exec ca pki-server ca-cert-request-import \
--csr /certs/audit_signing.csr \
--csr /conf/certs/audit_signing.csr \
--profile /usr/share/pki/ca/conf/caAuditSigningCert.profile | tee output
REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output)
docker exec ca pki-server ca-cert-import \
--cert /certs/audit_signing.crt \
--cert /conf/certs/audit_signing.crt \
--profile /usr/share/pki/ca/conf/caAuditSigningCert.profile \
--request $REQUEST_ID
- name: Import CA subsystem cert into CA database
run: |
docker exec ca pki-server cert-export \
--cert-file /conf/certs/subsystem.crt \
subsystem
docker exec ca pki-server ca-cert-request-import \
--csr /certs/subsystem.csr \
--csr /conf/certs/subsystem.csr \
--profile /usr/share/pki/ca/conf/rsaSubsystemCert.profile | tee output
REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output)
docker exec ca pki-server ca-cert-import \
--cert /certs/subsystem.crt \
--cert /conf/certs/subsystem.crt \
--profile /usr/share/pki/ca/conf/rsaSubsystemCert.profile \
--request $REQUEST_ID
- name: Import SSL server cert into CA database
run: |
docker exec ca pki-server cert-export \
--cert-file /conf/certs/sslserver.crt \
sslserver
docker exec ca pki-server ca-cert-request-import \
--csr /certs/sslserver.csr \
--csr /conf/certs/sslserver.csr \
--profile /usr/share/pki/ca/conf/rsaServerCert.profile | tee output
REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output)
docker exec ca pki-server ca-cert-import \
--cert /certs/sslserver.crt \
--cert /conf/certs/sslserver.crt \
--profile /usr/share/pki/ca/conf/rsaServerCert.profile \
--request $REQUEST_ID
- name: Import admin cert into CA database
run: |
docker exec ca pki nss-cert-export \
--output-file /conf/certs/admin.crt \
admin
docker exec ca pki-server ca-cert-request-import \
--csr /certs/admin.csr \
--csr /conf/certs/admin.csr \
--profile /usr/share/pki/ca/conf/rsaAdminCert.profile | tee output
REQUEST_ID=$(sed -n 's/Request ID: *\(.*\)/\1/p' output)
docker exec ca pki-server ca-cert-import \
--cert /certs/admin.crt \
--cert /conf/certs/admin.crt \
--profile /usr/share/pki/ca/conf/rsaAdminCert.profile \
--request $REQUEST_ID
Expand All @@ -179,7 +203,7 @@ jobs:
- name: Assign admin cert to CA admin user
run: |
docker exec ca pki-server ca-user-cert-add \
--cert /certs/admin.crt \
--cert /conf/certs/admin.crt \
admin
- name: Add admin user into CA groups
Expand All @@ -189,8 +213,13 @@ jobs:
- name: Install admin cert
run: |
docker exec ca pki pkcs12-export \
--pkcs12 /conf/certs/admin.p12 \
--password Secret.123 \
admin
docker exec client pki pkcs12-import \
--pkcs12 $SHARED/ca/certs/admin.p12 \
--pkcs12 $SHARED/ca/conf/certs/admin.p12 \
--password Secret.123
docker exec client pki \
Expand Down Expand Up @@ -293,7 +322,7 @@ jobs:
- name: Prepare KRA certs and keys
run: |
# export CA signing cert
docker exec client cp $SHARED/ca/certs/ca_signing.crt $SHARED/kra/certs
docker exec client cp $SHARED/ca/conf/certs/ca_signing.crt $SHARED/kra/certs
docker exec client pki nss-cert-find
Expand All @@ -312,7 +341,7 @@ jobs:
--password Secret.123 \
# export admin cert and key
docker exec client cp $SHARED/ca/certs/admin.p12 $SHARED/kra/certs
docker exec client cp $SHARED/ca/conf/certs/admin.p12 $SHARED/kra/certs
docker exec client pki pkcs12-cert-find \
--pkcs12 $SHARED/kra/certs/admin.p12 \
Expand Down Expand Up @@ -463,8 +492,9 @@ jobs:
- name: Assign admin cert to KRA admin user
run: |
cp ca/conf/certs/admin.crt kra/conf/certs/admin.crt
docker exec kra pki-server kra-user-cert-add \
--cert /certs/admin.crt \
--cert /conf/certs/admin.crt \
admin
- name: Add KRA admin user into KRA groups
Expand All @@ -490,10 +520,9 @@ jobs:
- name: Assign CA subsystem cert to CA subsystem user
run: |
docker cp ca/certs/subsystem.crt kra:ca_subsystem.crt
docker exec kra ls -la
cp ca/conf/certs/subsystem.crt kra/conf/certs/ca_subsystem.crt
docker exec kra pki-server kra-user-cert-add \
--cert ca_subsystem.crt \
--cert /conf/certs/ca_subsystem.crt \
CA-ca.example.com-8443
- name: Assign roles to CA subsystem user
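Review bot: The two new `cp ca/conf/certs/... kra/conf/certs/...` lines in the `Assign admin cert to KRA admin user` and `Assign CA subsystem cert to CA subsystem user` steps run directly on the runner, whereas the rest of this file performs the same kind of copy from inside the client container (for example `docker exec client cp $SHARED/ca/conf/certs/ca_signing.crt $SHARED/kra/certs` earlier in this section); pick one mechanism so readers know which filesystem view is authoritative. Running `cp` on the host also assumes the runner user can read files the containers created under `ca/conf/certs` and write into `kra/conf/certs`, which depends on the ownership of the bind-mounted directories not shown here; if they are container-owned, `docker exec client cp $SHARED/ca/conf/certs/admin.crt $SHARED/kra/conf/certs/admin.crt` sidesteps the question. The `kra-user-cert-add --cert /conf/certs/ca_subsystem.crt` line further relies on `kra/conf` being mounted at `/conf` in the kra container, which a short comment on the `cp` line could state.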