Remove default admin cert in containers
Currently if the CA container is started without any certs,
it will create an admin cert in the container's default NSS
database but it's not permanent, so every time the container
is restarted it will create a new admin cert.

To avoid these problems, all containers have been modified to no
longer generate or store anything in the container's default
NSS database. Instead, the admin cert will need to be created
after the CA container is started, and it will only be stored
in the client's NSS database outside of the container.
edewata committed Jun 21, 2024
1 parent 8077cff commit f0f39c1
Showing 14 changed files with 221 additions and 381 deletions.
42 changes: 23 additions & 19 deletions .github/workflows/ca-container-basic-test.yml
Expand Up @@ -249,18 +249,31 @@ jobs:
--csr /conf/certs/sslserver.csr \
--profile /usr/share/pki/ca/conf/rsaServerCert.profile
- name: Import admin cert into CA database
- name: Create admin cert
run: |
docker exec ca pki nss-cert-export \
--output-file /conf/certs/admin.crt \
admin
# create cert request
docker exec client pki nss-cert-request \
--subject "CN=Administrator" \
--ext /usr/share/pki/server/certs/admin.conf \
--csr $SHARED/admin.csr
docker exec ca pki-server ca-cert-import \
--cert /conf/certs/admin.crt \
--csr /conf/certs/admin.csr \
--profile /usr/share/pki/ca/conf/rsaAdminCert.profile
docker cp admin.csr ca:.
# issue cert
docker exec ca pki-server ca-cert-create \
--csr admin.csr \
--profile /usr/share/pki/ca/conf/rsaAdminCert.profile \
--cert admin.crt \
--import-cert
docker cp ca:admin.crt .
- name: Check CA certs
# import cert
docker exec client pki nss-cert-import \
--cert $SHARED/admin.crt \
admin
- name: Check certs in CA
run: |
docker exec client pki \
-U https://ca.example.com:8443 \
Expand All @@ -273,7 +286,7 @@ jobs:
docker exec ca pki-server ca-user-add \
--full-name Administrator \
--type adminType \
--cert /conf/certs/admin.crt \
--cert admin.crt \
admin
# add CA admin user into CA groups
Expand All @@ -282,15 +295,6 @@ jobs:
- name: Check CA admin user
run: |
docker exec ca pki pkcs12-export \
--pkcs12 /conf/certs/admin.p12 \
--password Secret.123 \
admin
docker exec client pki pkcs12-import \
--pkcs12 $SHARED/conf/certs/admin.p12 \
--pkcs12-password Secret.123
docker exec client pki \
-U https://ca.example.com:8443 \
-n admin \
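Review bot: Every artifact path in the new `Create admin cert` step is relative to the CA container's working directory — `docker cp admin.csr ca:.`, `--csr admin.csr`, `--cert admin.crt`, `docker cp ca:admin.crt .` — and the `ca-user-add --cert admin.crt` in the second hunk only resolves because `docker exec` happens to start in that same directory, which is nowhere stated. The sibling workflows in this commit (ca-container-system-service-test.yml, ca-container-user-service-test.yml) already use an explicit staging path, so if that directory exists and is writable in the `ca` image the same form would remove the coupling: `docker cp admin.csr ca:/home/pkiuser/admin.csr`, `--csr /home/pkiuser/admin.csr \`, `--cert /home/pkiuser/admin.crt \` (and the matching `--cert` in `ca-user-add`). The identical relative-path pattern is repeated in ca-container-existing-certs-test.yml. Separately, the `$SHARED` expansions on the added lines are unquoted; `"$SHARED/admin.csr"` is the safer form, though the surrounding steps use the same style.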
108 changes: 34 additions & 74 deletions .github/workflows/ca-container-existing-certs-test.yml
Expand Up @@ -162,29 +162,7 @@ jobs:
nss-cert-show \
sslserver
- name: Create admin cert
run: |
docker exec client pki \
nss-cert-request \
--subject "CN=Administrator" \
--ext /usr/share/pki/server/certs/admin.conf \
--csr $SHARED/certs/admin.csr
docker exec client pki \
nss-cert-issue \
--issuer ca_signing \
--csr $SHARED/certs/admin.csr \
--ext /usr/share/pki/server/certs/admin.conf \
--cert $SHARED/certs/admin.crt
docker exec client pki nss-cert-import \
--cert $SHARED/certs/admin.crt \
admin
docker exec client pki \
nss-cert-show \
admin
- name: Export system certs and keys
- name: Prepare CA certs and keys
run: |
docker exec client pki pkcs12-export \
--pkcs12 $SHARED/certs/server.p12 \
Expand All @@ -199,16 +177,7 @@ jobs:
--pkcs12 $SHARED/certs/server.p12 \
--password Secret.123
- name: Export admin cert and key
run: |
docker exec client pki pkcs12-export \
--pkcs12 $SHARED/certs/admin.p12 \
--password Secret.123 \
admin
docker exec client pki pkcs12-cert-find \
--pkcs12 $SHARED/certs/admin.p12 \
--password Secret.123
ls -la certs
- name: Set up CA container
run: |
Expand Down Expand Up @@ -393,69 +362,60 @@ jobs:
--csr /certs/sslserver.csr \
--profile /usr/share/pki/ca/conf/rsaServerCert.profile
- name: Import admin cert into CA database
- name: Create admin cert
run: |
docker exec ca pki-server ca-cert-import \
--cert /certs/admin.crt \
--csr /certs/admin.csr \
--profile /usr/share/pki/ca/conf/rsaAdminCert.profile
# create cert request
docker exec client pki nss-cert-request \
--subject "CN=Administrator" \
--ext /usr/share/pki/server/certs/admin.conf \
--csr $SHARED/admin.csr
docker cp admin.csr ca:.
# issue cert
docker exec ca pki-server ca-cert-create \
--csr admin.csr \
--profile /usr/share/pki/ca/conf/rsaAdminCert.profile \
--cert admin.crt \
--import-cert
docker cp ca:admin.crt .
# import cert
docker exec client pki nss-cert-import \
--cert $SHARED/admin.crt \
admin
- name: Check certs in CA
run: |
docker exec client pki \
-U https://ca.example.com:8443 \
ca-cert-find
# https://github.com/dogtagpki/pki/wiki/Setting-up-CA-Admin-User
- name: Add CA admin user
run: |
docker exec ca pki-server ca-user-add \
--full-name Administrator \
--type adminType \
--cert /certs/admin.crt \
--cert admin.crt \
admin
- name: Add CA admin user into CA groups
run: |
docker exec ca pki-server ca-user-role-add admin "Administrators"
docker exec ca pki-server ca-user-role-add admin "Certificate Manager Agents"
- name: Check public operations from CA container
run: |
# check certs in CA
docker exec ca pki ca-cert-find
- name: Check admin operations from CA container
run: |
# check CA admin user
docker exec ca pki \
-n admin \
ca-user-show \
admin
docker exec ca pki \
client-cert-request \
uid=testuser | tee output
REQUEST_ID=$(sed -n -e 's/^ *Request ID: *\(.*\)$/\1/p' output)
echo "REQUEST_ID: $REQUEST_ID"
docker exec ca pki \
-n admin \
ca-cert-request-approve \
$REQUEST_ID \
--force
- name: Check public operations from client container
run: |
# check certs in CA
docker exec client pki \
-U https://ca.example.com:8443 \
ca-cert-find
- name: Check admin operations from client container
- name: Check CA admin user
run: |
# check CA admin user
docker exec client pki \
-U https://ca.example.com:8443 \
-n admin \
ca-user-show \
admin
- name: Check cert enrollment
run: |
docker exec client pki \
-U https://ca.example.com:8443 \
client-cert-request \
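Review bot: The added `# import cert` block (`nss-cert-import --cert $SHARED/admin.crt admin`) has no follow-up check, whereas the removed version of this step ended with `pki nss-cert-show admin`, which confirms the issued cert is actually present in the client database before any later `-n admin` call depends on it. Re-adding `docker exec client pki nss-cert-show admin` after the import keeps that assertion, and the same line would fit the equivalent new blocks in ca-container-basic-test.yml, ca-container-system-service-test.yml and ca-container-user-service-test.yml. Dropping `Check admin operations from CA container` is consistent with the commit's intent (no admin cert inside the container), but the `REQUEST_ID` capture and `ca-cert-request-approve --force` it exercised are now only covered if the trailing `Check cert enrollment` step, which ends outside the hunk, still performs the approval.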
11 changes: 0 additions & 11 deletions .github/workflows/ca-container-existing-config-test.yml
Expand Up @@ -145,16 +145,6 @@ jobs:
docker exec pki cp \
/var/lib/pki/pki-tomcat/conf/certs/sslserver.csr \
$SHARED/certs/sslserver.csr
docker exec pki cp \
/var/lib/pki/pki-tomcat/conf/certs/ca_admin.csr \
$SHARED/certs/admin.csr
# export admin cert and key
docker cp pki:/root/.dogtag/pki-tomcat/ca_admin_cert.p12 certs/admin.p12
docker exec pki pki pkcs12-cert-find \
--pkcs12 $SHARED/certs/admin.p12 \
--password Secret.123
ls -la certs
Expand Down Expand Up @@ -187,7 +177,6 @@ jobs:
-e PKI_AUDIT_SIGNING_NICKNAME=ca_audit_signing \
-e PKI_SUBSYSTEM_NICKNAME=subsystem \
-e PKI_SSLSERVER_NICKNAME=sslserver \
-e PKI_ADMIN_NICKNAME=caadmin \
--detach \
pki-ca
1 change: 0 additions & 1 deletion .github/workflows/ca-container-migration-test.yml
Expand Up @@ -131,7 +131,6 @@ jobs:
Environment=PKI_AUDIT_SIGNING_NICKNAME=ca_audit_signing
Environment=PKI_SUBSYSTEM_NICKNAME=subsystem
Environment=PKI_SSLSERVER_NICKNAME=sslserver
Environment=PKI_ADMIN_NICKNAME=caadmin
[Install]
WantedBy=multi-user.target
41 changes: 25 additions & 16 deletions .github/workflows/ca-container-system-service-test.yml
Expand Up @@ -243,20 +243,39 @@ jobs:
docker exec pki podman exec systemd-pki-ca \
pki-server ca-db-vlv-reindex -v
# https://github.com/dogtagpki/pki/wiki/Setting-up-CA-Admin-User
- name: Add CA admin user
- name: Create admin cert
run: |
docker exec pki podman exec systemd-pki-ca \
pki nss-cert-export \
--output-file /conf/certs/admin.crt \
# create cert request
docker exec pki pki nss-cert-request \
--subject "CN=Administrator" \
--ext /usr/share/pki/server/certs/admin.conf \
--csr admin.csr
docker exec pki podman cp admin.csr systemd-pki-ca:/home/pkiuser
# issue cert
docker exec pki podman exec systemd-pki-ca pki-server ca-cert-create \
--csr /home/pkiuser/admin.csr \
--profile /usr/share/pki/ca/conf/rsaAdminCert.profile \
--cert /home/pkiuser/admin.crt \
--import-cert
docker exec pki podman cp systemd-pki-ca:/home/pkiuser/admin.crt .
# import cert
docker exec pki pki nss-cert-import \
--cert admin.crt \
admin
# https://github.com/dogtagpki/pki/wiki/Setting-up-CA-Admin-User
- name: Add CA admin user
run: |
# create CA admin user
docker exec pki podman exec systemd-pki-ca \
pki-server ca-user-add \
--full-name Administrator \
--type adminType \
--cert /conf/certs/admin.crt \
--cert /home/pkiuser/admin.crt \
admin
# add CA admin user into CA groups
Expand All @@ -267,16 +286,6 @@ jobs:
- name: Check CA admin user
run: |
docker exec pki podman exec systemd-pki-ca \
pki pkcs12-export \
--pkcs12 /conf/certs/admin.p12 \
--password Secret.123 \
admin
docker exec pki pki pkcs12-import \
--pkcs12 /home/pkiuser/conf/certs/admin.p12 \
--password Secret.123
docker exec pki pki \
-n admin \
ca-user-show \
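Review bot: The comment `# https://github.com/dogtagpki/pki/wiki/Setting-up-CA-Admin-User` is duplicated on the new side of the first hunk: the existing copy now sits above the renamed `Create admin cert` step, and a second copy was added above the re-introduced `Add CA admin user` step. Since the first one no longer introduces user creation, either drop it or replace it with a comment that explains the new flow, e.g. `# the admin request is generated in the pki container; only the CSR is copied into the CA container for signing`. The staged `/home/pkiuser/admin.csr` and `/home/pkiuser/admin.crt` are left behind in `systemd-pki-ca` after the step; they hold no private key as far as the visible commands show, but a short comment noting that `ca-user-add` in the next hunk reads the cert from that path would make the dependency explicit.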
31 changes: 17 additions & 14 deletions .github/workflows/ca-container-user-service-test.yml
Expand Up @@ -297,23 +297,26 @@ jobs:
- name: Create admin cert
run: |
docker exec -u pkiuser pki pki \
nss-cert-request \
# create cert request
docker exec -u pkiuser pki pki nss-cert-request \
--subject "CN=Administrator" \
--ext /usr/share/pki/server/certs/admin.conf \
--csr /home/pkiuser/.dogtag/pki-ca/conf/certs/admin.csr
docker exec -u pkiuser pki podman exec systemd-pki-ca pki \
-d /conf/alias \
-f /conf/password.conf \
nss-cert-issue \
--issuer "ca_signing" \
--csr /conf/certs/admin.csr \
--ext /usr/share/pki/server/certs/admin.conf \
--cert /conf/certs/admin.crt
--csr /home/pkiuser/admin.csr
docker exec -u pkiuser pki podman cp /home/pkiuser/admin.csr systemd-pki-ca:/home/pkiuser
# issue cert
docker exec -u pkiuser pki podman exec systemd-pki-ca pki-server ca-cert-create \
--csr /home/pkiuser/admin.csr \
--profile /usr/share/pki/ca/conf/rsaAdminCert.profile \
--cert /home/pkiuser/admin.crt \
--import-cert
docker exec -u pkiuser pki podman cp systemd-pki-ca:/home/pkiuser/admin.crt /home/pkiuser
# import cert
docker exec -u pkiuser pki pki nss-cert-import \
--cert /home/pkiuser/.dogtag/pki-ca/conf/certs/admin.crt \
--cert /home/pkiuser/admin.crt \
admin
# https://github.com/dogtagpki/pki/wiki/Setting-up-CA-Admin-User
Expand All @@ -324,7 +327,7 @@ jobs:
pki-server ca-user-add \
--full-name Administrator \
--type adminType \
--cert /conf/certs/admin.crt \
--cert /home/pkiuser/admin.crt \
admin
# add CA admin user into CA groups
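Review bot: Nothing in the new `Create admin cert` step says that the `Add CA admin user` step in the second hunk depends on the `/home/pkiuser/admin.crt` that `ca-cert-create` leaves inside `systemd-pki-ca`; a comment at the `podman cp /home/pkiuser/admin.csr systemd-pki-ca:/home/pkiuser` line such as `# stage the CSR in the CA container; ca-user-add below reads admin.crt from the same directory` would make that explicit. The same absolute path `/home/pkiuser` is used on both sides of the two `podman cp` calls (outer `pki` container and the rootless `systemd-pki-ca` container), so it is worth confirming they are distinct filesystems — if the inner `/home/pkiuser` were a bind mount of the outer one the round trip would be redundant, though harmless. The import at the end has no `nss-cert-show admin` follow-up, so a failed import would only surface at the first `-n admin` call in a later step.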