On Fri, Jun 10, 2016 at 05:58:02PM +0200, Milan Kubík wrote:
> Hi Fraser and list,
> 
> I've written a (minimal) draft [1] of the test plan for the Sub CAs feature
> and I also have several questions.
> 
> Could you please take a look at it?
> 
> Questions:
> 
> As described in the last (currently) test case, should it be possible to
> specify both the CA and certificate profile in cert-request call?
> This way one could use (at least) two ACLs (one affiliated with CA, one with
> a profile).
> Are there such use cases?
> 
You can specify both CA and profile in cert-request call.  CA ACLs
encompass both of these.  (Implementation-wise, we use the HBAC
machinery; CA is the "host" and profile is the "service").

> Related to this, what happens when CA ACL has specific CA and profile
> category (all)?
>
If an ACL has profilecat=all and cacat=all, it will match if the
subject principal's name or groups match one of the name or groups
in the ACL rule.

> Applicable to other combinations as well. The ACL category semantics is
> a bit unclear for me here.
> 
> Is there any validation of the CA's DN (syntax)?
> 
Yes; the subject DN is a DNParam (checked by IPA framework).  Dogtag
also checks it and CA creation will fail if it is invalid OR if
there is already a CA with that DN.

> How would you approach testing of the Sub CA certificate renewal and key
> replication
>
Renewal is not yet implemented, so ask me later :)

Key replication: if you create a CA on one replica, there are a
couple ways to check.

1) After a short delay, a key and cert with the CA's Authority ID
appear in the CA replica's NSSDB (/etc/pki/pki-tomcat/alias)

2) After a short delay, hit the Dogtag REST API
(GET /ca/rest/authorities/<id>) or invoke the `pki' command to see if
the CA is "ready to sign", e.g.:

    # pki -d /etc/httpd/alias -C /etc/httpd/alias/pwdfile.txt -n ipaCert \
        -P https -p 8443 ca-authority-show 24de435e-3b3b-4248-b187-fc719e579983
      Authority DN:   CN=smime
      ID:             24de435e-3b3b-4248-b187-fc719e579983
      Parent ID:      8568c666-00d6-435c-9446-1014c6ce1215
      Issuer DN:      CN=Certificate Authority,O=IPA.LOCAL 201606091248
      Serial no:      15
      Enabled:        true
      Ready to sign:  true    <--- key replication completed


> (I do not know if this is covered at the respective component's level or
> not)?
> 
> 
> [1]: http://www.freeipa.org/page/V4/Sub-CAs/Test_Plan
> 
> Thanks
> 
Thank you; I will review the rest of the test plan shortly.

Cheers,
Fraser

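The CA ACL semantics described above (CA as the HBAC "host", profile as the "service", and the cacat/profilecat/usercat "all" categories) can be illustrated with a small evaluator. This is an added example written for this thread, not FreeIPA's or Dogtag's code: it is a simplified model that only handles user-style subject principals and groups, and every rule name, CA name, profile name and principal in it is constructed for the demonstration.

```python
from dataclasses import dataclass

# Hypothetical, simplified model of a CA ACL rule (not FreeIPA's implementation).
# A rule matches a request when all three dimensions match: CA, profile, subject.
# A category set to "all" makes that dimension match unconditionally.
@dataclass
class CAACL:
    name: str
    cas: frozenset = frozenset()          # CAs named by the rule (ignored if cacat_all)
    cacat_all: bool = False               # cacat=all
    profiles: frozenset = frozenset()     # profiles named by the rule (ignored if profilecat_all)
    profilecat_all: bool = False          # profilecat=all
    users: frozenset = frozenset()        # subject principals named directly
    groups: frozenset = frozenset()       # groups whose members the rule covers
    usercat_all: bool = False             # usercat=all
    enabled: bool = True


@dataclass
class CertRequest:
    principal: str        # subject principal making the cert-request call
    member_of: frozenset  # groups the principal belongs to
    ca: str               # CA requested (both CA and profile may be given)
    profile: str          # certificate profile requested


def acl_matches(acl: CAACL, req: CertRequest) -> bool:
    """One rule, evaluated HBAC-style: CA plays the host, profile the service."""
    if not acl.enabled:
        return False
    ca_ok = acl.cacat_all or req.ca in acl.cas
    profile_ok = acl.profilecat_all or req.profile in acl.profiles
    # With cacat=all and profilecat=all this is the only test left:
    # the principal's name or one of its groups must appear in the rule.
    subject_ok = (acl.usercat_all
                  or req.principal in acl.users
                  or bool(req.member_of & acl.groups))
    return ca_ok and profile_ok and subject_ok


def matching_acls(acls, req: CertRequest):
    """Names of every enabled rule that permits this request."""
    return [acl.name for acl in acls if acl_matches(acl, req)]


def request_allowed(acls, req: CertRequest) -> bool:
    """A cert-request is permitted when at least one CA ACL matches it."""
    return bool(matching_acls(acls, req))


# Constructed sample rules (names are invented for this example).
ACLS = [
    # Specific CA and specific profile, granted to a group.
    CAACL(name="smime_mail_users",
          cas=frozenset({"smime"}),
          profiles=frozenset({"mailCert"}),
          groups=frozenset({"mail-users"})),
    # cacat=all and profilecat=all: matches purely on the subject.
    CAACL(name="admins_any_ca",
          cacat_all=True, profilecat_all=True,
          users=frozenset({"admin"})),
    # Would match everything, but a disabled rule never grants anything.
    CAACL(name="disabled_rule",
          cacat_all=True, profilecat_all=True, usercat_all=True,
          enabled=False),
]

if __name__ == "__main__":
    # "ipa" is assumed here to be the top-level CA's name; other values are constructed.
    for req in (CertRequest("alice", frozenset({"mail-users"}), "smime", "mailCert"),
                CertRequest("alice", frozenset({"mail-users"}), "smime", "webCert"),
                CertRequest("admin", frozenset(), "ipa", "webCert"),
                CertRequest("bob", frozenset(), "ipa", "webCert")):
        print(req.principal, req.ca, req.profile, "->", matching_acls(ACLS, req) or "denied")
```

The point the thread makes is visible in the last two requests: with both categories set to "all", only the subject part of the rule decides, so "admin" is granted for any CA/profile pair while "bob" is denied even though a wildcard rule exists, because that rule is disabled.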
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code