On Fri, Jun 10, 2016 at 05:58:02PM +0200, Milan Kubík wrote:
> Hi Fraser and list,
> I've written a (minimal) draft of the test plan for the Sub CAs feature
> and I also have several questions.
> Could you please take a look at it?
> As described in the last (currently) test case, should it be possible to
> specify both the CA and certificate profile in cert-request call?
> This way one could use (at least) two ACLs (one affiliated with CA, one with
> a profile).
> Are there such use cases?
You can specify both CA and profile in cert-request call. CA ACLs
encompass both of these. (Implementation-wise, we use the HBAC
machinery; CA is the "host" and profile is the "service").
> Related to this, what happens when CA ACL has specific CA and profile
> category (all)?
If an ACL has profilecat=all and cacat=all, it will match if the
subject principal's name or groups match one of the name or groups
in the ACL rule.
> Applicable to other combinations as well. The ACL category semantics is
> a bit unclear for me here.
> Is there any validation of the CA's DN (syntax)?
Yes; the subject DN is a DNParam (checked by IPA framework). Dogtag
also checks it and CA creation will fail if it is invalid OR if
there is already a CA with that DN.
> How would you approach testing of the Sub CA certificate renewal and key
Renewal is not yet implemented, so ask me later :)
Key replication: if you create a CA on one replica, there are a
couple ways to check.
1) After a short delay, a key and cert with the CA's Authority ID
appear in the CA replica's NSSDB (/etc/pki/pki-tomcat/alias)
2) After a short delay, hit the Dogtag REST API (
GET /ca/rest/authorities/<id>) or invoke the `pki' command to see if
the CA is "ready to sign", e.g.:
# pki -d /etc/httpd/alias -C /etc/httpd/alias/pwdfile.txt -n ipaCert \
-P https -p 8443 ca-authority-show 24de435e-3b3b-4248-b187-fc719e579983
Authority DN: CN=smime
Parent ID: 8568c666-00d6-435c-9446-1014c6ce1215
Issuer DN: CN=Certificate Authority,O=IPA.LOCAL 201606091248
Serial no: 15
Ready to sign: true <--- key replication completed
> (I do not know if this is covered at the respective component's level or
> : http://www.freeipa.org/page/V4/Sub-CAs/Test_Plan
Thank you; I will review the rest of the test plan shortly.
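The CA ACL category semantics discussed above (a specific CA with profilecat=all, cacat=all with profilecat=all, and so on), as an added worked model. This is not FreeIPA's code and not part of the thread; it is a deliberately simplified evaluator that follows the rule stated in the reply: a rule permits a cert-request when the CA matches (or cacat=all), the profile matches (or profilecat=all) and the subject principal matches by name or group (or usercat=all). The rule names, CA names, profile names and principals are constructed for illustration.

```python
"""Toy model of CA ACL evaluation (assumption: simplified, not IPA's own code).

A cert-request names a CA and a certificate profile. A CA ACL rule permits
the request only when all three of its member sets match: the CA (or
cacat=all), the profile (or profilecat=all) and the requesting principal
by name or group (or usercat=all). IPA builds this on its HBAC machinery,
with the CA in the "host" role and the profile in the "service" role.
"""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List


@dataclass(frozen=True)
class CaAcl:
    name: str
    cacat_all: bool = False                     # cacat=all
    cas: FrozenSet[str] = frozenset()           # CA names, e.g. "ipa", "smime"
    profilecat_all: bool = False                # profilecat=all
    profiles: FrozenSet[str] = frozenset()      # certificate profile IDs
    usercat_all: bool = False                   # usercat=all
    users: FrozenSet[str] = frozenset()
    groups: FrozenSet[str] = frozenset()


@dataclass(frozen=True)
class Principal:
    name: str
    groups: FrozenSet[str] = frozenset()


def acl_matches(acl: CaAcl, who: Principal, ca: str, profile: str) -> bool:
    """True if this single rule permits `who` to use `profile` on `ca`."""
    ca_ok = acl.cacat_all or ca in acl.cas
    profile_ok = acl.profilecat_all or profile in acl.profiles
    who_ok = (acl.usercat_all
              or who.name in acl.users
              or bool(who.groups & acl.groups))
    # A category of "all" widens only that one dimension; the other two
    # still have to match. A rule with a specific CA and profilecat=all
    # therefore still requires the requested CA to be that CA.
    return ca_ok and profile_ok and who_ok


def permitting_acls(acls: Iterable[CaAcl], who: Principal,
                    ca: str, profile: str) -> List[str]:
    """Names of every rule that permits the request (empty list = denied)."""
    return [a.name for a in acls if acl_matches(a, who, ca, profile)]


# Constructed sample rules (not from any real deployment).
SAMPLE_ACLS = (
    # Any profile on the "smime" sub-CA, but only for members of "staff".
    CaAcl("smime_staff", cas=frozenset({"smime"}), profilecat_all=True,
          groups=frozenset({"staff"})),
    # One specific profile on the root "ipa" CA, for every user.
    CaAcl("service_certs", cas=frozenset({"ipa"}),
          profiles=frozenset({"caIPAserviceCert"}), usercat_all=True),
    # "admin" may use any CA with any profile.
    CaAcl("admin_all", cacat_all=True, profilecat_all=True,
          users=frozenset({"admin"})),
)

if __name__ == "__main__":
    alice = Principal("alice", frozenset({"staff"}))
    bob = Principal("bob")
    admin = Principal("admin")
    for who, ca, profile in [(alice, "smime", "smimeUser"),
                             (bob, "smime", "smimeUser"),
                             (bob, "ipa", "caIPAserviceCert"),
                             (admin, "smime", "caIPAserviceCert")]:
        print(who.name, ca, profile, "->",
              permitting_acls(SAMPLE_ACLS, who, ca, profile) or "DENIED")
```

Running the script shows the two ACL dimensions Milan asked about acting independently: bob is denied on the smime CA because no rule covers him there, yet permitted the service profile on the root CA, while a rule with both categories set to all still only fires for the principals it names.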
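The key-replication check in the reply (poll `pki ca-authority-show` until it reports "Ready to sign: true"), as an added example that is not part of the thread or of FreeIPA. It parses the output format shown above and polls until the CA is ready. The `pki` command line is the one given in the reply; the sample outputs below are constructed, and the `run` parameter is an assumption added so the parser and the polling loop can be exercised without a CA replica.

```python
"""Wait for a sub-CA's signing key to finish replicating (added example).

`pki ca-authority-show <id>` prints "Ready to sign: true" once the CA's key
and certificate have arrived on the replica. This parses that output and
polls until it says so. The `run` callable is an assumption for testing
offline; by default it invokes the real pki CLI.
"""
import subprocess
import time
from typing import Callable, Dict, Optional

# Arguments copied from the invocation shown in the thread.
PKI_ARGS = ["pki", "-d", "/etc/httpd/alias",
            "-C", "/etc/httpd/alias/pwdfile.txt", "-n", "ipaCert",
            "-P", "https", "-p", "8443", "ca-authority-show"]


def parse_authority_show(output: str) -> Dict[str, str]:
    """Split 'Key: value' lines on the first colon only, so DN values such
    as 'CN=Certificate Authority,O=IPA.LOCAL 201606091248' stay intact."""
    fields: Dict[str, str] = {}
    for line in output.splitlines():
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        fields[key.strip()] = value.strip()
    return fields


def is_ready_to_sign(output: str) -> bool:
    """True once the CA reports 'Ready to sign: true'."""
    return parse_authority_show(output).get("Ready to sign", "").lower() == "true"


def run_pki_show(authority_id: str) -> str:
    """Default runner: invoke the pki CLI on an IPA CA replica."""
    return subprocess.run(PKI_ARGS + [authority_id], check=True,
                          capture_output=True, text=True).stdout


def wait_until_ready(authority_id: str, timeout: float = 120.0,
                     interval: float = 5.0,
                     run: Callable[[str], str] = run_pki_show
                     ) -> Optional[Dict[str, str]]:
    """Poll until the CA is ready; return its fields, or None on timeout."""
    deadline = time.monotonic() + timeout
    while True:
        output = run(authority_id)
        if is_ready_to_sign(output):
            return parse_authority_show(output)
        if time.monotonic() >= deadline:
            return None
        time.sleep(interval)


# Constructed sample output in the shape shown in the thread.
SAMPLE_PENDING = """\
Authority DN: CN=smime
Parent ID: 8568c666-00d6-435c-9446-1014c6ce1215
Issuer DN: CN=Certificate Authority,O=IPA.LOCAL 201606091248
Serial no: 15
Ready to sign: false
"""
SAMPLE_READY = SAMPLE_PENDING.replace("Ready to sign: false",
                                      "Ready to sign: true")

if __name__ == "__main__":
    # Offline demonstration: pretend the replica answers twice "false",
    # then "true".
    answers = iter([SAMPLE_PENDING, SAMPLE_PENDING, SAMPLE_READY])
    print(wait_until_ready("24de435e-3b3b-4248-b187-fc719e579983",
                           timeout=10, interval=0, run=lambda _: next(answers)))
```

In a test plan this is the gate before the first cert-request against a freshly created sub-CA on another replica: issue only after `wait_until_ready` returns the fields, and treat a None (timeout) as a replication failure to investigate rather than a flaky test.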
Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code