Compatibility Tests#

The following tests verify the compatibility between Dogtag 10.0.x on F19 and Dogtag 10.1.x on F20 for IPA replication. Due to an existing bug (https://fedorahosted.org/pki/ticket/816), a workaround that pins the DirectoryString encoding order has to be added during setup; without it the replica installation fails. The tests then check that certificates issued by the replica carry an issuer DN that is byte-for-byte identical to the CA certificate's subject DN, both with the workaround in place and after it has been removed.

Setup#

  • On an F19 machine, install IPA server (ipa-server-install).

  • Prepare an IPA replica (ipa-replica-prepare).

  • WORKAROUND: On an F20 machine, edit the CS.cfg template (/usr/share/pki/ca/conf/CS.cfg) and add the following line:

    X500Name.directoryStringEncodingOrder=PrintableString,UTF8String,T61String,BMPString,UniversalString

  • Install IPA replica (ipa-replica-install).

Test 1: Verify the replica can issue a valid certificate using the workaround#

Request a certificate on the replica#

On the replica, create a client security database:

$ pki -c Secret.123 client-init

Get profile template for a server certificate:

$ pki cert-request-profile-show caServerCert --output test1.xml

Generate a CSR:

$ certutil -R -d ~/.dogtag/nssdb -s "cn=test1.example.com" -a

Copy the CSR into test1.xml:

<CertEnrollmentRequest>
    ...
    <Input id="i1">
        <Attribute name="cert_request_type">
            <Value>pkcs10</Value>
        </Attribute>
        <Attribute name="cert_request">
            <Value>... CSR ...</Value>
        </Attribute>
    </Input>
    ...
</CertEnrollmentRequest>
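Pasting the CSR into the template by hand is error-prone when the test is repeated, so here is a small helper for the "Copy the CSR into test1.xml" step. It is an added example, not part of this page or of the pki tools: the template and the CSR text below are constructed stand-ins with the same layout as the real ones, and the CSR is inserted exactly as certutil printed it.

```python
"""Fill the cert_request_type / cert_request inputs of a Dogtag profile
template (the XML written by `pki cert-request-profile-show`) with a CSR.

Added example, not code from the Dogtag project. The template and the CSR
below are constructed stand-ins; a real run would read test1.xml and the
file certutil -R -a wrote."""
import xml.etree.ElementTree as ET

# Constructed: the two inputs the page's template shows, with empty values.
TEMPLATE = """<CertEnrollmentRequest>
    <ProfileID>caServerCert</ProfileID>
    <Input id="i1">
        <Attribute name="cert_request_type">
            <Value></Value>
        </Attribute>
        <Attribute name="cert_request">
            <Value></Value>
        </Attribute>
    </Input>
</CertEnrollmentRequest>"""

# Constructed: not a real CSR, only the shape certutil -R -a prints.
FAKE_CSR = """-----BEGIN NEW CERTIFICATE REQUEST-----
MIIBfakeCSRbodyForTheExampleOnly
-----END NEW CERTIFICATE REQUEST-----"""


def _value(root, attr_name):
    """Locate <Attribute name=...><Value/> inside the enrollment request."""
    node = root.find(".//Attribute[@name='%s']/Value" % attr_name)
    if node is None:
        raise ValueError("template has no attribute %r" % attr_name)
    return node


def fill_request(template_xml, csr_text, request_type="pkcs10"):
    """Return the template with the request type and CSR filled in."""
    root = ET.fromstring(template_xml)
    _value(root, "cert_request_type").text = request_type
    _value(root, "cert_request").text = csr_text.strip()
    return ET.tostring(root, encoding="unicode")


def read_input(request_xml, attr_name):
    """Read a value back from a filled request (used to verify the result)."""
    return _value(ET.fromstring(request_xml), attr_name).text


if __name__ == "__main__":
    filled = fill_request(TEMPLATE, FAKE_CSR)
    # In the real test: open("test1.xml", "w").write(filled), then
    # pki cert-request-submit test1.xml
    print(filled)
```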

Submit request:

$ pki cert-request-submit test1.xml

Make a note of the request ID.

Approve the certificate request#

On the master, export the agent certificate and key from the IPA security database (the resulting agent.p12 contains the agent's private key, so copy it to the replica over a secure channel and delete both copies once the import below is done):

$ pk12util -o agent.p12 -n ipaCert -d /etc/httpd/alias -k /etc/httpd/alias/pwdfile.txt -W Secret.123

On the replica, import the agent certificate and key into the client security database:

$ pk12util -i agent.p12 -d ~/.dogtag/nssdb -K Secret.123 -W Secret.123

Approve the certificate request:

$ pki -c Secret.123 -n ipaCert cert-request-review <request ID> --action approve

Retrieve the certificate ID:

$ pki cert-request-show <request ID>

Retrieve the certificate:

$ pki cert-show <certificate ID> --output test1.pem
$ AtoB test1.pem test1.crt

Import the certificate into the client security database:

$ pki -n test1 client-cert-import --cert test1.crt

Validate the new certificate#

Export CA certificate:

$ certutil -L -d ~/.dogtag/nssdb -n "<realm> IPA CA" -a > ca.pem
$ AtoB ca.pem ca.crt

View the content of the certificates:

$ dumpasn1 test1.crt
$ dumpasn1 ca.crt

Verify the certificate's issuer DN matches the CA certificate's subject DN, including the encoding: the string type of each attribute value (PrintableString below) must be the same in both, not just the text. A value encoded as UTF8String in one and PrintableString in the other has different DER bytes, and tools that look up the issuer by its DER-encoded name will not find the CA.

SEQUENCE {
  SET {
    SEQUENCE {
      OBJECT IDENTIFIER organizationName (2 5 4 10)
      PrintableString '<realm>'
      }
    }
  SET {
    SEQUENCE {
      OBJECT IDENTIFIER commonName (2 5 4 3)
      PrintableString 'Certificate Authority'
      }
    }
  }
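Reading two dumpasn1 listings side by side is easy to get wrong, so here is the same comparison done programmatically. This is an added example and not part of the page or of Dogtag: a minimal DER encoder that mimics what X500Name.directoryStringEncodingOrder does (the first listed type that can carry the value wins), a walker that pulls the issuer and subject Names out of a certificate, and a check that reports every attribute whose string type differs. The certificates it builds are constructed, unsigned placeholders with a real certificate's layout; the "UTF8String first" order is a hypothetical opposite of the page's workaround, used only to show how a mismatch looks. Run the functions against the DER of test1.crt and ca.crt to check real output.

```python
"""Check that a certificate's issuer Name is byte-identical (string types
included) to the CA certificate's subject Name.

Added example, not Dogtag code. Certificates below are constructed, unsigned
placeholders; only the issuer/subject fields matter for the check."""
import string

PRINTABLE, UTF8 = 0x13, 0x0C
OID_O = bytes.fromhex("55040a")   # 2.5.4.10 organizationName
OID_CN = bytes.fromhex("550403")  # 2.5.4.3  commonName
PRINTABLE_CHARS = set(string.ascii_letters + string.digits + " '()+,-./:=?")


def tlv(tag, body):
    """DER TLV with definite length (short and long forms)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def directory_string(value, order):
    """Mimic X500Name.directoryStringEncodingOrder: first type in `order`
    that can represent the value wins (PrintableString only for its charset)."""
    for t in order:
        if t == "PrintableString" and set(value) <= PRINTABLE_CHARS:
            return tlv(PRINTABLE, value.encode("ascii"))
        if t == "UTF8String":
            return tlv(UTF8, value.encode("utf-8"))
    raise ValueError("no type in %r can encode %r" % (order, value))


def name(rdns, order):
    """Name ::= SEQUENCE OF SET OF SEQUENCE { type OID, value }."""
    return tlv(0x30, b"".join(
        tlv(0x31, tlv(0x30, tlv(0x06, oid) + directory_string(v, order)))
        for oid, v in rdns))


def parse(der, pos=0):
    """Return (tag, body, end) for the TLV starting at pos."""
    tag, n, pos = der[pos], der[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(der[pos:pos + k], "big"), pos + k
    return tag, der[pos:pos + n], pos + n


def children(body):
    """Split a constructed body into [(tag, body, raw TLV bytes)]."""
    out, pos = [], 0
    while pos < len(body):
        tag, inner, end = parse(body, pos)
        out.append((tag, inner, body[pos:end]))
        pos = end
    return out


def attributes(name_der):
    """Flatten a Name into [(oid hex, string tag, text)], i.e. what dumpasn1
    shows: which string type carries each attribute value."""
    out = []
    for _, rdn, _ in children(parse(name_der)[1]):
        for _, atv, _ in children(rdn):
            (_, oid, _), (stype, val, _) = children(atv)
            out.append((oid.hex(), stype, val.decode("utf-8")))
    return out


def fake_cert(issuer_der, subject_der):
    """Constructed, unsigned Certificate with the real TBS field order."""
    alg = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b")))  # sha256WithRSA
    validity = tlv(0x30, tlv(0x17, b"140101000000Z") + tlv(0x17, b"150101000000Z"))
    spki = tlv(0x30, alg + tlv(0x03, b"\x00"))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + alg
              + issuer_der + validity + subject_der + spki)
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00"))


def issuer_and_subject(cert_der):
    """Raw DER of the issuer and subject Names of a DER certificate."""
    tbs = children(parse(cert_der)[1])[0][1]
    fields = [c for c in children(tbs) if c[0] != 0xA0]  # drop [0] version
    return fields[2][2], fields[4][2]   # serial, sigalg, issuer, validity, subject


def check_chain_names(cert_der, ca_der):
    """True only if issuer == CA subject byte-for-byte; the report lists
    (oid, cert string tag, CA string tag) for every attribute whose type differs."""
    issuer, _ = issuer_and_subject(cert_der)
    _, ca_subject = issuer_and_subject(ca_der)
    report = [(oid, it, ct) for (oid, it, _), (_, ct, _)
              in zip(attributes(issuer), attributes(ca_subject)) if it != ct]
    return issuer == ca_subject, report


if __name__ == "__main__":
    ca_dn = [(OID_O, "EXAMPLE.COM"), (OID_CN, "Certificate Authority")]
    workaround = ["PrintableString", "UTF8String"]  # order from the CS.cfg line
    utf8_first = ["UTF8String", "PrintableString"]  # hypothetical opposite order
    ca = fake_cert(name(ca_dn, workaround), name(ca_dn, workaround))
    good = fake_cert(name(ca_dn, workaround), name([(OID_CN, "test1.example.com")], workaround))
    bad = fake_cert(name(ca_dn, utf8_first), name([(OID_CN, "test2.example.com")], workaround))
    print(check_chain_names(good, ca))  # (True, [])
    print(check_chain_names(bad, ca))   # (False, [('55040a', 12, 19), ('550403', 12, 19)])
```

To run this against the page's files, pass `open("test1.crt", "rb").read()` and `open("ca.crt", "rb").read()` (the binary output of AtoB) to `check_chain_names`.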

Verify the certificate is valid (as an SSL server certificate):

$ certutil -V -d ~/.dogtag/nssdb -n test1 -u V

If certutil reports that the issuer is not trusted, the CA certificate is present in the client database but carries no trust flags; mark it trusted first with certutil -M -d ~/.dogtag/nssdb -n "<realm> IPA CA" -t "CT,C,C" and run the check again.

Test 2: Verify the replica can issue a valid certificate after removing the workaround#

Shut down the replica:

$ systemctl stop pki-tomcatd@pki-tomcat.service

Remove the X500Name.directoryStringEncodingOrder line from the replica's instance CS.cfg (/var/lib/pki/pki-tomcat/ca/conf/CS.cfg), not from the template.

Start the replica again:

$ systemctl start pki-tomcatd@pki-tomcat.service

Issue another certificate (e.g. test2) using the same steps as in Test 1.

Verify the certificate’s issuer DN matches the CA certificate’s subject DN (including the encoding).

$ dumpasn1 test2.crt
$ dumpasn1 ca.crt

Verify the certificate is valid:

$ certutil -V -d ~/.dogtag/nssdb -n test2 -u V