From Fedora Project Wiki


Latest revision as of 17:13, 4 July 2024

Description

This test case ensures the successful installation of an IPA server with HSM and the renewal of a certificate outside the grace period on Fedora.

Setup

Install the pre-release version of Fedora to be tested on a bare metal system using the default Anaconda settings, except to reclaim all disk space in the process.

How to test

Be as specific as required for the target audience.

  1. Install the freeipa packages: dnf install freeipa-server freeipa-server-dns softhsm -y
  2. Set the hostname to the fully qualified name in the domain to be used with IPA
    1. hostnamectl hostname ipa.example.test
    2. echo "<ip-address> ipa.example.test" >> /etc/hosts
  3. Create the softhsm token: runuser -u pkiuser -- /usr/bin/softhsm2-util --init-token --free --pin $TOKEN_PASSWORD --so-pin $TOKEN_PASSWORD --label ipa_token
  4. Install the IPA server: ipa-server-install -a $ADMIN_PASSWORD -p $DM_PASSWORD -r EXAMPLE.TEST -U --random-serial-numbers --token-name=ipa_token --token-library-path=/usr/lib64/pkcs11/libsofthsm2.so --token-password=$TOKEN_PASSWORD
  5. Move date to within the expiration grace period
    1. date -s +2years+11months+20days
    2. ipactl restart
    3. sleep 90
  6. Force issuance of new certs
    1. ipa-cert-fix (answer yes)
  7. It will take a bit for new certs to be issued and for certmonger to notice. To monitor it: watch -n 5 'getcert list | grep status'
  8. Return date to current time (Uninstall the IPA server prior to moving time backwards.)
    1. date -s -2years-11months-20days

Expected Results

  1. The expired certificates (all but the CA cert) will be re-issued. As you monitor using getcert list you may see the certificates go through different states including: SUBMITTING, GENERATING_CSR, POST_SAVED_CERT, NEED_TO_SUBMIT and/or NEED_TO_SAVE_CERT
  2. All installation steps complete without errors.
  3. The hostname is successfully renamed and resolved.
  4. The softhsm token is created and initialized correctly.
  5. The IPA server installs without issues and recognizes the HSM token.
  6. The system date is successfully changed to simulate the expiration grace period.
  7. Certificates (excluding the CA cert) are re-issued correctly when expired.
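
The monitoring in step 7 and the state check in the first expected result can be scripted instead of watched by eye. The following is an added example, not part of the original test case: the function names and the sample output are constructed, and it assumes MONITORING (certmonger's steady-state status, not named on this page) is the state every request returns to once renewal has finished.

```shell
#!/bin/bash
# Added example (not from the wiki page): summarise `getcert list` output.

# Print "request-id status stuck" for each tracked request read on stdin.
parse_getcert() {
    awk '
        /^Request ID/   { split($0, q, "\047"); id = q[2] }  # \047 = single quote
        $1 == "status:" { status = $2 }
        $1 == "stuck:"  { print id, status, $2 }
    '
}

# Print requests not yet back in MONITORING; return 0 only when none remain.
pending_requests() {
    parse_getcert | awk '$2 != "MONITORING" { print; n++ } END { exit (n > 0) }'
}

# Poll the live system every 5 s for up to $1 seconds (default 600).
# A retry counter is used instead of timestamps because this test moves the clock.
wait_for_renewal() {
    tries=$(( ${1:-600} / 5 ))
    while [ "$tries" -gt 0 ]; do
        getcert list | pending_requests >/dev/null && return 0
        tries=$(( tries - 1 ))
        sleep 5
    done
    getcert list | pending_requests   # show what is still outstanding
    return 1
}

# Constructed sample in the layout `getcert list` prints (IDs and dates made up).
sample_getcert_output() {
    cat <<'EOF'
Number of certificates and requests being tracked: 3.
Request ID '20240704171301':
        status: MONITORING
        stuck: no
        expires: 2026-06-24 17:13:01 UTC
Request ID '20240704171302':
        status: SUBMITTING
        stuck: no
Request ID '20240704171303':
        status: NEED_TO_SAVE_CERT
        stuck: no
EOF
}
```

Run `wait_for_renewal 900` after ipa-cert-fix; a non-zero return lists the requests that never settled.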