Revision as of 18:49, 9 April 2013 by Rcritten (talk | contribs)

Description

IPA certificate search

Setup

This requires an IPA master with a CA which you should have already set up.

How to test

Basic Search

  1. ipa cert-find

Should return 10 or more certificates (12 if there is a replica) of the form:

Serial number (hex): 0x1
Serial number: 1
Status: VALID
Subject: CN=Certificate Authority,O=EXAMPLE.COM

Search by non-specific subject

Search for certificates with this domain in the subject:

  1. ipa cert-find --subject=example.com

Should return the same number of certificates as every certificate should match.

Search for specific subject

Search for certificates for the FQDN of this IPA server:

  1. ipa cert-find --subject=ipa.example.com

Should return 3 certificates. One is for the web server, one for 389-ds and one for Tomcat.

Search for an exact subject

Search for certificates for the FQDN of this IPA server, with the exact match flag set:

  1. ipa cert-find --subject=ipa.example.com --exact

Should return 3 certificates. One is for the web server, one for 389-ds and one for Tomcat.

Search for an exact subject, no matches

Search for certificates for the domain of this IPA server, with the exact match flag set:

  1. ipa cert-find --subject=example.com --exact

Should return 0 certificates: example.com appears in the subject, but it is not an exact match.

Search by serial number

Search for certificates by serial number:

  1. ipa cert-find --min-serial-number=8 --max-serial-number=9

 Serial number (hex): 0x8
 Serial number: 8
 Status: VALID
 Subject: CN=ipa.example.com,O=EXAMPLE.COM
 Serial number (hex): 0x9
 Serial number: 9
 Status: VALID
 Subject: CN=ipa.example.com,O=EXAMPLE.COM
----------------------------
Number of entries returned 2
----------------------------

We should get two. To do a negative test, search with the minimum and maximum reversed:

  1. ipa cert-find --min-serial-number=9 --max-serial-number=8

There should be 0 matches.
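To check these search steps without reading each listing by eye, the following added helper (not part of the original test page or of FreeIPA) parses the `ipa cert-find` record format shown above, cross-checks the "Number of entries returned" footer, and models the two subject-matching modes as the expected results on this page describe them (default: case-insensitive substring over the whole subject; --exact: the CN must match in full). The sample output is constructed from the listing above.

```python
import re
from typing import Dict, List

# Constructed sample in the format `ipa cert-find` prints (see listing above).
SAMPLE_OUTPUT = """\
 Serial number (hex): 0x8
 Serial number: 8
 Status: VALID
 Subject: CN=ipa.example.com,O=EXAMPLE.COM
 Serial number (hex): 0x9
 Serial number: 9
 Status: VALID
 Subject: CN=ipa.example.com,O=EXAMPLE.COM
----------------------------
Number of entries returned 2
----------------------------
"""


def parse_cert_find(output: str) -> List[Dict[str, str]]:
    """Parse `ipa cert-find` output into one dict per certificate.

    A new record starts at every 'Serial number (hex)' line. The footer
    count is compared with the number of records actually parsed so a
    truncated or garbled listing is reported instead of silently accepted."""
    certs: List[Dict[str, str]] = []
    current = None
    reported = None
    for line in output.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("---"):
            continue
        m = re.match(r"Number of entries returned (\d+)$", stripped)
        if m:
            reported = int(m.group(1))
            continue
        key, _, value = stripped.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Serial number (hex)":
            current = {}
            certs.append(current)
        if current is None:
            raise ValueError(f"field before first record: {stripped!r}")
        current[key] = value
    if reported is not None and reported != len(certs):
        raise ValueError(f"footer reports {reported} entries, parsed {len(certs)}")
    return certs


def serials(certs: List[Dict[str, str]]) -> List[int]:
    """Decimal serial numbers of the parsed records, in listing order."""
    return [int(c["Serial number"]) for c in certs]


def subject_matches(subject: str, query: str, exact: bool) -> bool:
    """Model of the search semantics inferred from this page's expected results
    (an assumption, not FreeIPA's own code): --exact compares the CN value as a
    whole, the default matches a case-insensitive substring of the subject."""
    if exact:
        cn = next((p[3:] for p in subject.split(",") if p.startswith("CN=")), "")
        return cn.lower() == query.lower()
    return query.lower() in subject.lower()
```

Pipe the real command output into `parse_cert_find` (for example `subprocess.run(["ipa", "cert-find", ...])`) and assert that `8 in serials(...)` for the positive steps and `8 not in serials(...)` for the negative ones.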

Search by dates

Let's pick a random cert and search using its dates. We will check each response for this serial number.

  1. pki cert-show 8

-----------------
Certificate "0x8"
-----------------
 Serial Number: 0x8
 Issuer: CN=Certificate Authority,O=EXAMPLE.COM
 Subject: CN=rawhide2.greyoak.com,O=EXAMPLE.COM
 Status: VALID
 Not Before: Tue Apr 09 13:56:07 EDT 2013
 Not After: Fri Apr 10 13:56:07 EDT 2015

The not before date should be today, the not after tomorrow. We'll use those to dissect the data.

My example server was installed on April 9, 2013, so the dates I care about are April 9, 2013 and April 10, 2015.

Regardless of the number of certificates in the output, just make sure that the certificate with serial #8 is included.

Our certificate is good for one more day.

  1. ipa cert-find --validnotafter-from=2015-04-09 --validnotafter-to=2016-04-09

Serial #8 should be in the list.

Search outside the not-after range:

  1. ipa cert-find --validnotafter-from=2015-04-11 --validnotafter-to=2016-04-09

Serial #8 should not be in the list.

Search using both validnotbefore and validnotafter:

  1. ipa cert-find --validnotbefore-from=2013-04-09 --validnotafter-to=2015-04-09

Serial #8 should not be in the list, since it is still valid after April 9, 2015.

Search again using both validnotbefore and validnotafter, with a wider not-after range:

  1. ipa cert-find --validnotbefore-from=2013-04-09 --validnotafter-to=2016-04-09

Now serial #8 is included.

Expected Results

All the test steps should end with the specified results.