Description
IPA certificate search
Setup
This requires an IPA master with a CA which you should have already set up.
How to test
Basic Search
- ipa cert-find
Should return 10 or more certificates (12 if there is a replica) of the form:
  Serial number (hex): 0x1
  Serial number: 1
  Status: VALID
  Subject: CN=Certificate Authority,O=EXAMPLE.COM
Search by non-specific subject
Search for certificates with this domain in the subject:
- ipa cert-find --subject=example.com
Should return the same number of certificates as the basic search, because every certificate should match.
Search for specific subject
Search for certificates for the FQDN of this IPA server:
- ipa cert-find --subject=ipa.example.com
Should return 3 certificates. One is for the web server, one for 389-ds and one for Tomcat.
Search for an exact subject
Search for certificates for the FQDN of this IPA server, with the exact match flag set:
- ipa cert-find --subject=ipa.example.com --exact
Should return 3 certificates. One is for the web server, one for 389-ds and one for Tomcat.
Search for an exact subject, no matches
Search for certificates for the domain of this IPA server, with the exact match flag set:
- ipa cert-find --subject=example.com --exact
Should return 0 certificates: example.com is in the subject, but it does not match exactly.
Search by serial number
Search for certificates by serial number:
- ipa cert-find --min-serial-number=8 --max-serial-number=9
  Serial number (hex): 0x8
  Serial number: 8
  Status: VALID
  Subject: CN=ipa.example.com,O=EXAMPLE.COM

  Serial number (hex): 0x9
  Serial number: 9
  Status: VALID
  Subject: CN=ipa.example.com,O=EXAMPLE.COM
----------------------------
Number of entries returned 2
----------------------------
We should get two. To do a negative test, search with the numbers reversed:
There should be 0 matches.
Expected Results
All the test steps should end with the specified results.
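The checks above can be scripted so that each step fails loudly instead of being compared by eye. The following is an added example, not part of the original test plan or of IPA: check_cert_find and the two sample functions are hypothetical names, the sample listings are constructed from the output shown on this page, and the layout of an empty result is an assumption.

```shell
#!/bin/sh
# Added example: check `ipa cert-find` output against a test step's expectations.
# check_cert_find is a hypothetical helper, not part of IPA.
# Args: expected-count min-serial max-serial substring-expected-in-every-Subject
check_cert_find() {
    awk -v want="$1" -v lo="$2" -v hi="$3" -v subj="$4" '
        # "Serial number (hex):" does not match here, only the decimal line does.
        /^[ \t]*Serial number:/ {
            n++; s = $NF + 0
            if (s < lo || s > hi) { printf "serial %d outside %d..%d\n", s, lo, hi; bad = 1 }
        }
        /^[ \t]*Subject:/ {
            if (index($0, subj) == 0) { print "unexpected subject:" $0; bad = 1 }
        }
        /Number of entries returned/ { footer = $NF + 0; seen = 1 }
        END {
            if (n + 0 != want + 0) { printf "expected %d entries, parsed %d\n", want, n; bad = 1 }
            if (seen && footer != n + 0) { printf "footer says %d, parsed %d\n", footer, n; bad = 1 }
            exit bad + 0
        }' >&2
}

# Constructed sample: the serial-range listing from this page, one field per line.
sample_range_output() {
    cat <<'EOF'
  Serial number (hex): 0x8
  Serial number: 8
  Status: VALID
  Subject: CN=ipa.example.com,O=EXAMPLE.COM

  Serial number (hex): 0x9
  Serial number: 9
  Status: VALID
  Subject: CN=ipa.example.com,O=EXAMPLE.COM
----------------------------
Number of entries returned 2
----------------------------
EOF
}

# Constructed sample: what an empty result is assumed to look like.
sample_empty_output() {
    printf '%s\n' '----------------------------' 'Number of entries returned 0' '----------------------------'
}

sample_range_output | check_cert_find 2 8 9 ipa.example.com && echo "serial range: PASS"
sample_empty_output | check_cert_find 0 9 8 ipa.example.com && echo "reversed range: PASS"
```

On a live IPA master, pipe the real command into the helper instead of the samples, for example: ipa cert-find --min-serial-number=8 --max-serial-number=9 | check_cert_find 2 8 9 ipa.example.com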