From Fedora Project Wiki
Description
This test case ensures the successful installation of an IPA server with HSM and the renewal of a certificate outside the grace period on Fedora.
Setup
Install the pre-release version of Fedora to be tested on a bare metal system using the default Anaconda settings, except to reclaim all disk space in the process.
How to test
- Install the freeipa packages:
dnf install freeipa-server freeipa-server-dns softhsm -y
- Rename the hostname with the domain to be used with ipa
hostnamectl hostname ipa.example.test
echo “<ip-address> ipa.example.test” >> /etc/hosts
- Create softhsm token :
runuser -u pkiuser -- /usr/bin/softhsm2-util --init-token --free --pin $TOKEN_PASSWORD --so-pin $TOKEN_PASSWORD --label ipa_token
- Install the IPA server :
ipa-server-install -a $ADMIN_PASSWORD -p $DM_PASSWORD -r EXAMPLE.TEST -U --random-serial-numbers --token-name=ipa_token --token-library-path=/usr/lib64/pkcs11/libsofthsm2.so --token-password=$TOKEN_PASSWORD
- Move date to near the end of the grace period
date -s +1years+11months+20days
- Monitor the renewal - It will take a bit for new certs to be issued and for certmonger to notice. To monitor it:
watch -n 5 'getcert list | grep status'
- The expired certificates (all but the CA cert) will be re-issued. As you monitor using getcert list you may see the certificates go through different states including: SUBMITTING, GENERATING_CSR, POST_SAVED_CERT, NEED_TO_SUBMIT and/or NEED_TO_SAVE_CERT
- If one certificate fails to renew with CA_UNREACHABLE wait until all of the certs are either in this state or MONITORING. Then restart certmonger and run the watch again. Certificate renewal can be bumpy as lots of service restarts happen and the renewals can step on one another.
Expected Results
- All installation steps complete without errors.
- The hostname is successfully renamed and resolved.
- The softhsm token is created and initialized correctly.
- The IPA server installs without issues and recognizes the HSM token.
- The system date is successfully changed to simulate the near-end expiration grace period.
- Certificates (excluding the CA cert) are re-issued correctly when expired.
- Certmonger successfully monitors and manages the certificate renewal process