From Fedora Project Wiki


CA-less install testing.


  1. Start with the setup steps in QA:Testcase_freeipav3_installation
  2. yum install freeipa-server nss-util

How to test

Prepare certificates

Set up a CA

First, we need to set up a simple NSS-based certification authority to provide certificates for our FreeIPA server.

If you already have a CA set up, you use it instead. (In that case you will need a SSL server certificate in PKCS#12 format, and the CA certificate in PEM format.)

We will put our CA in ~/test_ca; you may use another directory (or another machine) if you prefer.

Pick a password and store it in ~/test_ca/pwdfile.txt.

Create the NSS database:

   /usr/bin/certutil -d ~/test_ca -N -f ~/test_ca/pwdfile.txt

Create a noise file for the CA cert:

   head -c20 /dev/random > ~/test_ca/noise.txt

Each certificate needs a unique serial number. For a real CA you would save this number safely; for our test we will just use an environment variable. If you to this test multiple times, please use unique numbers each time (for example first start with 0, then with 1000, 2000, 3000, and so on).

   export CERT_SERIAL=0

Create a CA certificate:

   export CERT_SERIAL=$(($CERT_SERIAL + 1))
   /usr/bin/certutil -d ~/test_ca -S -n "CA" -s "CN=Certificate Authority" -x -t CT,,C -1 -2 -5 -m $CERT_SERIAL -v 120 -z ~/test_ca/noise.txt -f ~/test_ca/pwdfile.txt

Give the following answers (type the number/letter, and Enter):

  Create key usage extension:
      0 - Digital Signature
      1 - Non-repudiation
      5 - Cert signing key
      9 - done
      Is this a critical extension [y/N]? y
  Create basic constraint extension
      Is this a CA certificate [y/N]?  y
  Enter the path length constraint, enter to skip [<0 for unlimited path]
      Is this a critical extension [y/N]? y
      5 - SSL
      6 - S/MIME
      7 - Object Signing CA
      9 - done
      Is this a critical extension [y/N]? n

Issue a server certificate

The certificate contains the hostname of the server. Store it in an environment variable. (If your CA is on a different machine than the future IPA server, use the IPA server hostname instead.)

   export HOSTNAME=$(hostname)  # the machine where you'll install IPA

Generate a certificate request:

   head -c20 /dev/random > ~/test_ca/noise.txt
   /usr/bin/certutil -d ~/test_ca -R -s CN=$HOSTNAME,O=IPA -o /tmp/servercert.req -k rsa -g 2048 -z ~/test_ca/noise.txt -f ~/test_ca/pwdfile.txt -a

Sign the request to issue a server certificate:

   export CERT_SERIAL=$(($CERT_SERIAL + 1))
   /usr/bin/certutil -d ~/test_ca -C -c "CA" -i /tmp/servercert.req -o /tmp/servercert.pem -m $CERT_SERIAL -v 120 -f ~/test_ca/pwdfile.txt -1 -5 -a

Give the following answers:

  Create key usage extension:
      2 - Key encipherment
      9 - done
      n - not critical
  Create netscape cert type extension:
      1 - SSL Server
      9 - done
      n - not critical

If you wish, you may generate separate certificates for the HTTP and Directory servers.

Export certificates in the correct formats

Import the resulting certificate:

   /usr/bin/certutil -d ~/test_ca -A -i /tmp/servercert.pem -n Server-Cert -a -t ,,

And export as PKCS#12:

   /usr/bin/pk12util -o ~/test_ca/servercert.p12 -n Server-Cert -d ~/test_ca -k ~/test_ca/pwdfile.txt -w ~/test_ca/pwdfile.txt

Now export the CA cert in the PEM format:

   /usr/bin/certutil -d ~/test_ca -L -n "CA" -a > ~/test_ca/cacert.pem

If your CA is on a different machine, copy ~/test_ca/cacert.pem, ~/test_ca/servercert.p12, and ~/test_ca/pwdfile.txt to the machine where you want to install IPA.

Install CA-less IPA

Issue the following:

   export PWD=$(cat ~/test_ca/pwdfile.txt)
   ipa-server-install --http_pkcs ~/test_ca/servercert.p12 --dirsrv_pkcs ~/test_ca/servercert.p12 --http_pin $PWD --dirsrv_pin $PWD --root-ca-file ~/test_ca/cacert.pem

Answer the questions, and after a while, the IPA server will be installed. Try:

   kinit admin
   ipa user-find

Also make sure the following complain that the command is not found:

   ipa cert-find
   ipa cert-show 1

You may run any additional tests, but note that certificate-related functionality will be disabled (e.g. ipa-getcert, ipa cert-*).

Adding a client should work as usual (refer to QA:Testcase_freeipav3_installation#Client_testing).

Install a CA-less replica

For this section, you will need an additional machine. Skip the section if you don't have one.

To install a replica, first generate certificates for the new machine. Do the "Issue a server certificate" and "Export certificates in the correct formats" again, this time setting $HOSTNAME to the future replica's hostname. Use Replica-Cert instead of Server-Cert, and ~/test_ca/replicacert.p12 instead of ~/test_ca/servercert.p12

Then, on the existing master, do:

   export REPLICA_IP_ADDRESS=...  # the future replica's IP address
   ipa-replica-prepare --http_pkcs ~/test_ca/replicacert.p12 --dirsrv_pkcs ~/test_ca/replicacert.p12 --http_pin $PWD --dirsrv_pin $PWD $HOSTNAME --ip-address $REPLICA_IP_ADDRESS

Copy the resulting file from /var/lib/ipa/replica-info-$HOSTNAME.gpg to the machine with the future replica. Then, on that machine, do:

   ipa-replica-install /var/lib/ipa/replica-info-$HOSTNAME.gpg

You now have a CA-less replica. Refer to QA:Testcase_freeipav3_replication#Verifying_the_Installation for how to ensure it works.

Expected Results

All the test steps should end with the specified results.