From Fedora Project Wiki
(Add template for this test case) |
(Complete the test case) |
||
| Line 3: | Line 3: | ||
|setup= | |setup= | ||
# Prepare a clean Fedora 18 install. | # Prepare a clean Fedora 18 install. | ||
#: You can setup a new virtual machine using the [http://download.fedoraproject.org/pub/fedora/linux/releases/18/Live/x86_64/Fedora-18-x86_64-Live-Desktop.iso Fedora 18 Live CD]. | |||
#: Proceed with the setup as usual, and complete first boot, then log in. | |||
# Install `wget` | |||
#: <pre>sudo yum install wget</pre> | |||
# Download the necessary certificate file: | |||
#: <pre>$ wget https://fedoraproject.org/w/uploads/b/b1/Cert-trust-test-ca.pem</pre> | |||
# Become root | |||
#: <pre>$ sudo -s</pre> | |||
#: The commands below should be executed as root | |||
|actions= | |actions= | ||
# | # Modify the `ca-bundle.crt` `ca-bundle.trust.crt' and `cacerts` files, by adding a certificate: | ||
#: <pre># cat Cert-trust-test-ca.pem >> /etc/pki/tls/certs/ca-bundle.crt</pre> | |||
#: <pre># cat Cert-trust-test-ca.pem >> /etc/pki/tls/certs/ca-bundle.trust.crt</pre> | |||
# Modify the 'cacerts` file by adding a certificate: | |||
#: <pre># openssl x509 -in Cert-trust-test-ca.pem -out cert-test.der -outform DER</pre> | |||
#: <pre># keytool -importcert cert-test-der -keystore /etc/pki/java/cacerts -alias p11-test</pre> | |||
#: The password is 'changeit', answer 'yes' when prompted | |||
#: Should see "Certificate was added to keystore" | |||
# Verify that the files have been modified | |||
#: <pre>#rpm -V ca-certificates</pre> | |||
#: You should see all the three files modified above listed. | |||
# Upgrade the packages in question to Fedora 19 | |||
#: <pre># yum update --nogpgcheck --releasever=19 update ca-certificates</pre> | |||
#: A whole bunch of packages will be updated, and this step depends on the state of Fedora 19 at the time when this test is performed. | |||
#: Alternatively you may perform a complete upgrade | |||
|results= | |results= | ||
# You should see that the bundles which were modified above, are now saved as `.rpmsave` files in these locations: | |||
#: `/etc/pki/java/cacerts.rpmsave` | |||
#: `/etc/pki/tls/certs/ca-bundle.crt.rpmsave` | |||
#: `/etc/pki/tls/certs/ca-bundle.trust.crt.rpmsave` | |||
# Verify that the java `.rpmsave` file contains the added certificate: | |||
#: <pre>$ keytool -list -keystore /etc/pki/java/cacerts.rpmsave | grep p11-test</pre> | |||
#: The password is 'changeit' | |||
#: You should see a line of output that contains "p11-test" and "trustedCertEntry" | |||
# Verify that the java in use cacerts file does not contain the added certificate: | |||
#: <pre>$ keytool -list -keystore /etc/pki/java/cacerts | grep p11-test</pre> | |||
#: The password is 'changeit' | |||
#: You should see no certificate lines of output. | |||
# Verify that the `ca-bundle.crt.rpmsave` file contains your added certificate: | |||
#: <pre>$ tail -n 21 /etc/pki/tls/certs/ca-bundle.crt.rpmsave | openssl x509 -noout -subject</pre> | |||
#: You should see a line of output that contains "p11-kit Test CA" | |||
# Verify that the `ca-bundle.trust.crt.rpmsave` file contains your added certificate: | |||
#: <pre>$ tail -n 21 /etc/pki/tls/certs/ca-bundle.trust.crt.rpmsave | openssl x509 -noout -subject</pre> | |||
#: You should see a line of output that contains "p11-kit Test CA" | |||
}} | }} | ||
Revision as of 08:58, 27 March 2013
Description
This tests what happens when a ca-bundle.crt bundle has been modified in a previous Fedora release, which is then upgraded to use shared system cetrificates.
Setup
- Prepare a clean Fedora 18 install.
- You can setup a new virtual machine using the Fedora 18 Live CD.
- Proceed with the setup as usual, and complete first boot, then log in.
- Install
wgetsudo yum install wget
- Download the necessary certificate file:
$ wget https://fedoraproject.org/w/uploads/b/b1/Cert-trust-test-ca.pem
- Become root
$ sudo -s
- The commands below should be executed as root
How to test
- Modify the
ca-bundle.crtca-bundle.trust.crt' andcacerts` files, by adding a certificate:# cat Cert-trust-test-ca.pem >> /etc/pki/tls/certs/ca-bundle.crt
# cat Cert-trust-test-ca.pem >> /etc/pki/tls/certs/ca-bundle.trust.crt
- Modify the 'cacerts` file by adding a certificate:
# openssl x509 -in Cert-trust-test-ca.pem -out cert-test.der -outform DER
# keytool -importcert cert-test-der -keystore /etc/pki/java/cacerts -alias p11-test
- The password is 'changeit', answer 'yes' when prompted
- Should see "Certificate was added to keystore"
- Verify that the files have been modified
#rpm -V ca-certificates
- You should see all the three files modified above listed.
- Upgrade the packages in question to Fedora 19
# yum update --nogpgcheck --releasever=19 update ca-certificates
- A whole bunch of packages will be updated, and this step depends on the state of Fedora 19 at the time when this test is performed.
- Alternatively you may perform a complete upgrade
Expected Results
- You should see that the bundles which were modified above, are now saved as
.rpmsavefiles in these locations:/etc/pki/java/cacerts.rpmsave/etc/pki/tls/certs/ca-bundle.crt.rpmsave/etc/pki/tls/certs/ca-bundle.trust.crt.rpmsave
- Verify that the java
.rpmsavefile contains the added certificate:$ keytool -list -keystore /etc/pki/java/cacerts.rpmsave | grep p11-test
- The password is 'changeit'
- You should see a line of output that contains "p11-test" and "trustedCertEntry"
- Verify that the java in use cacerts file does not contain the added certificate:
$ keytool -list -keystore /etc/pki/java/cacerts | grep p11-test
- The password is 'changeit'
- You should see no certificate lines of output.
- Verify that the
ca-bundle.crt.rpmsavefile contains your added certificate:$ tail -n 21 /etc/pki/tls/certs/ca-bundle.crt.rpmsave | openssl x509 -noout -subject
- You should see a line of output that contains "p11-kit Test CA"
- Verify that the
ca-bundle.trust.crt.rpmsavefile contains your added certificate:$ tail -n 21 /etc/pki/tls/certs/ca-bundle.trust.crt.rpmsave | openssl x509 -noout -subject
- You should see a line of output that contains "p11-kit Test CA"
Troubleshooting
- No notes at this time