From Fedora Project Wiki
(Test case for adding an anchor) |
(Update for new paths) |
||
| Line 8: | Line 8: | ||
|actions= | |actions= | ||
# Copy the new certificate authority into the right place so it is treated as an anchor for other certificates: | # Copy the new certificate authority into the right place so it is treated as an anchor for other certificates: | ||
#: <pre>$ sudo cp ~/ | #: <pre>$ sudo cp ~/certificate-trust-test-cases/Cert-trust-test-ca.pem /etc/pki/ca-trust/source/anchors/</pre> | ||
#: The target directory should exist | #: The target <code>anchors/</code> directory should already exist. | ||
# Firefox should use the new system anchor automatically: | # Firefox should use the new system anchor automatically: | ||
#: Quit firefox completely | #: Quit firefox completely | ||
| Line 40: | Line 40: | ||
#: Messages on the console from epiphany are probably unrelated to this test, unless they say "p11-kit". | #: Messages on the console from epiphany are probably unrelated to this test, unless they say "p11-kit". | ||
# Java should use the new anchor: | # Java should use the new anchor: | ||
#: <pre>$ java -classpath ~/ | #: <pre>$ java -classpath ~/certificate-trust-test-cases TestCertTrust https://test9431.kuix.de:9431/</pre> | ||
#: This uses the java test program that you compiled in the prerequisites. | #: This uses the java test program that you compiled in the prerequisites. | ||
#: The output should say <code>connection worked</code> | #: The output should say <code>connection worked</code> | ||
Revision as of 09:00, 21 March 2013
Description
This tests configuring an additional certificate authority anchor on the system, which causes certificates signed by that anchor to be trusted.
Setup
- Make sure to complete the prerequisites before starting this test.
- You should run through the Untrusted Certificate Test Case first.
- This test case connects to test9431.kuix.de on port 9431
- If firefox, epiphany or other applications are running they must be exited, as they cache information.
How to test
- Copy the new certificate authority into the right place so it is treated as an anchor for other certificates:
$ sudo cp ~/certificate-trust-test-cases/Cert-trust-test-ca.pem /etc/pki/ca-trust/source/anchors/
- The target
anchors/directory should already exist.
- Firefox should use the new system anchor automatically:
- Quit firefox completely
$ firefox https://test9431.kuix.de:9431
- The page should load without an error message.
- Left of the URL should have a standard gray padlock, without a warning triangle.
- When you hover your mouse over the gray padlock, it should say "Verified by: p11-kit Test Org"
- Click on the icon, then click on More Information, then on View Certificate, , then on Details. Click on the top certificate (top line) in the Certificate Hierarchy. In certificate fields there should be a line that says: "System Trust:p11-kit Test CA"
- Messages on the console from firefox are probably unrelated to this test, unless they say "p11-kit".
- The other tests below require extraction of the system ca-trust compatibility bundles:
$ sudo update-ca-trust
- This extracts the new bundles so that gnutls, openssl, and java and so on can make use of them.
- There should be no output from this command.
- Verify that openssl recognizes the new anchor:
$ openssl s_client -verify 5 -connect test9431.kuix.de:9431
- You should see:
Verify return code: 0 (ok) - Press Ctrl-C to exit
- Check that gnutls recognizes the new anchor:
$ gnutls-cli -p 9431 test9431.kuix.de
- You should see:
Status: The certificate is trusted. - Press Ctrl-C to exit
- Check that curl recognizes the new anhcor:
$ curl -w "Verify: %{ssl_verify_result}\n" --head https://test9431.kuix.de:9431- You should see:
Verify: 0
- Epiphany should use the new anchor:
- Quit epiphany completely
$ epiphany https://test9431.kuix.de:9431
- Right of the URL bar should have a standard gray padlock
- Clicking on the padlock should show a window which says "The identity of this website has been verified"
- Messages on the console from epiphany are probably unrelated to this test, unless they say "p11-kit".
- Java should use the new anchor:
$ java -classpath ~/certificate-trust-test-cases TestCertTrust https://test9431.kuix.de:9431/
- This uses the java test program that you compiled in the prerequisites.
- The output should say
connection worked
Expected Results
While executing each of the above commands, check the output matches what's noted for each command. You should see no errors or warnings about invalid certificates or verification that failed.
Troubleshooting
- Epiphany and Firefox should be quit completely before testing.
- For reliable results, make sure to clear the firefox cache, as described in the test prerequisites.