Description
IPA certificate search
Setup
This requires an IPA master with a CA, which you should already have set up.
How to test
Basic Search
- ipa cert-find
Should return 10 or more certificates (12 if there is a replica) of the form:
  Serial number (hex): 0x1
  Serial number: 1
  Status: VALID
  Subject: CN=Certificate Authority,O=EXAMPLE.COM
Search by non-specific subject
Search for certificates with this domain in the subject:
- ipa cert-find --subject=example.com
Should return the same number of certificates as the basic search, since every certificate has example.com in its subject.
Search for specific subject
Search for certificates for the FQDN of this IPA server:
- ipa cert-find --subject=ipa.example.com
Should return 3 certificates: one for the web server, one for 389-ds, and one for Tomcat.
Search for an exact subject
Search for certificates for the FQDN of this IPA server, with the exact match flag set:
- ipa cert-find --subject=ipa.example.com --exact
Should return the same 3 certificates: one for the web server, one for 389-ds, and one for Tomcat.
Search for an exact subject, no matches
Search for certificates for the domain of this IPA server, with the exact match flag set:
- ipa cert-find --subject=example.com --exact
Should return 0 certificates: example.com appears in the subject, but it is not an exact match for the whole subject.
Search by serial number
Search for certificates by serial number:
- ipa cert-find --min-serial-number=8 --max-serial-number=9
  Serial number (hex): 0x8
  Serial number: 8
  Status: VALID
  Subject: CN=ipa.example.com,O=EXAMPLE.COM

  Serial number (hex): 0x9
  Serial number: 9
  Status: VALID
  Subject: CN=ipa.example.com,O=EXAMPLE.COM
----------------------------
Number of entries returned 2
----------------------------
We should get two. As a negative test, search again with the min and max serial numbers reversed:
There should be 0 matches.
Search by dates
Pick a certificate (serial #8 here) and search using its validity dates. Each search below states whether serial #8 should appear in the response.
- pki cert-show 8
-----------------
Certificate "0x8"
-----------------
  Serial Number: 0x8
  Issuer: CN=Certificate Authority,O=EXAMPLE.COM
  Subject: CN=rawhide2.greyoak.com,O=EXAMPLE.COM
  Status: VALID
  Not Before: Tue Apr 09 13:56:07 EDT 2013
  Not After: Fri Apr 10 13:56:07 EDT 2015
The Not Before date should be the day the server was installed (today, on a fresh install); we will use the Not Before and Not After dates to dissect the data.
My example server was installed on April 9, 2013, so the dates I care about are April 9, 2013 and April 10, 2015.
Regardless of how many certificates are returned, just make sure that the certificate with serial #8 is included where expected.
Our certificate (Not After 2015-04-10) is still good for one more day after 2015-04-09, so a Not After range starting on that date should include it:
- ipa cert-find --validnotafter-from=2015-04-09 --validnotafter-to=2016-04-09
Serial #8 should be in the list.
Search outside the Not After range:
- ipa cert-find --validnotafter-from=2015-04-11 --validnotafter-to=2016-04-09
Serial #8 should not be in the list.
Search using both validnotbefore and validnotafter
- ipa cert-find --validnotbefore-from=2013-04-09 --validnotafter-to=2015-04-09
Serial #8 should not be in the list: its Not After date (2015-04-10) falls after the 2015-04-09 upper bound.
Search again using both validnotbefore and validnotafter
- ipa cert-find --validnotbefore-from=2013-04-09 --validnotafter-to=2016-04-09
Now serial #8 is included.
Expected Results
All the test steps should end with the specified results.
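A small checker for the steps above, added here as an example and not part of the original test plan: it parses the cert-find listing format shown in this plan (entry count, "Number of entries returned" footer, presence of a given serial) and drives a few of the searches when the ipa CLI is available. The sample output and the host name ipa.example.com are constructed from this page; the helper names are my own.

```shell
#!/bin/sh
# Constructed sample in the format "ipa cert-find" prints (from this test plan).
SAMPLE_FIND_OUTPUT='  Serial number (hex): 0x8
  Serial number: 8
  Status: VALID
  Subject: CN=ipa.example.com,O=EXAMPLE.COM

  Serial number (hex): 0x9
  Serial number: 9
  Status: VALID
  Subject: CN=ipa.example.com,O=EXAMPLE.COM
----------------------------
Number of entries returned 2
----------------------------'

# Count entries by their decimal "Serial number:" line (the "(hex)" line is skipped).
count_certs() {
  printf '%s\n' "$1" | grep -c '^[[:space:]]*Serial number:[[:space:]]*[0-9]' || true
}

# Extract the count ipa itself reports in the footer (empty if no footer).
reported_count() {
  printf '%s\n' "$1" | sed -n 's/^Number of entries returned \([0-9][0-9]*\)$/\1/p'
}

# Succeed only if the decimal serial $1 appears as its own entry in output $2.
has_serial() {
  printf '%s\n' "$2" | grep -q "^[[:space:]]*Serial number:[[:space:]]*$1\$"
}

# One test step passes when both the counted entries and the footer equal EXPECTED.
check_count() {
  expected=$1; output=$2
  n=$(count_certs "$output"); reported=$(reported_count "$output")
  [ "$n" -eq "$expected" ] && [ "${reported:-0}" -eq "$expected" ]
}

# Live driver for some of the plan's searches; skipped where ipa is not installed.
run_plan() {
  command -v ipa >/dev/null 2>&1 || { echo "ipa not found, skipping live checks"; return 0; }
  out=$(ipa cert-find --subject=ipa.example.com --exact)
  check_count 3 "$out" || echo "FAIL: exact FQDN search, expected 3"
  out=$(ipa cert-find --subject=example.com --exact)
  check_count 0 "$out" || echo "FAIL: exact domain search, expected 0"
  out=$(ipa cert-find --min-serial-number=8 --max-serial-number=9)
  { check_count 2 "$out" && has_serial 8 "$out"; } || echo "FAIL: serial range 8-9"
  out=$(ipa cert-find --validnotafter-from=2015-04-11 --validnotafter-to=2016-04-09)
  if has_serial 8 "$out"; then echo "FAIL: serial 8 returned outside its Not After range"; fi
}
```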