The dns parameter of request_and_wait_for_cert() must be a string of
hostnames.
* Enforce list/tuple type so that API misuse no longer passes silently.
* Add commonNameToSANDefaultImpl to KDCs_PKINIT_Certs profile
* Explicitly pass hostname for service certs
Fixes: https://pagure.io/freeipa/issue/8685
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Add a test with the following scenario:
ipa-server-install (with ca and pkinit enabled)
check that pkinit is properly enabled:
ipa-pkinit-manage status must return "enabled"
the KDC cert must be signed by IPA CA
Related to: https://pagure.io/freeipa/issue/7795
Reviewed-By: François Cami <fcami@redhat.com>
ipa-pkinit-manage enable was failing when run on a replica
without a CA instance.
Add a test with the following scenario:
- install a replica with --no-pkinit
- check that the KDC cert is self signed
- call ipa-pkinit-manage enable
- check that the KDC cert is signed by IPA CA
Related to https://pagure.io/freeipa/issue/7795
Reviewed-By: Francois Cami <fcami@redhat.com>
Add a test for ipa-pkinit-manage with the following scenario:
- install master with option --no-pkinit
- call ipa-pkinit-manage enable
- call ipa-pkinit-manage disable
- call ipa-pkinit-manage enable
At each step, check that the PKINIT cert is consistent with the
expectations: when pkinit is enabled, the cert is signed by IPA
CA and tracked by 'IPA' ca helper, but when pkinit is disabled,
the cert is self-signed and tracked by 'SelfSign' CA helper.
The new test is added in the nightly definitons.
Related to https://pagure.io/freeipa/issue/7200
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>