The IPA installer refuses to accept certs signed with a CA-signature that does
not have basic constraints enabled (Described in RFC 5280)
Reviewed-By: David Kupka <dkupka@redhat.com>
When serial numbers were generated with $RANDOM, there
could be collisions.
Use sequential numbers instead.
Reviewed-By: Adam Misnyovszki <amisnyov@redhat.com>
Differences from the test plan at
http://www.freeipa.org/index.php?title=V3/CA-less_install&oldid=6669 are:
- The following tests are included in all applicable positive
install tests, rather than being standalone test cases:
- Verify CA certificate stored in LDAP
- Verify CA PEM file created by IPA server install
- Verify that IPA server install does not configure certmonger
- Verify CA PEM file created by IPA replica install
- Verify that IPA replica install does not configure certmonger
- Verify CA PEM file created by IPA client install
- PKI setup is done only once for each test class
- Master installation is done once for the IPA command tests, and
once for the certinstall tests
- Certificates are compared after base64 decoding to avoid failures
from formatting mismatches
- Minor changes necessary for automation (e.g. adding --unattended
and --password options, correcting error messages)
- Web UI tests are not included here
https://fedorahosted.org/freeipa/ticket/3830
