
V4/Sub-CAs/Test Plan

Name: V4/Sub-CAs/Test Plan
Target version: 4.4.0
Design: V4/Sub-CAs
Reviewer: missing
Last updated: 2016-08-19 by Akasurde

TBD

Test case: Default Sub CA properties

Autotest

{{{autotest}}}

Setup

Actions

1. Search for IPA CA

 $ ipa ca-show ipa

2. Rename IPA CA

 $ ipa ca-mod ipa

3. Delete IPA CA

 $ ipa ca-del ipa

Expected results

1. The default IPA CA is present.
2. Rename operation is not permitted.
3. Delete operation is not permitted.

Test case: Sub CA manipulation

Autotest

{{{autotest}}}

Setup

Actions

1. Create Sub CA

 $ ipa ca-add sampleca2 --subject='CN=sampleca2,O=testrelm.test'

2. Rename Sub CA

 $ ipa ca-mod sampleca2 --setattr=cn=sampleca3

3. Delete Sub CA
4. Add Sub CA with malformed DN
5. Add CA with colliding name
6. Add CA with colliding subject DN
7. Try to modify ipacasubjectdn and ipacaissuerdn via addattr, setattr and delattr operations

Expected results

1. Sub CA is created
2. Sub CA can be renamed
3. Sub CA is deleted
4. Adding CA fails
5. Adding CA fails
6. Adding CA fails
7. Attributes cannot be modified as they are read-only

Test case: Assign Sub CA to a CA ACL

Autotest

{{{autotest}}}

Setup

CA ACL without Sub CA

Actions

1. Add Sub CA to an ACL

Expected results

1. Sub CA is added to the ACL

Test case: Delete Sub CA from a CA ACL

Autotest

{{{autotest}}}

Setup

CA ACL with Sub CA

Actions

1. Remove Sub CA from an ACL

Expected results

1. Sub CA is removed from the ACL

Test case: Assign Invalid Sub CA to a CA ACL

Autotest

{{{autotest}}}

Setup

CA ACL exists, name of added sub CA doesn't

Actions

1. Add Sub CA to an ACL

Expected results

1. Sub CA is not added to the ACL

Test case: Sign CSR with a Sub CA

Autotest

{{{autotest}}}

Setup

Sub CA, certificate profile and appropriate CA ACL exist,
CSR for user certificate complies with the certificate profile

Actions

1. Generate CSR complying with the certificate profile
2. Request the certificate signed by the Sub CA
3. Verify the certificate is signed by the Sub CA and not the IPA CA

Expected results

The certificate is signed by the Sub CA.

Test case: Show Sub CA certificate

Autotest

{{{autotest}}}

Setup

Actions

1. Find the certificate ID

 $ ipa cert-find test-subca

2. Retrieve the Sub CA certificate entry

 $ ipa cert-show "$TEST_SUBCA_ID"

3. Compare the Issuer DN to IPA CA subject DN

Expected results

The Sub CA certificate is issued by the IPA CA.
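
Step 3 of this test case and step 3 of "Sign CSR with a Sub CA" both reduce to comparing a certificate's Issuer DN with a CA's subject DN. The script below is an added example, not part of the original test plan or of FreeIPA's test suite. Its sample command output is constructed, and the field labels (`Subject DN`, `Issuer`) and helper names are assumptions about what `ipa ca-show` and `ipa cert-show` print.

```shell
#!/bin/sh
# Constructed sample text in the assumed shape of `ipa ca-show ipa` output.
IPA_CA_SHOW='  Name: ipa
  Description: IPA CA
  Subject DN: CN=Certificate Authority,O=TESTRELM.TEST
  Issuer DN: CN=Certificate Authority,O=TESTRELM.TEST'

# Constructed `ipa cert-show` output for the Sub CA certificate (note the
# extra space after the comma, which a plain string compare would reject).
SUBCA_CERT_SHOW='  Subject: CN=test-subca,O=TESTRELM.TEST
  Issuer: CN=Certificate Authority, O=TESTRELM.TEST
  Serial number: 12'

# Constructed `ipa cert-show` output for a user certificate issued by the Sub CA.
USER_CERT_SHOW='  Subject: CN=alice,O=TESTRELM.TEST
  Issuer: CN=test-subca,O=TESTRELM.TEST
  Serial number: 13'

# field LABEL TEXT: print the value of the first "LABEL: value" line in TEXT.
field() {
    printf '%s\n' "$2" | sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" | head -n 1
}

# norm_dn DN: lower-case the DN and drop whitespace around ',' and '='.
# Simplification: escaped commas inside attribute values are not handled.
norm_dn() {
    printf '%s\n' "$1" | tr '[:upper:]' '[:lower:]' |
        sed 's/[[:space:]]*,[[:space:]]*/,/g; s/[[:space:]]*=[[:space:]]*/=/g; s/^[[:space:]]*//; s/[[:space:]]*$//'
}

# issued_by CERT_SHOW_TEXT EXPECTED_DN: succeed only if the certificate's
# Issuer equals EXPECTED_DN after normalization.
issued_by() {
    [ "$(norm_dn "$(field Issuer "$1")")" = "$(norm_dn "$2")" ]
}

ipa_dn=$(field 'Subject DN' "$IPA_CA_SHOW")
# "Show Sub CA certificate": the Sub CA certificate must chain to the IPA CA.
issued_by "$SUBCA_CERT_SHOW" "$ipa_dn" && echo "PASS: Sub CA cert issued by IPA CA"
# "Sign CSR with a Sub CA": the user certificate must NOT be issued by the IPA CA.
issued_by "$USER_CERT_SHOW" "$ipa_dn" || echo "PASS: user cert not issued by IPA CA"
issued_by "$USER_CERT_SHOW" "CN=test-subca,O=TESTRELM.TEST" && echo "PASS: user cert issued by Sub CA"
```

Against a live server, replace the constructed variables with the captured output of the corresponding `ipa` commands.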

Test case: Test usage of default CA by cert request

Autotest

{{{autotest}}}

Setup

1. Prepare certificate profile
2. Prepare sub CA
3. Prepare the TEST_ACL that will contain cert profile and the CA
4. Prepare CSR

Actions

1. Request the certificate with only specifying the certificate profile.

 $ ipa cert-request CSR_FILE --profile-id PROFILE --principal alice@EXAMPLE.NET

Expected results

The request satisfies TEST_ACL via the profile ID. However, because no CA is specified, the request falls back to the IPA CA, for which the test profile isn't enabled, and so it violates the ACL.