There were recently quite a number of bugs (e.g. #5595, #5598, #5602, #5611, #5636) related to the CA-less to full-CA/externally signed CA conversion of an IPA master and the creation of replicas from it.
In order to catch bugs like these earlier in the development cycle, we need a comprehensive suite testing these scenarios as a part of the continuous integration workflow.
These are some test cases we would need to cover:
1.) promotion of CA-less master to full CA
2.) installation of client against this master and requesting client certificate
3.) updating client-side NSS databases using ipa-certupdate
4.) testing various cert-related commands (ipa cert-show, ipa certprofile-show --out, etc.) on the client and the master
5.) installation of CA-less and CA replicas against the master in both domain levels
A similar suite of test cases can be constructed for the conversion of CA-less master to externally signed CA.
Metadata Update from @mbabinsk:
- Issue assigned to someone
- Issue set to the milestone: FreeIPA 4.5 backlog
Note: we already have tests for
ipatests/test_integration/test_caless.py::TestServerReplicaCALessToCAFull
ipatests/test_integration/test_caless.py::TestReplicaCALessToCAFull
ipatests/test_integration/test_caless.py::TestServerCALessToExternalCA
Metadata Update from @frenaud:
- Issue close_status updated to: None
- Issue set to the milestone: None (was: FreeIPA 4.5 backlog)