forked from cgzones/easy-ca
-
Notifications
You must be signed in to change notification settings - Fork 11
321 lines (275 loc) · 9.81 KB
/
master.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
name: easy-ca CI
on:
push:
branches: [ master ]
pull_request:
branches: [ master ]
# Allows you to run this workflow manually from the Actions tab
workflow_dispatch:
jobs:
create-root-ca:
runs-on: ubuntu-latest
steps:
# Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
- uses: actions/checkout@v2
- name: create root ca
run: |
./create-root-ca -d test-root-ca-dir <<EOF
n
test-root-ca
bogus.com
US
California
San Francisco
Bogus Inc.
Operations
Bogus Inc. Certificate Authority
rootCA_password
rootCA_password
EOF
- name: tar root ca
run: tar -C test-root-ca-dir -cf test-root-ca.tar .
- name: Upload root ca
uses: actions/upload-artifact@v2
with:
name: root-ca
path: test-root-ca.tar
retention-days: 5
test-root-ca:
runs-on: ubuntu-latest
needs: create-root-ca
steps:
- name: Download root ca
uses: actions/download-artifact@v2
with:
name: root-ca
- name: untar root ca
run: |
# Use another directory name to make sure the CA is movable
mkdir test-root-ca
tar -C test-root-ca -xf test-root-ca.tar
- name: Create server cert
working-directory: test-root-ca
run: |
./bin/create-server -s test-server.bogus.com -a www.test-server.bogus.com << EOF
rootCA_password
California
San Francisco
Jurisdiction of test-server.bogus-com
n
EOF
- name: Create client cert
working-directory: test-root-ca
run: |
./bin/create-client -c test-client << EOF
rootCA_password
San Francisco
private
n
EOF
- name: Create code signing certificate
working-directory: test-root-ca
run: |
./bin/create-codesign -c test-codesign << EOF
rootCA_password
San Francisco
private
n
codesign_p12pass
EOF
- name: List expired certs
working-directory: test-root-ca
run: ./bin/list-expiring-certs
- name: Check that all certs (including the root ca) expire within 5 years
working-directory: test-root-ca
run: |
./bin/list-expiring-certs -t '5 years' | tee exp.tmp
grep -q 'Found 4 expiring' exp.tmp
rm -f exp.tmp
- name: Revoke server certificate
working-directory: test-root-ca
run: |
./bin/revoke-cert -c certs/server/test-server-bogus-com/test-server-bogus-com.crt << EOF
1
y
rootCA_password
EOF
- name: Revoke code signing certificate
working-directory: test-root-ca
run: |
./bin/revoke-cert -c certs/codesign/test-codesign/test-codesign.crt << EOF
6
y
rootCA_password
EOF
- name: Check that we only see the root ca and client certs expiring within 5 years
working-directory: test-root-ca
run: |
./bin/list-expiring-certs -t '5 years' | tee exp.tmp
grep -q 'CN=Bogus Inc. Certificate Authority' exp.tmp
grep -q 'CN=test-client' exp.tmp
rm -f exp.tmp
- name: Check that we see all certificates again when using -a
working-directory: test-root-ca
run: |
./bin/list-expiring-certs -t '5 years' -a | tee exp.tmp
grep -q 'Found 4 expiring' exp.tmp
rm -f exp.tmp
- name: Check that the exit code for expiring certificates work
working-directory: test-root-ca
run: ( set +e ; ./bin/list-expiring-certs -t '5 years' -x ; test $? == 5 )
- name: Create signing CA
working-directory: test-root-ca
run: |
./bin/create-signing-ca -d test-signing-ca-dir << EOF
rootCA_password
n
test-signing-ca
bogus.com
US
California
San Francisco
Bogus Inc.
Operations
Bogus Inc. Certificate test-signing-ca
signCA_password
signCA_password
EOF
- name: User CSR with email, but not in SAN requests
run: |
mkdir user-csr-with-email
cd user-csr-with-email
openssl req -nodes -new -batch -keyout a.key -out a.csr -subj '/C=US/ST=California/L=San Francisco/O=Bogus Inc./OU=Testing department/CN=John Withmail/[email protected]'
cd ../test-root-ca
./bin/sign-csr -c ../user-csr-with-email/a.csr << EOF
rootCA_password
EOF
openssl x509 -noout -text -in certs/clients/John-Withmail/John-Withmail.crt | grep email:[email protected]
- name: Server CSR with SAN-DNS
run: |
mkdir server-csr-with-san-dns
cd server-csr-with-san-dns
openssl req -nodes -new -batch -keyout a.key -out a.csr -addext subjectAltName=DNS:test.bogus.com,DNS:test2.bogus.com -subj '/C=US/ST=California/L=San Francisco/O=Bogus Inc./OU=Testing department/CN=test.bogus.com'
cd ../test-root-ca
export ca_pass=rootCA_password
./bin/sign-csr -s -c ../server-csr-with-san-dns/a.csr <<EOF
rootCA_password
EOF
openssl x509 -noout -text -in certs/server/test-bogus-com/test-bogus-com.crt | grep 'DNS:test\.bogus\.com'
openssl x509 -noout -text -in certs/server/test-bogus-com/test-bogus-com.crt | grep 'DNS:test2\.bogus\.com'
- name: Server CSR without SAN-DNS
run: |
mkdir server-csr-without-san-dns
cd server-csr-without-san-dns
openssl req -nodes -new -batch -keyout a.key -out a.csr -subj '/C=US/ST=California/L=San Francisco/O=Bogus Inc./OU=Testing department/CN=kilo.bogus.com'
cd ../test-root-ca
export ca_pass=rootCA_password
./bin/sign-csr -s -c ../server-csr-without-san-dns/a.csr <<EOF
rootCA_password
EOF
openssl x509 -noout -text -in certs/server/kilo-bogus-com/kilo-bogus-com.crt | grep 'DNS:kilo\.bogus\.com'
- name: tar signing ca
working-directory: test-root-ca
run: |
tar -C test-signing-ca-dir -cf test-signing-ca.tar .
- name: Upload signing ca
uses: actions/upload-artifact@v2
with:
name: signing-ca
path: test-root-ca/test-signing-ca.tar
retention-days: 5
- name: Generate 8 CRLs (to reach alphabetical territory for serial)
working-directory: test-root-ca
run: |
for _ in $(seq 1 8); do
./bin/update-crl << EOF
rootCA_password
EOF
done
- name: Manually create server certificate with missing bits to trip up status page
run: |
mkdir annoying
export ca_pass=rootCA_password
# Internal magic to keep the CA config working. Not beautiful, but
# this is not standard usage; we are trying to trip it up.
export CA_DIR=$(pwd)/test-root-ca
export SAN=
openssl req -nodes -new -batch -keyout annoying/annoying.key -out annoying/annoying.csr -addext extendedKeyUsage=serverAuth -subj '/C=US/ST=California/L=San Francisco/O=Bogus Inc./OU=Testing department/CN=annoying.bogus.com'
openssl ca -batch -notext -in annoying/annoying.csr -config test-root-ca/ca/ca.conf -passin env:ca_pass -out annoying/annoying.csr
- name: Show status of CA
working-directory: test-root-ca
run: ./bin/show-status
- name: Generate HTML page
working-directory: test-root-ca
run: ./bin/gen-html
- name: Upload HTML
uses: actions/upload-artifact@v2
with:
name: root-ca-html
path: test-root-ca/html
retention-days: 60
test-signing-ca:
runs-on: ubuntu-latest
needs: test-root-ca
steps:
- name: Download signing ca
uses: actions/download-artifact@v2
with:
name: signing-ca
- name: untar signing ca
run: |
mkdir test-signing-ca
tar -C test-signing-ca -xf test-signing-ca.tar
- name: Create server cert
working-directory: test-signing-ca
run: |
./bin/create-server -s test-server.bogus.com -a www.test-server.bogus.com << EOF
signCA_password
California
San Francisco
Jurisdiction of test-server.bogus-com
n
EOF
- name: Create client cert
working-directory: test-signing-ca
run: |
./bin/create-client -c test-client << EOF
signCA_password
San Francisco
private
n
EOF
- name: Revoke server cert
working-directory: test-signing-ca
run: |
./bin/revoke-cert -c certs/server/test-server-bogus-com/test-server-bogus-com.crt << EOF
1
y
signCA_password
EOF
- name: Revoke client cert
working-directory: test-signing-ca
run: |
./bin/revoke-cert -c certs/clients/test-client/test-client.crt << EOF
5
y
signCA_password
EOF
- name: List expired certs
working-directory: test-signing-ca
run: ./bin/list-expiring-certs
- name: Show status of CA
working-directory: test-signing-ca
run: ./bin/show-status
- name: Generate HTML page
working-directory: test-signing-ca
run: ./bin/gen-html
- name: Upload HTML
uses: actions/upload-artifact@v2
with:
name: signing-ca-html
path: test-signing-ca/html
retention-days: 60