github.com/Venafi/vcert/v5@v5.10.2/aruba/features/format/pkcs12.feature

Feature: PKCS#12 format output

  As user, I need VCert to output my certificate, private key, and chain certificates in the PKCS#12 format
  required by my application so that I don't have to use OpenSSL to combine the individual PEM files generated
  by VCert into a PKCS#12 keystore.

  - User requests PKCS#12 by specifying "pkcs12" after the -format switch

  - User must use the -file switch to specify the name of the keystore file when they specify -format pkcs12
    (i.e. neither the -cert-file, -key-file, nor -chain-file switches may appear on the command line,
    and console output as a base64 encoded blob will not be supported).

  - User specifies the password for the PKCS#12 file using the -key-password switch

  - User can request a PKCS#12 file with no password by including the -no-prompt switch

  - PKCS#12 format is not allowed for the enroll or renew actions when -csr is "file"

  - PKCS#12 format is not allowed for the enroll or renew action when -csr is "local" (or not specified)
    and the -no-pickup switch is used

  - PKCS#12 format is only allowed for the pickup action when the private key is stored in the Venafi Platform


  Background:
    And the default aruba exit timeout is 180 seconds

  @FAKE
  Scenario: where it outputs error if PKCS#12 format is specified, but STDOUT output is used (default output)
    When I enroll random certificate in test-mode with -no-prompt -format pkcs12
    Then it should fail with "PKCS#12 format requires certificate, private key, and chain to be written to a single file; specify using --file"
    When I retrieve the certificate in test-mode with -pickup-id xxx -key-password xxx -format pkcs12
    Then it should fail with "PKCS#12 format requires certificate, private key, and chain to be written to a single file; specify using --file"
    When I renew the certificate in TPP with flags -id xxx -no-prompt -format pkcs12
    Then it should fail with "PKCS#12 format requires certificate, private key, and chain to be written to a single file; specify using --file"

  @FAKE
  Scenario: where all objects are written to one PKCS#12 archive
    When I enroll random certificate in test-mode with -no-prompt -format pkcs12 -file all.p12
    Then the exit status should be 0
    And "all.p12" should be PKCS#12 archive with password ""

  @FAKE
  Scenario: where all objects are written to one PKCS#12 archive with ecdsa key
    When I enroll random certificate in test-mode with -no-prompt -format pkcs12 -file all.p12 -key-type ecdsa
    Then the exit status should be 0
    And "all.p12" should be PKCS#12 archive with password ""

  Scenario Outline: where all objects are written to one PKCS#12 archive with key password
    When I enroll random certificate with dummy password in <endpoint> with -format pkcs12 -file all.p12
    Then the exit status should be 0
    And "all.p12" should be PKCS#12 archive with dummy password

    @FAKE
    Examples:
      | endpoint  |
      | test-mode |

    @TPP
    Examples:
      | endpoint  |
      | TPP       |

    @VAAS
    Examples:
      | endpoint  |
      | Cloud     |

  Scenario Outline: where all objects are written to one PKCS#12 legacy archive with key password
    When I enroll random certificate with dummy password in <endpoint> with -format legacy-pkcs12 -file all.p12
    Then the exit status should be 0
    And "all.p12" should be PKCS#12 archive in legacy mode with dummy password

    @FAKE
    Examples:
      | endpoint  |
      | test-mode |

    @TPP
    Examples:
      | endpoint  |
      | TPP       |

    @VAAS
    Examples:
      | endpoint  |
      | Cloud     |

  Scenario Outline: where it outputs error when trying to pickup local-generated certificate and output it in PKCS#12 format
    When I enroll random certificate using <endpoint> with -no-prompt -no-pickup
    And I retrieve the certificate using <endpoint> using the same Pickup ID with -timeout 180 -no-prompt -file all.p12 -format pkcs12
    And it should fail with "key password must be provided"

    @FAKE
    Examples:
      | endpoint  |
      | test-mode |

    @TPP
    Examples:
      | endpoint  |
      | TPP       |

    @VAAS
    Examples:
      | endpoint  |
      | Cloud     |

  Scenario Outline: where it outputs error when trying to enroll certificate in -csr file: mode and output it in PKCS#12 format
    Given I generate random CSR with -no-prompt -csr-file csr.pem -key-file k.pem
    When I enroll certificate using <endpoint> with -no-prompt -csr file:csr.pem -file all.p12 -format pkcs12
    And it should fail with "The --csr \"file\" option may not be used with the enroll or renew actions when --format is \"pkcs12\""

    @FAKE
    Examples:
      | endpoint  |
      | test-mode |

    @TPP
    Examples:
      | endpoint  |
      | TPP       |

    @VAAS
    Examples:
      | endpoint  |
      | Cloud     |

  Scenario Outline: where it outputs error when trying to enroll certificate in -csr local (by default), -no-pickup and output it in PKCS#12 format
    When I enroll random certificate using <endpoint> with -no-prompt -file all.p12 -format pkcs12 -no-pickup
    And it should fail with "The --csr \"local\" option may not be used with the enroll or renew actions when --format is \"pkcs12\" and --no-pickup is specified"

    @FAKE
    Examples:
      | endpoint  |
      | test-mode |

    @TPP
    Examples:
      | endpoint  |
      | TPP       |

    @VAAS
    Examples:
      | endpoint  |
      | Cloud     |

  Scenario Outline: where it outputs error when trying to enroll certificate in -csr local (specified), -no-pickup and output it in PKCS#12 format
    When I enroll random certificate using <endpoint> with -no-prompt -file all.p12 -format pkcs12 -no-pickup -csr local
    And it should fail with "The --csr \"local\" option may not be used with the enroll or renew actions when --format is \"pkcs12\" and --no-pickup is specified"

    @FAKE
    Examples:
      | endpoint  |
      | test-mode |

    @TPP
    Examples:
      | endpoint  |
      | TPP       |

    @VAAS
    Examples:
      | endpoint  |
      | Cloud     |

  Scenario Outline: where it pickups up service-generated certificate and outputs it in PKCS#12 format
    When I enroll random certificate using <endpoint> with -no-prompt -no-pickup -csr service
    And I retrieve the certificate using <endpoint> using the same Pickup ID and using a dummy password with -timeout 180 -file all.p12 -format pkcs12
    And "all.p12" should be PKCS#12 archive with dummy password

    @FAKE
    Examples:
      | endpoint  |
      | test-mode |

    @TPP
    Examples:
      | endpoint  |
      | TPP       |

  Scenario Outline: where it pickups up service-generated certificate and outputs it in PKCS#12 legacy format
    When I enroll random certificate using <endpoint> with -no-prompt -no-pickup -csr service
    And I retrieve the certificate using <endpoint> using the same Pickup ID and using a dummy password with -timeout 180 -file all.p12 -format legacy-pkcs12
    And "all.p12" should be PKCS#12 archive in legacy mode with dummy password

    @FAKE
    Examples:
      | endpoint  |
      | test-mode |

    @TPP
    Examples:
      | endpoint  |
      | TPP       |

# TODO: Now VaaS supports CSR, but we need to verify this behavior for this test
#    @VAAS
#    Examples:
#      | endpoint  |
#      | Cloud     | # -csr service is not supported by Cloud
#
#  Scenario Outline: Pickup PKCS12 with typing pass phrases
#    When I enroll random certificate using <endpoint> with -no-prompt -no-pickup -csr service
#    And I interactively retrieve the certificate using <endpoint> using the same Pickup ID with -timeout 99 -file all.p12 -format pkcs12
#    And I type dummy password
#    And I type dummy password
#    Then the exit status should be 0
#    And "all.p12" should be PKCS#12 archive with dummy password
#    Examples:
#      | endpoint  |
#      | test-mode |
#      | TPP       |
#      | Cloud     | # -csr service is not supported by Cloud

  Scenario Outline: where it should enroll a PKCS12 certificate with -csr service and without file option (VEN-48622)
    When I enroll random certificate using <endpoint> with -csr service -no-prompt -no-pickup -format pkcs12
    Then it should post certificate request
    Then I retrieve the certificate using <endpoint> using the same Pickup ID and using a dummy password with -timeout 59
    And it should retrieve certificate
    And it should output encrypted private key

    @FAKE
    Examples:
      | endpoint  |
      | test-mode |

    @TPP
    Examples:
      | endpoint  |
      | TPP       |
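
The switch rules and scenario outcomes above, modelled as one Go validation function. This is an added example, not part of the feature file and not VCert's own code. The `Opts` type, the `ValidatePKCS12` name, the order of the checks and the treatment of `legacy-pkcs12` like `pkcs12` are assumptions; the error strings are the ones the scenarios expect.

```go
package main

import (
	"errors"
	"fmt"
)

// Opts is a hypothetical model of the switches the scenarios exercise.
type Opts struct {
	Action      string // "enroll", "renew" or "pickup"
	Format      string // value of -format
	CSR         string // kind only: "", "local", "service" or "file"
	File        string // value of -file
	KeyPassword string // value of -key-password
	NoPickup    bool   // -no-pickup
}

const (
	errNeedFile = "PKCS#12 format requires certificate, private key, and chain to be written to a single file; specify using --file"
	errCSRFile  = `The --csr "file" option may not be used with the enroll or renew actions when --format is "pkcs12"`
	errCSRLocal = `The --csr "local" option may not be used with the enroll or renew actions when --format is "pkcs12" and --no-pickup is specified`
	errNeedPass = "key password must be provided"
)

// ValidatePKCS12 returns the error the scenarios expect, or nil when allowed.
// Assumptions: check order, and that legacy-pkcs12 follows the pkcs12 rules.
func ValidatePKCS12(o Opts) error {
	if o.Format != "pkcs12" && o.Format != "legacy-pkcs12" {
		return nil
	}
	enrolling := o.Action == "enroll" || o.Action == "renew"
	switch {
	case enrolling && o.CSR == "file":
		return errors.New(errCSRFile) // key was generated outside VCert
	case enrolling && o.NoPickup && (o.CSR == "" || o.CSR == "local"):
		return errors.New(errCSRLocal) // local key would never reach a keystore
	case enrolling && o.NoPickup:
		return nil // -csr service: nothing is written yet, so -file is not needed
	case o.File == "":
		return errors.New(errNeedFile) // no PKCS#12 output to STDOUT
	case o.Action == "pickup" && o.KeyPassword == "":
		return errors.New(errNeedPass) // pickup needs the key password
	}
	return nil
}

func main() {
	fmt.Println(ValidatePKCS12(Opts{Action: "enroll", Format: "pkcs12"}))
}
```

The `-no-prompt` enroll path returns nil with an empty `KeyPassword`, which matches the scenarios that expect an archive with password `""`; a keystore produced that way leaves the private key protected only by file permissions.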