github.com/Venafi/vcert/v5@v5.10.2/aruba/features/renew/renew-with-csr-service.feature

@TPP
Feature: renew action with `-csr service` option

  As a user
  I want to renew certificates that were enrolled by the app
  using the `-csr service` option, meaning that the new private key and CSR are generated on the service side.

  It requires the key password to be typed interactively, or the -key-password option to be used, to download the key from TPP.

  - for TPP:
    - the certificate is requested to be renewed on the service side.
      if it is a "User Provided CSR",
      then a "Waiting for new CSR" error is returned

      if it is a "Service Generated CSR", then
        if policy allows key reuse, the old CSR is signed; otherwise a new key and CSR are generated

      if it is a "Service Generated CSR" and PKCS#12 format is specified, then
        if policy allows key reuse, the old CSR is signed; otherwise a new key and CSR are generated, and a PKCS#12 file is returned

  - for Condor:
    - the certificate is requested to be renewed on the service side
      if policy allows key reuse, the old CSR is signed; otherwise an error is returned

  Background:
    Given the default aruba exit timeout is 180 seconds

  Scenario: where it should return an error if renew is used in TPP with -csr=service and empty -key-password
    When I renew the certificate in TPP with flags -id xxx -no-prompt -csr service
    Then it should fail with "-key-password cannot be empty in -csr service mode for TPP unless -no-pickup specified"

  Scenario: renew user-provided-CSR certificate in TPP with `-csr service` option
    Given I enroll random certificate using TPP with -no-prompt -key-file k.pem -cert-file c.pem
    And it should write private key to the file "k.pem"
    And it should write certificate to the file "c.pem"
    And it should output Pickup ID
    When I renew the certificate in TPP using the same Pickup ID with flags -no-prompt -cert-file c1.pem -key-file k1.pem -csr service -key-password Passcode123!
    Then it should fail with "Status: 400"

  Scenario: renew service-generated-CSR certificate in TPP with `-csr service` option
    Given I enroll random certificate using TPP with -csr service -key-file k.pem -cert-file c.pem -key-password Passcode123!
    And it should write private key to the file "k.pem"
    And it should write certificate to the file "c.pem"
    And it should output Pickup ID
    When I renew the certificate in TPP using the same Pickup ID with flags -cert-file c1.pem -key-file k1.pem -csr service -key-password Passcode123!
    Then it should retrieve certificate
    And it should write private key to the file "k1.pem"
    And it should write certificate to the file "c1.pem"
    And private key in "k1.pem" and certificate in "c1.pem" should have the same modulus

  Scenario: renew service-generated-CSR certificate in TPP with `-csr service` option with no passphrase using -no-prompt
    Given I enroll random certificate using TPP with -csr service -key-file k.pem -cert-file c.pem -no-prompt
    And it should write private key to the file "k.pem"
    And it should write certificate to the file "c.pem"
    And it should output Pickup ID
    When I renew the certificate in TPP using the same Pickup ID with flags -csr service -no-prompt -no-pickup
    And it should output Pickup ID
    And I retrieve the certificate from TPP using the same Pickup ID with --no-prompt -cert-file c1.pem -key-file k1.pem
    And it should write private key to the file "k1.pem"
    And it should write certificate to the file "c1.pem"
    And private key in "k1.pem" and certificate in "c1.pem" should have the same modulus

  # CSR generated by VaaS is working now, but we still need to verify this test is functioning correctly before enabling it.
  # IMPORTANT: currently all tests in this file except this one are for TPP, so the feature carries a TPP tag at the top of this file;
  # keep this in mind when enabling it, since it may slip through the TPP tests instead of the VaaS ones if this is not handled correctly.
  @TODO @VAAS
  Scenario: renew certificate in VaaS with -csr=service, which works only if the Zone's policy allows key reuse
    Given I enroll random certificate using VaaS with -csr service -no-prompt -key-file k.pem -cert-file c.pem -timeout 180
    And it should write private key to the file "k.pem"
    And it should write certificate to the file "c.pem"
    And it should output Pickup ID
    Then I renew the certificate in VaaS using the same Pickup ID with flags -csr service -no-prompt -cert-file c1.pem -key-file k1.pem
    And it should retrieve certificate
    But it should not output private key
    And it should write certificate to the file "c1.pem"
    And certificate in "k.pem" and certificate in "k1.pem" should have the same modulus
    And certificate in "c.pem" and certificate in "c1.pem" should not have the same serial

  Scenario: renew service-generated-CSR certificate in TPP with `-csr service` option with PKCS12 flag
    Given I enroll random certificate with dummy password using TPP with -csr service -key-file k.pem -cert-file c.pem
    And it should write private key to the file "k.pem"
    And it should write certificate to the file "c.pem"
    And it should output Pickup ID
    When I renew the certificate using a dummy password in TPP using the same Pickup ID with flags -csr service -file all.p12 -format pkcs12
    Then it should retrieve certificate
    And "all.p12" should be PKCS#12 archive with dummy password

  Scenario: renew service-generated-CSR certificate in TPP with `-csr service` option with PKCS12 legacy flag
    Given I enroll random certificate with dummy password using TPP with -csr service -key-file k.pem -cert-file c.pem
    And it should write private key to the file "k.pem"
    And it should write certificate to the file "c.pem"
    And it should output Pickup ID
    When I renew the certificate using a dummy password in TPP using the same Pickup ID with flags -csr service -file all.p12 -format legacy-pkcs12
    Then it should retrieve certificate
    And "all.p12" should be PKCS#12 archive in legacy mode with dummy password
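The scenarios above assert two things about a service-side renewal: the key vcert wrote (k1.pem) must belong to the certificate it wrote (c1.pem), and c1.pem must be a new certificate rather than c.pem handed back again. The following Go program is an added example, not part of vcert or of this feature file; it implements those two checks over PEM input and generalises the "same modulus" step to a public-key comparison so that EC keys, which have no modulus, are covered as well. It assumes the key file is unencrypted (a key downloaded with -key-password is still encrypted and is rejected with an explicit error rather than misreported as a mismatch), and the key and certificate material it runs on in main is constructed self-signed test data with made-up serials, not anything issued by TPP or VaaS. The names CheckRenewal, EncodePair and renew-test.example are this example's own.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// parseCert decodes the first PEM CERTIFICATE block (the contents of c.pem or c1.pem).
func parseCert(certPEM []byte) (*x509.Certificate, error) {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, fmt.Errorf("no CERTIFICATE block found")
	}
	return x509.ParseCertificate(block.Bytes)
}

// parseKey decodes an unencrypted PEM private key (PKCS#1 RSA or SEC1 EC). A key
// downloaded with -key-password is still encrypted and must be decrypted first.
func parseKey(keyPEM []byte) (crypto.Signer, error) {
	block, _ := pem.Decode(keyPEM)
	if block == nil {
		return nil, fmt.Errorf("no PEM block found")
	}
	if _, legacy := block.Headers["Proc-Type"]; legacy || block.Type == "ENCRYPTED PRIVATE KEY" {
		return nil, fmt.Errorf("private key is encrypted; decrypt it before checking")
	}
	switch block.Type {
	case "RSA PRIVATE KEY":
		return x509.ParsePKCS1PrivateKey(block.Bytes)
	case "EC PRIVATE KEY":
		return x509.ParseECPrivateKey(block.Bytes)
	}
	return nil, fmt.Errorf("unsupported key block type %q", block.Type)
}

// CheckRenewal performs the two assertions the scenarios make on a renewed pair:
// keyMatches is the "same modulus" step generalised to a public-key comparison
// (covering EC keys, which have no modulus); serialChanged is the "should not
// have the same serial" step, which catches a renewal that returned the old cert.
func CheckRenewal(oldCertPEM, newKeyPEM, newCertPEM []byte) (keyMatches, serialChanged bool, err error) {
	key, err := parseKey(newKeyPEM)
	if err != nil {
		return false, false, err
	}
	oldCert, err := parseCert(oldCertPEM)
	if err != nil {
		return false, false, err
	}
	newCert, err := parseCert(newCertPEM)
	if err != nil {
		return false, false, err
	}
	pub, ok := newCert.PublicKey.(interface{ Equal(crypto.PublicKey) bool })
	if !ok {
		return false, false, fmt.Errorf("unsupported public key type %T", newCert.PublicKey)
	}
	return pub.Equal(key.Public()), oldCert.SerialNumber.Cmp(newCert.SerialNumber) != 0, nil
}

// EncodePair produces constructed test data: a SEC1 PEM key and a self-signed PEM
// certificate with the given serial. Nothing here is issued by TPP or VaaS.
func EncodePair(k *ecdsa.PrivateKey, serial int64) (keyPEM, certPEM []byte) {
	keyDER, err := x509.MarshalECPrivateKey(k)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: "renew-test.example"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	certDER, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &k.PublicKey, k)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER}),
		pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: certDER})
}

func main() {
	k0, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	k1, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	oldKey, oldCert := EncodePair(k0, 1001) // stand-ins for k.pem / c.pem from enrollment
	newKey, newCert := EncodePair(k1, 1002) // stand-ins for k1.pem / c1.pem from a fresh-key renewal
	fresh, changed, err := CheckRenewal(oldCert, newKey, newCert)
	stale, _, _ := CheckRenewal(oldCert, oldKey, newCert)
	fmt.Println("k1 matches c1:", fresh, "serial changed:", changed, "k matches c1:", stale, "err:", err)
}
```

Against real vcert output, read c.pem, k1.pem and c1.pem with os.ReadFile and pass them to CheckRenewal in that order. When the zone policy allows key reuse, k.pem and k1.pem carry the same key, so CheckRenewal(c.pem, k.pem, c1.pem) is expected to report a match as well; when it does not, only k1.pem may match c1.pem.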