Fix temporary SSL server key removal

.github/workflows/ca-basic-test.yml

@@ -64,14 +64,22 @@ jobs:
               -D pki_request_id_generator=random \
               -v
 
-          # set buffer size to 0 so that revocation takes effect immediately
-          docker exec pki pki-server ca-config-set auths.revocationChecking.bufferSize 0
+      - name: Check CA certs and keys
+        run: |
+          # check certs
+          docker exec pki pki-server cert-find
 
-          # enable signed audit log
-          docker exec pki pki-server ca-config-set log.instance.SignedAudit.logSigning true
+          # check keys
+          echo "Secret.123" > password.txt
+          docker cp password.txt pki:password.txt
+          docker exec pki certutil -K \
+              -d /etc/pki/pki-tomcat/alias \
+              -f password.txt | tee output
 
-          # restart CA subsystem
-          docker exec pki pki-server ca-redeploy --wait
+          # there should be no orphaned keys
+          echo "0" > expected
+          grep "(orphan)" output | wc -l > actual
+          diff expected actual
 
       - name: Check CA signing cert
         run: |
@@ -120,6 +128,17 @@ jobs:
       - name: Run PKI healthcheck
         run: docker exec pki pki-healthcheck --failures-only
 
+      - name: Update CA configuration
+        run: |
+          # set buffer size to 0 so that revocation takes effect immediately
+          docker exec pki pki-server ca-config-set auths.revocationChecking.bufferSize 0
+
+          # enable signed audit log
+          docker exec pki pki-server ca-config-set log.instance.SignedAudit.logSigning true
+
+          # restart CA subsystem
+          docker exec pki pki-server ca-redeploy --wait
+
       - name: Initialize PKI client
         run: |
           docker exec pki pki-server cert-export ca_signing --cert-file ca_signing.crt

.github/workflows/ca-rsnv1-test.yml

@@ -63,6 +63,23 @@ jobs:
               -D pki_random_serial_numbers_enable=True \
               -v
 
+      - name: Check CA certs and keys
+        run: |
+          # check certs
+          docker exec pki pki-server cert-find
+
+          # check keys
+          echo "Secret.123" > password.txt
+          docker cp password.txt pki:password.txt
+          docker exec pki certutil -K \
+              -d /etc/pki/pki-tomcat/alias \
+              -f password.txt | tee output
+
+          # there should be no orphaned keys
+          echo "0" > expected
+          grep "(orphan)" output | wc -l > actual
+          diff expected actual
+
       # https://github.com/dogtagpki/pki/wiki/Configuring-CA-with-Random-Serial-Numbers-v3
       - name: Switch to RSNv3
         run: |

.github/workflows/ca-sequential-test.yml

@@ -63,6 +63,23 @@ jobs:
               -D pki_request_id_generator=legacy \
               -v
 
+      - name: Check CA certs and keys
+        run: |
+          # check certs
+          docker exec pki pki-server cert-find
+
+          # check keys
+          echo "Secret.123" > password.txt
+          docker cp password.txt pki:password.txt
+          docker exec pki certutil -K \
+              -d /etc/pki/pki-tomcat/alias \
+              -f password.txt | tee output
+
+          # there should be no orphaned keys
+          echo "0" > expected
+          grep "(orphan)" output | wc -l > actual
+          diff expected actual
+
       # https://github.com/dogtagpki/pki/wiki/Configuring-CA-with-Random-Serial-Numbers-v3
       - name: Switch to RSNv3
         run: |

.github/workflows/ipa-basic-test.yml

@@ -52,7 +52,7 @@ jobs:
 
           docker exec ipa pki-server cert-export ca_signing --cert-file ca_signing.crt
 
-      - name: Check DS certs
+      - name: Check DS certs and keys
         run: |
           docker exec ipa ls -la /etc/dirsrv/slapd-EXAMPLE-COM
           docker exec ipa pki -d /etc/dirsrv/slapd-EXAMPLE-COM nss-cert-find
@@ -62,12 +62,25 @@ jobs:
               -d /etc/dirsrv/slapd-EXAMPLE-COM \
               -C /etc/dirsrv/slapd-EXAMPLE-COM/pwdfile.txt \
               nss-key-find
+          docker exec ipa certutil -K \
+              -d /etc/dirsrv/slapd-EXAMPLE-COM \
+              -f /etc/dirsrv/slapd-EXAMPLE-COM/pwdfile.txt
 
-      - name: Check PKI certs
+      - name: Check PKI certs and keys
         run: |
-          docker exec ipa ls -la /etc/pki/pki-tomcat/alias
+          # check certs
           docker exec ipa pki-server cert-find
 
+          # check keys
+          docker exec ipa certutil -K \
+              -d /etc/pki/pki-tomcat/alias \
+              -f /etc/pki/pki-tomcat/alias/pwdfile.txt | tee output
+
+          # there should be no orphaned keys
+          echo "0" > expected
+          grep "(orphan)" output | wc -l > actual
+          diff expected actual
+
       - name: Check CA admin cert
         run: |
           docker exec ipa ls -la /root/.dogtag/pki-tomcat

base/server/python/pki/server/deployment/__init__.py

@@ -1790,29 +1790,19 @@ def create_temp_sslserver_cert(self, instance):
             nssdb.close()
             shutil.rmtree(tmpdir)
 
-    def remove_temp_sslserver_cert(self, instance, sslserver):
-
-        # TODO: replace with pki-server cert-import sslserver
+    def remove_temp_sslserver_cert(self, instance):
 
         nickname = self.mdict['pki_self_signed_nickname']
-        token = sslserver['token']
-
-        logger.info('Removing temp SSL server cert from internal token: %s', nickname)
+        logger.info('Removing temp SSL server cert: %s', nickname)
 
         nssdb = instance.open_nssdb(
             user=self.mdict['pki_user'],
             group=self.mdict['pki_group']
         )
 
         try:
-            # Remove temp SSL server cert from internal token.
-            # Remove temp key too if the perm cert uses HSM.
-            if pki.nssdb.normalize_token(token):
-                remove_key = True
-            else:
-                remove_key = False
-
-            nssdb.remove_cert(nickname=nickname, remove_key=remove_key)
+            # remove temp SSL server cert and key
+            nssdb.remove_cert(nickname=nickname, remove_key=True)
 
         finally:
             nssdb.close()

base/server/python/pki/server/deployment/scriptlets/configuration.py

@@ -286,7 +286,7 @@ def spawn(self, deployer):
                     timeout=deployer.request_timeout)
 
                 # Remove temp SSL server cert.
-                deployer.remove_temp_sslserver_cert(instance, system_certs['sslserver'])
+                deployer.remove_temp_sslserver_cert(instance)
 
             # Store perm SSL server cert nickname and token
             nickname = system_certs['sslserver']['nickname']