Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

Table of Contents

Overview

The following steps are for testing Certificate Management functionality. Certificate Management is an interface used to simplify the process of creating new certificate and managing certificates within KeyStore and TrustStore. It is divided into three sections - Manage KeyStore, Manage TrustStore and Import Wizard:

  1. Manage KeyStore: Displays list of available KeyStores from the CONNECT Configuration
  2. Manage TrustStore: Displays list of available TrustStores from the CONNECT Configuration. Allows user to Import, View and Delete a certificate in TrustStore
  3. Import Wizard: Allow user to create new certificate and import server certificate, CA root, CA intermediate into KeyStore, TrustStore

...

Expand the Certificate Management from left navigation and execute the following tests:

Manage KeyStore

Test ScenarioTest StepsExpected Result
Manage KeyStore left navigation menu item availability
  • Login to AdminGUI and click on Certificate Management from left navigation panel
  • Manage KeyStore menu item should appear under Certificate Management
Verify Manage KeyStore page displays with list of all the available KeyStores from the CONNECT configuration
  • Select Certificate Management → Manage KeyStore from the left navigation panel

Manage KeyStore tab will show as below:

  • KeyStore location from the CONNECT configuration
  • List of available KeyStores from the CONNECT configuration with below table values:
    • Alias: Name given to the CA certificate
    • Algorithm: Indicates cryptographic algorithm that are used for creating key pairs and performing digital signature operations (e. x. RSA)
    • Key Size: Defines length of the key used by algorithm
    • Expiration Date: Displays certificate expiration date. 
      • Green: Indicates valid > 90 days
      • Red: Indicates expired
      • Yellow: Indicates expiring soon < 90 days
    • Subject Key Identifier (SKI):  Hash value of the SSL certificate used to identify certificates that contain a particular public key
    • Authority Key Identifier (AKI): Key identifier of the issuing CA certificate that signed the SSL certificate. This value would match the SKI value of the intermediate CA certificate
  • 'View Certificate' button enabled
Using Keytool or KeyStore Explorer application verify list of certificates from KeyStore match with the list displayed in Manage KeyStore tab 
  • Open KeyStore file from the CONNECT configuration
  • List of certificates in the KeyStore file will match with the list displayed in Manage KeyStore tab
View certificate details
  • Manage KeyStore tab → Select a record from the Keystore list table and click <View Certificate>
  • User must see a non editable child window with all the certificate details for the selected record
Verify record selection validation
  • Manage KeyStore tab → Do not select any record from Keystore list table and click <View Certificate>
  • "Please choose a certificate to view details" message will appear

Manage TrustStore

Expand the Certificate Manager from left navigation, select Manage TrustStore, and execute the following tests:

Test ScenarioTest StepsExpected Results
Manage TrustStore left navigation menu item availability
  • Login to AdminGUI and click on Certificate Manager from left navigation panel
  • Manage TrustStore menu item should appear under Certificate Manager
Verify Manage TrustStore page displays with list of all the available TrustStores from the CONNECT configuration
  • Select Certificate Manager → Manage TrustStore from the left navigation panel

Manage TrustStore tab will show as below:

  • TrustStore (cacerts.jks) location from the CONNECT configuration
  • List of available TrustStores from the CONNECT configuration with below table values:
    • Alias: Name given to the CA certificate
    • Algorithm: Indicates cryptographic algorithm that are used for creating key pairs and performing digital signature operations (e. x. RSA)
    • Key Size: Defines length of the key used by algorithm
    • Expiration Date: Displays certificate expiration date
      • Green: Indicates valid > 90 days
      • Red: Indicates expired
      • Yellow: Indicates expiring soon < 90 days
    • Subject Key Identifier (SKI):  Hash value of the SSL certificate used to identify certificates that contain a particular public key.
    • Authority Key Identifier (AKI): Key identifier of the issuing CA certificate that signed the SSL certificate. This value would match the SKI value of the intermediate CA certificate.
  • 'Delete', 'Import' , 'View', 'Refresh' and 'View Chain of Trust' buttons enabled
Using Keytool or KeyStore Explorer application verify list of certificates from cacerts.jks match with the list displayed in Manage TrustStore tab 
  • Open cacerts.jks file from the CONNECT configuration
  • List of certificates in the cacerts.jks file must match with the list displayed in Manage TrustStore tab
Verify record selection validation
  • Manage TrustStore tab → Do not select any record from Truststore list table and click <View>
  • "Please choose a certificate to view details" message will appear
View certificate details
  • Manage TrustStore tab → Select a record from the Truststore list table and click <View>
  • User must see a non editable child window with all the certificate details for the selected record
Verify certificate alias editable
  • Manage TrustStore tab → Select a record from the Truststore list table and click <View>
  • Edit Alias name to desired name and click <Update Certificate>
  • Selected record/certificate alias name updated per user input. 
  • Note: To cross verify open certificate (i.e. cacerts.jks) using Keytool or KeyStore Explorer application and user should see updated alias name for selected record/certificate
Delete certificate from the TrustStore list (i.e. cacerts.jks)
  • Manage TrustStore tab → Select a record from the Truststore list table and click <Delete>
  • Delete confirmation popup window will display with message "Are you sure you want to delete the selected certificate ?" with Yes, No buttons

Results as below:

  • Yes:
    •  User required to enter TrustStore Credentials, i.e. TrustStore password and click <OK>
    • Selected certificate deleted from the TrustStore list and user navigated back to Manage TrustStore tab.
  •  No:
    •  Record not deleted and user navigated back to Manage TrustStore tab
Verify user not allowed to delete server's public certificate
  • Manage TrustStore tab → Select server's  public certificate from the Truststore list table and click <Delete>
  • Delete confirmation popup window will display with message "Are you sure you want to delete the selected certificate ?" with Yes, No buttons

Results as below:

  • Yes :
    •  User required to enter TrustStore Credentials, i.e. TrustStore password and click <OK>
    • "System cannot remove its own public certificate" message will appear. Click <Cancel> button to navigate back to Manage TrustStore tab.
  •  No
    •  Record not deleted and user navigated back to Manage TrustStore tab
Verify user allowed to import any certificate (i.e. root certificate, intermediate certificate, server leaf certificate)  into truststore only (i.e. cacerts.jks)







  • Manage TrustStore tab → Click <Import> 
  • User navigated to Import Certificate popup window
  • Click <Choose> and select desired certificate for import
  • Desired certificate selected for import
  • Click <Upload> to upload the selected certificate
  • Successfully uploaded selected certificate
  • Click on record's 'Alias' column and update desired name
  • Successfully update the Alias name for newly uploaded certificate
  • If Alias name not updated on click of <Import> an UI error message will display "Enter an alias for the certificate"
  • Optional: Select <Refresh Services Cache> checkbox. (Note: Not necessary for new exchange, but when replacing certificate for an existing exchange it is recommended to select this box. It is because CONNECT caches and reuses web-services ports. When the ports are created, they are bind to a specific certificate. Importing a new certificate and trying to use it will result in error if user has not refreshed the ports.)
  • Able to select Refresh Services Cache checkbox
    • Note: This is back-end or server-side refresh, hence will not be able to verify the step except selection
  • Click <Import> for certificate to import into truststore (i..e cacert.jks)
  • UI error message will display "Select certificate for import"
  • Choose the record and click <Import> for certificate to import into truststore (i..e cacert.jks)
  • User navigated to TrustStore Credentials popup window to enter Truststore password
  • Enter Truststore password in TrustStore Credentials popup window and click <OK>
  • If user enter an existing alias name then an UI error message will display " Alias already in use in Truststore" otherwise selected certificate successfully imported into truststore (i.e. cacerts.jks) and user navigated to Manage TrustStore tab.
  • User must see newly uploaded certificate under Truststore list
  • When user see "Alias already in use in Truststore" UI error message:
    • Update alias name to unique name (i.e. not already used in Truststore) and click <Import>
    • Enter password in TrustStore Credentials popup window and click <OK>
  • Selected certificate successfully imported into truststore and user navigated to Manage TrustStore tab.
  • User must see newly uploaded certificate under TrustStore list
Verify Refresh functionality
  • To test this feature it is required to modify truststore (i.e. cacerts.jks) from the CONNECT server configuration not via AdminGUI UI. 
  • Using Keytool or KeyStore Explorer application open truststore certificate from CONNECT server configuration
  • Import a trusted certificate that is not present in truststore (i.e. cacerts.jks)
    • Keytool → Tools → Import Trusted Certificate → choose desired certificate and click <Open>
    • New certificate will be imported into truststore.
    • Click Save icon in Keytool application
    • Without restarting server click <Refresh> button in Manage TrustStore tab
  • Newly imported certificate must be present under TrustStore list

  • Follow above steps to open truststore from CONNECT server configuration and delete an existing certificate from truststore 
  • Click Save icon in Keytool application
  • Without restarting server click <Refresh> button in Manage TrustStore tab
  • Deleted certificate must not be present under TrustStore list 
View Chain of Trust record selection validation
  • Manage TrustStore tab → Do not select any record from Truststore list table and click <View Chain of Trust>
  • "Please choose a certificate to view chain" message will appear
Verify View Chain of Trust functionality
  • Manage TrustStore tab → Select a record from the Truststore list table and click <View Chain of Trust>
  • User navigated to Chain of Trust view popup window which shows detailed certificate information for the selected record

  • Manage TrustStore tab → Select an intermediate certificate from the Truststore list table and click <View Chain of Trust>
    • Note: Make sure CA root , CA intermediate imported into truststore for the selected intermediate certificate
  • User navigated to a Chain of Trust view popup window which lists associated root, intermediate certificate details for the selected record.  Note: This feature helps user to view associated chain of trust certificates at single place when multiple certificates are present

  • Manage TrustStore tab → Select a server or leaf certificate from the Truststore list table and click  <View Chain of Trust>
  • User navigated to a Chain of Trust view popup window and results as below: 
    • If root, intermediate certificates imported into Manage TrustStore for the selected server certificate then Chain of Trust window lists associated leaf, root, intermediate certificate details for the selected record.
    • If root, intermediate did not imported into Manage TrustStore for the selected server or leaf certificate then Chain of Trust window show certificate details with UI error: "A Parent certificate is missing. Import all certificates in the trust chain and restart server"

Import Wizard

Import  Wizard interface simplify the process of creating new certificate and importing CA certs into CONNECT configuration. A new set of certificates (i.e. KeyStore.jks, TrustStrore.jks) will be created under " //Connect-Properties/ImportWizard/New" folder. This page includes Start, Create Certificate, Certificate Signing Request,CA Providers, Import SSL Certificates tabs.

Start Tab

Test ScenarioTest StepsExpected Results
Import Wizard left navigation menu item availability
  • Login into AdminGUI and click on Certificate Manager from left navigation panel
  • Import Wizard menu item should appear under Certificate Manager

Verify below on Start tab:

  • Static text
  • Clickable below 3 links
    • Create a new Certificate
    • Generate CSR for an existing Certificate
    • Import SSL Certificate(s)
  • Select Certificate Manager → Import Wizard from the left navigation panel

Start tab will show below:

  • Static text as below:
  • Clickable below 3 links:
    • Create a new Certificate
    • Generate CSR for an existing Certificate
    • Import SSL Certificate(s)

  • On server restart, Select Certificate Manager → Import Wizard  and click directly on Create CSR link.
User should be able to create a CSR.

  • On server restart, Select Certificate Manager → Import Wizard  and click directly on Import SSL Certificate(s).
User should be able to go to Import SSL Certificate(s) tab. 
Verify tabs enable / disable functionality
  • Select Certificate Manager → Import Wizard
  • On page load only Start tab is enabled. Rest of the tabs must be disabled.

  • Import Wizard → Start tab and click on any of the below links and verify tabs navigation and enable / disable functionality. 
    • Create a New Certificate 
    • Generate CSR for an existing Certificate 
    • Import SSL Certificate(s)
  • When click on:
    • "Create a New Certificate" link
      • Only Start , Create Certificate tabs enabled and user navigated to Create Certificate tab
    • "Generate CSR for an existing Certificate" link
      • Only Start, Certificate Signing Request tabs enabled and user navigated to Certificate Signing Request tab
    • "Import SSL Certificate(s)" link
      • Only Start, Import SSL Certificates tabs enabled and user navigated to Import SSL Certificates tab

Create Certificate Tab

Test ScenarioTest StepsExpected Results
Visually verify Create Certificate default screen display
  • Click on Create a New Certificate link
  • Create Certificate  tab default view as below:

     

  • A temporary folder (importWizard/temp) must be created under CONNECT server configuration folder.  Existing KeyStore (i.e. gateway.jks) backup must be created under this temporary folder.
Required filed validation
  • Do not provide any values and click <Create>

UI errors must be present as below:

Verify Exchange drop down functionality 
  • Select any value from Exchange drop down
  • Below field values must be pre-populated
    • Organizational Unit(OU)
    • Organization(O)
    • County Name (C)
Verify updates in caauthority.properties file reflect  Exchange drop down 
  • Update one of the exchange drop down pre-populated values in caauthority.properties and save file.
    • Ex: Health.Exchange.Valiation=NHIN-test\,nhin\,US        <<To>> 
    • e.Health.Exchange.Valiation=CONNECT-test\,CONNECT\,US
  • Updated values must be pre-populated for selected exchange
Verify Create Certificate cancel functionality
  • Enter data in all the required fields and click <Cancel>
  • Cancel Import Wizard popup window display with " WARNING: This will clean up the file created by wizard. Continue delete ?"
    • Yes:  Must delete backup keystore file and temp folder from the importWizard folder which is under CONNECT server configuration
    • No: Must navigate back to Create Certificate screen
Verify Create Certificate functionality
  • Continue with previously entered form data and click <Create>
  • Below UI messages will display:
    • Successfully created certificate for: <<certificatename>>
    • Successfully created CSR for: <<certificatename>>
  • <Next> button is enabled
Verify Certificate validity, key size and signature algorithm for newly created certificate
  • Open newly created certificate (under //importWizard/temp) using Keytool or KeyStore Explorer applications. Right click on certificate → View Details → Certificate Chain Details
  • Certificate must be valid
  • Certificate signature algorithm must be (SHA256withRSA)
  • Certificate publlic key size must be RSA 2048 bit
Verify navigation from Create Certificate page
  • Once the certificate created successfully Next button is enabled. Click <Next>
  • User navigated to Certificate Signing Request Tab

  • If AdminGUI session expired after certificate creation, then re login into application. From Start tab click on ' Generate CSR for an existing Certificate' link
  • User navigated to Certificate Signing Request Tab

Certificate Signing Request Tab

Test ScenarioTest StepsExpected Results
Verify Certificate Signing Request (CSR) functionality

User navigated to CSR tab when:

  • Certificate created successfully and click <Next> from Create Certificate tab (or)
  • Application session expired after Certificate creation. Re login into application. From Start tab click on 'Generate CSR for an existing Certificate' link

Results as below:

  • Via Certificate Create <Next> :
    • CSR Type : PKCS 10 <prepopulated value>
    • Alias: <<Newly created certificate alias prepopulated>>
    • CSR text: CSR text generated and not editable
    • Example screen snippet below:
  • Via Start tab 'Generate CSR for an existing Certificate' link:
    • CSR Type: PKCS 10 <prepopulated value>
    • Alias: — <selection mandatory>
    • CSR text: blank
    • Only Cancel button enabled
    • Example screen snippet below:
Verify CSR text populated when user navigated via Start tab → Certificate Signing Request tab
  • Select Alias name of the newly created certificate
  • CSR text is generated and UI message shows as "Successfully created CSR for: <<selected alias name>>" 
  • Copy, Download buttons enabled
Verify user allowed to copy or download CSR text
  • Click <Copy> or <Download> to get local copy of CSR text (i.e. .csr file)
  • File copied or download successfully
  • Next button enabled
Verify CSR tab cancel functionality
  • Click <Cancel> in CSR tab
  • Cancel Import Wizard popup window display with " WARNING: This will clean up the file created by wizard. Continue delete ?"
    • Yes:  Must delete files and temp folder from the importWizard folder which is under CONNECT server configuration
    • No: Must navigate back to CSR tab
Verify navigation from Certificate Signing Request tab
  • Click <Next> 
  • User navigated to CA Providers tab

CA Provider Tab

Test ScenarioTest StepsExpected Results
Visually verify CA Providers tab default screen display
  •  Click <Next> from CSR tab
  • CA Providers default view as below: 
Verify all links displayed from the caauthority.properties file
  • open caauthority.properties file from CONNECT server configuration
    • Visually verify links under "#CA Authority Info: identifiable links" displayed in CA Providers tab
  • CA Providers tab display all identifiable links from caacuthority.properties

  • Add new link or delete an existing link from caauthority.properties file
  • Verify CA Providers tab displays updated links
    • Changes will show up in CA Providers tab only after re-login and go to CA Providers tab
  • CA Providers tab display updated identifiable links from caauthority.properties

Submit CSR (i.e .csr file) to CA Authority and acquire a new SSL certificate.

  • Follow CA provider tab page instruction to get SSL certificate
  • In order to get root and intermediate certificates either you can use Open SSL command or via browser:
    • Via openssl cmd line: 
      • openssl s_client -showcerts -connect <<your domain name:443 will show server, root and intermediate certificates.
      • Copy intermediate content into CA intermediate and root content into CA root file.
    • Via browser:
      • Open SSL certificate via Keystore Explorer or browser it looks like below:
      • Copy CA root, CA intermediate as below:
  • This scenario can be tested by using CA on SonarQube server to get a signed certificate.
  • User must have a server certificate and chain of trust certificates (i.e.  CA root and CA Intermediate).
Verify navigation from CA Provider tab
  • Click <Next> 
  • User navigated to Import SSL Certificates tab

  • If AdminGUI session expired, then re login into application. From Start tab click on ' Import SSL Certificates' link
  • User navigated to Import SSL Certificates tab

Import SSL Certificate(s) 

Test ScenarioTest StepsExpected Results
Visually verify Import SSL Certificates tab default screen display
  •  Click <Next> from CA Provider tab
  • Import SSL Certificates default page view as below:
Verify required field validation
  • Do not select any values click <Import>
  • User must see below errors:
    • Alias is required
    • Server Certificate is required
Verify Clear functionality
  • Select values from the drop down and click <Clear>
  • Import SSL Certificates tab page refreshed and default page displayed.
Verify importing only Server Certificate
  • Select Alias value from drop down
  • Choose Server Certificate to import and click <Import>
  • Server Certificate must be imported into keystores (i.e. under //importWizard/temp/gateway.jks)
  • Using Keytool application open gateway.jks file from //importWizard/temp folder and make sure newly imported server certificate present. 
Verify importing Server Certificate, CA root and CA intermediate validation
  • Select Alias value from drop down
  • Choose Server Certificate
  • Choose CA Root
  • Do Not choose anything for CA Intermediate and  click <Import>

Note: Repeat same scenario without selecting CA root and select CA Intermediate

  • UI error message as "Root and Intermediate Certificates must both be present in order to import Chain of Trust."
Verify importing Server Certificate, CA root and CA intermediate
  • Select Alias value from drop down
  • Choose Server Certificate
  • Choose CA Root
  • Choose CA Intermediate and click <Upload> and then click <Import>
  • Server Certificate, CA Root and CA Intermediate must be imported into keystore , truststore (ie. under //importWizard/temp/gateway.jks, cacerts.jks)
  • UI confirmation message displayed "Import to temporary KeyStore/TrustStore is successful"
  • Using Keytool application open gateway.jks, cacerts.jks file from //importWizard/temp folder and make sure newly imported server certificate present.
Verify complete functionality
  • After successful import of Certificates click <Complete>
  • Complete Import Wizard popup window display as below:
  • Yes:
    • New Keystore, Truststore created under new folder (i.e. //importWizard/new) and temp folder deleted. 
    • User navigate back to Import SSL Certificate tab and confirmation message display as below:
  • No: User navigate back to Import SSL Certificate tab
Verify AdminGUI functions with new certificates
  • Stop the server
  • Copy certificates from //importWizard/New folder to the CONNECT server configuration folder (i.e. main)
  • Restart the server
  • AdminGUI functionality works as expected

Note: https://connectopensource.atlassian.net/wiki/x/AgCJKQsee Generate Chain of Trust

  • Generate a real-certificate from the CSR is expected for the server to work.
Verify replacing existing server certificate via Import Wizard
  • Select Alais value from drop down 
  • Choose Server Certificate and click <Import>
  • UI error message as "Create a CSR and get SSL Certificates from your CA Providers before replacing existing Certificates with alias: <<selected alias name>>

Note: In order to replace an existing server certificate, it is required to generate a CSR, SSL certs, then user will be able to replace existing server certificate successfully 


Generate Chain of Trust

Manually generate the chain-of-trust for testing purpose; the official process is to submit your CSR to your CA provider and received CSR-Reply from your CA provider and chain of trust.

Info
titleNote

The steps below reference to the script exist on the sonarqube server (internal use) that used to generate certificate with a chain-of-trust; this process required technical knowledge of the keytool and setup of individual user to make it work.

  1. Generate new key 
    1. keytool -genkey -alias gateway -keyalg RSA -keystore gateway.jks -dname "CN=<computername>, OU=<yourinput>, O=<yourinput>, C=US" -validity 365 -keysize 2048
      1. Make sure we use unique name for computer name. 
      2. OU,O,C is optional 
  2. Generate CSR (make sure we generate unique csr name)
    1. keytool -certreq -alias gateway -keystore gateway.jks -file gateway-yyyMMdd.csr
  3. Transfer CSR to sonarqube server (AWS-EC2-Sonarqube-server):
    1. ehealth exchange: /nhin/ca/intermediate/csr
    2. Carequality Exchange: /nhin/carequalityCA/intermediate/csr
  4. Generate CSR Reply:
    1. ehealth exchange:  (FYI - Password to use on Sonarqube box: admin1)

      Code Block
      titleehealth
      cd /nhin/ca
      openssl ca -config intermediate/openssl.cnf -extensions server_cert -days 375 -notext -md sha256 -in intermediate/csr/gateway-yyyMMdd.csr -out intermediate/certs/gateway-yyyMMdd.crt


    2. carequality exchange:

      Code Block
      titleCareQuality
      cd /nhin/carequalityCA
      openssl ca -config intermediate/openssl.cnf -extensions server_cert -days 375 -notext -md sha256 -in intermediate/csr/gateway-yyyyMMdd.csr -out intermediate/certs/gateway-yyyMMdd.crt


  5. Transfer gateway-yyyyMMdd.crt to your local
    1. ehealth exchange: /nhin/ca/intermediate/certs/gateway-yyyyMMdd.crt
    2. Carequality Exchange: /nhin/carequalityCA/intermediate/certs/gateway-yyyyMMdd.crt
  6. Transfer CA Root/Intermediate cert to your local.
    1. ehealth exchange: 
      1. Root: /nhin/ca/certs/ca.cert.pem
      2. Intermediate: /nhin/ca/intermediate/certs/intermediate.cert.pem
    2. carequality exchange:
      1. Root: /nhin/carequalityCA/certs/ca.cert.pem
      2. Intermediate: /nhin/carequalityCA/intermediate/certs/intermediate.cert.pem
  7. Import Certs to Keystore
    1. keytool -import -trustcacerts -alias <exchange_name>-root -file ca.cert.pem -keystore gateway.jks
    2. keytool -import -trustcacerts -alias <exchange_name>-intermediate -file intermediate.cert.pem -keystore gateway.jks
    3. keytool -import -trustcacerts -alias gateway -file gateway-yyyyMMdd.crt -keystore gateway.jks
  8. Import CA Root/Intermediate Certs to TrustStore:
    1. keytool -import -trustcacerts -alias <exchange_name>-root -file ca.cert.pem -keystore cacerts.jks
    2. keytool -import -trustcacerts -alias <exchange_name>-intermediate -file intermediate.cert.pem -keystore cacerts.jks
  9. Optional:  If you want to see chain of trust graphically, you may need to import Root and intermediate into browser
    1. Control Panel→Internet Optional→Content
      1. Click on Certificates→Trusted Root Certification Authorities.
      2. Click on Import and follow the wizard to import the root
      3. Follow the same for intermediate cert

Image Added