Overview
The following steps test the Certificate Management functionality. Certificate Management is an interface that simplifies creating new certificates and managing certificates within the KeyStore and TrustStore. It is divided into three sections: Manage KeyStore, Manage TrustStore and Import Wizard:
- Manage KeyStore: Displays the list of available KeyStores from the CONNECT configuration
- Manage TrustStore: Displays the list of available TrustStores from the CONNECT configuration. Allows the user to import, view and delete a certificate in the TrustStore
- Import Wizard: Allows the user to create a new certificate and import the server certificate, CA root and CA intermediate into the KeyStore and TrustStore
Test Environment
- Deploy CONNECT ear and AdminGUI war
- Successfully execute ConnectValidation suite before running AdminGUI test cases
- Browse to http://localhost:8080/CONNECTAdminGUI/
Certificate Management
Expand Certificate Management in the left navigation and execute the following tests:
Manage KeyStore
Test Scenario | Test Steps | Expected Result |
---|---|---|
Manage KeyStore left navigation menu item availability |
|
|
Verify Manage KeyStore page displays with list of all the available KeyStores from the CONNECT configuration |
| Manage KeyStore tab will show as below:
|
Using Keytool or the KeyStore Explorer application, verify that the list of certificates in the KeyStore matches the list displayed in the Manage KeyStore tab |
|
|
View certificate details |
|
|
Verify record selection validation |
|
|
Manage TrustStore
Expand the Certificate Manager from left navigation, select Manage TrustStore, and execute the following tests:
Test Scenario | Test Steps | Expected Results |
---|---|---|
Manage TrustStore left navigation menu item availability |
|
|
Verify Manage TrustStore page displays with list of all the available TrustStores from the CONNECT configuration |
| Manage TrustStore tab will show as below:
|
Using Keytool or the KeyStore Explorer application, verify that the list of certificates in cacerts.jks matches the list displayed in the Manage TrustStore tab |
|
|
Verify record selection validation |
|
|
View certificate details |
|
|
Verify certificate alias editable |
|
|
Delete certificate from the TrustStore list (i.e. cacerts.jks) |
| Results as below:
|
Verify user not allowed to delete server's public certificate |
| Results as below:
|
Verify user allowed to import any certificate (i.e. root certificate, intermediate certificate, server leaf certificate) into truststore only (i.e. cacerts.jks) |
|
|
Verify Refresh functionality |
|
|
View Chain of Trust record selection validation |
|
|
Verify View Chain of Trust functionality |
|
|
Import Wizard
The Import Wizard interface simplifies the process of creating a new certificate and importing CA certs into the CONNECT configuration. A new set of certificates (i.e. KeyStore.jks, TrustStore.jks) will be created under the " //Connect-Properties/ImportWizard/New" folder. This page includes the Start, Create Certificate, Certificate Signing Request, CA Providers and Import SSL Certificates tabs.
Start Tab
Test Scenario | Test Steps | Expected Results |
---|---|---|
Import Wizard left navigation menu item availability |
|
|
Verify below on Start tab:
|
| Start tab will show below:
|
| User should be able to create a CSR. | |
| User should be able to go to Import SSL Certificate(s) tab. | |
Verify tabs enable / disable functionality |
|
|
Create Certificate Tab
Test Scenario | Test Steps | Expected Results |
---|---|---|
Visually verify Create Certificate default screen display |
|
|
Required field validation |
| UI errors must be present as below: |
Verify Exchange drop down functionality |
|
|
Verify updates in caauthority.properties file reflect Exchange drop down |
|
|
Verify Create Certificate cancel functionality |
|
|
Verify Create Certificate functionality |
|
|
Verify Certificate validity, key size and signature algorithm for newly created certificate |
|
|
Verify navigation from Create Certificate page |
|
|
Certificate Signing Request Tab
Test Scenario | Test Steps | Expected Results |
---|---|---|
Verify Certificate Signing Request (CSR) functionality | User navigated to CSR tab when:
| Results as below:
|
Verify CSR text populated when user navigated via Start tab → Certificate Signing Request tab |
|
|
Verify user allowed to copy or download CSR text |
|
|
Verify CSR tab cancel functionality |
|
|
Verify navigation from Certificate Signing Request tab |
|
|
CA Provider Tab
Test Scenario | Test Steps | Expected Results |
---|---|---|
Visually verify CA Providers tab default screen display |
|
|
Verify all links displayed from the caauthority.properties file |
|
|
Submit CSR (i.e. .csr file) to CA Authority and acquire a new SSL certificate. |
|
|
Verify navigation from CA Provider tab |
|
|
Import SSL Certificate(s)
Test Scenario | Test Steps | Expected Results |
---|---|---|
Visually verify Import SSL Certificates tab default screen display |
|
|
Verify required field validation |
|
|
Verify Clear functionality |
|
|
Verify importing only Server Certificate |
|
|
Verify importing Server Certificate, CA root and CA intermediate validation |
Note: Repeat same scenario without selecting CA root and select CA Intermediate |
|
Verify importing Server Certificate, CA root and CA intermediate |
|
|
Verify complete functionality |
|
|
Verify AdminGUI functions with new certificates |
|
Note: see Generate Chain of Trust
|
Verify replacing existing server certificate via Import Wizard |
|
|
Generate Chain of Trust
Manually generate the chain of trust for testing purposes; the official process is to submit your CSR to your CA provider and receive the CSR reply and the chain of trust from your CA provider.
Note
The steps below refer to a script on the sonarqube server (internal use) that is used to generate a certificate with a chain of trust; this process requires technical knowledge of keytool and setup for each individual user to make it work.
- Generate new key
  - keytool -genkey -alias gateway -keyalg RSA -keystore gateway.jks -dname "CN=<computername>, OU=<yourinput>, O=<yourinput>, C=US" -validity 365 -keysize 2048
  - Make sure to use a unique name for the computer name.
  - OU, O and C are optional
- Generate CSR (make sure to generate a unique CSR file name)
  - keytool -certreq -alias gateway -keystore gateway.jks -file gateway-yyyyMMdd.csr
- Transfer CSR to sonarqube server (AWS-EC2-Sonarqube-server):
  - ehealth exchange: /nhin/ca/intermediate/csr
  - Carequality Exchange: /nhin/carequalityCA/intermediate/csr
- Generate CSR Reply:
  - ehealth exchange: (FYI - Password to use on Sonarqube box: admin1)
    - cd /nhin/ca
    - openssl ca -config intermediate/openssl.cnf -extensions server_cert -days 375 -notext -md sha256 -in intermediate/csr/gateway-yyyyMMdd.csr -out intermediate/certs/gateway-yyyyMMdd.crt
  - carequality exchange:
    - cd /nhin/carequalityCA
    - openssl ca -config intermediate/openssl.cnf -extensions server_cert -days 375 -notext -md sha256 -in intermediate/csr/gateway-yyyyMMdd.csr -out intermediate/certs/gateway-yyyyMMdd.crt
- Transfer gateway-yyyyMMdd.crt to your local machine
  - ehealth exchange: /nhin/ca/intermediate/certs/gateway-yyyyMMdd.crt
  - Carequality Exchange: /nhin/carequalityCA/intermediate/certs/gateway-yyyyMMdd.crt
- Transfer CA Root/Intermediate cert to your local machine.
  - ehealth exchange:
    - Root: /nhin/ca/certs/ca.cert.pem
    - Intermediate: /nhin/ca/intermediate/certs/intermediate.cert.pem
  - carequality exchange:
    - Root: /nhin/carequalityCA/certs/ca.cert.pem
    - Intermediate: /nhin/carequalityCA/intermediate/certs/intermediate.cert.pem
- Import Certs to Keystore
  - keytool -import -trustcacerts -alias <exchange_name>-root -file ca.cert.pem -keystore gateway.jks
  - keytool -import -trustcacerts -alias <exchange_name>-intermediate -file intermediate.cert.pem -keystore gateway.jks
  - keytool -import -trustcacerts -alias gateway -file gateway-yyyyMMdd.crt -keystore gateway.jks
- Import CA Root/Intermediate Certs to TrustStore:
  - keytool -import -trustcacerts -alias <exchange_name>-root -file ca.cert.pem -keystore cacerts.jks
  - keytool -import -trustcacerts -alias <exchange_name>-intermediate -file intermediate.cert.pem -keystore cacerts.jks
- Optional: If you want to see the chain of trust graphically, you may need to import the root and intermediate certs into the browser
  - Control Panel→Internet Options→Content
  - Click on Certificates→Trusted Root Certification Authorities.
  - Click on Import and follow the wizard to import the root
  - Follow the same for the intermediate cert
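Before running the keytool imports above, the CSR reply can be checked against the CA root and intermediate with openssl. The script below is an added example, not part of CONNECT or of the internal script the note mentions; the function names are hypothetical, and the root, intermediate and gateway certificates it builds are constructed test material standing in for ca.cert.pem, intermediate.cert.pem and the CSR reply.

```shell
#!/bin/sh
# Added example, not CONNECT project code. Checks that a CSR reply chains to the
# CA root through the intermediate before the three files go into gateway.jks.

# verify_chain ROOT INTERMEDIATE LEAF: exit 0 only if LEAF -> INTERMEDIATE -> ROOT.
verify_chain() {
  openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# cert_summary CERT: prints "<key bits> <signature algorithm>".
cert_summary() {
  text=$(openssl x509 -in "$1" -noout -text) || return 1
  bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
  sig=$(printf '%s\n' "$text" | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1)
  printf '%s %s\n' "$bits" "$sig"
}

# issue DIR NAME IS_CA [ISSUER]: constructed test material only. Self-signs when
# ISSUER is omitted, otherwise signs NAME's CSR with ISSUER's key.
issue() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=test-$2" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null || return 1
  printf 'basicConstraints=critical,CA:%s\n' "$3" > "$1/$2.ext"
  if [ -z "$4" ]; then
    openssl x509 -req -in "$1/$2.csr" -signkey "$1/$2.key" -sha256 -days 30 \
      -extfile "$1/$2.ext" -out "$1/$2.pem" 2>/dev/null
  else
    openssl x509 -req -in "$1/$2.csr" -CA "$1/$4.pem" -CAkey "$1/$4.key" \
      -set_serial 1000 -sha256 -days 30 \
      -extfile "$1/$2.ext" -out "$1/$2.pem" 2>/dev/null
  fi
}

# Build a throwaway root -> intermediate -> gateway chain in directory $1.
build_test_chain() {
  issue "$1" root TRUE && issue "$1" intermediate TRUE root &&
    issue "$1" gateway FALSE intermediate
}

# Demo on the constructed chain; with real files pass ca.cert.pem,
# intermediate.cert.pem and the CSR reply to verify_chain instead.
demo=$(mktemp -d) && build_test_chain "$demo" &&
  verify_chain "$demo/root.pem" "$demo/intermediate.pem" "$demo/gateway.pem" &&
  echo "chain OK: $(cert_summary "$demo/gateway.pem")"
rm -rf "$demo"
```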