Certificate Management Test

Overview

The following steps are for testing Certificate Management functionality. Certificate Management is an interface that simplifies creating new certificates and managing certificates within the KeyStore and TrustStore. It is divided into three sections - Manage KeyStore, Manage TrustStore and Import Wizard:

  1. Manage KeyStore: Displays list of available KeyStores from the CONNECT Configuration
  2. Manage TrustStore: Displays list of available TrustStores from the CONNECT Configuration. Allows user to Import, View and Delete a certificate in TrustStore
  3. Import Wizard: Allows user to create a new certificate and import server certificate, CA root, CA intermediate into KeyStore, TrustStore

Test Environment

  1. Deploy CONNECT ear and AdminGUI war
  2. Successfully execute ConnectValidation suite before running AdminGUI test cases
  3. Browse to http://localhost:8080/CONNECTAdminGUI/

Certificate Management

Expand the Certificate Management from left navigation and execute the following tests:

Manage KeyStore

Test Scenario | Test Steps | Expected Result
Manage KeyStore left navigation menu item availability
  • Login to AdminGUI and click on Certificate Management from left navigation panel
  • Manage KeyStore menu item should appear under Certificate Management
Verify Manage KeyStore page displays with list of all the available KeyStores from the CONNECT configuration
  • Select Certificate Management → Manage KeyStore from the left navigation panel

Manage KeyStore tab will show as below:

  • KeyStore location from the CONNECT configuration
  • List of available KeyStores from the CONNECT configuration with below table values:
    • Alias: Name given to the CA certificate
    • Algorithm: Indicates the cryptographic algorithm used for creating key pairs and performing digital signature operations (e.g. RSA)
    • Key Size: Defines length of the key used by algorithm
    • Expiration Date: Displays certificate expiration date. 
      • Green: Indicates valid > 90 days
      • Red: Indicates expired
      • Yellow: Indicates expiring soon < 90 days
    • Subject Key Identifier (SKI):  Hash value of the SSL certificate used to identify certificates that contain a particular public key
    • Authority Key Identifier (AKI): Key identifier of the issuing CA certificate that signed the SSL certificate. This value would match the SKI value of the intermediate CA certificate
  • 'View Certificate' button enabled
Using Keytool or KeyStore Explorer application verify list of certificates from KeyStore match with the list displayed in Manage KeyStore tab 
  • Open KeyStore file from the CONNECT configuration
  • List of certificates in the KeyStore file will match with the list displayed in Manage KeyStore tab
View certificate details
  • Manage KeyStore tab → Select a record from the Keystore list table and click <View Certificate>
  • User must see a non editable child window with all the certificate details for the selected record
Verify record selection validation
  • Manage KeyStore tab → Do not select any record from Keystore list table and click <View Certificate>
  • "Please choose a certificate to view details" message will appear

Manage TrustStore

Expand the Certificate Manager from left navigation, select Manage TrustStore, and execute the following tests:

Test Scenario | Test Steps | Expected Results
Manage TrustStore left navigation menu item availability
  • Login to AdminGUI and click on Certificate Manager from left navigation panel
  • Manage TrustStore menu item should appear under Certificate Manager
Verify Manage TrustStore page displays with list of all the available TrustStores from the CONNECT configuration
  • Select Certificate Manager → Manage TrustStore from the left navigation panel

Manage TrustStore tab will show as below:

  • TrustStore (cacerts.jks) location from the CONNECT configuration
  • List of available TrustStores from the CONNECT configuration with below table values:
    • Alias: Name given to the CA certificate
    • Algorithm: Indicates the cryptographic algorithm used for creating key pairs and performing digital signature operations (e.g. RSA)
    • Key Size: Defines length of the key used by algorithm
    • Expiration Date: Displays certificate expiration date
      • Green: Indicates valid > 90 days
      • Red: Indicates expired
      • Yellow: Indicates expiring soon < 90 days
    • Subject Key Identifier (SKI):  Hash value of the SSL certificate used to identify certificates that contain a particular public key.
    • Authority Key Identifier (AKI): Key identifier of the issuing CA certificate that signed the SSL certificate. This value would match the SKI value of the intermediate CA certificate.
  • 'Delete', 'Import' , 'View', 'Refresh' and 'View Chain of Trust' buttons enabled
Using Keytool or KeyStore Explorer application verify list of certificates from cacerts.jks match with the list displayed in Manage TrustStore tab 
  • Open cacerts.jks file from the CONNECT configuration
  • List of certificates in the cacerts.jks file must match with the list displayed in Manage TrustStore tab
Verify record selection validation
  • Manage TrustStore tab → Do not select any record from Truststore list table and click <View>
  • "Please choose a certificate to view details" message will appear
View certificate details
  • Manage TrustStore tab → Select a record from the Truststore list table and click <View>
  • User must see a non editable child window with all the certificate details for the selected record
Verify certificate alias editable
  • Manage TrustStore tab → Select a record from the Truststore list table and click <View>
  • Edit Alias name to desired name and click <Update Certificate>
  • Selected record/certificate alias name updated per user input. 
  • Note: To cross verify open certificate (i.e. cacerts.jks) using Keytool or KeyStore Explorer application and user should see updated alias name for selected record/certificate
Delete certificate from the TrustStore list (i.e. cacerts.jks)
  • Manage TrustStore tab → Select a record from the Truststore list table and click <Delete>
  • Delete confirmation popup window will display with message "Are you sure you want to delete the selected certificate ?" with Yes, No buttons

Results as below:

  • Yes:
    •  User required to enter TrustStore Credentials, i.e. TrustStore password and click <OK>
    • Selected certificate deleted from the TrustStore list and user navigated back to Manage TrustStore tab.
  •  No:
    •  Record not deleted and user navigated back to Manage TrustStore tab
Verify user not allowed to delete server's public certificate
  • Manage TrustStore tab → Select server's  public certificate from the Truststore list table and click <Delete>
  • Delete confirmation popup window will display with message "Are you sure you want to delete the selected certificate ?" with Yes, No buttons

Results as below:

  • Yes :
    •  User required to enter TrustStore Credentials, i.e. TrustStore password and click <OK>
    • "System cannot remove its own public certificate" message will appear. Click <Cancel> button to navigate back to Manage TrustStore tab.
  •  No
    •  Record not deleted and user navigated back to Manage TrustStore tab
Verify user allowed to import any certificate (i.e. root certificate, intermediate certificate, server leaf certificate)  into truststore only (i.e. cacerts.jks)

  • Manage TrustStore tab → Click <Import> 
  • User navigated to Import Certificate popup window
  • Click <Choose> and select desired certificate for import
  • Desired certificate selected for import
  • Click <Upload> to upload the selected certificate
  • Successfully uploaded selected certificate
  • Click on record's 'Alias' column and update desired name
  • Successfully update the Alias name for newly uploaded certificate
  • If Alias name not updated on click of <Import> a UI error message will display "Enter an alias for the certificate"
  • Optional: Select <Refresh Services Cache> checkbox. (Note: Not necessary for a new exchange, but when replacing a certificate for an existing exchange it is recommended to select this box, because CONNECT caches and reuses web-services ports. When the ports are created, they are bound to a specific certificate. Importing a new certificate and trying to use it will result in an error if the user has not refreshed the ports.)
  • Able to select Refresh Services Cache checkbox
    • Note: This is back-end or server-side refresh, hence will not be able to verify the step except selection
  • Click <Import> for certificate to import into truststore (i.e. cacerts.jks)
  • UI error message will display "Select certificate for import"
  • Choose the record and click <Import> for certificate to import into truststore (i.e. cacerts.jks)
  • User navigated to TrustStore Credentials popup window to enter Truststore password
  • Enter Truststore password in TrustStore Credentials popup window and click <OK>
  • If user enters an existing alias name then a UI error message will display "Alias already in use in Truststore"; otherwise the selected certificate is successfully imported into truststore (i.e. cacerts.jks) and user navigated to Manage TrustStore tab.
  • User must see newly uploaded certificate under Truststore list
  • When user see "Alias already in use in Truststore" UI error message:
    • Update alias name to unique name (i.e. not already used in Truststore) and click <Import>
    • Enter password in TrustStore Credentials popup window and click <OK>
  • Selected certificate successfully imported into truststore and user navigated to Manage TrustStore tab.
  • User must see newly uploaded certificate under TrustStore list
Verify Refresh functionality
  • To test this feature it is required to modify truststore (i.e. cacerts.jks) from the CONNECT server configuration not via AdminGUI UI. 
  • Using Keytool or KeyStore Explorer application open truststore certificate from CONNECT server configuration
  • Import a trusted certificate that is not present in truststore (i.e. cacerts.jks)
    • Keytool → Tools → Import Trusted Certificate → choose desired certificate and click <Open>
    • New certificate will be imported into truststore.
    • Click Save icon in Keytool application
    • Without restarting server click <Refresh> button in Manage TrustStore tab
  • Newly imported certificate must be present under TrustStore list

  • Follow above steps to open truststore from CONNECT server configuration and delete an existing certificate from truststore 
  • Click Save icon in Keytool application
  • Without restarting server click <Refresh> button in Manage TrustStore tab
  • Deleted certificate must not be present under TrustStore list 
View Chain of Trust record selection validation
  • Manage TrustStore tab → Do not select any record from Truststore list table and click <View Chain of Trust>
  • "Please choose a certificate to view chain" message will appear
Verify View Chain of Trust functionality
  • Manage TrustStore tab → Select a record from the Truststore list table and click <View Chain of Trust>
  • User navigated to Chain of Trust view popup window which shows detailed certificate information for the selected record

  • Manage TrustStore tab → Select an intermediate certificate from the Truststore list table and click <View Chain of Trust>
    • Note: Make sure CA root , CA intermediate imported into truststore for the selected intermediate certificate
  • User navigated to a Chain of Trust view popup window which lists associated root, intermediate certificate details for the selected record.  Note: This feature helps user to view associated chain of trust certificates at single place when multiple certificates are present

  • Manage TrustStore tab → Select a server or leaf certificate from the Truststore list table and click  <View Chain of Trust>
  • User navigated to a Chain of Trust view popup window and results as below: 
    • If root, intermediate certificates imported into Manage TrustStore for the selected server certificate then Chain of Trust window lists associated leaf, root, intermediate certificate details for the selected record.
    • If root, intermediate were not imported into Manage TrustStore for the selected server or leaf certificate then Chain of Trust window shows certificate details with UI error: "A Parent certificate is missing. Import all certificates in the trust chain and restart server"
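
The View Chain of Trust behaviour above follows from the SKI/AKI relationship: the AKI of a certificate names the SKI of its issuer. The following added example (not CONNECT code and not part of the original test plan) walks that relationship over a table of alias, SKI and AKI values and reports either the complete chain or the missing parent. The function names, the input layout and the shortened key identifiers are constructed for illustration.

```shell
#!/bin/sh
# Added example, not CONNECT code. stdin: one certificate per line as
#   alias  SKI  AKI      (AKI is "-" when the certificate has none)

chain_of_trust() {
    # $1 = alias of the certificate whose chain should be listed
    awk -v start="$1" '
    /^#/ || NF < 3 { next }
    # Appending "" forces string comparison of the identifiers.
    { ski[$1] = $2 ""; aki[$1] = $3 ""; owner[$2] = $1 }
    END {
        if (!(start in ski)) { print "unknown alias: " start; exit }
        cur = start; path = cur; visited[cur] = 1
        while (1) {
            # A root is self-issued: no AKI, or an AKI equal to its own SKI.
            if (aki[cur] == "-" || aki[cur] == ski[cur]) { print path " [complete]"; exit }
            # No certificate in the store carries the SKI this AKI points at.
            if (!(aki[cur] in owner)) { print path " -> MISSING PARENT (SKI " aki[cur] ")"; exit }
            cur = owner[aki[cur]]
            if (cur in visited) { print path " -> " cur " [loop]"; exit }
            visited[cur] = 1
            path = path " -> " cur
        }
    }'
}

# Constructed sample truststore contents; identifiers shortened for readability.
sample_truststore() {
    cat <<'EOF'
# alias               SKI          AKI
exchange-root         A1:00:00:01  -
exchange-intermediate B2:00:00:02  A1:00:00:01
gateway               C3:00:00:03  B2:00:00:02
orphan-leaf           D4:00:00:04  E5:00:00:05
EOF
}

for a in gateway orphan-leaf exchange-root; do
    sample_truststore | chain_of_trust "$a"
done
```

Matching key identifiers only locates the candidate issuer; it does not verify the issuer's signature on the certificate.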

Import Wizard

The Import Wizard interface simplifies the process of creating a new certificate and importing CA certs into the CONNECT configuration. A new set of certificates (i.e. KeyStore.jks, TrustStore.jks) will be created under the "//Connect-Properties/ImportWizard/New" folder. This page includes the Start, Create Certificate, Certificate Signing Request, CA Providers and Import SSL Certificates tabs.

Start Tab

Test Scenario | Test Steps | Expected Results
Import Wizard left navigation menu item availability
  • Login into AdminGUI and click on Certificate Manager from left navigation panel
  • Import Wizard menu item should appear under Certificate Manager

Verify below on Start tab:

  • Static text
  • Clickable below 3 links
    • Create a new Certificate
    • Generate CSR for an existing Certificate
    • Import SSL Certificate(s)
  • Select Certificate Manager → Import Wizard from the left navigation panel

Start tab will show below:

  • Static text as below:
  • Clickable below 3 links:
    • Create a new Certificate
    • Generate CSR for an existing Certificate
    • Import SSL Certificate(s)

  • On server restart, Select Certificate Manager → Import Wizard  and click directly on Create CSR link.
User should be able to create a CSR.

  • On server restart, Select Certificate Manager → Import Wizard  and click directly on Import SSL Certificate(s).
User should be able to go to Import SSL Certificate(s) tab. 
Verify tabs enable / disable functionality
  • Select Certificate Manager → Import Wizard
  • On page load only Start tab is enabled. Rest of the tabs must be disabled.

  • Import Wizard → Start tab and click on any of the below links and verify tabs navigation and enable / disable functionality. 
    • Create a New Certificate 
    • Generate CSR for an existing Certificate 
    • Import SSL Certificate(s)
  • When click on:
    • "Create a New Certificate" link
      • Only Start , Create Certificate tabs enabled and user navigated to Create Certificate tab
    • "Generate CSR for an existing Certificate" link
      • Only Start, Certificate Signing Request tabs enabled and user navigated to Certificate Signing Request tab
    • "Import SSL Certificate(s)" link
      • Only Start, Import SSL Certificates tabs enabled and user navigated to Import SSL Certificates tab

Create Certificate Tab

Test Scenario | Test Steps | Expected Results
Visually verify Create Certificate default screen display
  • Click on Create a New Certificate link
  • Create Certificate  tab default view as below:

     

  • A temporary folder (importWizard/temp) must be created under CONNECT server configuration folder.  Existing KeyStore (i.e. gateway.jks) backup must be created under this temporary folder.
Required field validation
  • Do not provide any values and click <Create>

UI errors must be present as below:

Verify Exchange drop down functionality 
  • Select any value from Exchange drop down
  • Below field values must be pre-populated
    • Organizational Unit(OU)
    • Organization(O)
    • Country Name (C)
Verify updates in caauthority.properties file reflect  Exchange drop down 
  • Update one of the exchange drop down pre-populated values in caauthority.properties and save file.
    • Ex: Health.Exchange.Valiation=NHIN-test\,nhin\,US        <<To>> 
    • e.Health.Exchange.Valiation=CONNECT-test\,CONNECT\,US
  • Updated values must be pre-populated for selected exchange
Verify Create Certificate cancel functionality
  • Enter data in all the required fields and click <Cancel>
  • Cancel Import Wizard popup window display with " WARNING: This will clean up the file created by wizard. Continue delete ?"
    • Yes:  Must delete backup keystore file and temp folder from the importWizard folder which is under CONNECT server configuration
    • No: Must navigate back to Create Certificate screen
Verify Create Certificate functionality
  • Continue with previously entered form data and click <Create>
  • Below UI messages will display:
    • Successfully created certificate for: <<certificatename>>
    • Successfully created CSR for: <<certificatename>>
  • <Next> button is enabled
Verify Certificate validity, key size and signature algorithm for newly created certificate
  • Open newly created certificate (under //importWizard/temp) using Keytool or KeyStore Explorer applications. Right click on certificate → View Details → Certificate Chain Details
  • Certificate must be valid
  • Certificate signature algorithm must be (SHA256withRSA)
  • Certificate public key size must be RSA 2048 bit
Verify navigation from Create Certificate page
  • Once the certificate created successfully Next button is enabled. Click <Next>
  • User navigated to Certificate Signing Request Tab

  • If AdminGUI session expired after certificate creation, then re login into application. From Start tab click on ' Generate CSR for an existing Certificate' link
  • User navigated to Certificate Signing Request Tab
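
The keytool cross-check from the Manage KeyStore and Manage TrustStore tests, and the validity, signature algorithm and key size check above, can be scripted. The following is an added example, not part of CONNECT or the original test plan: it parses `keytool -list -v` output, applies the 90-day Green/Yellow/Red thresholds, and compares each entry against SHA256withRSA and RSA 2048. The function names, the output format, the embedded listing (constructed sample data) and the treatment of exactly 90 days as Green are assumptions; it expects the English output of a recent JDK and ignores the time zone field.

```shell
#!/bin/sh
# Added example, not CONNECT code. Reads `keytool -list -v` text on stdin.
# Real use: keytool -list -v -keystore gateway.jks | audit_keystore_listing

audit_keystore_listing() {
    # $1 = "now" as epoch seconds; defaults to the current time.
    awk -v now="${1:-$(date +%s)}" '
    # Days since 1970-01-01 for a Gregorian calendar date.
    function days_from_civil(y, m, d,    era, yoe, doy) {
        if (m <= 2) { y--; m += 9 } else { m -= 3 }
        era = int(y / 400); yoe = y - era * 400
        doy = int((153 * m + 2) / 5) + d - 1
        return era * 146097 + yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy - 719468
    }
    function after(prefix) { return substr($0, length(prefix) + 1) }
    function emit(    left, status, policy) {
        if (alias == "" || until == "") return
        left = until - now
        if (left < 0)               status = "RED"      # expired
        else if (left < 90 * 86400) status = "YELLOW"   # expiring within 90 days
        else                        status = "GREEN"    # assumption: exactly 90 days is Green
        # Values expected by the Create Certificate test.
        policy = (sig == "SHA256withRSA" && key == "2048-bit RSA key") ? "OK" : "FAIL"
        printf "%s|%s|until=%s|%s|%s|%s\n", alias, status, untilday, sig, key, policy
    }
    /^Alias name: / { emit(); alias = after("Alias name: "); until = sig = key = ""; next }
    # Only the first certificate of an entry (the entry itself, not its chain) is reported.
    /^Valid from: / && until == "" {
        split(substr($0, index($0, " until: ") + 8), f, " ")   # Tue Mar 03 10:00:00 UTC 2026
        split(f[4], t, ":")
        mon = (index("JanFebMarAprMayJunJulAugSepOctNovDec", f[2]) + 2) / 3
        # Assumption: the time zone field f[5] is ignored and treated as UTC.
        until = days_from_civil(f[6], mon, f[3]) * 86400 + t[1] * 3600 + t[2] * 60 + t[3]
        untilday = sprintf("%04d-%02d-%02d", f[6], mon, f[3])
    }
    /^Signature algorithm name: / && sig == "" { sig = after("Signature algorithm name: ") }
    /^Subject Public Key Algorithm: / && key == "" { key = after("Subject Public Key Algorithm: ") }
    END { emit() }
    '
}

# Constructed sample in the shape of `keytool -list -v` output (not real certificates).
sample_listing() {
    cat <<'EOF'
Alias name: gateway
Entry type: PrivateKeyEntry
Certificate[1]:
Owner: CN=gateway.example.test, OU=CONNECT-test, O=CONNECT, C=US
Valid from: Mon Mar 03 10:00:00 UTC 2025 until: Tue Mar 03 10:00:00 UTC 2026
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key

Alias name: partner-intermediate
Entry type: trustedCertEntry
Owner: CN=Partner Intermediate (constructed)
Valid from: Mon Jul 15 12:00:00 UTC 2024 until: Tue Jul 15 12:00:00 UTC 2025
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key

Alias name: legacy-ca
Entry type: trustedCertEntry
Owner: CN=Legacy CA (constructed)
Valid from: Thu Jan 01 00:00:00 UTC 2015 until: Tue Dec 31 23:59:59 UTC 2024
Signature algorithm name: SHA1withRSA
Subject Public Key Algorithm: 1024-bit RSA key
EOF
}

# Fixed "now" (2025-06-01 00:00:00 UTC) so the result is reproducible.
sample_listing | audit_keystore_listing 1748736000
```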

Certificate Signing Request Tab

Test Scenario | Test Steps | Expected Results
Verify Certificate Signing Request (CSR) functionality

User navigated to CSR tab when:

  • Certificate created successfully and click <Next> from Create Certificate tab (or)
  • Application session expired after Certificate creation. Re login into application. From Start tab click on 'Generate CSR for an existing Certificate' link

Results as below:

  • Via Certificate Create <Next> :
    • CSR Type : PKCS 10 <prepopulated value>
    • Alias: <<Newly created certificate alias prepopulated>>
    • CSR text: CSR text generated and not editable
    • Example screen snippet below:
  • Via Start tab 'Generate CSR for an existing Certificate' link:
    • CSR Type: PKCS 10 <prepopulated value>
    • Alias: — <selection mandatory>
    • CSR text: blank
    • Only Cancel button enabled
    • Example screen snippet below:
Verify CSR text populated when user navigated via Start tab → Certificate Signing Request tab
  • Select Alias name of the newly created certificate
  • CSR text is generated and UI message shows as "Successfully created CSR for: <<selected alias name>>" 
  • Copy, Download buttons enabled
Verify user allowed to copy or download CSR text
  • Click <Copy> or <Download> to get local copy of CSR text (i.e. .csr file)
  • File copied or download successfully
  • Next button enabled
Verify CSR tab cancel functionality
  • Click <Cancel> in CSR tab
  • Cancel Import Wizard popup window display with " WARNING: This will clean up the file created by wizard. Continue delete ?"
    • Yes:  Must delete files and temp folder from the importWizard folder which is under CONNECT server configuration
    • No: Must navigate back to CSR tab
Verify navigation from Certificate Signing Request tab
  • Click <Next> 
  • User navigated to CA Providers tab

CA Provider Tab

Test Scenario | Test Steps | Expected Results
Visually verify CA Providers tab default screen display
  •  Click <Next> from CSR tab
  • CA Providers default view as below: 
Verify all links displayed from the caauthority.properties file
  • Open caauthority.properties file from CONNECT server configuration
    • Visually verify links under "#CA Authority Info: identifiable links" displayed in CA Providers tab
  • CA Providers tab displays all identifiable links from caauthority.properties

  • Add new link or delete an existing link from caauthority.properties file
  • Verify CA Providers tab displays updated links
    • Changes will show up in CA Providers tab only after re-login and go to CA Providers tab
  • CA Providers tab display updated identifiable links from caauthority.properties

Submit CSR (i.e .csr file) to CA Authority and acquire a new SSL certificate.

  • Follow CA provider tab page instruction to get SSL certificate
  • To get the root and intermediate certificates, use either the OpenSSL command line or a browser:
    • Via openssl cmd line: 
      • openssl s_client -showcerts -connect <<your domain name>>:443 will show server, root and intermediate certificates.
      • Copy intermediate content into CA intermediate and root content into CA root file.
    • Via browser:
      • Open SSL certificate via Keystore Explorer or browser it looks like below:
      • Copy CA root, CA intermediate as below:
  • This scenario can be tested by using CA on SonarQube server to get a signed certificate.
  • User must have a server certificate and chain of trust certificates (i.e.  CA root and CA Intermediate).
Verify navigation from CA Provider tab
  • Click <Next> 
  • User navigated to Import SSL Certificates tab

  • If AdminGUI session expired, then re login into application. From Start tab click on ' Import SSL Certificates' link
  • User navigated to Import SSL Certificates tab

Import SSL Certificate(s) 

Test Scenario | Test Steps | Expected Results
Visually verify Import SSL Certificates tab default screen display
  •  Click <Next> from CA Provider tab
  • Import SSL Certificates default page view as below:
Verify required field validation
  • Do not select any values click <Import>
  • User must see below errors:
    • Alias is required
    • Server Certificate is required
Verify Clear functionality
  • Select values from the drop down and click <Clear>
  • Import SSL Certificates tab page refreshed and default page displayed.
Verify importing only Server Certificate
  • Select Alias value from drop down
  • Choose Server Certificate to import and click <Import>
  • Server Certificate must be imported into keystores (i.e. under //importWizard/temp/gateway.jks)
  • Using Keytool application open gateway.jks file from //importWizard/temp folder and make sure newly imported server certificate present. 
Verify importing Server Certificate, CA root and CA intermediate validation
  • Select Alias value from drop down
  • Choose Server Certificate
  • Choose CA Root
  • Do Not choose anything for CA Intermediate and  click <Import>

Note: Repeat same scenario without selecting CA root and select CA Intermediate

  • UI error message as "Root and Intermediate Certificates must both be present in order to import Chain of Trust."
Verify importing Server Certificate, CA root and CA intermediate
  • Select Alias value from drop down
  • Choose Server Certificate
  • Choose CA Root
  • Choose CA Intermediate and click <Upload> and then click <Import>
  • Server Certificate, CA Root and CA Intermediate must be imported into keystore, truststore (i.e. under //importWizard/temp/gateway.jks, cacerts.jks)
  • UI confirmation message displayed "Import to temporary KeyStore/TrustStore is successful"
  • Using Keytool application open gateway.jks, cacerts.jks file from //importWizard/temp folder and make sure newly imported server certificate present.
Verify complete functionality
  • After successful import of Certificates click <Complete>
  • Complete Import Wizard popup window display as below:
  • Yes:
    • New Keystore, Truststore created under new folder (i.e. //importWizard/new) and temp folder deleted. 
    • User navigate back to Import SSL Certificate tab and confirmation message display as below:
  • No: User navigate back to Import SSL Certificate tab
Verify AdminGUI functions with new certificates
  • Stop the server
  • Copy certificates from //importWizard/New folder to the CONNECT server configuration folder (i.e. main)
  • Restart the server
  • AdminGUI functionality works as expected

Note: see Generate Chain of Trust

  • Generating a real certificate from the CSR is expected for the server to work.
Verify replacing existing server certificate via Import Wizard
  • Select Alias value from drop down 
  • Choose Server Certificate and click <Import>
  • UI error message as "Create a CSR and get SSL Certificates from your CA Providers before replacing existing Certificates with alias: <<selected alias name>>"

Note: To replace an existing server certificate, first generate a CSR and obtain the SSL certs; the user will then be able to replace the existing server certificate successfully.


Generate Chain of Trust

Manually generate the chain of trust for testing purposes; the official process is to submit your CSR to your CA provider and receive the CSR reply and the chain of trust from your CA provider.

Note

The steps below refer to the script on the sonarqube server (internal use) that is used to generate a certificate with a chain of trust; this process requires technical knowledge of keytool and setup for each individual user to make it work.

  1. Generate new key 
    1. keytool -genkey -alias gateway -keyalg RSA -keystore gateway.jks -dname "CN=<computername>, OU=<yourinput>, O=<yourinput>, C=US" -validity 365 -keysize 2048
      1. Make sure we use unique name for computer name. 
      2. OU, O and C are optional 
  2. Generate CSR (make sure we generate unique csr name)
    1. keytool -certreq -alias gateway -keystore gateway.jks -file gateway-yyyyMMdd.csr
  3. Transfer CSR to sonarqube server (AWS-EC2-Sonarqube-server):
    1. ehealth exchange: /nhin/ca/intermediate/csr
    2. Carequality Exchange: /nhin/carequalityCA/intermediate/csr
  4. Generate CSR Reply:
    1. ehealth exchange:  (FYI - Password to use on Sonarqube box: admin1)

      cd /nhin/ca
      openssl ca -config intermediate/openssl.cnf -extensions server_cert -days 375 -notext -md sha256 -in intermediate/csr/gateway-yyyyMMdd.csr -out intermediate/certs/gateway-yyyyMMdd.crt
    2. carequality exchange:

      cd /nhin/carequalityCA
      openssl ca -config intermediate/openssl.cnf -extensions server_cert -days 375 -notext -md sha256 -in intermediate/csr/gateway-yyyyMMdd.csr -out intermediate/certs/gateway-yyyyMMdd.crt
  5. Transfer gateway-yyyyMMdd.crt to your local
    1. ehealth exchange: /nhin/ca/intermediate/certs/gateway-yyyyMMdd.crt
    2. Carequality Exchange: /nhin/carequalityCA/intermediate/certs/gateway-yyyyMMdd.crt
  6. Transfer CA Root/Intermediate cert to your local.
    1. ehealth exchange: 
      1. Root: /nhin/ca/certs/ca.cert.pem
      2. Intermediate: /nhin/ca/intermediate/certs/intermediate.cert.pem
    2. carequality exchange:
      1. Root: /nhin/carequalityCA/certs/ca.cert.pem
      2. Intermediate: /nhin/carequalityCA/intermediate/certs/intermediate.cert.pem
  7. Import Certs to Keystore
    1. keytool -import -trustcacerts -alias <exchange_name>-root -file ca.cert.pem -keystore gateway.jks
    2. keytool -import -trustcacerts -alias <exchange_name>-intermediate -file intermediate.cert.pem -keystore gateway.jks
    3. keytool -import -trustcacerts -alias gateway -file gateway-yyyyMMdd.crt -keystore gateway.jks
  8. Import CA Root/Intermediate Certs to TrustStore:
    1. keytool -import -trustcacerts -alias <exchange_name>-root -file ca.cert.pem -keystore cacerts.jks
    2. keytool -import -trustcacerts -alias <exchange_name>-intermediate -file intermediate.cert.pem -keystore cacerts.jks
  9. Optional:  If you want to see chain of trust graphically, you may need to import Root and intermediate into browser
    1. Control Panel→Internet Options→Content
      1. Click on Certificates→Trusted Root Certification Authorities.
      2. Click on Import and follow the wizard to import the root
      3. Follow the same for intermediate cert