The current implementation of IPsec configuration by IPsec
server/client supports Root CA only. This commit adds support
for Intermediate CA. Now, IPsec Auth Server sends both certificates
to IPsec Auth client to store. If it's a self-signed certificate,
the same certificate is sent as Root CA.

Test plan:
PASS: In a DX system with available enabled active status with IPsec
server being executed from controller-0 and a self-signed CA
installed. Run "ipsec-client pxecontroller --opcode 1" in
controller-1. Observe that 4 CA certificates are created,
but they are the same certificate. Observe that a security
association is established between the hosts via "swanctl
--list-sas" command.
PASS: In a DX system with available enabled active status with IPsec
server being executed from controller-0 and a self-signed CA
installed. Run "ipsec-client pxecontroller --opcode 2" in
controller-1. Observe that the previously created CertificateRequest
was deleted and a new one was generated for controller-1's node.
The new certificate is sent to IPsec Client with Root and
Intermediate CA, which are the same, to be stored and the
swanctl rekey command executed successfully.
PASS: In a DX system with available enabled active status with IPsec
server being executed from controller-0 and an intermediate CA
installed. Run "ipsec-client pxecontroller --opcode 1" in
worker-0. Observe that 4 CA certificates are created,
including Root and Intermediate CA. Observe that a security
association is established between the hosts via "swanctl
--list-sas" command.
PASS: In a DX system with available enabled active status with IPsec
server being executed from controller-0 and an Intermediate CA
installed. Run "ipsec-client pxecontroller --opcode 2" in
worker-0. Observe that the previously created CertificateRequest
was deleted and a new one was generated for worker-0's node.
The new certificate is sent to IPsec Client with Root and
Intermediate CA to be stored and the swanctl rekey command
executed successfully.
PASS: In a DX system, simulate that the IPsec cert is about to expire,
run the script, verify IPsec cert, private key and trusted CA
cert are renewed.

Story: 2010940
Task: 49825
Change-Id: I25c973350c4f460233a4e6e5ddda8366b948d120
Signed-off-by: Leonardo Mendes <Leonardo.MendesSantana@windriver.com>