diff --git a/pkg/util/pki/csr.go b/pkg/util/pki/csr.go
index 08af5e199..04872451f 100644
--- a/pkg/util/pki/csr.go
+++ b/pkg/util/pki/csr.go
@@ -172,11 +172,6 @@ func GenerateTemplate(crt *v1alpha1.Certificate) (*x509.Certificate, error) {
 return nil, err
 }
 
- keyUsages := x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment
- if crt.Spec.IsCA {
- keyUsages |= x509.KeyUsageCertSign
- }
-
 return &x509.Certificate{
 Version: 3,
 BasicConstraintsValid: true,
@@ -190,12 +185,21 @@ func GenerateTemplate(crt *v1alpha1.Certificate) (*x509.Certificate, error) {
 NotBefore: time.Now(),
 NotAfter: time.Now().Add(certDuration),
 // see http://golang.org/pkg/crypto/x509/#KeyUsage
- KeyUsage: keyUsages,
+ KeyUsage: keyUsage(crt.Spec.IsCA),
 DNSNames: dnsNames,
 IPAddresses: ipAddresses,
 }, nil
 }
 
+func keyUsage(isCA bool) x509.KeyUsage {
+ keyUsages := x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment
+ if isCA {
+ keyUsages |= x509.KeyUsageCertSign
+ }
+
+ return keyUsages
+}
+
 // GenerateTemplate will create a x509.Certificate for the given
 // CertificateRequest resource
 func GenerateTemplateFromCertificateRequest(cr *v1alpha1.CertificateRequest) (*x509.Certificate, error) {
@@ -224,8 +228,6 @@ func GenerateTemplateFromCertificateRequest(cr *v1alpha1.CertificateRequest) (*x
 certDuration = cr.Spec.Duration.Duration
 }
 
- keyUsages := x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment
-
 return &x509.Certificate{
 Version: csr.Version,
 BasicConstraintsValid: true,
@@ -237,7 +239,7 @@ func GenerateTemplateFromCertificateRequest(cr *v1alpha1.CertificateRequest) (*x
 NotBefore: time.Now(),
 NotAfter: time.Now().Add(certDuration),
 // see http://golang.org/pkg/crypto/x509/#KeyUsage
- KeyUsage: keyUsages,
+ KeyUsage: keyUsage(cr.Spec.IsCA),
 DNSNames: csr.DNSNames,
 IPAddresses: csr.IPAddresses,
 URIs: csr.URIs,
diff --git a/test/e2e/suite/issuers/ca/certificaterequest.go b/test/e2e/suite/issuers/ca/certificaterequest.go
index 263239486..c2a7a3c7e 100644
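Review bot: The new `keyUsage` helper has no doc comment, and its name hides a policy decision: it hard-codes `x509.KeyUsageKeyEncipherment` for every certificate whatever the key algorithm, although that bit is only meaningful for RSA key transport (ECDSA keys would want keyAgreement), and the helper receives no key-type input with which to decide. Suggest heading it with `// keyUsage returns the KeyUsage bits for an end-entity certificate (digitalSignature, keyEncipherment); when isCA is set, certSign is added so the subject may issue certificates.` Whether CA certificates issued here also need cRLSign is not visible in this diff, so treat that as a question for the callers rather than a defect. The same helper is reused by GenerateTemplateFromCertificateRequest in the last hunk of this file.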
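Review bot: `GenerateTemplateFromCertificateRequest` now grants `x509.KeyUsageCertSign` whenever `cr.Spec.IsCA` is true, a field set by whoever creates the CertificateRequest, whereas before this change templates built from a CertificateRequest never carried certSign. The template's `IsCA` field lies outside this hunk, so confirm it is populated from the same `cr.Spec.IsCA` alongside the `BasicConstraintsValid: true` visible in the previous hunk; otherwise a certificate could end up with certSign but no CA basic constraint, or the reverse, and relying parties treat those inconsistently. The issuer-side decision of whether a given requester is permitted to obtain a CA certificate is also not part of this diff and should be verified at the point where the template is signed. The body of GenerateTemplateFromCertificateRequest continues past the end of the hunk.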
--- a/test/e2e/suite/issuers/ca/certificaterequest.go
+++ b/test/e2e/suite/issuers/ca/certificaterequest.go
@@ -30,7 +30,7 @@ import (
 "github.com/jetstack/cert-manager/test/e2e/util"
 )
 
-var _ = framework.CertManagerDescribe("CA Certificate", func() {
+var _ = framework.CertManagerDescribe("CA CertificateRequest", func() {
 f := framework.NewDefaultFramework("create-ca-certificate")
 h := f.Helper()
 
@@ -141,46 +141,4 @@ var _ = framework.CertManagerDescribe("CA Certificate", func() {
 })
 }
 })
-
- Context("when the CA is an issuer", func() {
- BeforeEach(func() {
- By("Creating a signing keypair fixture")
- _, err := f.KubeClientSet.CoreV1().Secrets(f.Namespace.Name).Create(newSigningIssuer1KeypairSecret(issuerSecretName))
- Expect(err).NotTo(HaveOccurred())
- })
-
- It("should generate a signed keypair", func() {
- crClient := f.CertManagerClientSet.CertmanagerV1alpha1().CertificateRequests(f.Namespace.Name)
-
- By("Creating a CertificateRequest")
- cr, key, err := util.NewCertManagerBasicCertificateRequest(certificateRequestName, issuerName, v1alpha1.IssuerKind, nil, nil, nil, nil, x509.RSA)
- Expect(err).NotTo(HaveOccurred())
- _, err = crClient.Create(cr)
- Expect(err).NotTo(HaveOccurred())
- By("Verifying the Certificate is valid")
- err = h.WaitCertificateRequestIssuedValidTLS(f.Namespace.Name, certificateRequestName, time.Second*30, key, []byte(rootCert))
- Expect(err).NotTo(HaveOccurred())
- })
- })
-
- Context("when the CA is a second level issuer", func() {
- BeforeEach(func() {
- By("Creating a signing keypair fixture")
- _, err := f.KubeClientSet.CoreV1().Secrets(f.Namespace.Name).Create(newSigningIssuer2KeypairSecret(issuerSecretName))
- Expect(err).NotTo(HaveOccurred())
- })
-
- It("should generate a signed keypair", func() {
- crClient := f.CertManagerClientSet.CertmanagerV1alpha1().CertificateRequests(f.Namespace.Name)
-
- By("Creating a CertificateRequest")
- cr, key, err := util.NewCertManagerBasicCertificateRequest(certificateRequestName, issuerName, v1alpha1.IssuerKind, nil, nil, nil, nil, x509.RSA)
- Expect(err).NotTo(HaveOccurred())
- _, err = crClient.Create(cr)
- Expect(err).NotTo(HaveOccurred())
- By("Verifying the Certificate is valid")
- err = h.WaitCertificateRequestIssuedValidTLS(f.Namespace.Name, certificateRequestName, time.Second*30, key, []byte(rootCert))
- Expect(err).NotTo(HaveOccurred())
- })
- })
 })