diff --git a/test/container/builder/kojid.conf b/test/container/builder/kojid.conf
index 68a00f9..0f66b28 100644
--- a/test/container/builder/kojid.conf
+++ b/test/container/builder/kojid.conf
@@ -10,6 +10,6 @@ keytab = /share/kojid.keytab
; cert = /share/ssl/kojid/client.pem
; ca = /share/ssl/kojid/serverca.crt
-serverca = /share/ca-crt.pem
+serverca = /share/koji-ca.pem
plugins = osbuild
diff --git a/test/container/hub/ssl.conf b/test/container/hub/ssl.conf
index 1504207..f8c72ac 100644
--- a/test/container/hub/ssl.conf
+++ b/test/container/hub/ssl.conf
@@ -13,6 +13,7 @@ SSLCryptoDevice builtin
# localhost
ServerName localhost
+ServerAlias org.osbuild.koji.koji
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
@@ -23,44 +24,10 @@ SSLEngine on
SSLHonorCipherOrder on
SSLCipherSuite PROFILE=SYSTEM
SSLProxyCipherSuite PROFILE=SYSTEM
-SSLCertificateFile /share/crt.pem
-SSLCertificateKeyFile /share/key.pem
-SSLCertificateChainFile /share/ca-crt.pem
-SSLCACertificateFile /share/ca-crt.pem
-SSLVerifyDepth 1
-
-
- SSLOptions +StdEnvVars
-
-
- SSLOptions +StdEnvVars
-
-
-BrowserMatch "MSIE [2-5]" \
- nokeepalive ssl-unclean-shutdown \
- downgrade-1.0 force-response-1.0
-
-CustomLog logs/ssl_request_log \
- "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
-
-
-
-# Full Qualified Domain Name, org.osbuild.koji.koji
-
-ServerName org.osbuild.koji.koji
-
-ErrorLog logs/ssl_error_log
-TransferLog logs/ssl_access_log
-LogLevel debug
-
-SSLEngine on
-SSLHonorCipherOrder on
-SSLCipherSuite PROFILE=SYSTEM
-SSLProxyCipherSuite PROFILE=SYSTEM
-SSLCertificateFile /share/crt-fqdn.pem
-SSLCertificateKeyFile /share/key.pem
-SSLCertificateChainFile /share/ca-crt.pem
-SSLCACertificateFile /share/ca-crt.pem
+SSLCertificateFile /share/koji-crt.pem
+SSLCertificateKeyFile /share/koji-key.pem
+SSLCertificateChainFile /share/koji-ca.pem
+SSLCACertificateFile /share/koji-ca.pem
SSLVerifyDepth 1
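Review bot: `SSLCertificateChainFile` is deprecated since httpd 2.4.8, and here it names the same `/share/koji-ca.pem` that `SSLCACertificateFile` already loads, so the line can be dropped, or any intermediates appended to the file given to `SSLCertificateFile`. `SSLCACertificateFile` and `SSLVerifyDepth 1` only take effect where client verification is switched on, and no `SSLVerifyClient` directive is visible in this hunk. A short comment would make the intent clear, for example `# koji-ca.pem is the osbuild test CA; it issues the hub certificate and the client certificates`. The enclosing virtual host starts and ends outside the hunk.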
diff --git a/test/copy-creds.sh b/test/copy-creds.sh
index ec387ca..2401e10 100755
--- a/test/copy-creds.sh
+++ b/test/copy-creds.sh
@@ -10,13 +10,7 @@ fi
TEST_DATA=${TEST_DATA:-test/data}
SHARE_DIR=${SHARE_DIR:-/tmp/osbuild-composer-koji-test}
-if [[ -f "/etc/osbuild-composer/client-key.pem" ]]; then
- echo "Copying client certificates"
-
- cp /etc/osbuild-composer/client-key.pem ${SHARE_DIR}
- cp /etc/osbuild-composer/client-crt.pem ${SHARE_DIR}
- cp /etc/osbuild-composer/ca-crt.pem ${SHARE_DIR}/client-ca.pem
-fi
+mkdir -p "${SHARE_DIR}"
mkdir -p /etc/osbuild-composer
mkdir -p /etc/osbuild-worker
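Review bot: `mkdir -p "${SHARE_DIR}"` succeeds silently when the directory already exists, and the default on the context line above is the fixed path `/tmp/osbuild-composer-koji-test`, so on a shared host the directory may already belong to another user. The run-koji-container.sh hunk in this commit copies `koji-key.pem` and `client-key.pem` into a directory held in a variable of the same name, so who owns that directory and what mode it has decides who can read the private keys. I would refuse a directory this user does not own right after the mkdir, `[[ -O "${SHARE_DIR}" ]] || { echo "${SHARE_DIR} is not owned by this user" >&2; exit 1; }`, and set its mode explicitly to whatever the containers need rather than inheriting the umask. Taking the default from `mktemp -d` instead of a fixed name under `/tmp` would avoid the problem altogether.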
@@ -39,9 +33,3 @@ cp ${TEST_DATA}/osbuild-worker.toml \
echo "Copying system kerberos configuration"
cp ${TEST_DATA}/krb5.local.conf \
/etc/krb5.conf.d/local
-
-echo "Updating system trust chain"
-cp ${SHARE_DIR}/ca-crt.pem \
- /etc/pki/ca-trust/source/anchors/koji-ca-crt.pem
-
-update-ca-trust
diff --git a/test/integration.sh b/test/integration.sh
index bb64ed1..11a3dbd 100755
--- a/test/integration.sh
+++ b/test/integration.sh
@@ -75,6 +75,5 @@ greenprint "Stopping containers"
sudo test/run-koji-container.sh stop
greenprint "Removing generated CA cert"
-sudo rm \
- /etc/pki/ca-trust/source/anchors/koji-ca-crt.pem
+sudo rm /etc/pki/ca-trust/source/anchors/osbuild-ca-crt.pem
sudo update-ca-trust
diff --git a/test/make-certs.sh b/test/make-certs.sh
index 96e4287..fc52186 100755
--- a/test/make-certs.sh
+++ b/test/make-certs.sh
@@ -40,6 +40,21 @@ openssl ca -config "$CONFIG" -batch \
-in "${CA_DIR}/composer-csr.pem" \
-out "${CA_DIR}/composer-crt.pem"
+# koji
+echo "-=[ koji"
+openssl genrsa -out ${CA_DIR}/koji-key.pem 2048
+openssl req -new -sha256 \
+ -config "${CONFIG}" \
+ -key ${CA_DIR}/koji-key.pem \
+ -out ${CA_DIR}/koji-csr.pem \
+ -subj "/CN=localhost" \
+ -addext "subjectAltName=DNS.1:localhost,DNS.2:org.osbuild.koji.koji"
+
+openssl ca -config "$CONFIG" -batch \
+ -extensions osbuild_server_ext \
+ -in "${CA_DIR}/koji-csr.pem" \
+ -out "${CA_DIR}/koji-crt.pem"
+
# client
echo "-=[ client"
openssl genrsa -out ${CA_DIR}/client-key.pem 2048
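Review bot: The subjectAltName requested with `-addext` exists only in the CSR, and `openssl ca` discards CSR extensions unless the CA section of `$CONFIG` sets `copy_extensions`. That file is not part of this diff, so it is worth confirming that the issued `koji-crt.pem` really carries `org.osbuild.koji.koji`; if it does not, the hub's new `ServerAlias` would be served with a certificate that matches only `localhost`. A check right after the `openssl ca` call would catch this: `openssl x509 -in "${CA_DIR}/koji-crt.pem" -noout -ext subjectAltName | grep -q org.osbuild.koji.koji`. The `${CA_DIR}/koji-key.pem` and `${CA_DIR}/koji-csr.pem` arguments are also unquoted while the neighbouring `-in` and `-out` lines are quoted; quoting them keeps the block consistent and safe for paths with spaces.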
@@ -57,3 +72,9 @@ openssl ca -config "$CONFIG" -batch \
# fix permissions for composer
chown _osbuild-composer:_osbuild-composer ${CA_DIR}/composer-*
+
+echo "-=[ Updating system trust chain"
+cp ${CA_DIR}/ca-crt.pem \
+ /etc/pki/ca-trust/source/anchors/osbuild-ca-crt.pem
+
+update-ca-trust
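Review bot: The test CA is installed as a system-wide trust anchor here, but the only removal visible in this commit is at the very end of test/integration.sh. A run that aborts earlier, or a direct invocation of this script, therefore leaves `osbuild-ca-crt.pem` trusted on the host. The CA private key presumably stays in `${CA_DIR}` (its generation is outside this hunk), so the host would keep trusting a CA whose key sits on disk. I would register the cleanup in the caller with a trap, `trap 'sudo rm -f /etc/pki/ca-trust/source/anchors/osbuild-ca-crt.pem; sudo update-ca-trust' EXIT`, and add a comment here such as `# test-only CA: installs a system trust anchor, run on disposable machines only`. `${CA_DIR}` in the `cp` line is also unquoted.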
diff --git a/test/run-koji-container.sh b/test/run-koji-container.sh
index 7fb0fd1..b5c7f1e 100755
--- a/test/run-koji-container.sh
+++ b/test/run-koji-container.sh
@@ -50,17 +50,22 @@ koji_start() {
# create a share directory which is used to share files between the host and containers
mkdir -p "${SHARE_DIR}"
- # generate self-signed certificates in the share directory
- openssl req -new -nodes -x509 -days 365 -keyout "${SHARE_DIR}/ca-key.pem" -out "${SHARE_DIR}/ca-crt.pem" -subj "/CN=osbuild.org"
- openssl genrsa -out "${SHARE_DIR}/key.pem" 2048
+ # copy the koji certificates to the shared dir
+ if [[ -f "/etc/osbuild-composer/koji-key.pem" ]]; then
+ echo "Copying koji certificates"
- # certificate for "localhost" hostname
- openssl req -new -sha256 -key "${SHARE_DIR}/key.pem" -out "${SHARE_DIR}/csr.pem" -subj "/CN=localhost"
- openssl x509 -req -in "${SHARE_DIR}/csr.pem" -CA "${SHARE_DIR}/ca-crt.pem" -CAkey "${SHARE_DIR}/ca-key.pem" -CAcreateserial -out "${SHARE_DIR}/crt.pem"
+ cp /etc/osbuild-composer/koji-key.pem ${SHARE_DIR}
+ cp /etc/osbuild-composer/koji-crt.pem ${SHARE_DIR}
+ cp /etc/osbuild-composer/ca-crt.pem ${SHARE_DIR}/koji-ca.pem
+ fi
- # certificate for "org.osbuild.koji.koji" hostname
- openssl req -new -sha256 -key "${SHARE_DIR}/key.pem" -out "${SHARE_DIR}/csr-fqdn.pem" -subj "/CN=org.osbuild.koji.koji"
- openssl x509 -req -in "${SHARE_DIR}/csr-fqdn.pem" -CA "${SHARE_DIR}/ca-crt.pem" -CAkey "${SHARE_DIR}/ca-key.pem" -CAcreateserial -out "${SHARE_DIR}/crt-fqdn.pem"
+ if [[ -f "/etc/osbuild-composer/client-key.pem" ]]; then
+ echo "Copying client certificates"
+
+ cp /etc/osbuild-composer/client-key.pem ${SHARE_DIR}
+ cp /etc/osbuild-composer/client-crt.pem ${SHARE_DIR}
+ cp /etc/osbuild-composer/ca-crt.pem ${SHARE_DIR}/client-ca.pem
+ fi
${CONTAINER_RUNTIME} network create org.osbuild.koji
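Review bot: When `/etc/osbuild-composer/koji-key.pem` is missing, the first `if` is skipped without any message. This commit also removes the in-place certificate generation and points the hub's ssl.conf at `/share/koji-crt.pem`, so the container would start without a usable certificate and fail later with a less obvious error. An `else` branch that stops early makes the dependency explicit: `else echo "koji certificates not found in /etc/osbuild-composer" >&2; exit 1`. The `cp` lines leave `${SHARE_DIR}` unquoted although `mkdir -p "${SHARE_DIR}"` above quotes it, and the copied private keys get whatever mode `cp` and the umask produce in a directory shared with containers, so setting the mode explicitly is worth considering. `koji_start` begins and continues outside this hunk.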