Add check for sha1 CA certificate

bin/katello-certs-check

@@ -249,6 +249,16 @@ function check-shortname () {
     fi
 }
 
+function check-ca-signing-algorithm () {
+    printf "Checking CA signing algorithm for sha1: "
+    CHECK=$(openssl crl2pkcs7 -nocrl -certfile "$CA_BUNDLE_FILE" | openssl pkcs7 -print | grep algorithm | grep -q 'sha1WithRSAEncryption')
+    if [[ $? == "0" ]]; then
+        error 4 "The file '$CA_BUNDLE_FILE' contains a certificate signed with sha1 and will break installation. Update the server CA certificate and its chain with one signed by sha256 or stronger."
+    else
+        success
+    fi
+}
+
 check-files-exist
 check-server-cert-encoding
 check-expiration
@@ -261,6 +271,7 @@ check-ca-bundle-trust-rules
 check-cert-san
 check-cert-usage-key-encipherment
 check-shortname
+check-ca-signing-algorithm
 
 if [[ $EXIT_CODE == "0" ]] && ([[ $TARGET == ${SERVER_TARGET} ]] || [[ -z "$TARGET" ]]) ; then
     echo -e "${GREEN}Validation succeeded${RESET}\n"

spec/fixtures/katello-certs-check/certs/.crt

@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICwzCCAasCFCfqmT5iimHv5Qw7DMKZztytQza4MA0GCSqGSIb3DQEBBQUAMB4x
+HDAaBgNVBAMME1Rlc3QgU2VsZi1TaWduZWQgQ0EwHhcNMjQxMjA2MTk1NjI4WhcN
+MzQxMjA0MTk1NjI4WjAeMRwwGgYDVQQDDBNUZXN0IFNlbGYtU2lnbmVkIENBMIIB
+IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnjSxkMAFGgEw8/5kJ/GccLFZ
+4z4aJoYvf2brg1V158GOyEq3H49Uj46spgIFrMZeA38eQu4vWU0hm8G3mM73J/SM
+xxqO+O+9voqfO+aVtKIplt9u87Ae0KYhnFIIMvgdXFhsq51vPkWDmabc7Oaw1JM5
+aDigf2vcJ05gVOc4B8uw9S1cL8tsAyDXZfzlydvyPCVjFlj7TyPiCNqOL2WjqV8k
+MJ9VCERxz/ywWKU+1YQnxhK/25IHvlu1xgvNOs76FE9axkzx9q10N8xPSAZ3BZuW
+sdVrDLp5zbPcSZGuPjwRGiJ4V7bfpmloz91FyQh3o6cLGNtrVd/WNpr4Pj+0BQID
+AQABMA0GCSqGSIb3DQEBBQUAA4IBAQAPgDEYoJRcerXYvWZiNtyK+8F3SCwm/1vE
+mjBlq5604tcEPAkJCNqL4fEyj3vM5TUkPKBPZBvo3pkuMOCRqnlylfV+HVlPt7Zw
+cXpCQxEvV39HaL0eHOJ4eUHYwbXwecqX/rqf+ncA1IQJsAomFlvK4KMlcrYm53Ul
+vFd/o8xdeU3UvazPjPbxZ691DApkJ9WqxgXGemksQkZrK2i+7UZQ0CQNty6TKI8o
+mp44Df94w/dXrs3bjAueNzD47tGMIlfwhw19k+r9qlThWiX3PIiAKvmYB2mM1BX3
+XGlgRlt6C26INTO+GBTNo6YtuaTtNNxQrR97ASoNfF1rR0ZLwcqA
+-----END CERTIFICATE-----

spec/fixtures/katello-certs-check/certs/ca-sha1-bundle.crt

@@ -0,0 +1,36 @@
+-----BEGIN CERTIFICATE-----
+MIIDHTCCAgWgAwIBAgIUK+x25LNYYMHS83aWDnAYviwxEYEwDQYJKoZIhvcNAQEL
+BQAwHjEcMBoGA1UEAwwTVGVzdCBTZWxmLVNpZ25lZCBDQTAeFw0yMDExMTgwMjMw
+NDNaFw0zMDExMTYwMjMwNDNaMB4xHDAaBgNVBAMME1Rlc3QgU2VsZi1TaWduZWQg
+Q0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC92114uygw5KcqPCz1
+E/Cwd3Lo2ytyPD9FchWKPOxXpNisHMOr4zAfsxERXmgBLawHIkqc2Xae3TqHGGQa
+ll3J3HukwghZQAyjcNG/Q2Q2QqfQW1tzxHRnz2EKBoRoyhmVXcnu+qBoEgkf5QI/
+Rk9HzLJINZPcZuMEkRgcf5q1h/F+PY2yCMwT5qjB6whn6zX6FP6G3//fRtkZw4cI
+FPPjKJedbHlYEifRigmJfu+T5Q5xz19Og/1zDwfl7is5eBUV+KEoIE7UpmvR1UrM
++T6WYl3vxeM08y1QU6vR9GqummDMinfWLj0hV+dYwI9/1fHIjfPqgxPUa5AGw7ik
+vyrvAgMBAAGjUzBRMB0GA1UdDgQWBBQz80R5aRb/egnEMKHQonUM3xgj6DAfBgNV
+HSMEGDAWgBQz80R5aRb/egnEMKHQonUM3xgj6DAPBgNVHRMBAf8EBTADAQH/MA0G
+CSqGSIb3DQEBCwUAA4IBAQCdiBvQx6ExmteTzwkGCheKwUMvzCehuwvpoJRE/JXo
+zz67414oyWXkSN8/9HE3nkH/xxunD/Ni+N9ppk7iicSpyOKfdDXiaS8qq1O1OXCx
+CjoVuIFAPFWOEEhLdnb1v8YVWx2JwcbGvhCLNSoK1a6uwCmWixtoeQiKspBfwFcb
+wfU9qNdXsezBljahE4Q2E4SR+XclA6iHdooX4ajnleamqeH0ephyCqvMAhzfJA5F
+O1+SJRFbIjwfKxsEJS6Czrn+EU2eLtxk5g5+oO06ZYj4rVOfgc2Wc0+cisgP0fT/
+WVkAxgGS6L0jGvZSisEUBpoidJNddWnf9mzUT2kJ5DCO
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIICwzCCAasCFCfqmT5iimHv5Qw7DMKZztytQza5MA0GCSqGSIb3DQEBBQUAMB4x
+HDAaBgNVBAMME1Rlc3QgU2VsZi1TaWduZWQgQ0EwHhcNMjQxMjA2MTk1NzM2WhcN
+MzQxMjA0MTk1NzM2WjAeMRwwGgYDVQQDDBNUZXN0IFNlbGYtU2lnbmVkIENBMIIB
+IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2SygWdi+BjZRyo8G5WW/527S
+JB3Mpkc35G0RQ+hszXlH6XqFw5NTcTebF5UnJ/DtuKQ0r4FAmJopH5/bejysb7xe
+tV6vgjcga3C7XVuHs1dbU7NUVWEiy0VvhI/znIK7HQ2AI//5v8CaDMxnBD4El55Y
+dagpBFCKuiuKTy4G1l4opeZGJe5ZFs10bPX5VbrqJs6l1p5C+ylrJmMxAwTtnq1Y
+qFu9B8k9wjZYTBFcEAO4CEAs/EAIfQZcd6XCq2L/YhofqBXy7Nr97NZgPUH8UtZA
+nTbG0P0dEBiSEx0rbbIg2ToAhcgLAgzPZbVV+fon/V2K7yq/Y+XQWMMGqTeuZwID
+AQABMA0GCSqGSIb3DQEBBQUAA4IBAQB7UCCFbs2kkpFR2epS97Zc7/OBd1M9ZLCh
+YRLJEjywrEnc/m8KQ9TqVSxWnk8O2Ld7hkrME4fZ+S8riXXrjv8kfRImoZE/3h2f
+QDmKOS10d79ehEtgSKBToukEcwgL5q/PjQ840wEjJK5gEG3UoFXIl3/EkvPi8Vrq
+ELBKYJhzaJA1g0ziOZWJh/sXI9ryIJ9XHUPwx5elqdtXMR0SRpvo1FmtATgBtPga
+wQ6H2KHLnas9h1owoyPETxYnd7qgbNORGSglhH0PiUTbucD6ozU+VcBuq9qPJnwZ
+76lKsVXoyGQydEuEYOmYstJqE+nBfVgPG4OwgHHHt99htimjCcn3
+-----END CERTIFICATE-----

spec/fixtures/katello-certs-check/certs/ca-sha1.crt

@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICwzCCAasCFCfqmT5iimHv5Qw7DMKZztytQza5MA0GCSqGSIb3DQEBBQUAMB4x
+HDAaBgNVBAMME1Rlc3QgU2VsZi1TaWduZWQgQ0EwHhcNMjQxMjA2MTk1NzM2WhcN
+MzQxMjA0MTk1NzM2WjAeMRwwGgYDVQQDDBNUZXN0IFNlbGYtU2lnbmVkIENBMIIB
+IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2SygWdi+BjZRyo8G5WW/527S
+JB3Mpkc35G0RQ+hszXlH6XqFw5NTcTebF5UnJ/DtuKQ0r4FAmJopH5/bejysb7xe
+tV6vgjcga3C7XVuHs1dbU7NUVWEiy0VvhI/znIK7HQ2AI//5v8CaDMxnBD4El55Y
+dagpBFCKuiuKTy4G1l4opeZGJe5ZFs10bPX5VbrqJs6l1p5C+ylrJmMxAwTtnq1Y
+qFu9B8k9wjZYTBFcEAO4CEAs/EAIfQZcd6XCq2L/YhofqBXy7Nr97NZgPUH8UtZA
+nTbG0P0dEBiSEx0rbbIg2ToAhcgLAgzPZbVV+fon/V2K7yq/Y+XQWMMGqTeuZwID
+AQABMA0GCSqGSIb3DQEBBQUAA4IBAQB7UCCFbs2kkpFR2epS97Zc7/OBd1M9ZLCh
+YRLJEjywrEnc/m8KQ9TqVSxWnk8O2Ld7hkrME4fZ+S8riXXrjv8kfRImoZE/3h2f
+QDmKOS10d79ehEtgSKBToukEcwgL5q/PjQ840wEjJK5gEG3UoFXIl3/EkvPi8Vrq
+ELBKYJhzaJA1g0ziOZWJh/sXI9ryIJ9XHUPwx5elqdtXMR0SRpvo1FmtATgBtPga
+wQ6H2KHLnas9h1owoyPETxYnd7qgbNORGSglhH0PiUTbucD6ozU+VcBuq9qPJnwZ
+76lKsVXoyGQydEuEYOmYstJqE+nBfVgPG4OwgHHHt99htimjCcn3
+-----END CERTIFICATE-----

spec/fixtures/katello-certs-check/certs/ca-sha1.key

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDZLKBZ2L4GNlHK
+jwblZb/nbtIkHcymRzfkbRFD6GzNeUfpeoXDk1NxN5sXlScn8O24pDSvgUCYmikf
+n9t6PKxvvF61Xq+CNyBrcLtdW4ezV1tTs1RVYSLLRW+Ej/OcgrsdDYAj//m/wJoM
+zGcEPgSXnlh1qCkEUIq6K4pPLgbWXiil5kYl7lkWzXRs9flVuuomzqXWnkL7KWsm
+YzEDBO2erVioW70HyT3CNlhMEVwQA7gIQCz8QAh9Blx3pcKrYv9iGh+oFfLs2v3s
+1mA9QfxS1kCdNsbQ/R0QGJITHSttsiDZOgCFyAsCDM9ltVX5+if9XYrvKr9j5dBY
+wwapN65nAgMBAAECggEADqcmAI87rwPzkSUE/u2rvOFAziKxQAIrzBPsfMujVQUb
+AYP8n31YEsUA3V6jwDGk0Hb1KRGhpUo4KRk/lT1KbdWPVvxsVMRZwcte5kXP351Z
+cknLZbatQtAiCJcv2tOv7Ui6aHNpIJ4i/BG/Mk2UQL30flJvcLTrJJ7dxkmMOOK3
+VMjKjqpk+pQuoZ++WZ16wLcQV0UZZ2cwY5IbVfIuCAOtr95wB87D06qDkcfx6KsT
+aqimFqmct+KILq1oOTdeyLNPDgW6UL7wfhJd7/3gCC+nRjNuaW1yes33eyeRQ55o
+M3u8I+BqUADKYGW2+z7uObnEkNZqCbQzXOF61whCdQKBgQDzahS9rlGNunzW1Rit
+pQPjQ30fumDstwGRf75go5l0np9GMiHgNb9J89xvSW59gS5bWDt6bO9hAah05DBC
+IZtL66sKi1oeDiYZeV3Ua1UGBSmy8n8Zz7dSZmQUl0hxoPcnDv3iZx9UHYcuhJwW
+Uii5UCJZJolJBd+v+lef9pE0ewKBgQDkZzj/8dwOGtsWUIa8NPS4n2FTafnjsVvS
+lRodG+AS1YTv70RCrm0gqLWtv3BptedLeDuxUP1XWyTHMPI92xjg+Sn/3+2XdHv8
+0HoZYV7Fkmw3LkzEWrLrJ/drRNQOF9G/lVecQ/gHVQswPoaFn5U2yi3LV8avpaeU
+rxNjgNh4BQKBgQDBezfDUhV3H53tsfLsy7bcZZ/GoYI7hngTrEOqU0A+J3uY825j
+5rUHVnSIbQkLb6xmZSrZ9E8Of5/kUiFd35KudUQ+nGfkbgCwzPzdRPePUnlDyWdo
+H+iq8cJpb5rg3z61aEA8PxXy6YmzWysqvuGp811qGayUQ7v7CHWwK/BdkwKBgCPC
+uZzxLEgVElpjD0VmcS563c0mmZZ5zWuiJq2KEMJCJgc/Cgv6rWFgqNlkUOBsN6OM
+VqRDjvbfcVmyoyrmI/YNbPMAB34gIc2KgqN4qFL8wu681A4mOT8ySb3E0ALI3fFG
+G6p+xdW4DgFmuL8xJjam3xaoTpZvtFZGNx3sLXhVAoGBAKaQCjcR9EwCObim8+s8
+l97xSSDtkcvHBcV3bWRo+5c5RiNShjNRYGnJ2YhaVgbB3kkVZjkfdMN/Ms5H1htF
+SMrVKbByAQF9p8QeOoww99sx/dExwIA5p4VuUlmFHRhDCgnLhUXe/RJP5Y2+16hn
+vDYEQDTkTV2whuDB51qV29Gz
+-----END PRIVATE KEY-----

spec/fixtures/katello-certs-check/certs/foreman-sha1.example.com.crt

@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDejCCAmKgAwIBAgIUcHqMbOmM7gGFcfi3jIb1vTitbkQwDQYJKoZIhvcNAQEL
+BQAwHjEcMBoGA1UEAwwTVGVzdCBTZWxmLVNpZ25lZCBDQTAeFw0yNDEyMDYxOTU3
+MzZaFw0zNDEyMDQxOTU3MzZaMB4xHDAaBgNVBAMME2ZvcmVtYW4uZXhhbXBsZS5j
+b20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQChlvkIs/8vsEQCVN/j
+73ugXfufdYah8VzkcCjSocRoisszS+GUKKawwDd1zWdwOHcoV+7HBFKLAtyjhCFR
+kqezttMTePWXhT4ted9La07zasXHCmy+GUTnuf0jgEX7SeG+0HOwVrm9rvq5cswS
+up/QIL9BIYn+AQQELrS63yLqblc0WdV8VMnMjj46i/qZG2iJIoM/RVIfaq90if96
+TijXt53LKHh1SV+LXZxt3BJgGTRFfaG843S1Aea6h9UFdrn7dzIDknrb7kWzz81K
+Wear1trFdgkj13BbBF+AunbVejK8Pk6hm4i82ropBDxanSy7iOvlm/Uz9NDLKAON
+dJ4xAgMBAAGjga8wgawwCwYDVR0PBAQDAgUgMDkGA1UdEQQyMDCCE2ZvcmVtYW4u
+ZXhhbXBsZS5jb22CGWZvcmVtYW4tZWMzODQuZXhhbXBsZS5jb20wHQYDVR0OBBYE
+FHnA0BUv7moEuAeEn/DGrIQbjD08MEMGA1UdIwQ8MDqhIqQgMB4xHDAaBgNVBAMM
+E1Rlc3QgU2VsZi1TaWduZWQgQ0GCFCfqmT5iimHv5Qw7DMKZztytQza5MA0GCSqG
+SIb3DQEBCwUAA4IBAQC0NSSu2LBWAMHol1ywQSk1+L5naiX8hn9aafgOcE8UlEAk
+b05LCeqZ/MyDR1sxfDwKFIHjkDG0FjbizUr9R5J4PGHOgJuGFaePYrAGpCF03rFi
+GmrYnxFo309wC2uBiuK5yMTif7/WM9QfhaZ3JGe9tpiZAHWkcjfYb5Ujc/LqQJ13
+y6W9QpKWFaMEX/N6LMai6jto69Q+2WqTruw7mqBBW0MCaHNCeLIU9zzDyvwtoHzs
+EJEsvkVhUBXtWhMPomxjfybHOB7rHPbNnyY+3tCKXO80w3GuWPlpdSVvphTujZtv
+KMSeO4MwrU0j69tqzIsvG3ha0PNroRL6D0p45KLy
+-----END CERTIFICATE-----

spec/fixtures/katello-certs-check/certs/foreman-sha1.example.com.key

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQChlvkIs/8vsEQC
+VN/j73ugXfufdYah8VzkcCjSocRoisszS+GUKKawwDd1zWdwOHcoV+7HBFKLAtyj
+hCFRkqezttMTePWXhT4ted9La07zasXHCmy+GUTnuf0jgEX7SeG+0HOwVrm9rvq5
+cswSup/QIL9BIYn+AQQELrS63yLqblc0WdV8VMnMjj46i/qZG2iJIoM/RVIfaq90
+if96TijXt53LKHh1SV+LXZxt3BJgGTRFfaG843S1Aea6h9UFdrn7dzIDknrb7kWz
+z81KWear1trFdgkj13BbBF+AunbVejK8Pk6hm4i82ropBDxanSy7iOvlm/Uz9NDL
+KAONdJ4xAgMBAAECggEACZ1dkQaAwxomWcsqDTp1LSwaajkIez9MyyzfSPUmJiBI
+CfPUZsfqby7oveIsavF5KZXd18qqjKntbe9ROjTTNK7GrWxvlIXxlqwfPLIUXwh1
+3yuAH+mJ/43CAahCwbp6K6vkjlQCtkYglgM+IEkpdC1Wo+32c34k+oi66TmYrsEs
+xDba7VYDqsmUtkfykEGLkSMc0uUD40nh/IMo4TRvqgptJe3frjrw9TohECs1O3yt
+2of2tPeto2o/L6JSYyE0gtZBgt3R7UesfP1oyWs2Z9xUGCvvei/vjCZTYVanzlaR
+2E/ZUE+683XAP0M/7EkOqOVmdGdh/ogDZ5/fcKrxSQKBgQDV0AHSXqFsJHmIH9yk
+NZi9Wh3+3+jSmoFwzZ5A3OL35xy8P7W9Fxo0ZGSso9bFvyAXsjkhdoAh1F99cbmA
+0CSxzCQDcUZG7735ZTCcVQkpyojSee1rLdUrD3hebcg6LqQ2BBhg+JwCA22ZdUqe
+cuLrAhc2XGgYoVAhRMsNebquXQKBgQDBeR0l7jUF9kDLg9hHs+QapPpYDwRYX0a2
+JBJrUI4oePxbqYOhIlY3torCAw1hda7fYE2DIp3X4IshxGP5trWc6TGcuSPwwbT1
+PsYzoNt/2qiqFo13HwukpTMUfta4ZrzECe9EVvdeVmF+g6MWPQHqrSGHM0czumS/
+TfO4j5Tp5QKBgF57LFLpvisrcwjUC4wEoxoJWHfoOdnWrJxMQEIpWaJyXiBRht2n
+98xvEI25WI7JhkTyXIyM8NICJrAoMPDbCVwH+WIMDCIMjsZGENUEPqhY910Kw/84
+oZoFnAseN/x939J+vMcdFNNO8H9/dRnParauldNPwjAgGGibHZ82y2eBAoGAIwek
+yWtZ2lx92ttiW4kssc5RLYR6iu2lRfE+DIQnWRieyJHmrVQkPC4m7X3T/GNsaDFt
+l2K7JY0YY+LFHz9/notyWigDY+IOu6DEDjD/zSRwCWvP7VOHriXjG8Dja7veTbhm
+w/7jBweo21lGPA6LvEvgmDQmni0PdLvOdwo4MikCgYBHbMGfVtl4ht/YA+dkSDZ8
+I2LvMVu7hLVrYh0OS9xVX0A21TDdA4j3aGZI1I1d5PRZ3oIlNQkbpN7uMlnpgqWO
+2gw/s2fGJQ0ox0XGeJNDQQhN3BzKHy5sNDbVCwPkuBEG56c5Tj2VfgEFSucOp9AP
+QvH1TYJFELH0XveWP/b/Eg==
+-----END PRIVATE KEY-----

spec/fixtures/katello-certs-check/create_cert.sh

@@ -38,6 +38,29 @@ else
   echo "CA certificate bundle with trust rules exists. Skipping."
 fi
 
+CA_SHA1_CERT_NAME=ca-sha1
+CA_SHA1_CERT_BUNDLE=ca-sha1-bundle
+if [[ ! -f "$CERTS_DIR/$CA_SHA1_CERT_NAME.key" || ! -f "$CERTS_DIR/$CA_SHA1_CERT_NAME.crt" || ! -f "$CERTS_DIR/$CA_SHA1_CERT_BUNDLE.crt" ]]; then
+  echo "Generate CA with sha1 signing algorithm"
+  openssl genrsa -out $CERTS_DIR/$CA_SHA1_CERT_NAME.key 2048
+  openssl req -new -key $CERTS_DIR/$CA_SHA1_CERT_NAME.key -sha1 -out $CERTS_DIR/$CA_SHA1_CERT_NAME.csr -subj "/CN=Test Self-Signed CA"
+  openssl x509 -req -in $CERTS_DIR/$CA_SHA1_CERT_NAME.csr -CA $CERTS_DIR/$CA_CERT_NAME.crt -CAkey $CERTS_DIR/$CA_CERT_NAME.key -CAcreateserial -out $CERTS_DIR/$CA_SHA1_CERT_NAME.crt -days 3650 -sha1
+
+  cat $CERTS_DIR/$CA_CERT_NAME.crt $CERTS_DIR/$CA_SHA1_CERT_NAME.crt > $CERTS_DIR/$CA_SHA1_CERT_BUNDLE.crt
+else
+  echo "CA certificate exists. Skipping."
+fi
+
+CERT_NAME=foreman-sha1.example.com
+if [[ ! -f "$CERTS_DIR/$CERT_NAME.key" || ! -f "$CERTS_DIR/$CERT_NAME.crt" ]]; then
+  echo "Generate server certificate"
+  openssl genrsa -out $CERTS_DIR/$CERT_NAME.key 2048
+  openssl req -new -key $CERTS_DIR/$CERT_NAME.key -out $CERTS_DIR/$CERT_NAME.csr -subj "/CN=foreman.example.com"
+  openssl x509 -req -in $CERTS_DIR/$CERT_NAME.csr -CA $CERTS_DIR/$CA_SHA1_CERT_NAME.crt -CAkey $CERTS_DIR/$CA_SHA1_CERT_NAME.key -CAcreateserial -out $CERTS_DIR/$CERT_NAME.crt -days 3650 -sha256 -extfile extensions.txt -extensions extensions
+else
+  echo "Server certificate with bad SAN exists. Skipping."
+fi
+
 CERT_NAME=foreman-bad-san.example.com
 if [[ ! -f "$CERTS_DIR/$CERT_NAME.key" || ! -f "$CERTS_DIR/$CERT_NAME.crt" ]]; then
   echo "Generate server certificate"

spec/katello_certs_check_spec.rb

@@ -123,4 +123,30 @@ def fixture(filename)
       expect(status.exitstatus).to eq 10
     end
   end
+
+  context 'with sha1 server CA certificate' do
+    let(:key) { File.join(certs_directory, 'foreman-sha1.example.com.key') }
+    let(:cert) { File.join(certs_directory, 'foreman-sha1.example.com.crt') }
+    let(:ca) { File.join(certs_directory, 'ca-sha1.crt') }
+
+    it 'fails' do
+      command_with_certs = "#{command} -b #{ca} -k #{key} -c #{cert}"
+      _stdout, stderr, status = Open3.capture3(command_with_certs)
+      expect(stderr).to include "The file '#{ca}' contains a certificate signed with sha1 and will break installation. Update the server CA certificate and its chain with one signed by sha256 or stronger."
+      expect(status.exitstatus).to eq 4
+    end
+  end
+
+  context 'with sha1 server CA certificate bundle' do
+    let(:key) { File.join(certs_directory, 'foreman-sha1.example.com.key') }
+    let(:cert) { File.join(certs_directory, 'foreman-sha1.example.com.crt') }
+    let(:ca) { File.join(certs_directory, 'ca-sha1-bundle.crt') }
+
+    it 'fails' do
+      command_with_certs = "#{command} -b #{ca} -k #{key} -c #{cert}"
+      _stdout, stderr, status = Open3.capture3(command_with_certs)
+      expect(stderr).to include "The file '#{ca}' contains a certificate signed with sha1 and will break installation. Update the server CA certificate and its chain with one signed by sha256 or stronger."
+      expect(status.exitstatus).to eq 4
+    end
+  end
 end