Add --ca option to tedge cert renew

didier-wenzek · didier-wenzek · commit bc3e6ece006f · 2025-04-15T15:58:12.000+02:00
Signed-off-by: Didier Wenzek &lt;didier.wenzek@free.fr&gt;
diff --git a/crates/core/tedge/src/cli/certificate/cli.rs b/crates/core/tedge/src/cli/certificate/cli.rs
@@ -67,18 +67,17 @@ pub enum TEdgeCertCli {
         #[clap(long = "csr-path", global = true, value_hint = ValueHint::FilePath)]
         csr_path: Option<Utf8PathBuf>,
 
-        /// Force the renewal of self-signed certificates as self-signed
+        /// Certificate Authority (CA) used to renew the certificate
         ///
-        /// This can be used to bypass the default behavior
-        /// which is to forward the renewal request to the cloud CA
-        /// even if the current certificate has not been signed by this CA.
+        /// Cumulocity CA is currently the only supported one and this is the default,
+        /// even if the current certificate has not been signed by Cumulocity.
         /// In most cases, the default behavior is what you want:
         /// substitute a proper CA-signed certificate for a self-signed certificate.
         ///
         /// However, if this is not the case, or if the cloud endpoint doesn't provide a CA:
-        /// use `--self-signed` to get a renewed self-signed certificate.
-        #[clap(long = "self-signed", default_value_t = false)]
-        self_signed_only: bool,
+        /// use `--ca self-signed` to get a renewed self-signed certificate.
+        #[clap(long = "ca", default_value_t = CA::C8y)]
+        ca: CA,
 
         #[clap(subcommand)]
         cloud: Option<CloudArg>,
@@ -132,6 +131,15 @@ pub enum TEdgeCertCli {
     Download(DownloadCertCli),
 }
 
+#[derive(clap::ValueEnum, Clone, Debug, Eq, PartialEq, strum_macros::Display)]
+pub enum CA {
+    #[strum(serialize = "self-signed")]
+    SelfSigned,
+
+    #[strum(serialize = "c8y")]
+    C8y,
+}
+
 impl BuildCommand for TEdgeCertCli {
     fn build_command(
         self,
@@ -287,7 +295,7 @@ impl BuildCommand for TEdgeCertCli {
             TEdgeCertCli::Renew {
                 csr_path,
                 cloud,
-                self_signed_only,
+                ca,
             } => {
                 let cloud: Option<Cloud> = cloud.map(<_>::try_into).transpose()?;
                 let cert_path = config.device_cert_path(cloud.as_ref())?.to_owned();
@@ -310,15 +318,15 @@ impl BuildCommand for TEdgeCertCli {
                     }
                 };
 
-                if is_self_signed && self_signed_only {
+                if is_self_signed && ca == CA::SelfSigned {
                     let cmd = RenewCertCmd {
                         cert_path,
                         new_cert_path,
                         key_path,
                         csr_template,
                     };
                     cmd.into_boxed()
-                } else if self_signed_only {
+                } else if ca == CA::SelfSigned {
                     return Err(
                         anyhow!("Cannot renew certificate with `--self-signed`: {cert_path} is not self-signed").into()
                     );
diff --git a/tests/RobotFramework/tests/tedge/tedge_upload_cert.robot b/tests/RobotFramework/tests/tedge/tedge_upload_cert.robot
@@ -38,7 +38,7 @@ Renew the certificate
     [Setup]    Setup With Self-Signed Certificate
     Execute Command    sudo tedge disconnect c8y
     ${output}=    Execute Command
-    ...    sudo tedge cert renew --self-signed
+    ...    sudo tedge cert renew --ca self-signed
     ...    stderr=${True}
     ...    stdout=${False}
     ...    ignore_exit_code=${True}
@@ -57,7 +57,7 @@ Cert upload prompts for username (from stdin)
     [Setup]    Setup With Self-Signed Certificate
     Execute Command    sudo tedge disconnect c8y
     ${output}=    Execute Command
-    ...    sudo tedge cert renew --self-signed
+    ...    sudo tedge cert renew --ca self-signed
     ...    stderr=${True}
     ...    stdout=${False}
     ...    ignore_exit_code=${True}
@@ -75,7 +75,7 @@ Cert upload supports reading username/password from go-c8y-cli env variables
     [Setup]    Setup With Self-Signed Certificate
     Execute Command    sudo tedge disconnect c8y
     ${output}=    Execute Command
-    ...    sudo tedge cert renew --self-signed
+    ...    sudo tedge cert renew --ca self-signed
     ...    stderr=${True}
     ...    stdout=${False}
     ...    ignore_exit_code=${True}
@@ -93,7 +93,7 @@ Renew certificate fails
     [Setup]    Setup Without Certificate
     Execute Command    sudo tedge cert remove
     ${output}=    Execute Command
-    ...    sudo tedge cert renew --self-signed
+    ...    sudo tedge cert renew --ca self-signed
     ...    stderr=${True}
     ...    stdout=${False}
     ...    ignore_exit_code=${True}
diff --git a/tests/RobotFramework/tests/tedge/tedge_upload_cert_custom_root_cert_path.robot b/tests/RobotFramework/tests/tedge/tedge_upload_cert_custom_root_cert_path.robot
@@ -15,7 +15,7 @@ tedge cert upload c8y respects root cert path
     [Setup]    Setup With Self-Signed Certificate
     Execute Command    sudo tedge disconnect c8y
     ${output}=    Execute Command
-    ...    sudo tedge cert renew --self-signed
+    ...    sudo tedge cert renew --ca self-signed
     ...    stderr=${True}
     ...    stdout=${False}
     ...    ignore_exit_code=${True}
