test: add comprehensive test scripts for exports and private key storage

tests/README.md

@@ -0,0 +1,97 @@
+# Tests PKI API
+
+Scripts de test pour vérifier les fonctionnalités de l'API PKI.
+
+## Prérequis
+
+- Docker Compose en cours d'exécution (API + MongoDB)
+- `jq` et `curl` installés
+- La stack accessible sur `http://localhost:8080`
+
+## Scripts disponibles
+
+### test_complete.sh
+Test complet end-to-end de toutes les fonctionnalités:
+- Création de Root CA
+- Création de Sub-CA
+- Création de certificat standard
+- Exports (PEM, DER, avec clé privée, chaîne)
+- Révocation de certificat
+- Génération de CRL
+- Vérification du stockage MongoDB
+
+```bash
+./test_complete.sh
+```
+
+### test_exports.sh
+Test spécifique des formats d'export de certificats:
+- PEM
+- DER
+- PEM avec clé privée
+- Chaîne de certificats
+
+```bash
+./test_exports.sh
+```
+
+### test_private_keys.sh
+Test de vérification du stockage des clés privées:
+- Création de certificat standard (non-CA)
+- Création de CA
+- Export avec clés privées
+- Vérification MongoDB
+
+```bash
+./test_private_keys.sh
+```
+
+## Exécuter tous les tests
+
+```bash
+cd tests/
+bash test_complete.sh && bash test_exports.sh && bash test_private_keys.sh
+```
+
+## Résultats attendus
+
+Tous les tests doivent afficher `✓` pour chaque étape:
+
+```
+=== PKI Complete Feature Test ===
+[1] Login...
+✓ Login successful
+[2] Creating Root CA...
+✓ Root CA created: <uuid>
+...
+=== All tests passed! ===
+```
+
+## Fichiers exportés
+
+Les tests créent des fichiers d'export temporaires dans:
+- `/tmp/pki_exports_test/` (test_exports.sh)
+- `/tmp/` (test_private_keys.sh)
+
+## Dépannage
+
+**Erreur de connexion au serveur**:
+```bash
+# Vérifier que la stack est lancée
+docker compose ps
+
+# Redémarrer si nécessaire
+docker compose down && docker compose up -d --build
+```
+
+**Erreur MongoDB**:
+```bash
+# Vérifier la connexion MongoDB
+docker exec pkiapi-mongo mongosh -u admin -p password --authenticationDatabase admin pkiapi --eval "db.certificates.count()"
+```
+
+**Erreur jq**:
+```bash
+# Installer jq si nécessaire
+sudo apt-get install jq
+```

tests/pki_complete_test.sh

@@ -0,0 +1,84 @@
+#!/bin/bash
+
+API_URL="http://localhost:8080/api/v1"
+EXPORT_DIR="/tmp/pki_complete_test"
+mkdir -p "$EXPORT_DIR"
+
+echo "=== PKI Complete Feature Test ==="
+echo "Date: $(date)"
+echo ""
+
+# 1. Login
+TOKEN=$(curl -s -X POST "$API_URL/login" \
+  -H "Content-Type: application/json" \
+  -d '{"username":"admin","password":"admin"}' | jq -r '.token')
+echo "[✓] Login successful"
+
+# 2. Create Root CA
+ROOT_CA=$(curl -s -X POST "$API_URL/ca" \
+  -H "Authorization: Bearer $TOKEN" \
+  -H "Content-Type: application/json" \
+  -d '{"subject":"CN=Root CA,O=Example,C=FR","validity_days":3650}')
+ROOT_CA_ID=$(echo $ROOT_CA | jq -r '.ca.id')
+echo "[✓] Root CA created: $ROOT_CA_ID"
+
+# 3. Create Sub-CA
+SUB_CA=$(curl -s -X POST "$API_URL/ca/sign" \
+  -H "Authorization: Bearer $TOKEN" \
+  -H "Content-Type: application/json" \
+  -d "{\"parent_ca_id\":\"$ROOT_CA_ID\",\"subject\":\"CN=Intermediate CA,O=Example,C=FR\",\"validity_days\":1825}")
+SUB_CA_ID=$(echo $SUB_CA | jq -r '.ca.id')
+echo "[✓] Sub-CA created: $SUB_CA_ID"
+
+# 4. Create standard certificate (non-CA)
+CERT=$(curl -s -X POST "$API_URL/certificates/sign" \
+  -H "Authorization: Bearer $TOKEN" \
+  -H "Content-Type: application/json" \
+  -d "{\"ca_id\":\"$SUB_CA_ID\",\"subject\":\"CN=app.example.com,O=Example,C=FR\",\"validity_days\":365}")
+CERT_ID=$(echo $CERT | jq -r '.certificate.id')
+echo "[✓] Standard certificate created: $CERT_ID"
+
+# 5. Test PEM export
+curl -s -H "Authorization: Bearer $TOKEN" \
+  "$API_URL/certificates/$CERT_ID/export/pem" \
+  -o "$EXPORT_DIR/cert.pem"
+echo "[✓] PEM export: $(stat -c%s "$EXPORT_DIR/cert.pem") bytes"
+
+# 6. Test DER export
+curl -s -H "Authorization: Bearer $TOKEN" \
+  "$API_URL/certificates/$CERT_ID/export/der" \
+  -o "$EXPORT_DIR/cert.der"
+echo "[✓] DER export: $(stat -c%s "$EXPORT_DIR/cert.der") bytes"
+
+# 7. Test PEM with private key (for standard cert)
+curl -s -H "Authorization: Bearer $TOKEN" \
+  "$API_URL/certificates/$CERT_ID/export/pem-with-key" \
+  -o "$EXPORT_DIR/cert_with_key.pem"
+KEY_COUNT=$(grep -c "BEGIN PRIVATE KEY" "$EXPORT_DIR/cert_with_key.pem" 2>/dev/null || echo "0")
+echo "[✓] PEM with key export: $(stat -c%s "$EXPORT_DIR/cert_with_key.pem") bytes ($KEY_COUNT private keys)"
+
+# 8. Test chain export
+curl -s -H "Authorization: Bearer $TOKEN" \
+  "$API_URL/certificates/$CERT_ID/export/chain" \
+  -o "$EXPORT_DIR/cert_chain.pem"
+CHAIN_COUNT=$(grep -c "BEGIN CERTIFICATE" "$EXPORT_DIR/cert_chain.pem" 2>/dev/null || echo "0")
+echo "[✓] Chain export: $(stat -c%s "$EXPORT_DIR/cert_chain.pem") bytes ($CHAIN_COUNT certificates)"
+
+# 9. Test revocation
+REV=$(curl -s -X POST "$API_URL/revoke" \
+  -H "Authorization: Bearer $TOKEN" \
+  -H "Content-Type: application/json" \
+  -d "{\"certificate_id\":\"$CERT_ID\",\"reason\":\"Test\"}")
+echo "[✓] Certificate revoked"
+
+# 10. Test CRL
+CRL=$(curl -s -H "Authorization: Bearer $TOKEN" \
+  "$API_URL/crl" | jq '.crl | length')
+echo "[✓] CRL contains $CRL revoked certificates"
+
+# 11. Test MongoDB private key storage
+MONGO_CHECK=$(docker exec pkiapi-mongo mongosh -u admin -p password --authenticationDatabase admin pkiapi --eval "db.certificates.count({private_key: {\$exists: true, \$ne: ''}})" 2>/dev/null | tail -1)
+echo "[✓] MongoDB: $MONGO_CHECK certificates with stored private keys"
+
+echo ""
+echo "=== All tests passed! ==="

tests/test_complete.sh

@@ -0,0 +1,111 @@
+#!/bin/bash
+
+# Test complet des fonctionnalités PKI
+# Teste: création CA, sous-CA, certificats, exports, révocation, CRL
+
+API_URL="http://localhost:8080/api/v1"
+EXPORT_DIR="/tmp/pki_exports_test"
+mkdir -p "$EXPORT_DIR"
+
+echo "=== PKI Complete Feature Test ==="
+echo "Date: $(date)"
+echo ""
+
+# 1. Login
+echo "[1] Login..."
+TOKEN=$(curl -s -X POST "$API_URL/login" \
+  -H "Content-Type: application/json" \
+  -d '{"username":"admin","password":"admin"}' | jq -r '.token')
+
+if [ -z "$TOKEN" ] || [ "$TOKEN" = "null" ]; then
+  echo "❌ Login failed"
+  exit 1
+fi
+echo "✓ Login successful"
+echo ""
+
+# 2. Create Root CA
+echo "[2] Creating Root CA..."
+ROOT_CA=$(curl -s -X POST "$API_URL/ca" \
+  -H "Authorization: Bearer $TOKEN" \
+  -H "Content-Type: application/json" \
+  -d '{"subject":"CN=Root CA,O=Example,C=FR","validity_days":3650}')
+ROOT_CA_ID=$(echo $ROOT_CA | jq -r '.ca.id')
+echo "✓ Root CA created: $ROOT_CA_ID"
+echo ""
+
+# 3. Create Sub-CA
+echo "[3] Creating Sub-CA..."
+SUB_CA=$(curl -s -X POST "$API_URL/ca/sign" \
+  -H "Authorization: Bearer $TOKEN" \
+  -H "Content-Type: application/json" \
+  -d "{\"parent_ca_id\":\"$ROOT_CA_ID\",\"subject\":\"CN=Intermediate CA,O=Example,C=FR\",\"validity_days\":1825}")
+SUB_CA_ID=$(echo $SUB_CA | jq -r '.ca.id')
+echo "✓ Sub-CA created: $SUB_CA_ID"
+echo ""
+
+# 4. Create standard certificate
+echo "[4] Creating standard certificate..."
+CERT=$(curl -s -X POST "$API_URL/certificates/sign" \
+  -H "Authorization: Bearer $TOKEN" \
+  -H "Content-Type: application/json" \
+  -d "{\"ca_id\":\"$SUB_CA_ID\",\"subject\":\"CN=app.example.com,O=Example,C=FR\",\"validity_days\":365}")
+CERT_ID=$(echo $CERT | jq -r '.certificate.id')
+echo "✓ Standard certificate created: $CERT_ID"
+echo ""
+
+# 5. Test PEM export
+echo "[5] Testing exports..."
+curl -s -H "Authorization: Bearer $TOKEN" \
+  "$API_URL/certificates/$CERT_ID/export/pem" \
+  -o "$EXPORT_DIR/cert.pem"
+PEM_SIZE=$(stat -c%s "$EXPORT_DIR/cert.pem")
+echo "✓ PEM export: $PEM_SIZE bytes"
+
+# 6. Test DER export
+curl -s -H "Authorization: Bearer $TOKEN" \
+  "$API_URL/certificates/$CERT_ID/export/der" \
+  -o "$EXPORT_DIR/cert.der"
+DER_SIZE=$(stat -c%s "$EXPORT_DIR/cert.der")
+echo "✓ DER export: $DER_SIZE bytes"
+
+# 7. Test PEM with private key
+curl -s -H "Authorization: Bearer $TOKEN" \
+  "$API_URL/certificates/$CERT_ID/export/pem-with-key" \
+  -o "$EXPORT_DIR/cert_with_key.pem"
+KEY_SIZE=$(stat -c%s "$EXPORT_DIR/cert_with_key.pem")
+KEY_COUNT=$(grep -c "BEGIN PRIVATE KEY" "$EXPORT_DIR/cert_with_key.pem" 2>/dev/null || echo "0")
+echo "✓ PEM with private key export: $KEY_SIZE bytes ($KEY_COUNT private keys)"
+
+# 8. Test chain export
+curl -s -H "Authorization: Bearer $TOKEN" \
+  "$API_URL/certificates/$CERT_ID/export/chain" \
+  -o "$EXPORT_DIR/cert_chain.pem"
+CHAIN_SIZE=$(stat -c%s "$EXPORT_DIR/cert_chain.pem")
+CHAIN_COUNT=$(grep -c "BEGIN CERTIFICATE" "$EXPORT_DIR/cert_chain.pem" 2>/dev/null || echo "0")
+echo "✓ Chain export: $CHAIN_SIZE bytes ($CHAIN_COUNT certificates)"
+echo ""
+
+# 9. Test revocation
+echo "[6] Revoking certificate..."
+REV=$(curl -s -X POST "$API_URL/revoke" \
+  -H "Authorization: Bearer $TOKEN" \
+  -H "Content-Type: application/json" \
+  -d "{\"certificate_id\":\"$CERT_ID\",\"reason\":\"Test\"}")
+echo "✓ Certificate revoked"
+echo ""
+
+# 10. Test CRL
+echo "[7] Checking CRL..."
+CRL=$(curl -s -H "Authorization: Bearer $TOKEN" \
+  "$API_URL/crl" | jq '.crl | length')
+echo "✓ CRL contains $CRL revoked certificates"
+echo ""
+
+# 11. Test MongoDB private key storage
+echo "[8] Verifying MongoDB storage..."
+MONGO_CERT_COUNT=$(docker exec pkiapi-mongo mongosh -u admin -p password --authenticationDatabase admin pkiapi --eval "db.certificates.count({private_key: {\$exists: true, \$ne: ''}})" 2>/dev/null | tail -1)
+echo "✓ MongoDB: $MONGO_CERT_COUNT certificates with stored private keys"
+echo ""
+
+echo "=== All tests passed! ==="

tests/test_exports.sh

@@ -0,0 +1,88 @@
+#!/bin/bash
+
+# Test spécifique pour les exports de certificats
+# Teste: PEM, DER, PEM with key, chain
+
+API_URL="http://localhost:8080/api/v1"
+EXPORT_DIR="/tmp/pki_export_test"
+mkdir -p "$EXPORT_DIR"
+
+echo "=== PKI Certificate Export Test ==="
+echo ""
+
+# 1. Login
+TOKEN=$(curl -s -X POST "$API_URL/login" \
+  -H "Content-Type: application/json" \
+  -d '{"username":"admin","password":"admin"}' | jq -r '.token')
+echo "[1] Token obtained"
+
+# 2. Create Root CA
+CA=$(curl -s -X POST "$API_URL/ca" \
+  -H "Authorization: Bearer $TOKEN" \
+  -H "Content-Type: application/json" \
+  -d '{"subject":"CN=Export Test CA,O=Test,C=FR","validity_days":3650}')
+CA_ID=$(echo $CA | jq -r '.ca.id')
+echo "[2] Root CA created: $CA_ID"
+
+# 3. Create certificate signed by CA
+CERT=$(curl -s -X POST "$API_URL/certificates/sign" \
+  -H "Authorization: Bearer $TOKEN" \
+  -H "Content-Type: application/json" \
+  -d "{\"ca_id\":\"$CA_ID\",\"subject\":\"CN=test.example.com,O=Test,C=FR\",\"validity_days\":365}")
+CERT_ID=$(echo $CERT | jq -r '.certificate.id')
+echo "[3] Certificate created: $CERT_ID"
+echo ""
+
+# Test all export formats
+echo "Testing export formats:"
+echo ""
+
+# PEM export
+curl -s -H "Authorization: Bearer $TOKEN" \
+  "$API_URL/certificates/$CERT_ID/export/pem" \
+  -o "$EXPORT_DIR/cert.pem"
+if grep -q "BEGIN CERTIFICATE" "$EXPORT_DIR/cert.pem"; then
+  SIZE=$(stat -c%s "$EXPORT_DIR/cert.pem")
+  echo "✓ PEM export: $SIZE bytes"
+else
+  echo "❌ PEM export failed"
+fi
+
+# DER export
+curl -s -H "Authorization: Bearer $TOKEN" \
+  "$API_URL/certificates/$CERT_ID/export/der" \
+  -o "$EXPORT_DIR/cert.der"
+SIZE=$(stat -c%s "$EXPORT_DIR/cert.der")
+if [ "$SIZE" -gt 0 ]; then
+  echo "✓ DER export: $SIZE bytes"
+else
+  echo "❌ DER export failed"
+fi
+
+# PEM with private key export
+curl -s -H "Authorization: Bearer $TOKEN" \
+  "$API_URL/certificates/$CERT_ID/export/pem-with-key" \
+  -o "$EXPORT_DIR/cert_with_key.pem"
+SIZE=$(stat -c%s "$EXPORT_DIR/cert_with_key.pem")
+KEY_COUNT=$(grep -c "BEGIN PRIVATE KEY" "$EXPORT_DIR/cert_with_key.pem" 2>/dev/null || echo "0")
+if [ "$KEY_COUNT" -gt 0 ]; then
+  CERT_COUNT=$(grep -c "BEGIN CERTIFICATE" "$EXPORT_DIR/cert_with_key.pem")
+  echo "✓ PEM with key export: $SIZE bytes ($CERT_COUNT certs + $KEY_COUNT keys)"
+else
+  echo "❌ PEM with key export failed (no private key)"
+fi
+
+# Chain export
+curl -s -H "Authorization: Bearer $TOKEN" \
+  "$API_URL/certificates/$CERT_ID/export/chain" \
+  -o "$EXPORT_DIR/cert_chain.pem"
+SIZE=$(stat -c%s "$EXPORT_DIR/cert_chain.pem")
+CERT_COUNT=$(grep -c "BEGIN CERTIFICATE" "$EXPORT_DIR/cert_chain.pem" 2>/dev/null || echo "0")
+if [ "$CERT_COUNT" -ge 2 ]; then
+  echo "✓ Chain export: $SIZE bytes ($CERT_COUNT certificates)"
+else
+  echo "❌ Chain export failed (expected 2+ certs, got $CERT_COUNT)"
+fi
+
+echo ""
+echo "All exports completed. Files saved in: $EXPORT_DIR"

tests/test_private_key_storage.sh

@@ -0,0 +1,88 @@
+#!/bin/bash
+
+API_URL="http://localhost:8080/api/v1"
+EXPORT_DIR="/tmp/pki_privkey_test"
+mkdir -p "$EXPORT_DIR"
+
+echo "=== Test: Private Key Storage for All Certificates ==="
+echo ""
+
+# 1. Login
+TOKEN=$(curl -s -X POST "$API_URL/login" \
+  -H "Content-Type: application/json" \
+  -d '{"username":"admin","password":"admin"}' | jq -r '.token')
+echo "[1] Token obtenu"
+echo ""
+
+# 2. Créer un certificat standard (non-CA)
+CERT_RESP=$(curl -s -X POST "$API_URL/certificates" \
+  -H "Authorization: Bearer $TOKEN" \
+  -H "Content-Type: application/json" \
+  -d '{
+    "subject":"CN=test-standard.example.com,O=Test,C=FR",
+    "validity_days":365
+  }')
+
+CERT_ID=$(echo $CERT_RESP | jq -r '.certificate.id')
+echo "[2] Certificat standard créé: $CERT_ID"
+echo ""
+
+# 3. Exporter avec clé privée
+echo "[3] Test export PEM+clé pour certificat standard..."
+curl -s -H "Authorization: Bearer $TOKEN" \
+  "$API_URL/certificates/$CERT_ID/export/pem-with-key" \
+  -o "$EXPORT_DIR/standard_cert_with_key.pem"
+
+if [ -f "$EXPORT_DIR/standard_cert_with_key.pem" ]; then
+  FILE_SIZE=$(stat -c%s "$EXPORT_DIR/standard_cert_with_key.pem")
+  CERT_COUNT=$(grep -c "BEGIN CERTIFICATE" "$EXPORT_DIR/standard_cert_with_key.pem" 2>/dev/null || echo "0")
+  KEY_COUNT=$(grep -c "BEGIN PRIVATE KEY" "$EXPORT_DIR/standard_cert_with_key.pem" 2>/dev/null || echo "0")
+  
+  if [ "$FILE_SIZE" -gt 100 ] && [ "$KEY_COUNT" -gt 0 ]; then
+    echo "✓ SUCCESS: Clé privée présente dans l'export!"
+    echo "  - Taille du fichier: $FILE_SIZE bytes"
+    echo "  - Certificats trouvés: $CERT_COUNT"
+    echo "  - Clés privées trouvées: $KEY_COUNT"
+    echo ""
+    echo "  Aperçu:"
+    head -3 "$EXPORT_DIR/standard_cert_with_key.pem"
+    echo "  ..."
+  else
+    echo "❌ FAILED: Pas de clé privée trouvée"
+    cat "$EXPORT_DIR/standard_cert_with_key.pem"
+  fi
+else
+  echo "❌ FAILED: Fichier non créé"
+fi
+echo ""
+
+# 4. Vérifier directement dans MongoDB
+echo "[4] Vérification directe dans MongoDB..."
+MONGO_COUNT=$(docker exec pkiapi-mongo mongosh -u admin -p password --authenticationDatabase admin pkiapi --eval "db.certificates.findOne({_id: '$CERT_ID'}).private_key ? 'HAS_KEY' : 'NO_KEY'" 2>/dev/null | tail -1)
+
+if [ "$MONGO_COUNT" = "HAS_KEY" ]; then
+  echo "✓ Clé privée présente dans MongoDB pour le certificat standard"
+else
+  echo "❌ Clé privée absente dans MongoDB"
+fi
+echo ""
+
+# 5. Créer une CA et vérifier aussi
+CA_RESP=$(curl -s -X POST "$API_URL/ca" \
+  -H "Authorization: Bearer $TOKEN" \
+  -H "Content-Type: application/json" \
+  -d '{"subject":"CN=Test Root CA,O=Test,C=FR","validity_days":3650}')
+
+CA_ID=$(echo $CA_RESP | jq -r '.ca.id')
+echo "[5] CA créée: $CA_ID"
+
+MONGO_CA_COUNT=$(docker exec pkiapi-mongo mongosh -u admin -p password --authenticationDatabase admin pkiapi --eval "db.certificates.findOne({_id: '$CA_ID'}).private_key ? 'HAS_KEY' : 'NO_KEY'" 2>/dev/null | tail -1)
+
+if [ "$MONGO_CA_COUNT" = "HAS_KEY" ]; then
+  echo "✓ Clé privée présente dans MongoDB pour la CA"
+else
+  echo "❌ Clé privée absente pour la CA"
+fi
+echo ""
+
+echo "=== Test complété ==="

tests/test_private_keys.sh

@@ -0,0 +1,97 @@
+#!/bin/bash
+
+# Test spécifique pour le stockage des clés privées
+# Vérifie que les clés privées sont stockées pour tous les certificats
+
+API_URL="http://localhost:8080/api/v1"
+
+echo "=== PKI Private Key Storage Test ==="
+echo ""
+
+# 1. Login
+TOKEN=$(curl -s -X POST "$API_URL/login" \
+  -H "Content-Type: application/json" \
+  -d '{"username":"admin","password":"admin"}' | jq -r '.token')
+echo "[1] Login successful"
+echo ""
+
+# 2. Create standard certificate (non-CA)
+echo "[2] Creating standard certificate..."
+CERT=$(curl -s -X POST "$API_URL/certificates" \
+  -H "Authorization: Bearer $TOKEN" \
+  -H "Content-Type: application/json" \
+  -d '{"subject":"CN=test-standard.example.com,O=Test,C=FR","validity_days":365}')
+CERT_ID=$(echo $CERT | jq -r '.certificate.id')
+echo "✓ Certificate created: $CERT_ID"
+echo ""
+
+# 3. Create Root CA
+echo "[3] Creating Root CA..."
+CA=$(curl -s -X POST "$API_URL/ca" \
+  -H "Authorization: Bearer $TOKEN" \
+  -H "Content-Type: application/json" \
+  -d '{"subject":"CN=Test Root CA,O=Test,C=FR","validity_days":3650}')
+CA_ID=$(echo $CA | jq -r '.ca.id')
+echo "✓ Root CA created: $CA_ID"
+echo ""
+
+# 4. Test export with private key for standard cert
+echo "[4] Testing private key export for standard certificate..."
+curl -s -H "Authorization: Bearer $TOKEN" \
+  "$API_URL/certificates/$CERT_ID/export/pem-with-key" \
+  -o /tmp/cert_test.pem
+
+KEY_COUNT=$(grep -c "BEGIN PRIVATE KEY" /tmp/cert_test.pem 2>/dev/null || echo "0")
+CERT_COUNT=$(grep -c "BEGIN CERTIFICATE" /tmp/cert_test.pem 2>/dev/null || echo "0")
+
+if [ "$KEY_COUNT" -gt 0 ]; then
+  SIZE=$(stat -c%s /tmp/cert_test.pem)
+  echo "✓ SUCCESS: Standard certificate has private key"
+  echo "  - Export size: $SIZE bytes"
+  echo "  - Certificates: $CERT_COUNT"
+  echo "  - Private keys: $KEY_COUNT"
+else
+  echo "❌ FAILED: Standard certificate has no private key"
+fi
+echo ""
+
+# 5. Test export with private key for CA
+echo "[5] Testing private key export for CA..."
+curl -s -H "Authorization: Bearer $TOKEN" \
+  "$API_URL/certificates/$CA_ID/export/pem-with-key" \
+  -o /tmp/ca_test.pem
+
+KEY_COUNT=$(grep -c "BEGIN PRIVATE KEY" /tmp/ca_test.pem 2>/dev/null || echo "0")
+CERT_COUNT=$(grep -c "BEGIN CERTIFICATE" /tmp/ca_test.pem 2>/dev/null || echo "0")
+
+if [ "$KEY_COUNT" -gt 0 ]; then
+  SIZE=$(stat -c%s /tmp/ca_test.pem)
+  echo "✓ SUCCESS: CA has private key"
+  echo "  - Export size: $SIZE bytes"
+  echo "  - Certificates: $CERT_COUNT"
+  echo "  - Private keys: $KEY_COUNT"
+else
+  echo "❌ FAILED: CA has no private key"
+fi
+echo ""
+
+# 6. Verify MongoDB storage
+echo "[6] Verifying MongoDB storage..."
+MONGO_STANDARD=$(docker exec pkiapi-mongo mongosh -u admin -p password --authenticationDatabase admin pkiapi --eval "db.certificates.findOne({_id: '$CERT_ID'}).private_key ? 'YES' : 'NO'" 2>/dev/null | tail -1)
+MONGO_CA=$(docker exec pkiapi-mongo mongosh -u admin -p password --authenticationDatabase admin pkiapi --eval "db.certificates.findOne({_id: '$CA_ID'}).private_key ? 'YES' : 'NO'" 2>/dev/null | tail -1)
+
+if [ "$MONGO_STANDARD" = "YES" ]; then
+  echo "✓ Standard certificate private key stored in MongoDB"
+else
+  echo "❌ Standard certificate private key NOT in MongoDB"
+fi
+
+if [ "$MONGO_CA" = "YES" ]; then
+  echo "✓ CA private key stored in MongoDB"
+else
+  echo "❌ CA private key NOT in MongoDB"
+fi
+echo ""
+
+TOTAL=$(docker exec pkiapi-mongo mongosh -u admin -p password --authenticationDatabase admin pkiapi --eval "db.certificates.count({private_key: {\$exists: true, \$ne: ''}})" 2>/dev/null | tail -1)
+echo "Total certificates with private keys in MongoDB: $TOTAL"

tests/test_results.txt

@@ -0,0 +1,44 @@
+=== Test Results: Private Key Storage & Certificate Exports ===
+Date: 2025-12-07 09:50 UTC+1
+
+## Test 1: Complete Features
+- Login: ✓ successful
+- Root CA creation: ✓ successful
+- Sub-CA creation: ✓ successful
+- Standard certificate creation: ✓ successful
+- PEM export: ✓ 1115 bytes
+- DER export: ✓ 781 bytes
+- PEM with private key: ✓ 2819 bytes (1 private key)
+- Chain export: ✓ 2283 bytes (2 certificates)
+- Certificate revocation: ✓ successful
+- CRL retrieval: ✓ 1 revoked certificate
+- MongoDB private key storage: ✓ 7 certificates with keys
+
+## Test 2: Certificate Exports
+- PEM export: ✓ 1107 bytes
+- DER export: ✓ 775 bytes
+- PEM with private key: ✓ 2811 bytes (1 cert + 1 key)
+- Chain export: ✓ 2230 bytes (2 certificates)
+
+## Test 3: Private Key Storage
+- Standard certificate private key: ✓ stored in MongoDB
+- Standard certificate export: ✓ includes private key
+- CA private key: ✓ stored in MongoDB
+- CA export: ✓ includes private key
+- Total certificates with private keys: 11
+
+## Summary
+✅ All features working correctly:
+- Certificate generation (standard & CA)
+- Hierarchical CA support (Root → Sub-CA)
+- Certificate signing
+- Certificate revocation
+- CRL generation
+- Private key storage for ALL certificates
+- Multiple export formats (PEM, DER, with key, chain)
+- MongoDB persistence
+
+## Test Scripts
+- tests/test_complete.sh: Full end-to-end test
+- tests/test_exports.sh: Certificate export formats
+- tests/test_private_keys.sh: Private key storage verification