# deploy/test/fixtures — integration-test material

This folder holds the fixture material that `deploy/docker-compose.test.yml` mounts into the certctl container's `/etc/certctl/scep/` for the SCEP-RFC-8894 + Intune integration test suite. Test-only material; **do not use in production**.

## Files

| File | Generated by | Purpose |
| ---- | ------------ | ------- |
| `intune_trust_anchor.pem` | `deploy/test/scep_intune_e2e_test.go::generateE2EIntuneTrustAnchor` (deterministic ECDSA-P256 from `e2eintuneSeed`) | Mounted at the path given by `CERTCTL_SCEP_PROFILE_E2EINTUNE_INTUNE_CONNECTOR_CERT_PATH`. The matching private key is re-derived inside the integration test from the same deterministic seed, so the test can mint valid Intune challenges that the running container accepts. |
| `ra.crt` + `ra.key` | `setup-trust.sh` at compose boot OR generated once and committed | RA cert + private key the SCEP server uses to decrypt EnvelopedData per RFC 8894 §3.2.2. Mode 0600 is enforced on `ra.key` by `preflightSCEPRACertKey`. |

## Regeneration

```sh
# Trust anchor (deterministic — re-run produces byte-identical PEM):
cd certctl && go test -tags integration \
  -run='^TestRegenerateE2EIntuneFixture$' -update-fixture \
  ./deploy/test/...

# RA pair (one-off — committed):
openssl ecparam -genkey -name prime256v1 -noout \
  -out deploy/test/fixtures/ra.key && chmod 600 deploy/test/fixtures/ra.key
openssl req -new -x509 -key deploy/test/fixtures/ra.key \
  -days 3650 -subj '/CN=certctl-test-ra' \
  -out deploy/test/fixtures/ra.crt
```

## Why these are committed (test-only material)

The integration test runs against the running container and needs to mint Intune challenges that the container's trust anchor pool recognizes. The deterministic-key approach gives us:

- A static PEM the operator can grep and inspect.
- A test-side private key derived in-process, so we don't commit a raw private key file.
Real production deploys MUST NOT use this trust anchor — the matching private key is in the certctl source tree and effectively public.