integration: save hierarchy across runs (#5729)

This allows repeated runs using the same hiearchy, and avoids spurious
errors from ocsp-updater saying "This CA doesn't have an issuer cert
with ID XXX"

Fixes #5721

.gitignore

@@ -37,3 +37,5 @@ tags
 .idea
 
 .vscode/*
+.hierarchy/
+.softhsm-tokens/

docker-compose.yml

@@ -9,6 +9,8 @@ services:
     volumes:
       - .:/go/src/github.com/letsencrypt/boulder:cached
       - ./.gocache:/root/.cache/go-build:cached
+      - ./.hierarchy:/hierarchy/:cached
+      - ./.softhsm-tokens/:/var/lib/softhsm/tokens/:cached
     networks:
       bluenet:
         ipv4_address: 10.77.77.77

test/cert-ceremonies/generate.go

@@ -76,7 +76,7 @@ func genCert(path string) error {
 func main() {
 	// If one of the output files already exists, assume this ran once
 	// already for the container and don't re-run.
-	outputFile := "/tmp/root-signing-pub-rsa.pem"
+	outputFile := "/hierarchy/root-signing-pub-rsa.pem"
 	if loc, err := os.Stat(outputFile); err == nil && loc.Mode().IsRegular() {
 		fmt.Println("skipping certificate generation: already exists")
 		return
@@ -113,13 +113,13 @@ func main() {
 	// signing key slots and IDs
 	rsaTmpIntermediateA, err := rewriteConfig("test/cert-ceremonies/intermediate-ceremony-rsa.yaml", map[string]string{
 		"SlotID":     rsaRootKeySlot,
-		"CertPath":   "/tmp/intermediate-cert-rsa-a.pem",
+		"CertPath":   "/hierarchy/intermediate-cert-rsa-a.pem",
 		"CommonName": "CA intermediate (RSA) A",
 	})
 	cmd.FailOnError(err, "failed to rewrite RSA intermediate cert config with key ID")
 	ecdsaTmpIntermediateA, err := rewriteConfig("test/cert-ceremonies/intermediate-ceremony-ecdsa.yaml", map[string]string{
 		"SlotID":     ecdsaRootKeySlot,
-		"CertPath":   "/tmp/intermediate-cert-ecdsa-a.pem",
+		"CertPath":   "/hierarchy/intermediate-cert-ecdsa-a.pem",
 		"CommonName": "CA intermediate (ECDSA) A",
 	})
 	cmd.FailOnError(err, "failed to rewrite ECDSA intermediate cert config with key ID")
@@ -134,13 +134,13 @@ func main() {
 	// signing key slots and IDs
 	rsaTmpIntermediateB, err := rewriteConfig("test/cert-ceremonies/intermediate-ceremony-rsa.yaml", map[string]string{
 		"SlotID":     rsaRootKeySlot,
-		"CertPath":   "/tmp/intermediate-cert-rsa-b.pem",
+		"CertPath":   "/hierarchy/intermediate-cert-rsa-b.pem",
 		"CommonName": "CA intermediate (RSA) B",
 	})
 	cmd.FailOnError(err, "failed to rewrite RSA intermediate cert config with key ID")
 	ecdsaTmpIntermediateB, err := rewriteConfig("test/cert-ceremonies/intermediate-ceremony-ecdsa.yaml", map[string]string{
 		"SlotID":     ecdsaRootKeySlot,
-		"CertPath":   "/tmp/intermediate-cert-ecdsa-b.pem",
+		"CertPath":   "/hierarchy/intermediate-cert-ecdsa-b.pem",
 		"CommonName": "CA intermediate (ECDSA) B",
 	})
 	cmd.FailOnError(err, "failed to rewrite ECDSA intermediate cert config with key ID")

test/cert-ceremonies/intermediate-ceremony-ecdsa.yaml

@@ -5,8 +5,8 @@ pkcs11:
     signing-key-slot: {{ .SlotID}}
     signing-key-label: root signing key (ecdsa)
 inputs:
-    public-key-path: /tmp/intermediate-signing-pub-ecdsa.pem
-    issuer-certificate-path: /tmp/root-cert-ecdsa.pem
+    public-key-path: /hierarchy/intermediate-signing-pub-ecdsa.pem
+    issuer-certificate-path: /hierarchy/root-cert-ecdsa.pem
 outputs:
     certificate-path: {{ .CertPath }}
 certificate-profile:

test/cert-ceremonies/intermediate-ceremony-rsa.yaml

@@ -5,8 +5,8 @@ pkcs11:
     signing-key-slot: {{ .SlotID}}
     signing-key-label: root signing key (rsa)
 inputs:
-    public-key-path: /tmp/intermediate-signing-pub-rsa.pem
-    issuer-certificate-path: /tmp/root-cert-rsa.pem
+    public-key-path: /hierarchy/intermediate-signing-pub-rsa.pem
+    issuer-certificate-path: /hierarchy/root-cert-rsa.pem
 outputs:
     certificate-path: {{ .CertPath }}
 certificate-profile:

test/cert-ceremonies/intermediate-key-ceremony-ecdsa.yaml

@@ -8,4 +8,4 @@ key:
     type: ecdsa
     ecdsa-curve: P-384
 outputs:
-    public-key-path: /tmp/intermediate-signing-pub-ecdsa.pem
+    public-key-path: /hierarchy/intermediate-signing-pub-ecdsa.pem

test/cert-ceremonies/intermediate-key-ceremony-rsa.yaml

@@ -8,4 +8,4 @@ key:
     type: rsa
     rsa-mod-length: 2048
 outputs:
-    public-key-path: /tmp/intermediate-signing-pub-rsa.pem
+    public-key-path: /hierarchy/intermediate-signing-pub-rsa.pem

test/cert-ceremonies/intermediate-ocsp-rsa.yaml

@@ -5,10 +5,10 @@ pkcs11:
     signing-key-slot: {{ .SlotID}}
     signing-key-label: root signing key (rsa)
 inputs:
-    certificate-path: /tmp/intermediate-cert-rsa-a.pem
-    issuer-certificate-path: /tmp/root-cert-rsa.pem
+    certificate-path: /hierarchy/intermediate-cert-rsa-a.pem
+    issuer-certificate-path: /hierarchy/root-cert-rsa.pem
 outputs:
-    response-path: /tmp/intermediate-ocsp-rsa.b64
+    response-path: /hierarchy/intermediate-ocsp-rsa.b64
 ocsp-profile:
     this-update: 2020-01-01 12:00:00
     next-update: 2039-01-01 12:00:00

test/cert-ceremonies/root-ceremony-ecdsa.yaml

@@ -8,8 +8,8 @@ key:
     type: ecdsa
     ecdsa-curve: P-384
 outputs:
-    public-key-path: /tmp/root-signing-pub-ecdsa.pem
-    certificate-path: /tmp/root-cert-ecdsa.pem
+    public-key-path: /hierarchy/root-signing-pub-ecdsa.pem
+    certificate-path: /hierarchy/root-cert-ecdsa.pem
 certificate-profile:
     signature-algorithm: ECDSAWithSHA384
     common-name: CA root (ECDSA)

test/cert-ceremonies/root-ceremony-rsa.yaml

@@ -8,8 +8,8 @@ key:
     type: rsa
     rsa-mod-length: 4096
 outputs:
-    public-key-path: /tmp/root-signing-pub-rsa.pem
-    certificate-path: /tmp/root-cert-rsa.pem
+    public-key-path: /hierarchy/root-signing-pub-rsa.pem
+    certificate-path: /hierarchy/root-cert-rsa.pem
 certificate-profile:
     signature-algorithm: SHA256WithRSA
     common-name: CA root (RSA)

test/config-next/ca-a.json

@@ -60,7 +60,7 @@
           "crlURL": "http://example.com/crl",
           "location": {
             "configFile": "test/test-ca.key-pkcs11.json",
-            "certFile": "/tmp/intermediate-cert-rsa-a.pem",
+            "certFile": "/hierarchy/intermediate-cert-rsa-a.pem",
             "numSessions": 2
           }
         },
@@ -72,7 +72,7 @@
           "crlURL": "http://example.com/crl",
           "location": {
             "configFile": "test/test-ca.key-pkcs11.json",
-            "certFile": "/tmp/intermediate-cert-rsa-b.pem",
+            "certFile": "/hierarchy/intermediate-cert-rsa-b.pem",
             "numSessions": 2
           }
         }

test/config-next/ca-b.json

@@ -60,7 +60,7 @@
           "crlURL": "http://example.com/crl",
           "location": {
             "configFile": "test/test-ca.key-pkcs11.json",
-            "certFile": "/tmp/intermediate-cert-rsa-a.pem",
+            "certFile": "/hierarchy/intermediate-cert-rsa-a.pem",
             "numSessions": 2
           }
         },
@@ -72,7 +72,7 @@
           "crlURL": "http://example.com/crl",
           "location": {
             "configFile": "test/test-ca.key-pkcs11.json",
-            "certFile": "/tmp/intermediate-cert-rsa-b.pem",
+            "certFile": "/hierarchy/intermediate-cert-rsa-b.pem",
             "numSessions": 2
           }
         }

test/config-next/ocsp-responder.json

@@ -7,9 +7,9 @@
     "path": "/",
     "listenAddress": "0.0.0.0:4002",
     "issuerCerts": [
-      "/tmp/intermediate-cert-rsa-a.pem",
-      "/tmp/intermediate-cert-rsa-b.pem",
-      "/tmp/intermediate-cert-ecdsa-a.pem"
+      "/hierarchy/intermediate-cert-rsa-a.pem",
+      "/hierarchy/intermediate-cert-rsa-b.pem",
+      "/hierarchy/intermediate-cert-ecdsa-a.pem"
     ],
     "maxAge": "10s",
     "timeout": "4.9s",

test/config-next/orphan-finder.json

@@ -1,9 +1,9 @@
 {
   "backdate": "1h",
   "issuerCerts": [
-    "/tmp/intermediate-cert-rsa-a.pem",
-    "/tmp/intermediate-cert-rsa-b.pem",
-    "/tmp/intermediate-cert-ecdsa-a.pem"
+    "/hierarchy/intermediate-cert-rsa-a.pem",
+    "/hierarchy/intermediate-cert-rsa-b.pem",
+    "/hierarchy/intermediate-cert-ecdsa-a.pem"
   ],
 
   "syslog": {

test/config-next/publisher.json

@@ -4,20 +4,20 @@
     "blockProfileRate": 1000000000,
     "chains": [
       [
-        "/tmp/intermediate-cert-rsa-a.pem",
-        "/tmp/root-cert-rsa.pem"
+        "/hierarchy/intermediate-cert-rsa-a.pem",
+        "/hierarchy/root-cert-rsa.pem"
       ],
       [
-        "/tmp/intermediate-cert-rsa-b.pem",
-        "/tmp/root-cert-rsa.pem"
+        "/hierarchy/intermediate-cert-rsa-b.pem",
+        "/hierarchy/root-cert-rsa.pem"
       ],
       [
-        "/tmp/intermediate-cert-ecdsa-a.pem",
-        "/tmp/root-cert-ecdsa.pem"
+        "/hierarchy/intermediate-cert-ecdsa-a.pem",
+        "/hierarchy/root-cert-ecdsa.pem"
       ],
       [
-        "/tmp/intermediate-cert-ecdsa-b.pem",
-        "/tmp/root-cert-ecdsa.pem"
+        "/hierarchy/intermediate-cert-ecdsa-b.pem",
+        "/hierarchy/root-cert-ecdsa.pem"
       ]
     ],
     "debugAddr": ":8009",

test/config-next/ra.json

@@ -12,9 +12,9 @@
     "blockedKeyFile": "test/example-blocked-keys.yaml",
     "orderLifetime": "168h",
     "issuerCerts": [
-      "/tmp/intermediate-cert-rsa-a.pem",
-      "/tmp/intermediate-cert-rsa-b.pem",
-      "/tmp/intermediate-cert-ecdsa-a.pem"
+      "/hierarchy/intermediate-cert-rsa-a.pem",
+      "/hierarchy/intermediate-cert-rsa-b.pem",
+      "/hierarchy/intermediate-cert-ecdsa-a.pem"
     ],
     "tls": {
       "caCertFile": "test/grpc-creds/minica.pem",

test/config-next/wfe.json

@@ -52,6 +52,6 @@
   },
 
   "common": {
-    "issuerCert": "/tmp/intermediate-cert-rsa-a.pem"
+    "issuerCert": "/hierarchy/intermediate-cert-rsa-a.pem"
   }
 }

test/config-next/wfe2.json

@@ -41,20 +41,20 @@
     },
     "chains": [
       [
-        "/tmp/intermediate-cert-rsa-a.pem",
-        "/tmp/root-cert-rsa.pem"
+        "/hierarchy/intermediate-cert-rsa-a.pem",
+        "/hierarchy/root-cert-rsa.pem"
       ],
       [
-        "/tmp/intermediate-cert-rsa-b.pem",
-        "/tmp/root-cert-rsa.pem"
+        "/hierarchy/intermediate-cert-rsa-b.pem",
+        "/hierarchy/root-cert-rsa.pem"
       ],
       [
-        "/tmp/intermediate-cert-ecdsa-a.pem",
-        "/tmp/root-cert-ecdsa.pem"
+        "/hierarchy/intermediate-cert-ecdsa-a.pem",
+        "/hierarchy/root-cert-ecdsa.pem"
       ],
       [
-        "/tmp/intermediate-cert-ecdsa-b.pem",
-        "/tmp/root-cert-ecdsa.pem"
+        "/hierarchy/intermediate-cert-ecdsa-b.pem",
+        "/hierarchy/root-cert-ecdsa.pem"
       ]
     ],
     "staleTimeout": "5m",

test/config/ca-a.json

@@ -60,7 +60,7 @@
           "crlURL": "http://example.com/crl",
           "location": {
             "configFile": "test/test-ca.key-pkcs11.json",
-            "certFile": "/tmp/intermediate-cert-rsa-a.pem",
+            "certFile": "/hierarchy/intermediate-cert-rsa-a.pem",
             "numSessions": 2
           }
         },
@@ -72,7 +72,7 @@
           "crlURL": "http://example.com/crl",
           "location": {
             "configFile": "test/test-ca.key-pkcs11.json",
-            "certFile": "/tmp/intermediate-cert-rsa-b.pem",
+            "certFile": "/hierarchy/intermediate-cert-rsa-b.pem",
             "numSessions": 2
           }
         }

test/config/ca-b.json

@@ -60,7 +60,7 @@
           "crlURL": "http://example.com/crl",
           "location": {
             "configFile": "test/test-ca.key-pkcs11.json",
-            "certFile": "/tmp/intermediate-cert-rsa-a.pem",
+            "certFile": "/hierarchy/intermediate-cert-rsa-a.pem",
             "numSessions": 2
           }
         },
@@ -72,7 +72,7 @@
           "crlURL": "http://example.com/crl",
           "location": {
             "configFile": "test/test-ca.key-pkcs11.json",
-            "certFile": "/tmp/intermediate-cert-rsa-b.pem",
+            "certFile": "/hierarchy/intermediate-cert-rsa-b.pem",
             "numSessions": 2
           }
         }

test/config/ocsp-responder.json

@@ -7,9 +7,9 @@
     "path": "/",
     "listenAddress": "0.0.0.0:4002",
     "issuerCerts": [
-      "/tmp/intermediate-cert-rsa-a.pem",
-      "/tmp/intermediate-cert-rsa-b.pem",
-      "/tmp/intermediate-cert-ecdsa-a.pem"
+      "/hierarchy/intermediate-cert-rsa-a.pem",
+      "/hierarchy/intermediate-cert-rsa-b.pem",
+      "/hierarchy/intermediate-cert-ecdsa-a.pem"
     ],
     "maxAge": "10s",
     "timeout": "4.9s",

test/config/orphan-finder.json

@@ -1,9 +1,9 @@
 {
   "backdate": "1h",
   "issuerCerts": [
-    "/tmp/intermediate-cert-rsa-a.pem",
-    "/tmp/intermediate-cert-rsa-b.pem",
-    "/tmp/intermediate-cert-ecdsa-a.pem"
+    "/hierarchy/intermediate-cert-rsa-a.pem",
+    "/hierarchy/intermediate-cert-rsa-b.pem",
+    "/hierarchy/intermediate-cert-ecdsa-a.pem"
   ],
 
 

test/config/publisher.json

@@ -4,20 +4,20 @@
     "blockProfileRate": 1000000000,
     "chains": [
       [
-        "/tmp/intermediate-cert-rsa-a.pem",
-        "/tmp/root-cert-rsa.pem"
+        "/hierarchy/intermediate-cert-rsa-a.pem",
+        "/hierarchy/root-cert-rsa.pem"
       ],
       [
-        "/tmp/intermediate-cert-rsa-b.pem",
-        "/tmp/root-cert-rsa.pem"
+        "/hierarchy/intermediate-cert-rsa-b.pem",
+        "/hierarchy/root-cert-rsa.pem"
       ],
       [
-        "/tmp/intermediate-cert-ecdsa-a.pem",
-        "/tmp/root-cert-ecdsa.pem"
+        "/hierarchy/intermediate-cert-ecdsa-a.pem",
+        "/hierarchy/root-cert-ecdsa.pem"
       ],
       [
-        "/tmp/intermediate-cert-ecdsa-b.pem",
-        "/tmp/root-cert-ecdsa.pem"
+        "/hierarchy/intermediate-cert-ecdsa-b.pem",
+        "/hierarchy/root-cert-ecdsa.pem"
       ]
     ],
     "debugAddr": ":8009",

test/config/ra.json

@@ -11,7 +11,7 @@
     "weakKeyFile": "test/example-weak-keys.json",
     "blockedKeyFile": "test/example-blocked-keys.yaml",
     "orderLifetime": "168h",
-    "issuerCertPath":  "/tmp/intermediate-cert-rsa-a.pem",
+    "issuerCertPath":  "/hierarchy/intermediate-cert-rsa-a.pem",
     "tls": {
       "caCertFile": "test/grpc-creds/minica.pem",
       "certFile": "test/grpc-creds/ra.boulder/cert.pem",

test/config/wfe.json

@@ -53,6 +53,6 @@
   },
 
   "common": {
-    "issuerCert": "/tmp/intermediate-cert-rsa-a.pem"
+    "issuerCert": "/hierarchy/intermediate-cert-rsa-a.pem"
   }
 }

test/config/wfe2.json

@@ -40,12 +40,12 @@
       }
     },
     "certificateChains": {
-      "http://boulder:4430/acme/issuer-cert": [ "/tmp/intermediate-cert-rsa-a.pem" ],
-      "http://127.0.0.1:4000/acme/issuer-cert": [ "/tmp/intermediate-cert-rsa-a.pem" ]
+      "http://boulder:4430/acme/issuer-cert": [ "/hierarchy/intermediate-cert-rsa-a.pem" ],
+      "http://127.0.0.1:4000/acme/issuer-cert": [ "/hierarchy/intermediate-cert-rsa-a.pem" ]
     },
     "alternateCertificateChains": {
-      "http://boulder:4430/acme/issuer-cert": [ "/tmp/intermediate-cert-rsa-a.pem" ],
-      "http://127.0.0.1:4000/acme/issuer-cert": [ "/tmp/intermediate-cert-rsa-a.pem" ]
+      "http://boulder:4430/acme/issuer-cert": [ "/hierarchy/intermediate-cert-rsa-a.pem" ],
+      "http://127.0.0.1:4000/acme/issuer-cert": [ "/hierarchy/intermediate-cert-rsa-a.pem" ]
     },
     "staleTimeout": "5m",
     "authorizationLifetimeDays": 30,

test/helpers.py

@@ -86,7 +86,7 @@ def ocsp_verify(cert_file, issuer_file, ocsp_response):
             '-issuer', issuer_file,
             '-cert', cert_file,
             '-verify_other', issuer_file,
-            '-CAfile', '/tmp/root-cert-rsa.pem',
+            '-CAfile', '/hierarchy/root-cert-rsa.pem',
             '-respin', f.name], stderr=subprocess.STDOUT).decode()
     # OpenSSL doesn't always return non-zero when response verify fails, so we
     # also look for the string "Response Verify Failure"

test/integration-test.py

@@ -62,7 +62,7 @@ def test_single_ocsp():
 
     # Verify that the static OCSP responder, which answers with a
     # pre-signed, long-lived response for the CA cert, works.
-    verify_ocsp("/tmp/intermediate-cert-rsa-a.pem", "/tmp/root-cert-rsa.pem", "http://localhost:4003", "good")
+    verify_ocsp("/hierarchy/intermediate-cert-rsa-a.pem", "/hierarchy/root-cert-rsa.pem", "http://localhost:4003", "good")
 
     p.send_signal(signal.SIGTERM)
     p.wait()

test/integration/orphan_finder_test.go

@@ -75,7 +75,7 @@ func makeFakeCert(precert bool) (*x509.Certificate, error) {
 	if err != nil {
 		return nil, err
 	}
-	pubKeyBytes, err := ioutil.ReadFile("/tmp/intermediate-signing-pub-rsa.pem")
+	pubKeyBytes, err := ioutil.ReadFile("/hierarchy/intermediate-signing-pub-rsa.pem")
 	if err != nil {
 		return nil, err
 	}
@@ -100,7 +100,7 @@ func makeFakeCert(precert bool) (*x509.Certificate, error) {
 	if err != nil {
 		return nil, err
 	}
-	issuer, err := issuance.LoadCertificate("/tmp/intermediate-cert-rsa-a.pem")
+	issuer, err := issuance.LoadCertificate("/hierarchy/intermediate-cert-rsa-a.pem")
 	if err != nil {
 		return nil, err
 	}

test/issuer-ocsp-responder.json

@@ -1,10 +1,10 @@
 {
   "ocspResponder": {
-    "source": "file:///tmp/intermediate-ocsp-rsa.b64",
+    "source": "file:///hierarchy/intermediate-ocsp-rsa.b64",
     "path": "/",
     "listenAddress": "0.0.0.0:4003",
     "issuerCerts": [
-      "/tmp/intermediate-cert-rsa-a.pem"
+      "/hierarchy/intermediate-cert-rsa-a.pem"
     ],
     "maxAge": "10s",
     "timeout": "4.9s",

test/v1_integration.py

@@ -345,7 +345,7 @@ def test_issuer():
     parsed_chain = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_ASN1, chain)
     parsed_cert = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_ASN1, cert)
     parsed_root = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_PEM,
-        open("/tmp/root-cert-rsa.pem").read())
+        open("/hierarchy/root-cert-rsa.pem").read())
 
     store = OpenSSL.crypto.X509Store()
     store.add_cert(parsed_root)
@@ -365,7 +365,7 @@ def test_ocsp():
 
     # As OCSP-Updater is generating responses independently of the CA we sit in a loop
     # checking OCSP until we either see a good response or we timeout (5s).
-    verify_ocsp(cert_file.name, "/tmp/intermediate-cert-rsa-a.pem", "http://localhost:4002", "good")
+    verify_ocsp(cert_file.name, "/hierarchy/intermediate-cert-rsa-a.pem", "http://localhost:4002", "good")
 
 def test_ct_submission():
     hostname = random_domain()
@@ -418,7 +418,7 @@ def test_revoke_by_account():
     reset_akamai_purges()
     client.revoke(cert.body, 0)
 
-    verify_ocsp(cert_file.name, "/tmp/intermediate-cert-rsa-a.pem", "http://localhost:4002", "revoked")
+    verify_ocsp(cert_file.name, "/hierarchy/intermediate-cert-rsa-a.pem", "http://localhost:4002", "revoked")
 
     verify_akamai_purge()
 
@@ -580,7 +580,7 @@ def test_admin_revoker_cert():
         serial, '1'])
 
     # Wait for OCSP response to indicate revocation took place
-    verify_ocsp(cert_file.name, "/tmp/intermediate-cert-rsa-a.pem", "http://localhost:4002", "revoked")
+    verify_ocsp(cert_file.name, "/hierarchy/intermediate-cert-rsa-a.pem", "http://localhost:4002", "revoked")
     verify_akamai_purge()
 
 def test_admin_revoker_batched():
@@ -601,7 +601,7 @@ def test_admin_revoker_batched():
         serialFile.name, '0', '2'])
 
     for cert_file in cert_files:
-        verify_ocsp(cert_file.name, "/tmp/intermediate-cert-rsa-a.pem", "http://localhost:4002", "revoked")
+        verify_ocsp(cert_file.name, "/hierarchy/intermediate-cert-rsa-a.pem", "http://localhost:4002", "revoked")
 
 def test_sct_embedding():
     certr, authzs = auth_and_issue([random_domain()])

test/v2_integration.py

@@ -683,7 +683,7 @@ def test_revoke_by_account():
     reset_akamai_purges()
     client.revoke(josepy.ComparableX509(cert), 0)
 
-    verify_ocsp(cert_file.name, "/tmp/intermediate-cert-rsa-a.pem", "http://localhost:4002", "revoked")
+    verify_ocsp(cert_file.name, "/hierarchy/intermediate-cert-rsa-a.pem", "http://localhost:4002", "revoked")
     verify_akamai_purge()
 
 def test_revoke_by_issuer():
@@ -695,7 +695,7 @@ def test_revoke_by_issuer():
     reset_akamai_purges()
     client.revoke(josepy.ComparableX509(cert), 0)
 
-    verify_ocsp(cert_file.name, "/tmp/intermediate-cert-rsa-a.pem", "http://localhost:4002", "revoked")
+    verify_ocsp(cert_file.name, "/hierarchy/intermediate-cert-rsa-a.pem", "http://localhost:4002", "revoked")
     verify_akamai_purge()
 
 def test_revoke_by_authz():
@@ -711,7 +711,7 @@ def test_revoke_by_authz():
     reset_akamai_purges()
     client.revoke(josepy.ComparableX509(cert), 0)
 
-    verify_ocsp(cert_file.name, "/tmp/intermediate-cert-rsa-a.pem", "http://localhost:4002", "revoked")
+    verify_ocsp(cert_file.name, "/hierarchy/intermediate-cert-rsa-a.pem", "http://localhost:4002", "revoked")
     verify_akamai_purge()
 
 def test_revoke_by_privkey():
@@ -745,7 +745,7 @@ def test_revoke_by_privkey():
     cert_file.write(OpenSSL.crypto.dump_certificate(
         OpenSSL.crypto.FILETYPE_PEM, cert).decode())
     cert_file.close()
-    verify_ocsp(cert_file.name, "/tmp/intermediate-cert-rsa-a.pem", "http://localhost:4002", "revoked")
+    verify_ocsp(cert_file.name, "/hierarchy/intermediate-cert-rsa-a.pem", "http://localhost:4002", "revoked")
     verify_akamai_purge()
 
 def test_sct_embedding():
@@ -1159,7 +1159,7 @@ def test_ocsp():
 
     # As OCSP-Updater is generating responses independently of the CA we sit in a loop
     # checking OCSP until we either see a good response or we timeout (5s).
-    verify_ocsp(cert_file.name, "/tmp/intermediate-cert-rsa-a.pem", "http://localhost:4002", "good")
+    verify_ocsp(cert_file.name, "/hierarchy/intermediate-cert-rsa-a.pem", "http://localhost:4002", "good")
 
 def test_ct_submission():
     hostname = random_domain()
@@ -1215,7 +1215,7 @@ def ocsp_exp_unauth_setup():
     # Since our servers are pretending to be in the past, but the openssl cli
     # isn't, we'll get an expired OCSP response. Just check that it exists;
     # don't do the full verification (which would fail).
-    check_ocsp_basic_oid(cert_file.name, "/tmp/intermediate-cert-rsa-a.pem", "http://localhost:4002")
+    check_ocsp_basic_oid(cert_file.name, "/hierarchy/intermediate-cert-rsa-a.pem", "http://localhost:4002")
     global ocsp_exp_unauth_setup_data
     ocsp_exp_unauth_setup_data['cert_file'] = cert_file.name
 
@@ -1226,7 +1226,7 @@ def test_ocsp_exp_unauth():
     cert_file = ocsp_exp_unauth_setup_data['cert_file']
     while tries < 5:
         try:
-            verify_ocsp(cert_file, "/tmp/intermediate-cert-rsa-a.pem", "http://localhost:4002", "XXX")
+            verify_ocsp(cert_file, "/hierarchy/intermediate-cert-rsa-a.pem", "http://localhost:4002", "XXX")
             raise(Exception("Unexpected return from verify_ocsp"))
         except subprocess.CalledProcessError as cpe:
             if cpe.output == b"Responder Error: unauthorized (6)\n":
@@ -1476,7 +1476,7 @@ def test_admin_revoker_cert():
         '%x' % parsed_cert.serial_number, '1'])
 
     # Wait for OCSP response to indicate revocation took place
-    verify_ocsp(cert_file.name, "/tmp/intermediate-cert-rsa-a.pem", "http://localhost:4002", "revoked")
+    verify_ocsp(cert_file.name, "/hierarchy/intermediate-cert-rsa-a.pem", "http://localhost:4002", "revoked")
     verify_akamai_purge()
 
 def test_admin_revoker_batched():
@@ -1497,7 +1497,7 @@ def test_admin_revoker_batched():
         serialFile.name, '0', '2'])
 
     for cert_file in cert_files:
-        verify_ocsp(cert_file.name, "/tmp/intermediate-cert-rsa-a.pem", "http://localhost:4002", "revoked")
+        verify_ocsp(cert_file.name, "/hierarchy/intermediate-cert-rsa-a.pem", "http://localhost:4002", "revoked")
 
 def test_sct_embedding():
     order = chisel2.auth_and_issue([random_domain()])
@@ -1569,7 +1569,7 @@ def ocsp_resigning_setup():
     client.revoke(josepy.ComparableX509(cert), 3)
 
     ocsp_response, reason = get_ocsp_response_and_reason(
-        cert_file.name, "/tmp/intermediate-cert-rsa-a.pem", "http://localhost:4002")
+        cert_file.name, "/hierarchy/intermediate-cert-rsa-a.pem", "http://localhost:4002")
     global ocsp_resigning_setup_data
     ocsp_resigning_setup_data = {
         'cert_file': cert_file.name,
@@ -1585,7 +1585,7 @@ def test_ocsp_resigning():
     tries = 0
     while tries < 5:
         resp, reason = get_ocsp_response_and_reason(
-            ocsp_resigning_setup_data['cert_file'], "/tmp/intermediate-cert-rsa-a.pem", "http://localhost:4002")
+            ocsp_resigning_setup_data['cert_file'], "/hierarchy/intermediate-cert-rsa-a.pem", "http://localhost:4002")
         if resp != ocsp_resigning_setup_data['response']:
             break
         tries += 1