authorErich Eckner <git@eckner.net>2019-09-02 10:31:30 +0200
committerErich Eckner <git@eckner.net>2019-09-02 12:03:10 +0200
commit4cb7f201a74ebd1709f544f79cdff6855f853e0d (patch)
tree62277205ef753c6894887f8fb4d5535afd9fb824
parentae6cc296f850009ee4a088cf65ee971d6a501e55 (diff)
downloadsimple-pki-4cb7f201a74ebd1709f544f79cdff6855f853e0d.tar.xz
useful defaults, no password on CAs
-rw-r--r--.gitignore1
-rw-r--r--etc/root-ca.conf14
-rw-r--r--etc/server.conf14
-rw-r--r--etc/signing-ca.conf14
-rwxr-xr-x[-rw-r--r--]website-run-through27
5 files changed, 40 insertions, 30 deletions
diff --git a/.gitignore b/.gitignore
index 7798a7d..b88fa36 100644
--- a/.gitignore
+++ b/.gitignore
@@ -3,3 +3,4 @@ rotate-keys.service
sign-ca
sign-ca.service
sign-request
+ca
diff --git a/etc/root-ca.conf b/etc/root-ca.conf
index cd00238..70df9cf 100644
--- a/etc/root-ca.conf
+++ b/etc/root-ca.conf
@@ -13,8 +13,8 @@ dir = . # Top dir
# certificate.
[ req ]
-default_bits = 2048 # RSA key size
-encrypt_key = yes # Protect private key
+default_bits = 4096 # RSA key size
+encrypt_key = no # Protect private key
default_md = sha1 # MD to use
utf8 = yes # Input is UTF-8
string_mask = utf8only # Emit UTF-8 strings
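Review bot: The comment on the changed line `encrypt_key = no # Protect private key` now states the opposite of what the value does: the root CA key is written to disk unencrypted, so its only protection is the `chmod 700 ca/root-ca/private` in the run-through and whatever the host provides. The identical edit appears in the first hunk of etc/signing-ca.conf, where the same applies. I would record the decision where it is made, e.g. `encrypt_key = no # Key is stored unencrypted; relies on ca/*/private dir permissions (chmod 700)`. Separately, the untouched context line `default_md = sha1` is a deprecated signature digest for a newly bootstrapped CA; `sha256` is the standard choice wherever it appears in these configs.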
@@ -23,11 +23,11 @@ distinguished_name = ca_dn # DN section
req_extensions = ca_reqext # Desired extensions
[ ca_dn ]
-0.domainComponent = "org"
-1.domainComponent = "simple"
-organizationName = "Simple Inc"
-organizationalUnitName = "Simple Root CA"
-commonName = "Simple Root CA"
+0.domainComponent = "net"
+1.domainComponent = "eckner"
+organizationName = "Eckner Net"
+organizationalUnitName = "Eckner Net CA"
+commonName = "Eckner Net Root CA"
[ ca_reqext ]
keyUsage = critical,keyCertSign,cRLSign
diff --git a/etc/server.conf b/etc/server.conf
index 7c07fe7..c19bb37 100644
--- a/etc/server.conf
+++ b/etc/server.conf
@@ -12,18 +12,16 @@ encrypt_key = no # Protect private key
default_md = sha1 # MD to use
utf8 = yes # Input is UTF-8
string_mask = utf8only # Emit UTF-8 strings
-prompt = yes # Prompt for DN
+prompt = no # Prompt for DN
distinguished_name = server_dn # DN template
req_extensions = server_reqext # Desired extensions
[ server_dn ]
-0.domainComponent = "1. Domain Component (eg, com) "
-1.domainComponent = "2. Domain Component (eg, company) "
-2.domainComponent = "3. Domain Component (eg, pki) "
-organizationName = "4. Organization Name (eg, company) "
-organizationalUnitName = "5. Organizational Unit Name (eg, section) "
-commonName = "6. Common Name (eg, FQDN) "
-commonName_max = 64
+0.domainComponent = "net"
+1.domainComponent = "eckner"
+organizationName = "Eckner Net"
+organizationalUnitName = "Eckner Net"
+commonName = $ENV::CN
[ server_reqext ]
keyUsage = critical,digitalSignature,keyEncipherment
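Review bot: `commonName = $ENV::CN` takes the subject CN from an environment variable, but nothing in the file records that CN must be exported before `openssl req` runs; as far as I recall OpenSSL aborts config parsing with a variable-lookup error when an `$ENV::` name is unset, and the run-through sets it on only one invocation. The `prompt = no # Prompt for DN` comment on the changed line is now contradictory as well. I would write `prompt = no # Use the DN values below verbatim (no prompting)` and `commonName = $ENV::CN # Subject CN from the CN environment variable (must be set)`. Note also that dropping `commonName_max = 64` removes the only CN length bound in this file; since `_max` limits apply in prompt mode, that bound was no longer effective, so any limit on the CN now has to come from the signing CA's policy.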
diff --git a/etc/signing-ca.conf b/etc/signing-ca.conf
index 72d306f..ebba5d0 100644
--- a/etc/signing-ca.conf
+++ b/etc/signing-ca.conf
@@ -13,8 +13,8 @@ dir = . # Top dir
# certificate.
[ req ]
-default_bits = 2048 # RSA key size
-encrypt_key = yes # Protect private key
+default_bits = 4096 # RSA key size
+encrypt_key = no # Protect private key
default_md = sha1 # MD to use
utf8 = yes # Input is UTF-8
string_mask = utf8only # Emit UTF-8 strings
@@ -23,11 +23,11 @@ distinguished_name = ca_dn # DN section
req_extensions = ca_reqext # Desired extensions
[ ca_dn ]
-0.domainComponent = "org"
-1.domainComponent = "simple"
-organizationName = "Simple Inc"
-organizationalUnitName = "Simple Signing CA"
-commonName = "Simple Signing CA"
+0.domainComponent = "net"
+1.domainComponent = "eckner"
+organizationName = "Eckner Net"
+organizationalUnitName = "Eckner Net CA"
+commonName = "Eckner Net Signing CA"
[ ca_reqext ]
keyUsage = critical,keyCertSign,cRLSign
diff --git a/website-run-through b/website-run-through
index b4d2f42..0432ba1 100644..100755
--- a/website-run-through
+++ b/website-run-through
@@ -1,5 +1,7 @@
#!/bin/bash
+rm -rf --one-file-system ca certs
+
mkdir -p ca/root-ca/private ca/root-ca/db crl certs
chmod 700 ca/root-ca/private
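Review bot: `rm -rf --one-file-system ca certs` runs unconditionally and relative to the caller's cwd before any of the relative paths below are used: from the wrong directory it deletes unrelated `ca`/`certs` trees, and from the right one it destroys the only copy of the root and signing CA keys (the `ca` directory is gitignored in this same commit) along with the issued-certificate database. For a throwaway run-through that is the intent, but I would pin the working directory and make it explicit: `cd "$(dirname "$0")" || exit 1` before the `rm`, preceded by the comment `# DESTRUCTIVE: discards the existing CA (keys, index, serials) and rebuilds it from scratch`. Consider `set -eu` as well so a failed step does not continue issuing against a half-built CA.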
@@ -13,7 +15,7 @@ openssl req -new \
-out ca/root-ca.csr \
-keyout ca/root-ca/private/root-ca.key
-openssl ca -selfsign \
+openssl ca -batch -selfsign \
-config etc/root-ca.conf \
-in ca/root-ca.csr \
-out ca/root-ca.crt \
@@ -32,24 +34,33 @@ openssl req -new \
-out ca/signing-ca.csr \
-keyout ca/signing-ca/private/signing-ca.key
-openssl ca \
+openssl ca -batch \
-config etc/root-ca.conf \
-in ca/signing-ca.csr \
-out ca/signing-ca.crt \
-extensions signing_ca_ext
-SAN=DNS:www.simple.org \
+SAN=DNS:test.local \
+CN=test.local \
openssl req -new \
-config etc/server.conf \
- -out certs/simple.org.csr \
- -keyout certs/simple.org.key
+ -out /tmp/nginx.csr \
+ -keyout /tmp/nginx.key
-openssl ca \
+openssl ca -batch \
-config etc/signing-ca.conf \
- -in certs/simple.org.csr \
- -out certs/simple.org.crt \
+ -in /tmp/nginx.csr \
+ -out /tmp/nginx.crt \
-extensions server_ext
+cat /tmp/nginx.crt ca/signing-ca.crt ca/root-ca.crt > /tmp/nginx.chain
+
+sudo systemctl restart nginx
+
+curl -Ss https://test.local --cacert ca/root-ca.crt
+
+exit 0
+
openssl ca \
-config etc/signing-ca.conf \
-revoke ca/signing-ca/01.pem \