diff options
-rw-r--r-- | .gitignore | 1 | ||||
-rw-r--r-- | etc/root-ca.conf | 14 | ||||
-rw-r--r-- | etc/server.conf | 14 | ||||
-rw-r--r-- | etc/signing-ca.conf | 14 | ||||
-rwxr-xr-x[-rw-r--r--] | website-run-through | 27 |
5 files changed, 40 insertions, 30 deletions
@@ -3,3 +3,4 @@ rotate-keys.service sign-ca sign-ca.service sign-request +ca diff --git a/etc/root-ca.conf b/etc/root-ca.conf index cd00238..70df9cf 100644 --- a/etc/root-ca.conf +++ b/etc/root-ca.conf @@ -13,8 +13,8 @@ dir = . # Top dir # certificate. [ req ] -default_bits = 2048 # RSA key size -encrypt_key = yes # Protect private key +default_bits = 4096 # RSA key size +encrypt_key = no # Protect private key default_md = sha1 # MD to use utf8 = yes # Input is UTF-8 string_mask = utf8only # Emit UTF-8 strings @@ -23,11 +23,11 @@ distinguished_name = ca_dn # DN section req_extensions = ca_reqext # Desired extensions [ ca_dn ] -0.domainComponent = "org" -1.domainComponent = "simple" -organizationName = "Simple Inc" -organizationalUnitName = "Simple Root CA" -commonName = "Simple Root CA" +0.domainComponent = "net" +1.domainComponent = "eckner" +organizationName = "Eckner Net" +organizationalUnitName = "Eckner Net CA" +commonName = "Eckner Net Root CA" [ ca_reqext ] keyUsage = critical,keyCertSign,cRLSign diff --git a/etc/server.conf b/etc/server.conf index 7c07fe7..c19bb37 100644 --- a/etc/server.conf +++ b/etc/server.conf @@ -12,18 +12,16 @@ encrypt_key = no # Protect private key default_md = sha1 # MD to use utf8 = yes # Input is UTF-8 string_mask = utf8only # Emit UTF-8 strings -prompt = yes # Prompt for DN +prompt = no # Prompt for DN distinguished_name = server_dn # DN template req_extensions = server_reqext # Desired extensions [ server_dn ] -0.domainComponent = "1. Domain Component (eg, com) " -1.domainComponent = "2. Domain Component (eg, company) " -2.domainComponent = "3. Domain Component (eg, pki) " -organizationName = "4. Organization Name (eg, company) " -organizationalUnitName = "5. Organizational Unit Name (eg, section) " -commonName = "6. Common Name (eg, FQDN) " -commonName_max = 64 +0.domainComponent = "net" +1.domainComponent = "eckner" +organizationName = "Eckner Net" +organizationalUnitName = "Eckner Net" +commonName = $ENV::CN [ server_reqext ] keyUsage = critical,digitalSignature,keyEncipherment diff --git a/etc/signing-ca.conf b/etc/signing-ca.conf index 72d306f..ebba5d0 100644 --- a/etc/signing-ca.conf +++ b/etc/signing-ca.conf @@ -13,8 +13,8 @@ dir = . # Top dir # certificate. [ req ] -default_bits = 2048 # RSA key size -encrypt_key = yes # Protect private key +default_bits = 4096 # RSA key size +encrypt_key = no # Protect private key default_md = sha1 # MD to use utf8 = yes # Input is UTF-8 string_mask = utf8only # Emit UTF-8 strings @@ -23,11 +23,11 @@ distinguished_name = ca_dn # DN section req_extensions = ca_reqext # Desired extensions [ ca_dn ] -0.domainComponent = "org" -1.domainComponent = "simple" -organizationName = "Simple Inc" -organizationalUnitName = "Simple Signing CA" -commonName = "Simple Signing CA" +0.domainComponent = "net" +1.domainComponent = "eckner" +organizationName = "Eckner Net" +organizationalUnitName = "Eckner Net CA" +commonName = "Eckner Net Signing CA" [ ca_reqext ] keyUsage = critical,keyCertSign,cRLSign diff --git a/website-run-through b/website-run-through index b4d2f42..0432ba1 100644..100755 --- a/website-run-through +++ b/website-run-through @@ -1,5 +1,7 @@ #!/bin/bash +rm -rf --one-file-system ca certs + mkdir -p ca/root-ca/private ca/root-ca/db crl certs chmod 700 ca/root-ca/private @@ -13,7 +15,7 @@ openssl req -new \ -out ca/root-ca.csr \ -keyout ca/root-ca/private/root-ca.key -openssl ca -selfsign \ +openssl ca -batch -selfsign \ -config etc/root-ca.conf \ -in ca/root-ca.csr \ -out ca/root-ca.crt \ @@ -32,24 +34,33 @@ openssl req -new \ -out ca/signing-ca.csr \ -keyout ca/signing-ca/private/signing-ca.key -openssl ca \ +openssl ca -batch \ -config etc/root-ca.conf \ -in ca/signing-ca.csr \ -out ca/signing-ca.crt \ -extensions signing_ca_ext -SAN=DNS:www.simple.org \ +SAN=DNS:test.local \ +CN=test.local \ openssl req -new \ -config etc/server.conf \ - -out certs/simple.org.csr \ - -keyout certs/simple.org.key + -out /tmp/nginx.csr \ + -keyout /tmp/nginx.key -openssl ca \ +openssl ca -batch \ -config etc/signing-ca.conf \ - -in certs/simple.org.csr \ - -out certs/simple.org.crt \ + -in /tmp/nginx.csr \ + -out /tmp/nginx.crt \ -extensions server_ext +cat /tmp/nginx.crt ca/signing-ca.crt ca/root-ca.crt > /tmp/nginx.chain + +sudo systemctl restart nginx + +curl -Ss https://test.local --cacert ca/root-ca.crt + +exit 0 + openssl ca \ -config etc/signing-ca.conf \ -revoke ca/signing-ca/01.pem \ |