summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--.gitignore1
-rw-r--r--etc/root-ca.conf14
-rw-r--r--etc/server.conf14
-rw-r--r--etc/signing-ca.conf14
-rwxr-xr-x[-rw-r--r--]website-run-through27
5 files changed, 40 insertions, 30 deletions
diff --git a/.gitignore b/.gitignore
index 7798a7d..b88fa36 100644
--- a/.gitignore
+++ b/.gitignore
@@ -3,3 +3,4 @@ rotate-keys.service
sign-ca
sign-ca.service
sign-request
+ca
diff --git a/etc/root-ca.conf b/etc/root-ca.conf
index cd00238..70df9cf 100644
--- a/etc/root-ca.conf
+++ b/etc/root-ca.conf
@@ -13,8 +13,8 @@ dir = . # Top dir
# certificate.
[ req ]
-default_bits = 2048 # RSA key size
-encrypt_key = yes # Protect private key
+default_bits = 4096 # RSA key size
+encrypt_key = no # Protect private key
default_md = sha1 # MD to use
utf8 = yes # Input is UTF-8
string_mask = utf8only # Emit UTF-8 strings
@@ -23,11 +23,11 @@ distinguished_name = ca_dn # DN section
req_extensions = ca_reqext # Desired extensions
[ ca_dn ]
-0.domainComponent = "org"
-1.domainComponent = "simple"
-organizationName = "Simple Inc"
-organizationalUnitName = "Simple Root CA"
-commonName = "Simple Root CA"
+0.domainComponent = "net"
+1.domainComponent = "eckner"
+organizationName = "Eckner Net"
+organizationalUnitName = "Eckner Net CA"
+commonName = "Eckner Net Root CA"
[ ca_reqext ]
keyUsage = critical,keyCertSign,cRLSign
diff --git a/etc/server.conf b/etc/server.conf
index 7c07fe7..c19bb37 100644
--- a/etc/server.conf
+++ b/etc/server.conf
@@ -12,18 +12,16 @@ encrypt_key = no # Protect private key
default_md = sha1 # MD to use
utf8 = yes # Input is UTF-8
string_mask = utf8only # Emit UTF-8 strings
-prompt = yes # Prompt for DN
+prompt = no # Prompt for DN
distinguished_name = server_dn # DN template
req_extensions = server_reqext # Desired extensions
[ server_dn ]
-0.domainComponent = "1. Domain Component (eg, com) "
-1.domainComponent = "2. Domain Component (eg, company) "
-2.domainComponent = "3. Domain Component (eg, pki) "
-organizationName = "4. Organization Name (eg, company) "
-organizationalUnitName = "5. Organizational Unit Name (eg, section) "
-commonName = "6. Common Name (eg, FQDN) "
-commonName_max = 64
+0.domainComponent = "net"
+1.domainComponent = "eckner"
+organizationName = "Eckner Net"
+organizationalUnitName = "Eckner Net"
+commonName = $ENV::CN
[ server_reqext ]
keyUsage = critical,digitalSignature,keyEncipherment
diff --git a/etc/signing-ca.conf b/etc/signing-ca.conf
index 72d306f..ebba5d0 100644
--- a/etc/signing-ca.conf
+++ b/etc/signing-ca.conf
@@ -13,8 +13,8 @@ dir = . # Top dir
# certificate.
[ req ]
-default_bits = 2048 # RSA key size
-encrypt_key = yes # Protect private key
+default_bits = 4096 # RSA key size
+encrypt_key = no # Protect private key
default_md = sha1 # MD to use
utf8 = yes # Input is UTF-8
string_mask = utf8only # Emit UTF-8 strings
@@ -23,11 +23,11 @@ distinguished_name = ca_dn # DN section
req_extensions = ca_reqext # Desired extensions
[ ca_dn ]
-0.domainComponent = "org"
-1.domainComponent = "simple"
-organizationName = "Simple Inc"
-organizationalUnitName = "Simple Signing CA"
-commonName = "Simple Signing CA"
+0.domainComponent = "net"
+1.domainComponent = "eckner"
+organizationName = "Eckner Net"
+organizationalUnitName = "Eckner Net CA"
+commonName = "Eckner Net Signing CA"
[ ca_reqext ]
keyUsage = critical,keyCertSign,cRLSign
diff --git a/website-run-through b/website-run-through
index b4d2f42..0432ba1 100644..100755
--- a/website-run-through
+++ b/website-run-through
@@ -1,5 +1,7 @@
#!/bin/bash
+rm -rf --one-file-system ca certs
+
mkdir -p ca/root-ca/private ca/root-ca/db crl certs
chmod 700 ca/root-ca/private
@@ -13,7 +15,7 @@ openssl req -new \
-out ca/root-ca.csr \
-keyout ca/root-ca/private/root-ca.key
-openssl ca -selfsign \
+openssl ca -batch -selfsign \
-config etc/root-ca.conf \
-in ca/root-ca.csr \
-out ca/root-ca.crt \
@@ -32,24 +34,33 @@ openssl req -new \
-out ca/signing-ca.csr \
-keyout ca/signing-ca/private/signing-ca.key
-openssl ca \
+openssl ca -batch \
-config etc/root-ca.conf \
-in ca/signing-ca.csr \
-out ca/signing-ca.crt \
-extensions signing_ca_ext
-SAN=DNS:www.simple.org \
+SAN=DNS:test.local \
+CN=test.local \
openssl req -new \
-config etc/server.conf \
- -out certs/simple.org.csr \
- -keyout certs/simple.org.key
+ -out /tmp/nginx.csr \
+ -keyout /tmp/nginx.key
-openssl ca \
+openssl ca -batch \
-config etc/signing-ca.conf \
- -in certs/simple.org.csr \
- -out certs/simple.org.crt \
+ -in /tmp/nginx.csr \
+ -out /tmp/nginx.crt \
-extensions server_ext
+cat /tmp/nginx.crt ca/signing-ca.crt ca/root-ca.crt > /tmp/nginx.chain
+
+sudo systemctl restart nginx
+
+curl -Ss https://test.local --cacert ca/root-ca.crt
+
+exit 0
+
openssl ca \
-config etc/signing-ca.conf \
-revoke ca/signing-ca/01.pem \