fix pathnames in README
This commit is contained in:
parent
b52bdfc813
commit
cb84c20e73
29
README.md
@ -36,19 +36,24 @@ certificate: when prompted for "Common Name", say "Certificate
Authority" or something like that
```
openssl genrsa -out ca.key 4096
openssl req -addext basicConstraints=critical,CA:TRUE,pathlen:1 --x509 -new -nodes -key ca.key -sha256 -days 3650 -out ca.crt
openssl genrsa -out private/ca.key 4096
openssl req -addext basicConstraints=critical,CA:TRUE,pathlen:0 --x509 -new -nodes -key private/ca.key -sha256 -days 3650 -out certs/ca.crt
```
### Server key and cert
The certifix service is exposed over HTTPS, so it needs its own
certificate signed by the CA. Use your hostname when prompted for
Common Name
Common Name. If your server host is reachable using different
names from different clients then you need to provide _all_ of them
as `subjectAltName` - as in the example below.
```
openssl req -newkey rsa:2048 -nodes -keyout server.key --out server.csr
openssl x509 -req -in server.csr -days 365 -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt
# it's important to list all the hostnames of your server machine in the
# subjectAltName field
openssl req -newkey rsa:2048 -addext "subjectAltName = DNS:loaclhost.lan,DNS:localhost,DNS:loaclhost.telent.net" -nodes -keyout private/server.key --out certs/server.csr
openssl x509 -req -in certs/server.csr -days 365 -CA certs/ca.crt -CAkey private/ca.key -CAcreateserial -copy_extensions copyall -out certs/server.crt
```
### Build and start the server
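Review bot: the subjectAltName on the new server CSR line spells `DNS:loaclhost.lan` and `DNS:loaclhost.telent.net`; if those are meant to be `localhost.lan` and `localhost.telent.net`, a client connecting with the correct hostname will fail certificate verification, so fix the spelling before anyone copies the example. Two further points on this hunk: the CA line also changes `pathlen:1` to `pathlen:0`, which is a policy change (the CA may then only issue end-entity certificates, which fits this tool) that the commit message "fix pathnames in README" does not mention and that the text should state; and `-copy_extensions copyall` copies every extension requested in the CSR into the signed certificate, which is what carries the subjectAltName through but also means any other extension present in the CSR is honoured, so the README should say this is only appropriate for a CSR you generated yourself. Since the keys now live under `private/`, a sentence telling the reader to restrict that directory's permissions would also be useful.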
@ -61,9 +66,14 @@ it to check client certificate requests against.
echo 'loves labours lost' > psk
chmod 0700 psk
nix-build
result/bin/certifix --challenge-password psk --ca-certificate ca.crt --ca-private-key --server-certificate server.crt --server-private-key server.key localhost:19613
result/bin/certifix --challenge-password psk --ca-certificate certs/ca.crt --ca-private-key private/ca.key --server-certificate certs/server.crt --server-private-key private/server.key localhost:19613
```
* To listen on all interfaces, use a wildcard address instead of
`localhost` - e.g. `::0:19613' will (at least on my machine) accept
IPv4 and IPv6 connections on any interface
### Try it and see if it works
To set the `challengePassword` attribute in a CSR using OpenSSL, you
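Review bot: good catch on the old invocation, which passed `--ca-private-key` with no value, so the server line could not have worked as written; the new line supplies `private/ca.key`. Two nits in the unchanged context: `chmod 0700 psk` sets the execute bit on a regular file, and `chmod 0600 psk` expresses the intent (owner read and write only) more precisely; and the bullet under the code block mixes a backtick and a single quote around `::0:19613`, which will render oddly in Markdown.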
@ -76,10 +86,10 @@ need to create a configuration file. Copy `openssl.cnf.example` to
```
# make CSR
CN=mydevice openssl req -config openssl.cnf -newkey rsa:2048 -nodes -keyout client.key -out client.csr
CN=mydevice openssl req -config openssl.cnf -addext "subjectAltName = DNS:mydevice.lan" -newkey rsa:2048 -nodes -keyout client.key -out client.csr
# send it to certifix, should get a certificate in response
curl --cacert ca.crt -v -H 'content-type: application/x-pem-file' --data-binary @client.csr https://localhost:19613/sign
curl --cacert certs/ca.crt -v -H 'content-type: application/x-pem-file' --data-binary @client.csr https://localhost:19613/sign
```
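Review bot: the client CSR now requests `subjectAltName = DNS:mydevice.lan`, but nothing in this hunk says whether certifix copies requested extensions into the certificate it returns (the server-certificate example above relies on `-copy_extensions copyall` for that), so a sentence stating whether the SAN survives signing, or a hint to inspect the returned certificate with `openssl x509 -noout -text`, would save readers a round trip.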
@ -102,6 +112,8 @@ only invoked once an acceptable request has been received.
* probably has wrong basicConstraints in CA cert
* doesn't call SSL shutdown at the end of the response
* likewise other TLS best practices
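Review bot: the first bullet, "probably has wrong basicConstraints in CA cert", is left as-is even though the first hunk changes the CA example to `pathlen:0`; either the item is now resolved and should be dropped, or the README should say what is still believed to be wrong. The new "doesn't call SSL shutdown at the end of the response" item deserves a short note on the consequence: without a close_notify the client cannot distinguish a complete response from a truncated one, so it carries more weight than a stylistic TLS best practice.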
@ -110,3 +122,4 @@ only invoked once an acceptable request has been received.
* [RFC 5967 - spec for a CSR](https://datatracker.ietf.org/doc/html/rfc5967)
* [A gentle introduction to ASN1. and DER](https://letsencrypt.org/docs/a-warm-welcome-to-asn1-and-der/)
openssl req -newkey rsa:2048 -addext "subjectAltName = DNS:loaclhost.lan,DNS:localhost,DNS:loaclhost.telent.net" -nodes -keyout private/server.key --out certs/server.csr
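Review bot: the `openssl req ... -out certs/server.csr` line appended after the reference list looks like an accidental paste from the server-certificate section (it is the same line as in the first hunk, misspellings included) and should be removed. In the unchanged context, the link text "A gentle introduction to ASN1. and DER" has a misplaced period (ASN.1).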
0
certs/.gitkeep
Normal file
0
private/.gitkeep
Normal file