diff --git a/README.md b/README.md index 9dffbea..32351f8 100644 --- a/README.md +++ b/README.md @@ -36,19 +36,24 @@ certificate: when prompted for "Common Name", say "Certificate Authority" or something like that ``` -openssl genrsa -out ca.key 4096 -openssl req -addext basicConstraints=critical,CA:TRUE,pathlen:1 --x509 -new -nodes -key ca.key -sha256 -days 3650 -out ca.crt +openssl genrsa -out private/ca.key 4096 +openssl req -addext basicConstraints=critical,CA:TRUE,pathlen:0 --x509 -new -nodes -key private/ca.key -sha256 -days 3650 -out certs/ca.crt ``` ### Server key and cert The certifix service is exposed over HTTPS, so it needs its own certificate signed by the CA. Use your hostname when prompted for -Common Name +Common Name. If your server host is reachable using different +names from different clients then you need to provide _all_ of them +as `subjectAltName` - as in the example below. ``` -openssl req -newkey rsa:2048 -nodes -keyout server.key --out server.csr -openssl x509 -req -in server.csr -days 365 -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt +# it's important to list all the hostnames of your server machine in the +# subjectAltName field +openssl req -newkey rsa:2048 -addext "subjectAltName = DNS:loaclhost.lan,DNS:localhost,DNS:loaclhost.telent.net" -nodes -keyout private/server.key --out certs/server.csr +openssl x509 -req -in certs/server.csr -days 365 -CA certs/ca.crt -CAkey private/ca.key -CAcreateserial -copy_extensions copyall -out certs/server.crt + ``` ### Build and start the server 
@@ -61,9 +66,14 @@ it to check client certificate requests against. echo 'loves labours lost' > psk chmod 0700 psk nix-build -result/bin/certifix --challenge-password psk --ca-certificate ca.crt --ca-private-key --server-certificate server.crt --server-private-key server.key localhost:19613 +result/bin/certifix --challenge-password psk --ca-certificate certs/ca.crt --ca-private-key private/ca.key --server-certificate certs/server.crt --server-private-key private/server.key localhost:19613 ``` +* To listen on all interfaces, use a wildcard address instead of + `localhost` - e.g. `::0:19613' will (at least on my machine) accept + IPv4 and IPv6 connections on any interface + + ### Try it and see if it works To set the `challengePassword` attribute in a CSR using OpenSSL, you @@ -76,10 +86,10 @@ need to create a configuration file. Copy `openssl.cnf.example` to ``` # make CSR -CN=mydevice openssl req -config openssl.cnf -newkey rsa:2048 -nodes -keyout client.key -out client.csr +CN=mydevice openssl req -config openssl.cnf -addext "subjectAltName = DNS:mydevice.lan" -newkey rsa:2048 -nodes -keyout client.key -out client.csr # send it to certifix, should get a certificate in response -curl --cacert ca.crt -v -H 'content-type: application/x-pem-file' --data-binary @client.csr https://localhost:19613/sign +curl --cacert certs/ca.crt -v -H 'content-type: application/x-pem-file' --data-binary @client.csr https://localhost:19613/sign ``` @@ -102,6 +112,8 @@ only invoked once an acceptable request has been received. * probably has wrong basicConstraints in CA cert +* doesn't call SSL shutdown at the end of the response + * likewise other TLS best practices 
@@ -110,3 +122,4 @@ only invoked once an acceptable request has been received. * [RFC 5967 - spec for a CSR](https://datatracker.ietf.org/doc/html/rfc5967) * [A gentle introduction to ASN1. and DER](https://letsencrypt.org/docs/a-warm-welcome-to-asn1-and-der/) + openssl req -newkey rsa:2048 -addext "subjectAltName = DNS:loaclhost.lan,DNS:localhost,DNS:loaclhost.telent.net" -nodes -keyout private/server.key --out certs/server.csr diff --git a/certs/.gitkeep b/certs/.gitkeep new file mode 100644 index 0000000..e69de29 diff --git a/private/.gitkeep b/private/.gitkeep new file mode 100644 index 0000000..e69de29
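Review bot: the server CSR example in the first README hunk spells the host names `loaclhost.lan` and `loaclhost.telent.net`; if those are meant to be `localhost.lan` and `localhost.telent.net`, fix them, because a SAN that does not match the name a client actually connects with makes every TLS connection fail verification, which is exactly the failure the new paragraph is trying to prevent. On the `openssl x509 -req` line, `-copy_extensions copyall` copies every requested extension from the CSR into the certificate; that is fine here because the operator generates this CSR themselves, but a sentence saying so would stop readers from reusing the flag for CSRs they did not produce. The change from `pathlen:1` to `pathlen:0` is the right constraint for a CA that only issues leaf certificates.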
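Review bot: the new bullet in the second hunk has mismatched quoting, `::0:19613'` opens with a backtick and closes with an apostrophe. The hedge "at least on my machine" should also go: check which wildcard syntax certifix's address parser accepts (for example whether a bracketed `[::]:19613` form is needed) and document that one. The corrected `result/bin/certifix` line now passes `private/ca.key` to `--ca-private-key`, which the old line omitted, so that part is good; while touching this block, `chmod 0700 psk` sets an execute bit on a regular file and `chmod 0600 psk` expresses the intent better. The bullet is followed by two blank lines where one would do.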
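Review bot: the client CSR in the third hunk now requests `subjectAltName = DNS:mydevice.lan`, but the README does not say whether certifix carries CSR extension requests into the certificate it signs. If it does, document which extensions are honoured: a signer that copies every requested extension from a CSR it did not generate would let anyone holding the challenge password set `basicConstraints` or key-usage values on their own certificate, so the issuing code should copy only an allow-list (such as `subjectAltName`) and the README should state that, or state that extensions are ignored.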
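Review bot: the TODO hunk adds "doesn't call SSL shutdown at the end of the response" directly below "probably has wrong basicConstraints in CA cert", yet this same patch changes the CA command to `pathlen:0`, which is the correct constraint for a CA that signs only leaf certificates; either drop that older item or say what is still believed to be wrong. For the new item, consider noting the symptom so readers know why it matters: without a TLS close_notify a client may report an unexpected EOF or treat the response as truncated rather than a clean close.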
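Review bot: the final README hunk appends a bare `openssl req ... --out certs/server.csr` line after the reference list, outside any code fence; it duplicates the server CSR command from the first hunk (typos included) and looks like a paste accident, so it should be removed. Separately, the patch adds `certs/.gitkeep` and `private/.gitkeep` so the README's `private/ca.key` and `private/server.key` paths exist, but nothing in the diff excludes `private/` from version control; add a `.gitignore` rule for `private/*` (exempting `.gitkeep`) so the CA private key cannot be committed by a careless `git add .`.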