... | @@ -8,16 +8,31 @@ $ sudo apt-get install openssl |
... | @@ -8,16 +8,31 @@ $ sudo apt-get install openssl |
|
|
|
|
|
Two bash scripts placed in [JetConf repository](https://gitlab.labs.nic.cz/labs/jetconf/tree/master/utils/cert_gen) in `utils/cert_gen` directory are provided. First script `gen_server_cert.sh` for generating server certificate and second script `gen_client_cert.sh` for creating client certificate. Their usage is described below.
|
|
Two bash scripts placed in [JetConf repository](https://gitlab.labs.nic.cz/labs/jetconf/tree/master/utils/cert_gen) in `utils/cert_gen` directory are provided. First script `gen_server_cert.sh` for generating server certificate and second script `gen_client_cert.sh` for creating client certificate. Their usage is described below.
|
|
|
|
|
|
**Note:**
|
|
**WARNING: Such certificates are of course not considered trustworthy by common web
|
|
Such certificates are of course not considered trustworthy by common web
|
|
browsers and operating systems, they are only suitable for testing.**
|
|
browsers and operating systems, they are only suitable for testing.
|
|
|
|
|
|
## Certification Authority (CA)
|
|
|
|
To generate server and client certificates, you need to have CA like certificate to sign these certificates.
|
|
|
|
You can use pre-generated CA like certificate or generate your own. Pre-generated certificate files `ca.key`, `ca.pem` and `ca.srl` are placed in [JetConf](https://gitlab.labs.nic.cz/labs/jetconf) repository in `utils/cert_gen` subdirectory.
|
|
|
|
|
|
|
|
### Generate your own CA like certificate
|
|
|
|
Generate key
|
|
|
|
```bash
|
|
|
|
$ openssl genrsa -des3 -out ca.key 4096
|
|
|
|
```
|
|
|
|
Generate certificate
|
|
|
|
```bash
|
|
|
|
$ openssl req -x509 -new -nodes -key ca.key -sha256 -days 1024 -out ca.pem
|
|
|
|
```
|
|
|
|
|
|
|
|
**WARNING: Generated CA like certificates are only for testing purposes. Never use this CA like certificate and server, client certificates signed by this CA like certificate in real operation of applications.**
|
|
|
|
|
|
## Server Certificate
|
|
## Server Certificate
|
|
To generate a new server certificate for Jetconf, which will be in the correct
|
|
To generate a new server certificate for Jetconf, which will be in the correct
|
|
form and accepted even by the more pedantic web browsers like Chrome, just run
|
|
form and accepted even by the more pedantic web browsers like Chrome, just run
|
|
the provided `gen_server_cert.sh` script.
|
|
the provided `gen_server_cert.sh` script.
|
|
|
|
|
|
The script can used in two following ways.
|
|
The script can be used in two following ways.
|
|
|
|
|
|
```bash
|
|
```bash
|
|
$ ./gen_server_cert.sh <out_file_suffix> <domain/ip>
|
|
$ ./gen_server_cert.sh <out_file_suffix> <domain/ip>
|
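Review bot: the new "Generate your own CA like certificate" section does not say what to do with the resulting `ca.key`/`ca.pem`; state whether they must replace the pre-generated files in `utils/cert_gen` so that `gen_server_cert.sh` and `gen_client_cert.sh` actually sign with the new CA, otherwise a reader will generate a CA and still get certificates issued by the public one. Also worth noting in the same section that `openssl genrsa -des3 -out ca.key 4096` writes a passphrase-protected key, so the following `openssl req -x509 -new -nodes -key ca.key ...` and every later run of the scripts will prompt for that passphrase (`-nodes` only affects a key `req` would write, not the one it reads). Wording: "CA like certificate" is just a self-signed CA certificate and reads better as "CA certificate", "you need to have CA like certificate" is missing an article, and "in two following ways" should be "in the following two ways".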
... | @@ -40,11 +55,10 @@ private key `server_example.key`. |
... | @@ -40,11 +55,10 @@ private key `server_example.key`. |
|
If you want this certificate to be recognized as valid by your web browser,
|
|
If you want this certificate to be recognized as valid by your web browser,
|
|
the issuing CA's certificate needs to be imported to your browser.
|
|
the issuing CA's certificate needs to be imported to your browser.
|
|
|
|
|
|
**WARNING**:
|
|
**WARNING: It is strongly recommended not to import the provided CA's
|
|
It is strongly recommended not to import the provided CA's
|
|
|
|
certificate (ca.pem) to your production browser, as it's private key is
|
|
certificate (ca.pem) to your production browser, as it's private key is
|
|
publicly known. If you do so, someone could perform a MITM attack to
|
|
publicly known. If you do so, someone could perform a MITM attack to
|
|
any connection with an SSL-protected website.
|
|
any connection with an SSL-protected website.**
|
|
|
|
|
|
## Client Certificate
|
|
## Client Certificate
|
|
|
|
|
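Review bot: the warning covers only the browser side; since `ca.key` is publicly known, anyone can run `gen_client_cert.sh` against it and obtain a client certificate that a JetConf server trusting `ca.pem` will accept, so the paragraph should also say that the provided CA must never be configured as the trusted client CA on anything but a test instance. Minor: "as it's private key is" should be "as its private key is".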