... | @@ -6,26 +6,64 @@ Generating Certificates for JetConf Server and Client using [OpenSSL](https://ww |

```bash
$ sudo apt-get install openssl
```

Two bash scripts are provided in the [JetConf repository](https://gitlab.labs.nic.cz/labs/jetconf/tree/master/utils/cert_gen) in the `utils/cert_gen` directory. The first script, `gen_server_cert.sh`, generates a server certificate; the second, `gen_client_cert.sh`, creates a client certificate. Their usage is described below.

**Note:**

Such certificates are of course not considered trustworthy by common web browsers and operating systems; they are only suitable for testing.

## Server Certificate

To generate a new server certificate for Jetconf, which will be in the correct form and accepted even by the more pedantic web browsers like Chrome, just run the provided `gen_server_cert.sh` script placed in the [JetConf repository](https://gitlab.labs.nic.cz/labs/jetconf/tree/master/utils/cert_gen) in the `utils/cert_gen` subdirectory.

The script can be used in the two following ways.

```bash
$ ./gen_server_cert.sh <out_file_suffix> <domain/ip>
```

or

```bash
$ ./gen_server_cert.sh <out_file_suffix> <domain/ip> <server_key>
```

The **first** form will generate a new server private key, while the **second** one lets you pass the private key file as an argument `<server_key>`.

The script autodetects whether the certificate is being issued for a domain name or an IP address `<domain/ip>` and sets the appropriate SAN value.

**Example**

```bash
$ ./gen_server_cert.sh example example.com
```

The script will create a certificate named `server_example.crt` for the `example.com` domain with a new private key `server_example.key`.

If you want this certificate to be recognized as valid by your web browser, the issuing CA's certificate needs to be imported into your browser.

**WARNING**:

It is strongly recommended not to import the provided CA's certificate (ca.pem) into your production browser, as its private key is publicly known. If you do so, someone could perform a MITM attack on any connection to an SSL-protected website.

## Client Certificate

To generate a new client certificate, the `gen_client_cert.sh` script is provided in the [JetConf repository](https://gitlab.labs.nic.cz/labs/jetconf/tree/master/utils/cert_gen) in `utils/cert_gen`. This will issue a new client certificate using the `CA.pem` as the certification authority.

To generate a client certificate, just run the provided script as follows:

```bash
$ ./gen_client_cert.sh <username>
```

The issued certificate will have the **emailAddress DN** in the form `username@mail.cz`. This will be used as the username by the Jetconf server.

The following files will be generated:

- **username.pem** - the client certificate
- **username.key** - the client private key
- **username_curl.pem** - the concatenation of the previous 2 files. Some utilities, like CURL, expect the client certificate in this form
- **username.pfx** - certificate and private key in PKCS#12 format. Required for importing into web browsers (Chrome, Firefox, ...)