... | ... | @@ -12,92 +12,100 @@ Two bash scripts placed in [JetConf repository](https://gitlab.labs.nic.cz/labs/ |
Their usage is described below.
>>>
**Warning:**
Self-signed certificates are of course not considered trustworthy by common web
browsers and operating systems, so they are only suitable for testing.
**WARNING:** Self-signed certificates are of course not considered trustworthy
by common web browsers and operating systems, so they are only suitable for
testing.
>>>
## Certification Authority (CA)
To generate server and client certificates, you need to have CA like certificate to sign these certificates.
You can use pre-generated CA like certificate or generate your own. Pre-generated certificate files `ca.key` and `ca.pem` are placed in [JetConf](https://gitlab.labs.nic.cz/labs/jetconf) repository in `utils/cert_gen` subdirectory.
### Generate your own CA like certificate
The generated server and client certificates have to be signed by a Certificate Authority (CA). For production uses, a trusted CA should always be used. For testing purposes, though, a self-signed CA-like certificate will do. The easiest, but least secure, way is to use the pre-generated CA-like certificate and private key from the files `ca.pem` and `ca.key` available from the [JetConf](https://gitlab.labs.nic.cz/labs/jetconf) repository (subdirectory `utils/cert_gen`). Alternatively, the CA-like certificate and key can be generated using the procedure below.
### Generate your own CA-like certificate
Make or move to your working directory
```bash
$ mkdir my_ca_cert
$ cd my_ca_cert
```
Generate `ca.key` [more](https://www.openssl.org/docs/manmaster/man1/genrsa.html)
Generate `ca.key` [details](https://www.openssl.org/docs/manmaster/man1/genrsa.html)
```bash
$ openssl genrsa -out ca.key 2048
```
Generate `ca.pem` certificate. [more](https://www.openssl.org/docs/manmaster/man1/openssl-x509.html)
Generate `ca.pem` certificate. [details](https://www.openssl.org/docs/manmaster/man1/openssl-x509.html)
```bash
$ openssl req -x509 -new -nodes -key ca.key -sha256 -days 1024 -out ca.pem
```
Example CA setting to work with `gen_client_cert.sh` and `gen_server_cert.sh` scripts
* Country Name (2 letter code) [AU]:CZ
* State or Province Name (full name) [Some-State]:
* Locality Name (eg, city) []:
* Organization Name (eg, company) [Internet Widgits Pty Ltd]:Example CA
* Organizational Unit Name (eg, section) []:exca.cz
* Common Name (e.g. server FQDN or YOUR name) []:mail@exca.cz
* Email Address []:
Some parameters of the certificate have to be filled in. They are not terribly important for testing purposes. For example:
**WARNING: Generated CA like certificate is only for testing purposes. Do not importing this certificate to your browser as trusted and never use server and client certificates signed by this CA like certificate in real operation of applications.**
```
Country Name (2 letter code) [AU]:CZ
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Example CA
Organizational Unit Name (eg, section) []:exca.cz
Common Name (e.g. server FQDN or YOUR name) []:mail@exca.cz
Email Address []:
```
## Server Certificate
To generate a new server certificate for Jetconf, which will be in the correct
form and accepted even by the more pedantic web browsers like Chrome, just run
the provided `gen_server_cert.sh` script.
The script can be used in two following ways.
To generate a new server certificate for JetConf that will be accepted even by
the more pedantic web browsers like Chrome, just run the provided
`gen_server_cert.sh` script.
The script can be used in one of the two following ways:
```bash
$ ./gen_server_cert.sh <out_file_suffix> <domain/ip>
# or
```
The command will generate a new server private key along with the certificate.
```bash
$ ./gen_server_cert.sh <out_file_suffix> <domain/ip> <server_key>
```
The **first** form will generate a new server private key, while the **second** one
lets you to pass the private key file as an argument `<server_key>`.
In this case, the name of the private key file passed to the script as the `<server_key>` argument.
The script will autodetect if the certificate is being issued for a domain
name or an IP address `<domain/ip>`, and sets the appropriate SAN value.
The script autodetects if the certificate is being issued for a domain
name or an IP address (`<domain/ip>`), and sets the appropriate SAN value.
For example, this command will create a certificate named `server_example.crt`
for `example.com` domain with new private key `server_example.key`:
**Example**
```bash
$ ./gen_server_cert.sh example example.com
```
Script will create a certificate named `server_example.crt` for `example.com` domain with new
private key `server_example.key`.
If you want this certificate to be recognized as valid by your web browser,
If you want this certificate to be accepted by your web browser,
the issuing CA's certificate needs to be imported to your browser.
**WARNING: It is strongly recommended not to import the provided CA's
certificate (ca.pem) to your production browser, as it's private key is
>>>
**WARNING**: It is strongly recommended not to import the provided CA's
certificate (`ca.pem`) to your production browser, as its private key is
publicly known. If you do so, someone could perform a MITM attack to
any connection with an SSL-protected website.**
any connection with an SSL-protected website.
>>>
## Client Certificate
## Client Certificates
To generate a new client certificate the `gen_client_cert.sh` script is provided. This will issue a new
client certificate using the `CA.pem` as the certification authority.
The `gen_client_cert.sh` script is intended for generating client certificates signed by the previously created CA-like certificate.
To generate a client certificate, just run the provided script as follows:
The script is used simply as follows:
```bash
$ ./gen_client_cert.sh <username>
$ ./gen_client_cert.sh <email_address>
```
The issued certificate will have the **emailAddress DN** in the form of
`username@mail.cz`. This will be used as the username by Jetconf server.
The issued certificate will use the email address passed in the argument is used as the **emailAddress DN** parameter of the client certificate. Also, the email address identifies the client to the JetConf server.
The following files will be generated:
- **username.pem** - the client certificate
- **username.key** - the client private key
- **username_curl.pem** - the concatenation of previous 2 files. Some utilities, like
CURL, expect the client certificate in this form
- **username.pfx** - certificate and private key in PKCS#12 format. Required for
importing into web browsers (Chrome, Firefox, ...) *username* is a password. |
For example, the command
```bash
$ ./gen_client_cert.sh joe@example.net
```
will generate the following files:
- `joe@example.net.pem` - the client certificate
- `joe@example.net.key` - the client private key
- `joe@example.net_curl.pfx` - the previous 2 files combined and protected by a
password. Some utilities, such as [curl](https://curl.haxx.se/), expect the
client certificate in this so called PKCS#12 format. In case you are wondering,
the password is again the email address, i.e. `joe@example.net` in this case. |
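Review bot: the rewritten client-certificate file list conflates two different outputs in its last item. The removed list had `username_curl.pem`, a PEM concatenation of certificate and key that curl expects, and a separate `username.pfx` PKCS#12 bundle for importing into browsers; the new item names a single `joe@example.net_curl.pfx`, describes it as "the previous 2 files combined and protected by a password" and says curl expects PKCS#12, so either the filename or the description is wrong, and the browser-import bundle is no longer documented at all. Suggest listing both again, e.g. `joe@example.net_curl.pem` (PEM concatenation for curl) and `joe@example.net.pfx` (PKCS#12 for browsers), and keeping the sentence that the PKCS#12 password is the email address itself, since a reader should know that password is not a secret. Smaller points in the same hunk: "The issued certificate will use the email address passed in the argument is used as the **emailAddress DN** parameter" has two verbs; "In this case, the name of the private key file passed to the script as the `<server_key>` argument." has none (read "is passed"); the `# or` line is now left closing the first `gen_server_cert.sh` fence by itself since the second invocation moved into its own block; and the CA paragraph should say that `openssl req -x509 -new -nodes -key ca.key ...` leaves `ca.key` unencrypted on disk, which is one more reason the generated CA is for testing only.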