ca-scripts/doc/README

62 lines
3 KiB
Text
Raw Normal View History

1. Creating a Certificate Authority.
To fully understand it's contents you're unfortunately going to need to read ca(1ssl),
req(1ssl), x509(1ssl), config(5ssl), and x509v3_config(5ssl). Particularly
important are the x509v3 extensions present in the certificate, which are
defined in the "stglab_x509_ca_extensions" section of the config file.
The ca-cert script configures some important files in db/, then creates a
certificate request and signs it. It also generates an initial (empty)
revocation list, then substitutes the correct fingerprints into the html
template for serving the CA certificate and CRL to the intranet.
2. Creating a certificate.
The create-cert script can generate three "types" of certificate -- server
certificates for securing a service with SSL/TLS, client certificates for
authenticating a client to these services, and user certificates for
authentication, S/MIME e-mail signing or encryption, and code signing. There
are minor but important differences in the extensions present in these
different certificate types, but these are set in the *-ext.tpl files in tpl/
and thus you shouldn't need to worry about them.
The create-cert script takes a number of arguments, of which the hostname or
username and the type are mandatory. It is also a very good idea to supply a
number of alternative DNS names when generating a server certificate, because
while the script will happily append "stglab.manchester.uk.ibm.com" to an
un-qualified host name, it won't append "transitives.com" and for the moment we
probably need that.
You should also provide a team name for the organisational unit, e.g.
"Manchester STG Lab Test", an e-mail address (preferably for the team rather
than an individual for server/client certificates), and a comment that reflects
the usage of the certificate, e.g. "Soak Infrastructure Live Server". Reasonable
defaults are provided for all of these for our team's use.
3. Renewing a certificate.
The renew-cert script does some painful certificate manipulation that is not
strictly necessary in most cases, and may in fact decrease SSL security
slightly. This is done because the normal renewal process re-generates the
certificate signing request and thus creates a new public/private keypair.
If the certificates are used for S/MIME encryption or code signing, this
renders all the encrypted e-mail unreadable and requires you to re-sign the
code with your new private key. The code in renew-cert re-signs the old
certificate request with a new expiry date and the extensions generated when
the original certificate was created, and avoids this problem.
Renewing a certificate is done by giving the hostname, username or path to
the certificate to renew-cert.sh.
4. Revoking a certificate.
Revoking a certificate is done by giving the hostname, username or path to
the certificat to revoke-cert.sh. This script also regenerates a new CRL in
both PEM and DER encodings (firefox prefers the latter while IE and other
browsers work better with the former), and re-generates the html file with the
new fingerprints.