finish off docs from train journey
This commit is contained in:
parent
07f8c26d5d
commit
21147b6b9a
3 changed files with 21 additions and 18 deletions
|
@ -19,7 +19,7 @@ __EOT__
|
|||
}
|
||||
|
||||
short='hcf:i:o:sx'
|
||||
long='help,encrypt,config:,template:,output:,crt-only,tpl-only'
|
||||
long='help,encrypt,config:,template:,output:,crt-only,cnf-only'
|
||||
opts=$( getopt -o "$short" -l "$long" -n "$PROGNAME" -- "$@" )
|
||||
if [ 0 -ne $? ]; then echo; usage; exit 1; fi
|
||||
eval set -- "$opts";
|
||||
|
@ -52,9 +52,6 @@ if [ 1 -ne "$CRT_ONLY" ]; then
|
|||
echo "01" > $CA_HOME/db/crlnumber
|
||||
touch $CA_HOME/db/index.txt
|
||||
touch $CA_HOME/db/.rand
|
||||
chmod -R 640 $CA_HOME
|
||||
chmod 600 $CA_HOME/db/.rand
|
||||
chmod 700 $CA_HOME/key
|
||||
|
||||
# generate an openssl configuration for this CA
|
||||
ca_template ca-config "$CA_HOME/cnf/$CA_NAME.ca.cnf"
|
||||
|
@ -67,6 +64,7 @@ if [ 1 -ne "$CNF_ONLY" ]; then
|
|||
openssl req -new $CRYPTKEY -config "$CA_HOME/cnf/$CA_NAME.ca.cnf" \
|
||||
-keyout "$CA_HOME/key/$CA_NAME.ca.key" \
|
||||
-out "$CA_HOME/csr/$CA_NAME.ca.csr"
|
||||
chmod 600 "$CA_HOME/key/$CA_NAME.ca.key"
|
||||
|
||||
openssl ca -create_serial -selfsign -days 3652 -batch \
|
||||
-name ca_scripts -extensions ca_x509_extensions \
|
||||
|
|
14
doc/README
14
doc/README
|
@ -43,7 +43,7 @@ templates provided with the scripts.
|
|||
|
||||
ca-create-cert(1) takes a number of options to customise the generated
|
||||
certificate. The --type option is mandatory, and for server certs it is very
|
||||
likely that the --alt-name option will be useful to set x509v3 SubjectAltName
|
||||
likely that the --alt-name option will be useful to set x509v3 subjectAltName
|
||||
DNS records for other hostnames for the server. Both the server hostname and
|
||||
any alternative names will be fully-qualified to CA_DOMAIN if they do not
|
||||
contain any dots, but if unqualified names are passed in they are also
|
||||
|
@ -87,9 +87,9 @@ information required for certificate renewal.
|
|||
|
||||
4. Revoking a certificate.
|
||||
|
||||
Revoking a certificate is done by giving the hostname, username or path to
|
||||
the certificat to revoke-cert.sh. This script also regenerates a new CRL in
|
||||
both PEM and DER encodings (firefox prefers the latter while IE and other
|
||||
browsers work better with the former), and re-generates the html file with the
|
||||
new fingerprints.
|
||||
|
||||
To revoke a certificate and re-generate the CA certficate revocation list in
|
||||
both PEM and DER encodings, invoke ca-revoke-cert(1), again providing the
|
||||
--type option and either the hostname, username or the path to the certificate
|
||||
to be revoked. Along with ca_init(1) this script can optionally generate a
|
||||
basic HTML template to serve the CA certificate and CRL with verifiable MD5 and
|
||||
SHA1 checksums.
|
||||
|
|
|
@ -9,6 +9,11 @@ CRYPTKEY="-nodes"
|
|||
INDEXTPL="index-html"
|
||||
INDEXOUT=""
|
||||
|
||||
# ideally, run these scripts as an unprivileged "ssl" user/group
|
||||
# and place users that need access to ssl certs into that group
|
||||
# no world-readable stuff here
|
||||
umask 027
|
||||
|
||||
error() {
|
||||
usage >&2
|
||||
echo -e "ERROR: $1\n" >&2
|
||||
|
|
Loading…
Reference in a new issue