mirror of
https://git.dn42.dev/wiki/wiki.git
synced 2025-03-13 09:04:27 +01:00
Move subsections under “DN42 Self-Serve CA” section
parent fac8702891
commit b1b0efb0b4
@ -1,7 +1,7 @@
DN42 ACME CA
==================
Certificates can be automatically generated with the [ACME-CA](http://acme.dn42). More information can be found on [acme.dn42](http://acme.dn42/)
Certificates can be automatically generated with the [ACME-CA](http://acme.dn42) using [acme.sh](https://github.com/acmesh-official/acme.sh) or [lego](https://github.com/go-acme/lego). More information can be found on [acme.dn42](http://acme.dn42/)
DN42 Self-Serve CA
==================
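Review bot: the new sentence names acme.sh and lego as clients, but neither the changed line nor the rest of this section gives the CA's ACME directory URL or the challenge type it validates, so a reader still has to leave the page to configure either client; add the directory URL here, or state explicitly that acme.dn42 documents it. Both links to acme.dn42 are also plain http://; if the endpoint is served over TLS with a DN42 CA certificate, link the https:// form so the documentation points at the authenticated origin.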
@ -9,8 +9,7 @@ DN42 Self-Serve CA
This client is used for automating the process of requesting TLS certificates. (Available via: [dn42](https://ca.dn42/ca-client), [iana](https://ca.dn42.us/ca-client), [git](anon@git.dn42:dn42/ca-client))
VALIDATION PROCESS
==================
## VALIDATION PROCESS
The process validates ownership by verifying control of both a users MNT object in the registry and the authoritative DNS server.
The following steps take place in creating a signed certificate.
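Review bot: the demoted heading keeps the all-caps "VALIDATION PROCESS" while sibling subsections in this same change ("How to Run", "Example") are title case; since the headings are being reworked anyway, normalise to "## Validation process" (and likewise for INSTALL and KNOWN ISSUES). While here, the unchanged context line "verifying control of both a users MNT object" needs the possessive "user's".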
@ -52,8 +51,7 @@ Server certificates are signed for 45 days. To renew follow the steps above star
3. CA checks that owner in certificate matches.
4. CA revokes certificate and updates revocation list.
INSTALL
=======
## INSTALL
get the script here:
@ -62,10 +60,9 @@ curl https://ca.dn42/ca.dn42 > ca.dn42; chmod +x ca.dn42
available via git: anon@git.dn42:dn42/ca-client
KNOWN ISSUES
============
## KNOWN ISSUES
## openssl prior to 1.0.2 returns "SSL certificate problem: permitted subtree violation"
### openssl prior to 1.0.2 returns "SSL certificate problem: permitted subtree violation"
The way openssl validated name constraints prevented it from accepting dns names that started with a dot.
Because the name constraint is "DNS:.dn42" it fails to validate.
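Review bot: the INSTALL section this hunk sits in (header context `curl https://ca.dn42/ca.dn42 > ca.dn42; chmod +x ca.dn42`, plus the "available via git: anon@git.dn42:dn42/ca-client" line) still tells readers to fetch the client script and mark it executable with no way to verify what they downloaded, for a script that will handle their MNT private key; the restructure is a good moment to publish a checksum for the script or to point readers at the git checkout as the auditable source.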
@ -76,7 +73,7 @@ Because the name constraint is "DNS:.dn42" it fails to validate.
[libssl-1]: https://groups.google.com/forum/#!topic/mailing.openssl.dev/drG3U-S4iaE
## X.509 nameConstraints on certificates not supported on OS X
### X.509 nameConstraints on certificates not supported on OS X
Browsers and clients that rely on Apple's [Secure Transport][osx-1] library does not support X.509's nameConstraints.
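Review bot: the unchanged body line under the demoted heading has a subject-verb agreement error: "Browsers and clients that rely on Apple's Secure Transport library does not support" should read "do not support"; since the heading is being touched, fix the sentence in the same commit.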
@ -87,8 +84,7 @@ Read more on this [stack exchange post][osx-2]
[osx-2]: http://security.stackexchange.com/a/97133
How to Run
==========
## How to Run
```
Usage: # OWNER is your MNT handle.
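Review bot: the opening fence on the context line right after `## How to Run` carries no language tag; a `text` tag (or `console` for the later `$`-prefixed example blocks) stops the renderer from guessing a highlighter. The "[osx-2]: http://security.stackexchange.com/a/97133" context line is also a plain-http link to a site that serves https; update it while here.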
@ -106,8 +102,7 @@ Environtment Options:
DN42CA_PKCS12 = 1 # Generate pkcs12 file for certificate.
```
Example
=======
## Example
Generate the user key
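Review bot: the hunk header context line reads "Environtment Options:"; fix the spelling to "Environment Options:" in the same commit, since the usage block is what users copy from.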
@ -124,7 +119,7 @@ writing new private key to 'XUU-MNT.key'
|MNT Key Pin| remarks: pin-sha256:HdqCid0sedWXX3Q0uG98rYjJyTNOzaT13WfWpr1GvIw=
```
## Sign the user key
### Sign the user key
```
$ ./ca.dn42 user-sign XUU-MNT xuu@sour.is
@ -141,7 +136,7 @@ Enter Export Password:
Verifying - Enter Export Password:
```
## Generate the server key
### Generate the server key
```
$ ./ca.dn42 tls-gen ca.dn42 XUU-MNT xuu@sour.is DNS:ca.dn42
@ -165,7 +160,7 @@ $ dig +short TXT _dn42_tlsverify.ca.dn42.
"XUU-MNT:pin-sha256:Qu/X5GNqOo05TdL7oexkamE34OUuDE60T+f0xc60UPQ="
```
## Sign the server key
### Sign the server key
```
$ ./ca.dn42 tls-sign ca.dn42 XUU-MNT
@ -222,7 +217,7 @@ ExecStart=/etc/ssl/dn42/ca.dn42 tls-sign wiki.dn42 MIC92-MNT
ExecStart=/usr/bin/nginx -s reload
```
## Revoke a certificate.
### Revoke a certificate.
```
$ ./ca.dn42 revoke XUU-MNT XUU-MNT.crt
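Review bot: `### Revoke a certificate.` keeps a trailing full stop that none of the other headings in this change have ("### Sign the server key", "### Certificate transparency"); drop the period for consistency.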
@ -238,5 +233,5 @@ $ ./ca.dn42 revoke XUU-MNT XUU-MNT.crt
OK
```
## Certificate transparency
### Certificate transparency
All issued certificates will be logged to [xuu's mattermost instance](https://teams.dn42/dn42/channels/tls-certificates).
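Review bot: the heading "Certificate transparency" survives the demotion, but the body says certificates are "logged to" a Mattermost channel, which is an announcement feed rather than an append-only, auditable log in the RFC 6962 sense; reword the heading (for example "Issuance announcements") or add one sentence stating that the channel is informational and offers no monitorability guarantee, so operators checking for mis-issuance do not treat it as a CT log.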