mirror of https://git.dn42.dev/wiki/wiki.git synced 2025-03-13 09:04:27 +01:00

Move subsections under “DN42 Self-Serve CA” section

This commit is contained in:
DN42 Wiki (BURBLE-MNT) 2021-10-31 09:06:57 +00:00
parent fac8702891
commit b1b0efb0b4


@ -1,7 +1,7 @@
DN42 ACME CA
==================
Certificates can be automatically generated with the [ACME-CA](http://acme.dn42). More information can be found on [acme.dn42](http://acme.dn42/)
Certificates can be automatically generated with the [ACME-CA](http://acme.dn42) using [acme.sh](https://github.com/acmesh-official/acme.sh) or [lego](https://github.com/go-acme/lego). More information can be found on [acme.dn42](http://acme.dn42/)
DN42 Self-Serve CA
==================
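Review bot: the rewrite of the sentence under `DN42 ACME CA` adds acme.sh and lego as suggested ACME clients, which is a content change that the commit message ("Move subsections under "DN42 Self-Serve CA" section") does not cover; either split it into its own commit or extend the message so the history reflects what changed in the ACME CA section. Both the old and the new sentence also end without a full stop after `[acme.dn42](http://acme.dn42/)`; add one while the line is being touched.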
@ -9,8 +9,7 @@ DN42 Self-Serve CA
This client is used for automating the process of requesting TLS certificates. (Available via: [dn42](https://ca.dn42/ca-client), [iana](https://ca.dn42.us/ca-client), [git](anon@git.dn42:dn42/ca-client))
VALIDATION PROCESS
==================
## VALIDATION PROCESS
The process validates ownership by verifying control of both a users MNT object in the registry and the authoritative DNS server.
The following steps take place in creating a signed certificate.
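Review bot: demoting `VALIDATION PROCESS` from a Setext H1 to `## VALIDATION PROCESS` correctly nests it under the `DN42 Self-Serve CA` H1, but the unchanged context line `The process validates ownership by verifying control of both a users MNT object in the registry and the authoritative DNS server.` has a possessive typo; since this is the sentence that states the trust basis of the CA (control of the registry MNT object plus the authoritative DNS), consider changing `a users` to `a user's` in the same commit.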
@ -52,8 +51,7 @@ Server certificates are signed for 45 days. To renew follow the steps above star
3. CA checks that owner in certificate matches.
4. CA revokes certificate and updates revocation list.
INSTALL
=======
## INSTALL
get the script here:
@ -62,10 +60,9 @@ curl https://ca.dn42/ca.dn42 > ca.dn42; chmod +x ca.dn42
available via git: anon@git.dn42:dn42/ca-client
KNOWN ISSUES
============
## KNOWN ISSUES
## openssl prior to 1.0.2 returns "SSL certificate problem: permitted subtree violation"
### openssl prior to 1.0.2 returns "SSL certificate problem: permitted subtree violation"
The way openssl validated name constraints prevented it from accepting dns names that started with a dot.
Because the name constraint is "DNS:.dn42" it fails to validate.
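Review bot: the hunk header shows the install line `curl https://ca.dn42/ca.dn42 > ca.dn42; chmod +x ca.dn42`, and the renamed `## INSTALL` and `## KNOWN ISSUES` sections give the reader nothing to verify the downloaded script against other than the TLS connection itself; if the project publishes a hash or signature for `ca.dn42`, a one-line verification step under INSTALL would be worth adding alongside this heading change. The `## KNOWN ISSUES` to `### openssl prior to 1.0.2 ...` nesting itself is consistent with the rest of the commit.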
@ -76,7 +73,7 @@ Because the name constraint is "DNS:.dn42" it fails to validate.
[libssl-1]: https://groups.google.com/forum/#!topic/mailing.openssl.dev/drG3U-S4iaE
## X.509 nameConstraints on certificates not supported on OS X
### X.509 nameConstraints on certificates not supported on OS X
Browsers and clients that rely on Apple's [Secure Transport][osx-1] library does not support X.509's nameConstraints.
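Review bot: grammar in the unchanged context line under the renamed heading: `Browsers and clients that rely on Apple's [Secure Transport][osx-1] library does not support X.509's nameConstraints.` should read `do not support`, since the subject is plural; worth fixing in the same touch as the `###` heading change.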
@ -87,8 +84,7 @@ Read more on this [stack exchange post][osx-2]
[osx-2]: http://security.stackexchange.com/a/97133
How to Run
==========
## How to Run
```
Usage: # OWNER is your MNT handle.
@ -106,8 +102,7 @@ Environtment Options:
DN42CA_PKCS12 = 1 # Generate pkcs12 file for certificate.
```
Example
=======
## Example
Generate the user key
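Review bot: the hunk header's context line `Environtment Options:` carries a typo (`Environment`) inside the usage block that precedes the `## Example` heading change; if that block is pasted from the script's own `Usage:` output, the fix belongs in `ca.dn42` itself rather than only in the wiki copy, otherwise it is cheap to correct here as well.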
@ -124,7 +119,7 @@ writing new private key to 'XUU-MNT.key'
|MNT Key Pin| remarks: pin-sha256:HdqCid0sedWXX3Q0uG98rYjJyTNOzaT13WfWpr1GvIw=
```
## Sign the user key
### Sign the user key
```
$ ./ca.dn42 user-sign XUU-MNT xuu@sour.is
@ -141,7 +136,7 @@ Enter Export Password:
Verifying - Enter Export Password:
```
## Generate the server key
### Generate the server key
```
$ ./ca.dn42 tls-gen ca.dn42 XUU-MNT xuu@sour.is DNS:ca.dn42
@ -165,7 +160,7 @@ $ dig +short TXT _dn42_tlsverify.ca.dn42.
"XUU-MNT:pin-sha256:Qu/X5GNqOo05TdL7oexkamE34OUuDE60T+f0xc60UPQ="
```
## Sign the server key
### Sign the server key
```
$ ./ca.dn42 tls-sign ca.dn42 XUU-MNT
@ -222,7 +217,7 @@ ExecStart=/etc/ssl/dn42/ca.dn42 tls-sign wiki.dn42 MIC92-MNT
ExecStart=/usr/bin/nginx -s reload
```
## Revoke a certificate.
### Revoke a certificate.
```
$ ./ca.dn42 revoke XUU-MNT XUU-MNT.crt
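Review bot: `### Revoke a certificate.` keeps the trailing full stop from the old heading, while every other heading touched in this commit (`### Sign the user key`, `### Generate the server key`, `### Sign the server key`, `### Certificate transparency`) has none; drop the period for consistency while the line is being changed.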
@ -238,5 +233,5 @@ $ ./ca.dn42 revoke XUU-MNT XUU-MNT.crt
OK
```
## Certificate transparency
### Certificate transparency
All issued certificates will be logged to [xuu's mattermost instance](https://teams.dn42/dn42/channels/tls-certificates).