mirror of
https://github.com/internetee/registry.git
synced 2025-07-01 08:43:37 +02:00
Refactored ca into separate doc
This commit is contained in:
parent
20fbe5eef7
commit
30b81cf9c1
2 changed files with 154 additions and 149 deletions
150
CHANGELOG.md
150
CHANGELOG.md
|
@ -1,154 +1,6 @@
|
|||
19.02.2015
|
||||
|
||||
Go to registry shared folder and setup CA directory tree:
|
||||
```
|
||||
mkdir ca
|
||||
cd ca
|
||||
mkdir certs crl newcerts private csrs
|
||||
chmod 700 private
|
||||
touch index.txt
|
||||
echo 1000 > serial
|
||||
echo 1000 > crlnumber
|
||||
```
|
||||
|
||||
Generate the root key (prompts for pass phrase):
|
||||
```
|
||||
openssl genrsa -aes256 -out private/ca.key.pem 4096
|
||||
```
|
||||
|
||||
Configure OpenSSL:
|
||||
```
|
||||
sudo su -
|
||||
cd /etc/ssl/
|
||||
cp openssl.cnf openssl.cnf.bak
|
||||
nano openssl.cnf
|
||||
exit
|
||||
```
|
||||
|
||||
Make sure the following options are in place:
|
||||
```
|
||||
crl_extensions = crl_ext
|
||||
|
||||
[ CA_default ]
|
||||
# Where everything is kept
|
||||
dir = /home/registry/registry/shared/ca
|
||||
|
||||
[ usr_cert ]
|
||||
# These extensions are added when 'ca' signs a request.
|
||||
basicConstraints=CA:FALSE
|
||||
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
|
||||
nsComment = "OpenSSL Generated Certificate"
|
||||
subjectKeyIdentifier=hash
|
||||
authorityKeyIdentifier=keyid,issuer
|
||||
|
||||
[ v3_ca ]
|
||||
# Extensions for a typical CA
|
||||
subjectKeyIdentifier=hash
|
||||
authorityKeyIdentifier=keyid:always,issuer
|
||||
basicConstraints = CA:true
|
||||
keyUsage = cRLSign, keyCertSign
|
||||
|
||||
# For the CA policy
|
||||
[ policy_match ]
|
||||
countryName = optional
|
||||
stateOrProvinceName = optional
|
||||
organizationName = optional
|
||||
organizationalUnitName = optional
|
||||
commonName = supplied
|
||||
emailAddress = optional
|
||||
```
|
||||
|
||||
Issue the root certificate (prompts for additional data):
|
||||
```
|
||||
openssl req -new -x509 -days 3650 -key private/ca.key.pem -sha256 -extensions v3_ca -out certs/ca.crt.pem
|
||||
chmod 444 certs/ca.crt.pem
|
||||
```
|
||||
|
||||
Create a CSR for the webclient:
|
||||
```
|
||||
openssl genrsa -out private/webclient.key.pem 4096
|
||||
chmod 400 private/webclient.key.pem
|
||||
openssl req -sha256 -new -key private/webclient.key.pem -out csrs/webclient.csr.pem
|
||||
```
|
||||
|
||||
Sign the request and create certificate:
|
||||
```
|
||||
openssl ca -keyfile private/ca.key.pem -cert certs/ca.crt.pem -extensions usr_cert -notext -md sha256 -in csrs/webclient.csr.pem -out certs/webclient.crt.pem
|
||||
chmod 444 certs/webclient.crt.pem
|
||||
```
|
||||
|
||||
Create certificate revocation list (prompts for pass phrase):
|
||||
```
|
||||
openssl ca -keyfile private/ca.key.pem -cert certs/ca.crt.pem -gencrl -out crl/crl.pem
|
||||
```
|
||||
|
||||
Configure EPP virtual host:
|
||||
```
|
||||
sudo nano /etc/apache2/sites-enabled/epp.conf
|
||||
```
|
||||
|
||||
Replace this line:
|
||||
```
|
||||
SSLVerifyClient optional_no_ca
|
||||
```
|
||||
|
||||
With these lines:
|
||||
```
|
||||
SSLVerifyClient require
|
||||
SSLVerifyDepth 1
|
||||
SSLCACertificateFile /home/registry/registry/shared/ca/certs/ca.crt.pem
|
||||
SSLCARevocationFile /home/registry/registry/shared/ca/crl/crl.pem
|
||||
# Uncomment this when upgrading to apache 2.4:
|
||||
# SSLCARevocationCheck chain
|
||||
RequestHeader set SSL_CLIENT_S_DN_CN "%{SSL_CLIENT_S_DN_CN}s"
|
||||
```
|
||||
|
||||
Configure webclient virtual host:
|
||||
```
|
||||
sudo nano /etc/apache2/sites-enabled/webclient.conf
|
||||
```
|
||||
|
||||
Add these lines:
|
||||
```
|
||||
SSLVerifyClient none
|
||||
SSLVerifyDepth 1
|
||||
SSLCACertificateFile /home/registry/registry/shared/ca/certs/ca.crt.pem
|
||||
SSLCARevocationFile /home/registry/registry/shared/ca/crl/crl.pem
|
||||
# Uncomment this when upgrading to apache 2.4:
|
||||
# SSLCARevocationCheck chain
|
||||
|
||||
RequestHeader set SSL_CLIENT_S_DN_CN ""
|
||||
|
||||
<Location /login/pki>
|
||||
SSLVerifyClient require
|
||||
</Location>
|
||||
|
||||
<Location /sessions/pki>
|
||||
SSLVerifyClient require
|
||||
RequestHeader set SSL_CLIENT_S_DN_CN "%{SSL_CLIENT_S_DN_CN}s"
|
||||
</Location>
|
||||
```
|
||||
|
||||
Reload apache:
|
||||
```
|
||||
sudo a2enmod headers
|
||||
sudo /etc/init.d/apache2 restart
|
||||
```
|
||||
|
||||
Configure registry and epp application.yml to match the CA settings:
|
||||
```
|
||||
ca_cert_path: '/home/registry/registry/shared/ca/certs/ca.crt.pem'
|
||||
ca_key_path: '/home/registry/registry/shared/ca/private/ca.key.pem'
|
||||
ca_key_password: 'registryalpha'
|
||||
crl_path: '/home/registry/registry/shared/ca/crl/crl.pem'
|
||||
webclient_ip: '54.154.91.240'
|
||||
```
|
||||
|
||||
Configure webclient application.yml to match the CA settings:
|
||||
```
|
||||
cert_path: '/home/registry/registry/shared/ca/certs/webclient.crt.pem'
|
||||
key_path: '/home/registry/registry/shared/ca/private/webclient.key.pem'
|
||||
```
|
||||
* Cetrificate only enabled, please setup certificates following doc/certificate.md document.
|
||||
|
||||
20.01.2015
|
||||
|
||||
|
|
153
doc/certificate.md
Normal file
153
doc/certificate.md
Normal file
|
@ -0,0 +1,153 @@
|
|||
Setting up certificates
|
||||
-----------------------
|
||||
|
||||
Go to registry shared folder and setup CA directory tree:
|
||||
```
|
||||
mkdir ca
|
||||
cd ca
|
||||
mkdir certs crl newcerts private csrs
|
||||
chmod 700 private
|
||||
touch index.txt
|
||||
echo 1000 > serial
|
||||
echo 1000 > crlnumber
|
||||
```
|
||||
|
||||
Generate the root key (prompts for pass phrase):
|
||||
```
|
||||
openssl genrsa -aes256 -out private/ca.key.pem 4096
|
||||
```
|
||||
|
||||
Configure OpenSSL:
|
||||
```
|
||||
sudo su -
|
||||
cd /etc/ssl/
|
||||
cp openssl.cnf openssl.cnf.bak
|
||||
nano openssl.cnf
|
||||
exit
|
||||
```
|
||||
|
||||
Make sure the following options are in place:
|
||||
```
|
||||
crl_extensions = crl_ext
|
||||
|
||||
[ CA_default ]
|
||||
# Where everything is kept
|
||||
dir = /home/registry/registry/shared/ca
|
||||
|
||||
[ usr_cert ]
|
||||
# These extensions are added when 'ca' signs a request.
|
||||
basicConstraints=CA:FALSE
|
||||
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
|
||||
nsComment = "OpenSSL Generated Certificate"
|
||||
subjectKeyIdentifier=hash
|
||||
authorityKeyIdentifier=keyid,issuer
|
||||
|
||||
[ v3_ca ]
|
||||
# Extensions for a typical CA
|
||||
subjectKeyIdentifier=hash
|
||||
authorityKeyIdentifier=keyid:always,issuer
|
||||
basicConstraints = CA:true
|
||||
keyUsage = cRLSign, keyCertSign
|
||||
|
||||
# For the CA policy
|
||||
[ policy_match ]
|
||||
countryName = optional
|
||||
stateOrProvinceName = optional
|
||||
organizationName = optional
|
||||
organizationalUnitName = optional
|
||||
commonName = supplied
|
||||
emailAddress = optional
|
||||
```
|
||||
|
||||
Issue the root certificate (prompts for additional data):
|
||||
```
|
||||
openssl req -new -x509 -days 3650 -key private/ca.key.pem -sha256 -extensions v3_ca -out certs/ca.crt.pem
|
||||
chmod 444 certs/ca.crt.pem
|
||||
```
|
||||
|
||||
Create a CSR for the webclient:
|
||||
```
|
||||
openssl genrsa -out private/webclient.key.pem 4096
|
||||
chmod 400 private/webclient.key.pem
|
||||
openssl req -sha256 -new -key private/webclient.key.pem -out csrs/webclient.csr.pem
|
||||
```
|
||||
|
||||
Sign the request and create certificate:
|
||||
```
|
||||
openssl ca -keyfile private/ca.key.pem -cert certs/ca.crt.pem -extensions usr_cert -notext -md sha256 -in csrs/webclient.csr.pem -out certs/webclient.crt.pem
|
||||
chmod 444 certs/webclient.crt.pem
|
||||
```
|
||||
|
||||
Create certificate revocation list (prompts for pass phrase):
|
||||
```
|
||||
openssl ca -keyfile private/ca.key.pem -cert certs/ca.crt.pem -gencrl -out crl/crl.pem
|
||||
```
|
||||
|
||||
Configure EPP virtual host:
|
||||
```
|
||||
sudo nano /etc/apache2/sites-enabled/epp.conf
|
||||
```
|
||||
|
||||
Replace this line:
|
||||
```
|
||||
SSLVerifyClient optional_no_ca
|
||||
```
|
||||
|
||||
With these lines:
|
||||
```
|
||||
SSLVerifyClient require
|
||||
SSLVerifyDepth 1
|
||||
SSLCACertificateFile /home/registry/registry/shared/ca/certs/ca.crt.pem
|
||||
SSLCARevocationFile /home/registry/registry/shared/ca/crl/crl.pem
|
||||
# Uncomment this when upgrading to apache 2.4:
|
||||
# SSLCARevocationCheck chain
|
||||
RequestHeader set SSL_CLIENT_S_DN_CN "%{SSL_CLIENT_S_DN_CN}s"
|
||||
```
|
||||
|
||||
Configure webclient virtual host:
|
||||
```
|
||||
sudo nano /etc/apache2/sites-enabled/webclient.conf
|
||||
```
|
||||
|
||||
Add these lines:
|
||||
```
|
||||
SSLVerifyClient none
|
||||
SSLVerifyDepth 1
|
||||
SSLCACertificateFile /home/registry/registry/shared/ca/certs/ca.crt.pem
|
||||
SSLCARevocationFile /home/registry/registry/shared/ca/crl/crl.pem
|
||||
# Uncomment this when upgrading to apache 2.4:
|
||||
# SSLCARevocationCheck chain
|
||||
|
||||
RequestHeader set SSL_CLIENT_S_DN_CN ""
|
||||
|
||||
<Location /login/pki>
|
||||
SSLVerifyClient require
|
||||
</Location>
|
||||
|
||||
<Location /sessions/pki>
|
||||
SSLVerifyClient require
|
||||
RequestHeader set SSL_CLIENT_S_DN_CN "%{SSL_CLIENT_S_DN_CN}s"
|
||||
</Location>
|
||||
```
|
||||
|
||||
Reload apache:
|
||||
```
|
||||
sudo a2enmod headers
|
||||
sudo /etc/init.d/apache2 restart
|
||||
```
|
||||
|
||||
Configure registry and epp application.yml to match the CA settings:
|
||||
```
|
||||
ca_cert_path: '/home/registry/registry/shared/ca/certs/ca.crt.pem'
|
||||
ca_key_path: '/home/registry/registry/shared/ca/private/ca.key.pem'
|
||||
ca_key_password: 'registryalpha'
|
||||
crl_path: '/home/registry/registry/shared/ca/crl/crl.pem'
|
||||
webclient_ip: '54.154.91.240'
|
||||
```
|
||||
|
||||
Configure webclient application.yml to match the CA settings:
|
||||
```
|
||||
cert_path: '/home/registry/registry/shared/ca/certs/webclient.crt.pem'
|
||||
key_path: '/home/registry/registry/shared/ca/private/webclient.key.pem'
|
||||
```
|
||||
|
Loading…
Add table
Add a link
Reference in a new issue