Certificate generation, readme updates

CHANGELOG.md

@@ -1,3 +1,80 @@
+12.02.2015
+ 
+Go to registry shared folder and setup CA directory tree:
+```
+mkdir ca
+cd ca
+mkdir certs crl newcerts private
+chmod 700 private
+touch index.txt
+echo 1000 > serial
+```
+
+Generate the root key (prompts for pass phrase): 
+```
+openssl genrsa -aes256 -out private/ca.key.pem 4096
+```
+
+Configure OpenSSL:
+```
+sudo su -
+cd /etc/ssl/
+cp openssl.cnf openssl.cnf.bak
+nano openssl.cnf
+```
+
+Make sure the following options are in place:
+```
+[ CA_default ]
+# Where everything is kept
+dir = /home/registry/registry/shared/ca
+
+[ usr_cert ]
+# These extensions are added when 'ca' signs a request.
+basicConstraints=CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+nsComment = "OpenSSL Generated Certificate"
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+[ v3_ca ]
+# Extensions for a typical CA
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer
+basicConstraints = CA:true
+keyUsage = cRLSign, keyCertSign
+```
+
+Issue the root certificate (prompts for additional data):
+```
+openssl req -new -x509 -days 3650 -key private/ca.key.pem -sha256 -extensions v3_ca -out certs/ca.cert.pem
+chmod 444 certs/ca.cert.pem
+```
+
+Configure EPP virtual host:
+```
+sudo nano /etc/apache2/sites-enabled/epp.conf
+```
+
+Replace this line:
+```
+SSLVerifyClient optional_no_ca
+```
+
+With these lines:
+```
+  SSLVerifyClient require
+  SSLVerifyDepth 1
+  SSLCACertificateFile /home/registry/registry/shared/ca/certs/ca.cert.pem
+```
+
+Configure application.yml to match the CA settings:
+```
+ca_cert_path: '/home/registry/registry/shared/ca/certs/ca.cert.pem'
+ca_key_path: '/home/registry/registry/shared/ca/private/ca.key.pem'
+ca_key_password: 'registryalpha'
+```
+
 20.01.2015
 
 * Added dedicated mina cron:setup and mina cron:clear for manual cron management.

README.md

@@ -138,7 +138,9 @@ For Apache, registry admin goes to port 443 in production, /etc/apache2/sites-en
 </VirtualHost>
 ```
 
-For Apache, epp goes to port 700, /etc/apache2/sites-enabled/epp.conf short example:
+For Apache, epp goes to port 700.  
+Be sure to update paths to match your system configuration.  
+/etc/apache2/sites-enabled/epp.conf short example:
 ```apache
 <IfModule mod_epp.c>
   Listen 700
@@ -148,7 +150,9 @@ For Apache, epp goes to port 700, /etc/apache2/sites-enabled/epp.conf short exam
     SSLCertificateFile /etc/apache2/ssl/apache.crt
     SSLCertificateKeyFile /etc/apache2/ssl/apache.key
 
-    SSLVerifyClient optional_no_ca
+    SSLVerifyClient require
+    SSLVerifyDepth 1
+    SSLCACertificateFile /home/registry/registry/shared/ca/certs/ca.cert.pem
 
     EPPEngine On
     EPPCommandRoot          /proxy/command

config/application-example.yml

@@ -7,6 +7,9 @@ defaults: &defaults
   # If you change this key, all old signed cookies will become invalid!
   secret_key_base: please-change-it-you-can-generate-it-with-rake-secret
   devise_secret: please-change-it-you-can-generate-it-with-rake-secret
+  ca_cert_path: ca-cert-path-here
+  ca_key_path: ca-key-path-here
+  ca_key_password: ca-key-pass-phrase-here
 
 development:
   <<: *defaults