From 676e5b5ae3d3ca0070200055fe318269efe68ec9 Mon Sep 17 00:00:00 2001
From: Martin Lensment
Date: Thu, 12 Feb 2015 16:31:39 +0200
Subject: [PATCH] Certificate generation, readme updates
---
 CHANGELOG.md | 77 ++++++++++++++++++++++++++++++++++
 README.md | 8 +++-
 config/application-example.yml | 3 ++
 3 files changed, 86 insertions(+), 2 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index a742e960c..33aa69d65 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,80 @@
+12.02.2015
+
+Go to registry shared folder and setup CA directory tree:
+```
+mkdir ca
+cd ca
+mkdir certs crl newcerts private
+chmod 700 private
+touch index.txt
+echo 1000 > serial
+```
+
+Generate the root key (prompts for pass phrase):
+```
+openssl genrsa -aes256 -out private/ca.key.pem 4096
+```
+
+Configure OpenSSL:
+```
+sudo su -
+cd /etc/ssl/
+cp openssl.cnf openssl.cnf.bak
+nano openssl.cnf
+```
+
+Make sure the following options are in place:
+```
+[ CA_default ]
+# Where everything is kept
+dir = /home/registry/registry/shared/ca
+
+[ usr_cert ]
+# These extensions are added when 'ca' signs a request.
+basicConstraints=CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+nsComment = "OpenSSL Generated Certificate"
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+[ v3_ca ]
+# Extensions for a typical CA
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer
+basicConstraints = CA:true
+keyUsage = cRLSign, keyCertSign
+```
+
+Issue the root certificate (prompts for additional data):
+```
+openssl req -new -x509 -days 3650 -key private/ca.key.pem -sha256 -extensions v3_ca -out certs/ca.cert.pem
+chmod 444 certs/ca.cert.pem
+```
+
+Configure EPP virtual host:
+```
+sudo nano /etc/apache2/sites-enabled/epp.conf
+```
+
+Replace this line:
+```
+SSLVerifyClient optional_no_ca
+```
+
+With these lines:
+```
+ SSLVerifyClient require
+ SSLVerifyDepth 1
+ SSLCACertificateFile /home/registry/registry/shared/ca/certs/ca.cert.pem
+```
+
+Configure application.yml to match the CA settings:
+```
+ca_cert_path: '/home/registry/registry/shared/ca/certs/ca.cert.pem'
+ca_key_path: '/home/registry/registry/shared/ca/private/ca.key.pem'
+ca_key_password: 'registryalpha'
+```
+
 20.01.2015
 * Added dedicated mina cron:setup and mina cron:clear for manual cron management.
diff --git a/README.md b/README.md
index fb6d18bff..92b8f67c6 100644
--- a/README.md
+++ b/README.md
@@ -138,7 +138,9 @@ For Apache, registry admin goes to port 443 in production, /etc/apache2/sites-en
 ```
-For Apache, epp goes to port 700, /etc/apache2/sites-enabled/epp.conf short example:
+For Apache, epp goes to port 700.
+Be sure to update paths to match your system configuration.
+/etc/apache2/sites-enabled/epp.conf short example:
 ```apache
 Listen 700
@@ -148,7 +150,9 @@ For Apache, epp goes to port 700, /etc/apache2/sites-enabled/epp.conf short exam
 SSLCertificateFile /etc/apache2/ssl/apache.crt
 SSLCertificateKeyFile /etc/apache2/ssl/apache.key
- SSLVerifyClient optional_no_ca
+ SSLVerifyClient require
+ SSLVerifyDepth 1
+ SSLCACertificateFile /home/registry/registry/shared/ca/certs/ca.cert.pem
 EPPEngine On
 EPPCommandRoot /proxy/command
diff --git a/config/application-example.yml b/config/application-example.yml
index 389647a40..51a4661e5 100644
--- a/config/application-example.yml
+++ b/config/application-example.yml
@@ -7,6 +7,9 @@ defaults: &defaults
 # If you change this key, all old signed cookies will become invalid!
 secret_key_base: please-change-it-you-can-generate-it-with-rake-secret
 devise_secret: please-change-it-you-can-generate-it-with-rake-secret
+ ca_cert_path: ca-cert-path-here
+ ca_key_path: ca-key-path-here
+ ca_key_password: ca-key-pass-phrase-here
 development:
 <<: *defaults
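Review bot: The new `ca_key_password` key stores the CA private-key passphrase in plaintext in application.yml, and the CHANGELOG hunk in this same commit shows a concrete value (`ca_key_password: 'registryalpha'`) beside the real key path; if that is the deployed passphrase it is now in git history and should be rotated, and the changelog should use a placeholder like the example file does. Because the README hunk switches Apache to `SSLVerifyClient require` against this CA, whoever holds ca.key.pem together with its passphrase can issue EPP client certificates the server trusts, so these three values deserve the same handling as `secret_key_base`. I would add above `ca_cert_path` a comment such as `# Private CA used to issue EPP client certificates. Keep the key and its passphrase out of version control; the key file should be readable only by the application user.` Whether the deployed application.yml is gitignored cannot be seen from this diff.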