Certificate generation, readme updates

This commit is contained in:
Martin Lensment 2015-02-12 16:31:39 +02:00
parent f2c9d18473
commit 676e5b5ae3
3 changed files with 86 additions and 2 deletions

@ -1,3 +1,80 @@
12.02.2015
Go to registry shared folder and setup CA directory tree:
```
mkdir ca
cd ca
mkdir certs crl newcerts private
chmod 700 private
touch index.txt
echo 1000 > serial
```
Generate the root key (prompts for pass phrase):
```
openssl genrsa -aes256 -out private/ca.key.pem 4096
```
Configure OpenSSL:
```
sudo su -
cd /etc/ssl/
cp openssl.cnf openssl.cnf.bak
nano openssl.cnf
```
Make sure the following options are in place:
```
[ CA_default ]
# Where everything is kept
dir = /home/registry/registry/shared/ca
[ usr_cert ]
# These extensions are added when 'ca' signs a request.
basicConstraints=CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
nsComment = "OpenSSL Generated Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
[ v3_ca ]
# Extensions for a typical CA
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
basicConstraints = CA:true
keyUsage = cRLSign, keyCertSign
```
Issue the root certificate (prompts for additional data):
```
openssl req -new -x509 -days 3650 -key private/ca.key.pem -sha256 -extensions v3_ca -out certs/ca.cert.pem
chmod 444 certs/ca.cert.pem
```
Configure EPP virtual host:
```
sudo nano /etc/apache2/sites-enabled/epp.conf
```
Replace this line:
```
SSLVerifyClient optional_no_ca
```
With these lines:
```
SSLVerifyClient require
SSLVerifyDepth 1
SSLCACertificateFile /home/registry/registry/shared/ca/certs/ca.cert.pem
```
Configure application.yml to match the CA settings:
```
ca_cert_path: '/home/registry/registry/shared/ca/certs/ca.cert.pem'
ca_key_path: '/home/registry/registry/shared/ca/private/ca.key.pem'
ca_key_password: 'registryalpha'
```
20.01.2015 20.01.2015
* Added dedicated mina cron:setup and mina cron:clear for manual cron management. * Added dedicated mina cron:setup and mina cron:clear for manual cron management.
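Review bot: the application.yml snippet near the end of this hunk embeds a literal CA key pass phrase (`ca_key_password: 'registryalpha'`) in a file that is committed to the repository; replace it with a placeholder such as `ca-key-pass-phrase-here`, matching the style already used for `secret_key_base`. The setup steps also set `chmod 700 private` and `chmod 444 certs/ca.cert.pem` but never restrict the root key file itself; add `chmod 400 private/ca.key.pem` right after the `openssl genrsa` step. Finally, the instructions edit the system-wide `/etc/ssl/openssl.cnf` as root, which changes `[ CA_default ]` and `[ usr_cert ]` for every other OpenSSL user on the host; keeping a dedicated config under the `ca` directory and passing it with `-config` to `openssl req` and `openssl ca` would avoid that side effect.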

@ -138,7 +138,9 @@ For Apache, registry admin goes to port 443 in production, /etc/apache2/sites-en
</VirtualHost> </VirtualHost>
``` ```
For Apache, epp goes to port 700, /etc/apache2/sites-enabled/epp.conf short example: For Apache, epp goes to port 700.
Be sure to update paths to match your system configuration.
/etc/apache2/sites-enabled/epp.conf short example:
```apache ```apache
<IfModule mod_epp.c> <IfModule mod_epp.c>
Listen 700 Listen 700
@ -148,7 +150,9 @@ For Apache, epp goes to port 700, /etc/apache2/sites-enabled/epp.conf short exam
SSLCertificateFile /etc/apache2/ssl/apache.crt SSLCertificateFile /etc/apache2/ssl/apache.crt
SSLCertificateKeyFile /etc/apache2/ssl/apache.key SSLCertificateKeyFile /etc/apache2/ssl/apache.key
SSLVerifyClient optional_no_ca SSLVerifyClient require
SSLVerifyDepth 1
SSLCACertificateFile /home/registry/registry/shared/ca/certs/ca.cert.pem
EPPEngine On EPPEngine On
EPPCommandRoot /proxy/command EPPCommandRoot /proxy/command
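Review bot: `SSLVerifyDepth 1` combined with `SSLCACertificateFile` pointing only at the root certificate is correct as long as client certificates are signed directly by that root, which is what the setup notes in this commit describe; a short comment in the example stating that the depth is intentional would stop a future intermediate CA from silently breaking the handshake. The `/home/registry/registry/shared/ca/certs/ca.cert.pem` path is deployment-specific; the new "Be sure to update paths" sentence covers it, but naming the matching `ca_cert_path` setting in application.yml would make it obvious that the two values must stay in sync.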

@ -7,6 +7,9 @@ defaults: &defaults
# If you change this key, all old signed cookies will become invalid! # If you change this key, all old signed cookies will become invalid!
secret_key_base: please-change-it-you-can-generate-it-with-rake-secret secret_key_base: please-change-it-you-can-generate-it-with-rake-secret
devise_secret: please-change-it-you-can-generate-it-with-rake-secret devise_secret: please-change-it-you-can-generate-it-with-rake-secret
ca_cert_path: ca-cert-path-here
ca_key_path: ca-key-path-here
ca_key_password: ca-key-pass-phrase-here
development: development:
<<: *defaults <<: *defaults
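Review bot: the three new keys are added to the shared `defaults` block, so development, test and production all inherit the same CA key path and pass phrase unless each environment overrides them; extend the existing `# If you change this key...` comment style with a line stating that `ca_key_password` is a secret to be set per environment and never committed with a real value. Since `ca_key_path` gives the application process direct read access to the CA private key, the docs should also say which OS user must own `private/ca.key.pem`, otherwise the `chmod 700 private` from the setup steps will keep the application from opening it.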