Improve readme

2025-05-18 18:29:40 +02:00 · 2015-02-19 18:21:59 +02:00 · 2015-02-19 18:21:59 +02:00 · adfe2b3ddb
commit adfe2b3ddb
parent 4a5234f789
2 changed files with 89 additions and 9 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -57,8 +57,8 @@ emailAddress            = optional

 Issue the root certificate (prompts for additional data):
 ```
-openssl req -new -x509 -days 3650 -key private/ca.key.pem -sha256 -extensions v3_ca -out certs/ca.cert.pem
-chmod 444 certs/ca.cert.pem
+openssl req -new -x509 -days 3650 -key private/ca.key.pem -sha256 -extensions v3_ca -out certs/ca.crt.pem
+chmod 444 certs/ca.crt.pem
 ```

 Create a CSR for the webclient:
@ -70,7 +70,7 @@ openssl req -sha256 -new -key private/webclient.key.pem -out csrs/webclient.csr.

 Sign the request and create certificate:
 ```
-openssl ca -keyfile private/ca.key.pem -cert certs/ca.cert.pem -extensions usr_cert -notext -md sha256 -in csrs/webclient.csr.pem -out certs/webclient.cert.pem
+openssl ca -keyfile private/ca.key.pem -cert certs/ca.crt.pem -extensions usr_cert -notext -md sha256 -in csrs/webclient.csr.pem -out certs/webclient.crt.pem
 ```

 Configure EPP virtual host:
@ -87,7 +87,7 @@ With these lines:
 ```
  SSLVerifyClient require
  SSLVerifyDepth 1
-  SSLCACertificateFile /home/registry/registry/shared/ca/certs/ca.cert.pem
+  SSLCACertificateFile /home/registry/registry/shared/ca/certs/ca.crt.pem
  RequestHeader set SSL_CLIENT_S_DN_CN "%{SSL_CLIENT_S_DN_CN}s"
 ```

@ -100,7 +100,7 @@ Add these lines:
 ```
  SSLVerifyClient none
  SSLVerifyDepth 1
-  SSLCACertificateFile /home/registry/registry/shared/ca/certs/ca.cert.pem
+  SSLCACertificateFile /home/registry/registry/shared/ca/certs/ca.crt.pem

  RequestHeader set SSL_CLIENT_S_DN_CN ""

@ -109,7 +109,6 @@ Add these lines:
  </Location>

  <Location /sessions>
-    SSLVerifyClient require
    RequestHeader set SSL_CLIENT_S_DN_CN "%{SSL_CLIENT_S_DN_CN}s"
  </Location> 
 ```
@ -122,7 +121,7 @@ sudo /etc/init.d/apache2 restart

 Configure registry and epp application.yml to match the CA settings:
 ```
-ca_cert_path: '/home/registry/registry/shared/ca/certs/ca.cert.pem'
+ca_cert_path: '/home/registry/registry/shared/ca/certs/ca.crt.pem'
 ca_key_path: '/home/registry/registry/shared/ca/private/ca.key.pem'
 ca_key_password: 'registryalpha'
 webclient_ip: '54.154.91.240'
@ -130,7 +129,7 @@ webclient_ip: '54.154.91.240'

 Configure webclient application.yml to match the CA settings:
 ```
-cert_path: '/home/registry/registry/shared/ca/certs/webclient.cert.pem'
+cert_path: '/home/registry/registry/shared/ca/certs/webclient.crt.pem'
 key_path: '/home/registry/registry/shared/ca/private/webclient.key.pem'
 ```

--- a/README.md
+++ b/README.md
@ -152,7 +152,8 @@ Be sure to update paths to match your system configuration.

    SSLVerifyClient require
    SSLVerifyDepth 1
-    SSLCACertificateFile /home/registry/registry/shared/ca/certs/ca.cert.pem
+    SSLCACertificateFile /home/registry/registry/shared/ca/certs/ca.crt.pem
+    RequestHeader set SSL_CLIENT_S_DN_CN "%{SSL_CLIENT_S_DN_CN}s"

    EPPEngine On
    EPPCommandRoot          /proxy/command
@ -181,6 +182,86 @@ All registry demo data can be found at:

 Initially you can use two type of users: admin users and EPP users.

+### CA
+
+Go to registry shared folder and setup CA directory tree:
+```
+mkdir ca
+cd ca
+mkdir certs crl newcerts private csrs
+chmod 700 private
+touch index.txt
+echo 1000 > serial
+```
+
+Generate the root key (prompts for pass phrase): 
+```
+openssl genrsa -aes256 -out private/ca.key.pem 4096
+```
+
+Configure OpenSSL:
+```
+sudo su -
+cd /etc/ssl/
+cp openssl.cnf openssl.cnf.bak
+nano openssl.cnf
+exit
+```
+
+Make sure the following options are in place:
+```
+[ CA_default ]
+# Where everything is kept
+dir = /home/registry/registry/shared/ca
+
+[ usr_cert ]
+# These extensions are added when 'ca' signs a request.
+basicConstraints=CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+nsComment = "OpenSSL Generated Certificate"
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+[ v3_ca ]
+# Extensions for a typical CA
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer
+basicConstraints = CA:true
+keyUsage = cRLSign, keyCertSign
+
+# For the CA policy
+[ policy_match ]
+countryName             = optional
+stateOrProvinceName     = optional
+organizationName        = optional
+organizationalUnitName  = optional
+commonName              = supplied
+emailAddress            = optional
+```
+
+Issue the root certificate (prompts for additional data):
+```
+openssl req -new -x509 -days 3650 -key private/ca.key.pem -sha256 -extensions v3_ca -out certs/ca.crt.pem
+chmod 444 certs/ca.crt.pem
+```
+
+Create a CSR for the webclient:
+```
+openssl genrsa -out private/webclient.key.pem 4096
+chmod 400 private/webclient.key.pem
+openssl req -sha256 -new -key private/webclient.key.pem -out csrs/webclient.csr.pem
+```
+
+Sign the request and create certificate:
+```
+openssl ca -keyfile private/ca.key.pem -cert certs/ca.crt.pem -extensions usr_cert -notext -md sha256 -in csrs/webclient.csr.pem -out certs/webclient.crt.pem
+```
+
+Certificates for API Users are generated via the user interface. CSR must be uploaded for each API User. Certificates are created automatically after saving the user.
+
+Private key and certificate must be packaged to pkcs12 and added to the browser's certificate bank.
+
+Make sure application configuration files contain correct paths to certificates.

 ### EPP web client