Improve readme

CHANGELOG.md

@@ -57,8 +57,8 @@ emailAddress            = optional
 
 Issue the root certificate (prompts for additional data):
 ```
-openssl req -new -x509 -days 3650 -key private/ca.key.pem -sha256 -extensions v3_ca -out certs/ca.cert.pem
+openssl req -new -x509 -days 3650 -key private/ca.key.pem -sha256 -extensions v3_ca -out certs/ca.crt.pem
-chmod 444 certs/ca.cert.pem
+chmod 444 certs/ca.crt.pem
 ```
 
 Create a CSR for the webclient:
@@ -70,7 +70,7 @@ openssl req -sha256 -new -key private/webclient.key.pem -out csrs/webclient.csr.
 
 Sign the request and create certificate:
 ```
-openssl ca -keyfile private/ca.key.pem -cert certs/ca.cert.pem -extensions usr_cert -notext -md sha256 -in csrs/webclient.csr.pem -out certs/webclient.cert.pem
+openssl ca -keyfile private/ca.key.pem -cert certs/ca.crt.pem -extensions usr_cert -notext -md sha256 -in csrs/webclient.csr.pem -out certs/webclient.crt.pem
 ```
 
 Configure EPP virtual host:
@@ -87,7 +87,7 @@ With these lines:
 ```
   SSLVerifyClient require
   SSLVerifyDepth 1
-  SSLCACertificateFile /home/registry/registry/shared/ca/certs/ca.cert.pem
+  SSLCACertificateFile /home/registry/registry/shared/ca/certs/ca.crt.pem
   RequestHeader set SSL_CLIENT_S_DN_CN "%{SSL_CLIENT_S_DN_CN}s"
 ```
 
@@ -100,7 +100,7 @@ Add these lines:
 ```
   SSLVerifyClient none
   SSLVerifyDepth 1
-  SSLCACertificateFile /home/registry/registry/shared/ca/certs/ca.cert.pem
+  SSLCACertificateFile /home/registry/registry/shared/ca/certs/ca.crt.pem
 
   RequestHeader set SSL_CLIENT_S_DN_CN ""
 
@@ -109,7 +109,6 @@ Add these lines:
   </Location>
 
   <Location /sessions>
-    SSLVerifyClient require
     RequestHeader set SSL_CLIENT_S_DN_CN "%{SSL_CLIENT_S_DN_CN}s"
   </Location> 
 ```
@@ -122,7 +121,7 @@ sudo /etc/init.d/apache2 restart
 
 Configure registry and epp application.yml to match the CA settings:
 ```
-ca_cert_path: '/home/registry/registry/shared/ca/certs/ca.cert.pem'
+ca_cert_path: '/home/registry/registry/shared/ca/certs/ca.crt.pem'
 ca_key_path: '/home/registry/registry/shared/ca/private/ca.key.pem'
 ca_key_password: 'registryalpha'
 webclient_ip: '54.154.91.240'
@@ -130,7 +129,7 @@ webclient_ip: '54.154.91.240'
 
 Configure webclient application.yml to match the CA settings:
 ```
-cert_path: '/home/registry/registry/shared/ca/certs/webclient.cert.pem'
+cert_path: '/home/registry/registry/shared/ca/certs/webclient.crt.pem'
 key_path: '/home/registry/registry/shared/ca/private/webclient.key.pem'
 ```
 

README.md

@@ -152,7 +152,8 @@ Be sure to update paths to match your system configuration.
 
     SSLVerifyClient require
     SSLVerifyDepth 1
-    SSLCACertificateFile /home/registry/registry/shared/ca/certs/ca.cert.pem
+    SSLCACertificateFile /home/registry/registry/shared/ca/certs/ca.crt.pem
+    RequestHeader set SSL_CLIENT_S_DN_CN "%{SSL_CLIENT_S_DN_CN}s"
 
     EPPEngine On
     EPPCommandRoot          /proxy/command
@@ -181,6 +182,86 @@ All registry demo data can be found at:
 
 Initially you can use two type of users: admin users and EPP users.
 
+### CA
+
+Go to registry shared folder and setup CA directory tree:
+```
+mkdir ca
+cd ca
+mkdir certs crl newcerts private csrs
+chmod 700 private
+touch index.txt
+echo 1000 > serial
+```
+
+Generate the root key (prompts for pass phrase): 
+```
+openssl genrsa -aes256 -out private/ca.key.pem 4096
+```
+
+Configure OpenSSL:
+```
+sudo su -
+cd /etc/ssl/
+cp openssl.cnf openssl.cnf.bak
+nano openssl.cnf
+exit
+```
+
+Make sure the following options are in place:
+```
+[ CA_default ]
+# Where everything is kept
+dir = /home/registry/registry/shared/ca
+
+[ usr_cert ]
+# These extensions are added when 'ca' signs a request.
+basicConstraints=CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+nsComment = "OpenSSL Generated Certificate"
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+[ v3_ca ]
+# Extensions for a typical CA
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer
+basicConstraints = CA:true
+keyUsage = cRLSign, keyCertSign
+
+# For the CA policy
+[ policy_match ]
+countryName             = optional
+stateOrProvinceName     = optional
+organizationName        = optional
+organizationalUnitName  = optional
+commonName              = supplied
+emailAddress            = optional
+```
+
+Issue the root certificate (prompts for additional data):
+```
+openssl req -new -x509 -days 3650 -key private/ca.key.pem -sha256 -extensions v3_ca -out certs/ca.crt.pem
+chmod 444 certs/ca.crt.pem
+```
+
+Create a CSR for the webclient:
+```
+openssl genrsa -out private/webclient.key.pem 4096
+chmod 400 private/webclient.key.pem
+openssl req -sha256 -new -key private/webclient.key.pem -out csrs/webclient.csr.pem
+```
+
+Sign the request and create certificate:
+```
+openssl ca -keyfile private/ca.key.pem -cert certs/ca.crt.pem -extensions usr_cert -notext -md sha256 -in csrs/webclient.csr.pem -out certs/webclient.crt.pem
+```
+
+Certificates for API Users are generated via the user interface. CSR must be uploaded for each API User. Certificates are created automatically after saving the user.
+
+Private key and certificate must be packaged to pkcs12 and added to the browser's certificate bank.
+
+Make sure application configuration files contain correct paths to certificates.
 
 ### EPP web client