From df57204922df91569b4d064cc0c7abedc5ede194 Mon Sep 17 00:00:00 2001
From: Priit Tark <priit@gitlab.eu>
Date: Thu, 26 Feb 2015 13:34:55 +0200
Subject: [PATCH] CA readme update

---
 config/application-example.yml |  13 ++-
 doc/certificate.md             | 156 +++++++++++++++++++--------------
 2 files changed, 98 insertions(+), 71 deletions(-)

diff --git a/config/application-example.yml b/config/application-example.yml
index 4ac8d0ddb..f5b0bf2ac 100644
--- a/config/application-example.yml
+++ b/config/application-example.yml
@@ -7,10 +7,15 @@ defaults: &defaults
   # If you change this key, all old signed cookies will become invalid!
   secret_key_base: please-change-it-you-can-generate-it-with-rake-secret
   devise_secret: please-change-it-you-can-generate-it-with-rake-secret
-  ca_cert_path: ca-cert-path-here
-  ca_key_path: ca-key-path-here
-  ca_key_password: ca-key-pass-phrase-here
-  crl_path: crl-path-here
+
+  # Used by registry admin server:
+  crl_path:     '/home/registry/registry/shared/ca/crl/crl.pem'
+  ca_cert_path: '/home/registry/registry/shared/ca/certs/ca.crt.pem'
+  ca_key_path:  '/home/registry/registry/shared/ca/private/ca.key.pem'
+  ca_key_password: 'your-root-key-password'
+
+  # Used by EPP server
+  webclient_ip: '54.154.91.240'
 
 development:
   <<: *defaults
diff --git a/doc/certificate.md b/doc/certificate.md
index c1131ed61..bf222a5e2 100644
--- a/doc/certificate.md
+++ b/doc/certificate.md
@@ -1,15 +1,59 @@
 Certificates setup
 ------------------
 
-Certificates for API Users are generated via registnry admin user interface. 
-CSR must be uploaded for each API User.
+Guide to setup all registry/epp/repp, webclient and api user certificates.
+
+There are three type of certificates:
+
+* root cert (one time action using command line)
+* webclient server cert (one time action using command line)
+* api user cert (multiple actions through admin interface)
+
+API users CSR are uploaded through registry admin interface for each API user.
 
 Private key and certificate must be packaged to pkcs12 and added to user browser.
 
 
 ### Registry setup
 
-Setup CA directory tree:
+Configure OpenSSL:
+
+    sudo cp /etc/ssl/openssl.cnf /etc/ssl/openssl.cnf.bak
+    sudo vi /etc/ssl/openssl.cnf
+
+Make sure the following options are in place:
+
+    [ CA_default ]
+    # Where everything is kept
+    dir = /home/registry/registry/shared/ca                       # around line nr 42
+
+    crl_extensions = crl_ext                                      # around line nr 71
+
+    # For the CA policy
+    [ policy_match ]
+    countryName             = optional                            # around line nr 85
+    stateOrProvinceName     = optional                            # around line nr 86
+    organizationName        = optional                            # around line nr 87
+    organizationalUnitName  = optional                            # around line nr 88
+    commonName              = supplied                            # around line nr 89
+    emailAddress            = optional                            # around line nr 90
+
+    [ usr_cert ]
+    # These extensions are added when 'ca' signs a request.
+    basicConstraints=CA:FALSE                                     # around line nr 170
+    keyUsage = nonRepudiation, digitalSignature, keyEncipherment  # around line nr 188
+    nsComment = "OpenSSL Generated Certificate"                   # around line nr 191
+    subjectKeyIdentifier=hash                                     # around line nr 194
+    authorityKeyIdentifier=keyid,issuer                           # around line nr 195
+
+    [ v3_ca ]
+    # Extensions for a typical CA
+    subjectKeyIdentifier=hash                                     # around line nr 232
+    authorityKeyIdentifier=keyid:always,issuer                    # around line nr 234
+    basicConstraints = CA:true                                    # around line nr 240
+    keyUsage = cRLSign, keyCertSign                               # around line nr 245
+
+Setup CA directory in shared directory:
 
     cd /home/registry/registry/shared
     mkdir ca
@@ -20,73 +64,47 @@ Setup CA directory tree:
     echo 1000 > serial
     echo 1000 > crlnumber
 
-Generate the root key (prompts for pass phrase): 
+Generate the root key and remember your password, you need it later in application.yml: 
 
     openssl genrsa -aes256 -out private/ca.key.pem 4096
 
-Configure OpenSSL:
+Create root registry certificate (prompts for additional data and review days flag):
 
-    sudo su -
-    cd /etc/ssl/
-    cp openssl.cnf openssl.cnf.bak
-    nano openssl.cnf
-    exit
-
-Make sure the following options are in place:
-
-    crl_extensions = crl_ext
-
-    [ CA_default ]
-    # Where everything is kept
-    dir = /home/registry/registry/shared/ca
-
-    [ usr_cert ]
-    # These extensions are added when 'ca' signs a request.
-    basicConstraints=CA:FALSE
-    keyUsage = nonRepudiation, digitalSignature, keyEncipherment
-    nsComment = "OpenSSL Generated Certificate"
-    subjectKeyIdentifier=hash
-    authorityKeyIdentifier=keyid,issuer
-
-    [ v3_ca ]
-    # Extensions for a typical CA
-    subjectKeyIdentifier=hash
-    authorityKeyIdentifier=keyid:always,issuer
-    basicConstraints = CA:true
-    keyUsage = cRLSign, keyCertSign
-
-    # For the CA policy
-    [ policy_match ]
-    countryName             = optional
-    stateOrProvinceName     = optional
-    organizationName        = optional
-    organizationalUnitName  = optional
-    commonName              = supplied
-    emailAddress            = optional
-
-Issue the root certificate (prompts for additional data):
-
-    openssl req -new -x509 -days 3650 -key private/ca.key.pem -sha256 -extensions v3_ca -out certs/ca.crt.pem
+    openssl req -new -x509 -days 3653 -key private/ca.key.pem -sha256 -extensions v3_ca -out certs/ca.crt.pem
     chmod 444 certs/ca.crt.pem
 
-Create a CSR for the webclient:
+Create a webclient key and CSR for accepting webclient request:
 
     openssl genrsa -out private/webclient.key.pem 4096
     chmod 400 private/webclient.key.pem
-    openssl req -sha256 -new -key private/webclient.key.pem -out csrs/webclient.csr.pem
+    openssl req -sha256 -new -days 3653 -key private/webclient.key.pem -out csrs/webclient.csr.pem
 
-Sign the request and create certificate:
+Sign CSR and create certificate:
 
-    openssl ca -keyfile private/ca.key.pem -cert certs/ca.crt.pem -extensions usr_cert -notext -md sha256 -in csrs/webclient.csr.pem -out certs/webclient.crt.pem
+    openssl ca -keyfile private/ca.key.pem -cert certs/ca.crt.pem -extensions usr_cert -notext -md sha256 -in csrs/webclient.csr.pem -days 3653 -out certs/webclient.crt.pem
     chmod 444 certs/webclient.crt.pem
 
 Create certificate revocation list (prompts for pass phrase):
 
     openssl ca -keyfile private/ca.key.pem -cert certs/ca.crt.pem -gencrl -out crl/crl.pem
 
-Configure EPP virtual host:
+Configure registry registry/shared/config/application.yml to match the CA settings:
 
-    sudo nano /etc/apache2/sites-enabled/epp.conf
+    ca_cert_path: '/home/registry/registry/shared/ca/certs/ca.crt.pem'
+    ca_key_path: '/home/registry/registry/shared/ca/private/ca.key.pem'
+    ca_key_password: 'your-root-key-password'
+    crl_path: '/home/registry/registry/shared/ca/crl/crl.pem'
+
+
+### Registry EPP setup
+
+Configure registry epp registry-epp/shared/config/application.yml:
+
+    webclient_ip: '54.154.91.240'
+
+Configure EPP port 700 virtual host:
+
+    sudo vi /etc/apache2/sites-enabled/epp.conf
 
 Replace this line:
 
@@ -102,16 +120,32 @@ With these lines:
     # SSLCARevocationCheck chain
     RequestHeader set SSL_CLIENT_S_DN_CN "%{SSL_CLIENT_S_DN_CN}s"
 
+Reload apache:
+
+    sudo a2enmod headers
+    sudo /etc/init.d/apache2 restart
+
+
+### Webclient setup
+
+Copy all registry/shared/ca directory to your webclient server if webclient is in different server,
+otherwise just point everything to your registry/shared/ca directory.
+
+Configure webclient/shared/config/application.yml to match the CA settings:
+
+    cert_path: '/home/webclient/webclient/shared/ca/certs/webclient.crt.pem'
+    key_path:  '/home/webclient/webclient/shared/ca/private/webclient.key.pem'
+
 Configure webclient virtual host:
 
-    sudo nano /etc/apache2/sites-enabled/webclient.conf
+    sudo vi /etc/apache2/sites-enabled/webclient.conf
 
 Add these lines:
 
     SSLVerifyClient none
     SSLVerifyDepth 1
-    SSLCACertificateFile /home/registry/registry/shared/ca/certs/ca.crt.pem
-    SSLCARevocationFile /home/registry/registry/shared/ca/crl/crl.pem
+    SSLCACertificateFile /home/webclient/webclient/shared/ca/certs/ca.crt.pem
+    SSLCARevocationFile  /home/webclient/webclient/shared/ca/crl/crl.pem
     # Uncomment this when upgrading to apache 2.4:
     # SSLCARevocationCheck chain
 
@@ -127,18 +161,6 @@ Reload apache:
     sudo a2enmod headers
     sudo /etc/init.d/apache2 restart
 
-Configure registry and epp application.yml to match the CA settings:
-
-    ca_cert_path: '/home/registry/registry/shared/ca/certs/ca.crt.pem'
-    ca_key_path: '/home/registry/registry/shared/ca/private/ca.key.pem'
-    ca_key_password: 'registryalpha'
-    crl_path: '/home/registry/registry/shared/ca/crl/crl.pem'
-    webclient_ip: '54.154.91.240'
-
-Configure webclient application.yml to match the CA settings:
-
-    cert_path: '/home/registry/registry/shared/ca/certs/webclient.crt.pem'
-    key_path: '/home/registry/registry/shared/ca/private/webclient.key.pem'
 
 Development env
 ---------------