Merged certificate doc

2025-08-04 00:42:04 +02:00 · 2015-02-26 11:48:38 +02:00 · 2015-02-26 11:48:38 +02:00 · f11af415d9
commit f11af415d9
parent 4e5d7aea49
2 changed files with 115 additions and 201 deletions
--- a/README.md
+++ b/README.md
@ -186,98 +186,10 @@ All registry demo data can be found at:

 Initially you can use two type of users: admin users and EPP users.

-### CA
+### Certificates setup

-Go to registry shared folder and setup CA directory tree:
-```
-mkdir ca
-cd ca
-mkdir certs crl newcerts private csrs
-chmod 700 private
-touch index.txt
-echo 1000 > serial
-echo 1000 > crlnumber
-```
+* [Certificates setup](/doc/certificates.md)

-Generate the root key (prompts for pass phrase): 
-```
-openssl genrsa -aes256 -out private/ca.key.pem 4096
-```
-
-Configure OpenSSL:
-```
-sudo su -
-cd /etc/ssl/
-cp openssl.cnf openssl.cnf.bak
-nano openssl.cnf
-exit
-```
-
-Make sure the following options are in place:
-```
-[ CA_default ]
-# Where everything is kept
-dir = /home/registry/registry/shared/ca
-
-[ usr_cert ]
-# These extensions are added when 'ca' signs a request.
-basicConstraints=CA:FALSE
-keyUsage = nonRepudiation, digitalSignature, keyEncipherment
-nsComment = "OpenSSL Generated Certificate"
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid,issuer
-
-[ v3_ca ]
-# Extensions for a typical CA
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid:always,issuer
-basicConstraints = CA:true
-keyUsage = cRLSign, keyCertSign
-
-# For the CA policy
-[ policy_match ]
-countryName             = optional
-stateOrProvinceName     = optional
-organizationName        = optional
-organizationalUnitName  = optional
-commonName              = supplied
-emailAddress            = optional
-```
-
-Issue the root certificate (prompts for additional data):
-```
-openssl req -new -x509 -days 3650 -key private/ca.key.pem -sha256 -extensions v3_ca -out certs/ca.crt.pem
-chmod 444 certs/ca.crt.pem
-```
-
-Create a CSR for the webclient:
-```
-openssl genrsa -out private/webclient.key.pem 4096
-chmod 400 private/webclient.key.pem
-openssl req -sha256 -new -key private/webclient.key.pem -out csrs/webclient.csr.pem
-```
-
-Sign the request and create certificate:
-```
-openssl ca -keyfile private/ca.key.pem -cert certs/ca.crt.pem -extensions usr_cert -notext -md sha256 -in csrs/webclient.csr.pem -out certs/webclient.crt.pem
-```
-
-Create certificate revocation list (prompts for pass phrase):
-```
-openssl ca -keyfile private/ca.key.pem -cert certs/ca.crt.pem -gencrl -out crl/crl.pem
-```
-
-Certificates for API Users are generated via the user interface. CSR must be uploaded for each API User.
-
-Private key and certificate must be packaged to pkcs12 and added to the browser.
-
-Make sure application configuration files contain correct paths to certificates.
-
-In test environment it's important to set unique_subject option to false.  
-In CA directory:
-```
-echo "unique_subject = no" > index.txt.attr
-```

 ### EPP web client