Merged certificate doc

2025-05-18 02:09:39 +02:00 · 2015-02-26 11:48:38 +02:00 · 2015-02-26 11:48:38 +02:00 · f11af415d9
commit f11af415d9
parent 4e5d7aea49
2 changed files with 115 additions and 201 deletions
--- a/README.md
+++ b/README.md
@ -186,98 +186,10 @@ All registry demo data can be found at:

 Initially you can use two type of users: admin users and EPP users.

-### CA
+### Certificates setup

-Go to registry shared folder and setup CA directory tree:
-```
-mkdir ca
-cd ca
-mkdir certs crl newcerts private csrs
-chmod 700 private
-touch index.txt
-echo 1000 > serial
-echo 1000 > crlnumber
-```
+* [Certificates setup](/doc/certificates.md)

-Generate the root key (prompts for pass phrase): 
-```
-openssl genrsa -aes256 -out private/ca.key.pem 4096
-```
-
-Configure OpenSSL:
-```
-sudo su -
-cd /etc/ssl/
-cp openssl.cnf openssl.cnf.bak
-nano openssl.cnf
-exit
-```
-
-Make sure the following options are in place:
-```
-[ CA_default ]
-# Where everything is kept
-dir = /home/registry/registry/shared/ca
-
-[ usr_cert ]
-# These extensions are added when 'ca' signs a request.
-basicConstraints=CA:FALSE
-keyUsage = nonRepudiation, digitalSignature, keyEncipherment
-nsComment = "OpenSSL Generated Certificate"
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid,issuer
-
-[ v3_ca ]
-# Extensions for a typical CA
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid:always,issuer
-basicConstraints = CA:true
-keyUsage = cRLSign, keyCertSign
-
-# For the CA policy
-[ policy_match ]
-countryName             = optional
-stateOrProvinceName     = optional
-organizationName        = optional
-organizationalUnitName  = optional
-commonName              = supplied
-emailAddress            = optional
-```
-
-Issue the root certificate (prompts for additional data):
-```
-openssl req -new -x509 -days 3650 -key private/ca.key.pem -sha256 -extensions v3_ca -out certs/ca.crt.pem
-chmod 444 certs/ca.crt.pem
-```
-
-Create a CSR for the webclient:
-```
-openssl genrsa -out private/webclient.key.pem 4096
-chmod 400 private/webclient.key.pem
-openssl req -sha256 -new -key private/webclient.key.pem -out csrs/webclient.csr.pem
-```
-
-Sign the request and create certificate:
-```
-openssl ca -keyfile private/ca.key.pem -cert certs/ca.crt.pem -extensions usr_cert -notext -md sha256 -in csrs/webclient.csr.pem -out certs/webclient.crt.pem
-```
-
-Create certificate revocation list (prompts for pass phrase):
-```
-openssl ca -keyfile private/ca.key.pem -cert certs/ca.crt.pem -gencrl -out crl/crl.pem
-```
-
-Certificates for API Users are generated via the user interface. CSR must be uploaded for each API User.
-
-Private key and certificate must be packaged to pkcs12 and added to the browser.
-
-Make sure application configuration files contain correct paths to certificates.
-
-In test environment it's important to set unique_subject option to false.  
-In CA directory:
-```
-echo "unique_subject = no" > index.txt.attr
-```

 ### EPP web client

--- a/doc/certificate.md
+++ b/doc/certificate.md
@ -1,8 +1,17 @@
-Setting up certificates
-----------------------
+Certificates setup
+------------------

-Go to registry shared folder and setup CA directory tree:
-```
+Certificates for API Users are generated via registnry admin user interface. 
+CSR must be uploaded for each API User.
+
+Private key and certificate must be packaged to pkcs12 and added to user browser.
+
+
+### Registry setup
+
+Setup CA directory tree:
+
+    cd /home/registry/registry/shared
    mkdir ca
    cd ca
    mkdir certs crl newcerts private csrs
@ -10,24 +19,21 @@ chmod 700 private
    touch index.txt
    echo 1000 > serial
    echo 1000 > crlnumber
-```

 Generate the root key (prompts for pass phrase): 
-```
+
    openssl genrsa -aes256 -out private/ca.key.pem 4096
-```

 Configure OpenSSL:
-```
+
    sudo su -
    cd /etc/ssl/
    cp openssl.cnf openssl.cnf.bak
    nano openssl.cnf
    exit
-```

 Make sure the following options are in place:
-```
+
    crl_extensions = crl_ext

    [ CA_default ]
@ -57,44 +63,37 @@ organizationName        = optional
    organizationalUnitName  = optional
    commonName              = supplied
    emailAddress            = optional
-```

 Issue the root certificate (prompts for additional data):
-```
+
    openssl req -new -x509 -days 3650 -key private/ca.key.pem -sha256 -extensions v3_ca -out certs/ca.crt.pem
    chmod 444 certs/ca.crt.pem
-```

 Create a CSR for the webclient:
-```
+
    openssl genrsa -out private/webclient.key.pem 4096
    chmod 400 private/webclient.key.pem
    openssl req -sha256 -new -key private/webclient.key.pem -out csrs/webclient.csr.pem
-```

 Sign the request and create certificate:
-```
+
    openssl ca -keyfile private/ca.key.pem -cert certs/ca.crt.pem -extensions usr_cert -notext -md sha256 -in csrs/webclient.csr.pem -out certs/webclient.crt.pem
    chmod 444 certs/webclient.crt.pem
-```

 Create certificate revocation list (prompts for pass phrase):
-```
+
    openssl ca -keyfile private/ca.key.pem -cert certs/ca.crt.pem -gencrl -out crl/crl.pem
-```

 Configure EPP virtual host:
-```
+
    sudo nano /etc/apache2/sites-enabled/epp.conf
-```

 Replace this line:
-```
+
    SSLVerifyClient optional_no_ca
-```

 With these lines:
-```
+
    SSLVerifyClient require
    SSLVerifyDepth 1
    SSLCACertificateFile /home/registry/registry/shared/ca/certs/ca.crt.pem
@ -102,15 +101,13 @@ With these lines:
    # Uncomment this when upgrading to apache 2.4:
    # SSLCARevocationCheck chain
    RequestHeader set SSL_CLIENT_S_DN_CN "%{SSL_CLIENT_S_DN_CN}s"
-```

 Configure webclient virtual host:
-```
+
    sudo nano /etc/apache2/sites-enabled/webclient.conf
-```

 Add these lines:
-```
+
    SSLVerifyClient none
    SSLVerifyDepth 1
    SSLCACertificateFile /home/registry/registry/shared/ca/certs/ca.crt.pem
@ -124,26 +121,31 @@ Add these lines:
      SSLVerifyClient require
      RequestHeader set SSL_CLIENT_S_DN_CN "%{SSL_CLIENT_S_DN_CN}s"
    </Location> 
-```

 Reload apache:
-```
+
    sudo a2enmod headers
    sudo /etc/init.d/apache2 restart
-```

 Configure registry and epp application.yml to match the CA settings:
-```
+
    ca_cert_path: '/home/registry/registry/shared/ca/certs/ca.crt.pem'
    ca_key_path: '/home/registry/registry/shared/ca/private/ca.key.pem'
    ca_key_password: 'registryalpha'
    crl_path: '/home/registry/registry/shared/ca/crl/crl.pem'
    webclient_ip: '54.154.91.240'
-```

 Configure webclient application.yml to match the CA settings:
-```
+
    cert_path: '/home/registry/registry/shared/ca/certs/webclient.crt.pem'
    key_path: '/home/registry/registry/shared/ca/private/webclient.key.pem'
-```

+Development env
+---------------
+
+In development environment it's convenient to set unique_subject option to false,
+thus you can generate quickly as many certs as you wish.
+
+In CA directory:
+
+    echo "unique_subject = no" > index.txt.attr