Skip to content
Snippets Groups Projects
Normal view Permalink
README.openssl 2.06 KiB
Newer Older
Pavel Kácha's avatar
Rework documentation to include OpenSSL CA backend and examples
Pavel Kácha committed
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 
OpenSSL local backed for Warden 3.# Registration Authority
==========================================================

Introduction
------------

This backend allows using basic `openssl ca`_ facility for certificate
emission. Client information is kept as plain config files within "clients"
subdirectory. Also, received CSRs and issued certificates are saved in "csr"
and "newcerts" subdirectories, respectively. File "lock" is used to conduct
concurrent access to running openssl binary.

.. _openssl ca: https://www.openssl.org/docs/manmaster/man1/openssl-ca.html


Installation
------------

Choose directory where OpenSSL CA structure will reside (for example
"ca").

    # mkdir ca
    # cd ca/
    /ca# mkdir certs crl newcerts private clients csr
    /ca# chmod 700 private
    /ca# touch index.txt
    /ca# echo 1024 > serial

Adjust permissions.

   # s-bit, so newly created files receive permissions of parent
   # directory, not of creator
   ca# find . -type d | xargs chmod g+s
   # owner - apache group (this is for Debian, adjust accordingly for
   # different distribution)
   ca# chgrp -R www-data .

Generate CA root certificate.

    ca# openssl genrsa -out private/ca.key.pem 4096
    ca# openssl req -config openssl.cnf \
                -key private/ca.key.pem \
                -new -x509 -days 7300 -sha256 -extensions v3_ca \
                -out certs/ca.cert.pem
    ca# chmod 444 private/ca.key.pem certs/ca.cert.pem

Create "openssl.cnf" in base directory. You can use "openssl.cnf.example" as
a basis.


Configuration
-------------

    Options for "Registry: OpenSSLRegistry" section.

    base_dir: Base directory where OpenSSL CA environment is managed
    subject_dn_template: Template for DN of issued certs, defaults to "DC=cz,DC=example-ca,DC=warden,CN=%s"
    openssl_sign: OpenSSL command and arguments to run for signing, defaults to "openssl ca -config %(cnf)s -batch -extensions server_cert -days 375 -notext -md sha256 -in %(csr)s -subj '%(dn)s'"



------------------------------------------------------------------------------

Copyright (C) 2017 Cesnet z.s.p.o