diff --git a/ssl_mgmt/README b/ssl_mgmt/README index 72a79c4..9817483 100644 --- a/ssl_mgmt/README +++ b/ssl_mgmt/README @@ -1,22 +1,22 @@ -ssl_mgmt is a helper to manage ssl certificate: creation, renewal and removal. +ssl_mgmt is a helper to manage SSL certificates: creation, renewal and removal. So far, only renewal is supported. ssl_mgmt refers to certificates through the service they are associated with. *** EXAMPLES *** -To renew the certificate associated to https, the command line is: -ssl_mgmt renew https +To renew the certificate associated to HTTPS, the command line is: + ssl_mgmt renew https If you want to renew certificates of all services, you should do: -ssl_mgmt renew all + ssl_mgmt renew all Note: This suppose that * all services are listed in /root/homemade_certs; * directories have special rights so that newly created certificates automatically get proper rights; - * Root CA is already created - * openssl.cnf.in is copied at the root of the CA hierarchy + * the root CA is already created; + * openssl.cnf.in is copied in the CA hierarchy's root. The file system hierarchy assumed is: lrwxrwxrwx 1 root root 14 6 janv. 2010 certs -> /etc/ssl/certs diff --git a/ssl_mgmt/openssl.cnf.in b/ssl_mgmt/openssl.cnf.in index 3ce6cb8..aa9d14a 100644 --- a/ssl_mgmt/openssl.cnf.in +++ b/ssl_mgmt/openssl.cnf.in 
@@ -32,15 +32,19 @@ commonName = supplied emailAddress = optional [ req ] -default_bits = 2048 # Taille des clés -default_keyfile = newkeys/key.pem # Nom de la clé généré (à spécifier en ligne de commande si différent) -default_md = md5 # Algorithme de résumé (hash) -string_mask = nombstr # Caractères authorisés +# Keys' size: +default_bits = 2048 +# Name of the generated key (specify it as a CLI argument if different): +default_keyfile = newkeys/key.pem +# Hash algorithm: +default_md = md5 +# Authorised characters: +string_mask = nombstr prompt = no distinguished_name = req_distinguished_name req_extensions = v3_req -# On ne veut ces extensions que pour générer les certificats racines -# donc on le spécifie sur la ligne de commande +# We want those extensions only to generate the root certificates, so +# we specify it on the command line: x509_extensions = v3_ca [ req_distinguished_name ]
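Review bot: in the README hunk, the trailing context line "Note: This suppose that" keeps the grammar error this wording pass otherwise fixes; change it to "Note: this assumes that". In the changed lines, "associated to HTTPS" should be "associated with HTTPS", and "copied in the CA hierarchy's root" reads better as "copied to the root of the CA hierarchy". The bullet "directories have special rights so that newly created certificates automatically get proper rights" is too vague for a prerequisite of a certificate helper: state the expected ownership and modes (at least that private keys must not be group- or world-readable) so a reader can check the setup instead of guessing.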
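Review bot: in the openssl.cnf.in hunk, `default_md = md5` survives the comment rewrite unchanged, and MD5 is not an acceptable signature hash for certificates (chosen-prefix collisions against MD5-signed certificates are public, and current TLS clients reject MD5 signatures); since the line is being rewritten anyway, make it `default_md = sha256`. Likewise `string_mask = nombstr` is a legacy mask; `string_mask = utf8only` is the current recommendation. Minor: "Keys' size:" should be "Key size:". The comment "We want those extensions only to generate the root certificates, so we specify it on the command line" is confusing beside an unconditional `x509_extensions = v3_ca`: say which option overrides this default (for example `-extensions` with another section) when a non-root certificate is requested, otherwise `openssl req -x509` with this config applies CA extensions to every self-signed certificate it produces.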