
[ssl_mgmt] Update documentation

master
Thomas Preud'homme 5 years ago
parent
commit
dba3360a3b
2 changed files with 74 additions and 53 deletions:
  1. ssl_mgmt/README (+24, -53)
  2. ssl_mgmt/ssl_mgmt.conf (+50, -0)

ssl_mgmt/README (+24, -53)

@@ -12,59 +12,30 @@ If you want to renew certificates of all services, you should do:
12 12
  ssl_mgmt renew all
13 13
 
14 14
 Note: This suppose that
15
- * all services are listed in /root/homemade_certs;
16
- * directories have special rights so that newly created certificates
17
-   automatically get proper rights;
15
+ * all services are listed in managedCerts in the configuration file whether
16
+   directly or by setting its value from a file;
18 17
  * the root CA is already created;
19
- * openssl.cnf.in is copied in the CA hierarchy's root.
18
+ * /usr/local/lib/ssl_mgmt contains an openssl configuration file template
19
+   named openssl.cnf.in, a file serial containing a hex number indicating the
20
+   number of signed certificates so far, a file index.txt with a list (possibly
21
+   empty) of all certificates signed so far and the directories newcerts,
22
+   newkeys and csr.
20 23
 
21 24
 The file system hierarchy assumed is:
22
-lrwxrwxrwx  1 root root       14  6 janv.  2010 certs -> /etc/ssl/certs
23
-drws--S---+ 2 root ssl-cert 4096 23 janv.  2011 csr
24
--rw-------  1 root ssl-cert 1937 20 févr. 16:38 index.txt
25
--rw-------  1 root ssl-cert   20 20 févr. 16:38 index.txt.attr
26
-drwSr-Sr--+ 2 root ssl-cert 4096 20 févr. 16:38 newcerts
27
-drwSr-S---+ 2 root ssl-cert 4096 20 févr. 16:38 newkeys
28
--rw-r--r--  1 root ssl-cert 1546 20 févr. 14:24 openssl.cnf.in
29
-lrwxrwxrwx  1 root root       16  6 janv.  2010 private -> /etc/ssl/private
30
--rw-------  1 root ssl-cert    3 20 févr. 16:38 serial
31
-
32
-About csr, newcerts and newkeys:
33
-
34
-# file: usr/lib/ssl/CA/csr
35
-# owner: root
36
-# group: ssl-cert
37
-# flags: ss-
38
-user::rwx
39
-group::---
40
-other::---
41
-default:user::rw-
42
-default:group::r--
43
-default:other::---
44
-
45
-# file: usr/lib/ssl/CA/newcerts
46
-# owner: root
47
-# group: ssl-cert
48
-# flags: ss-
49
-user::rw-
50
-group::r--
51
-other::r--
52
-default:user::rw-
53
-default:group::r--
54
-default:other::r--
55
-
56
-# file: usr/lib/ssl/CA/newkeys
57
-# owner: root
58
-# group: ssl-cert
59
-# flags: ss-
60
-user::rw-
61
-group::r--
62
-other::---
63
-default:user::rw-
64
-default:group::r--
65
-default:other::---
66
-
67
-To use this script, you have to be root, or to be able to execute
68
-commands with root privileges through sudo.
69
-You should install it in a directory within the PATH of the root user,
70
-such as /usr/local/sbin.
25
+/usr/local/lib/ssl_mgmt
26
+├── csr
27
+├── index.txt
28
+├── index.txt.attr
29
+├── newcerts
30
+├── newkeys
31
+├── openssl.cnf.in
32
+└── serial
33
+
34
+To use this script, you need to have accessed to all the file above as well as
35
+the configuration file and the files mentionned in it and the certificate you
36
+wish to renew. You also need to have the right to create a new certificate
37
+with the same rights.
38
+
39
+You should install it in a directory within the PATH of the root user, such
40
+as /usr/local/sbin and its working directory in ../lib relative to where the
41
+scripts lies, such as /usr/local/lib/sbin.
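Review bot: the install guidance at the end of this hunk contradicts the tree above it: the working directory is described as `../lib` relative to the script and then exemplified as `/usr/local/lib/sbin`, while the listing and the prerequisite list both place it at `/usr/local/lib/ssl_mgmt` (and ssl_mgmt.conf's stated default is `../lib/<script_name>`); the example should read `/usr/local/lib/ssl_mgmt`. The hunk also removes the `ls -l` and `getfacl` output without replacing the information it carried: the old README made explicit that `newkeys`, `serial` and `index.txt` are root:ssl-cert with no world access, that `newcerts` is world-readable, and that default ACLs keep freshly created keys unreadable by others, whereas the new text only says the operator needs "the right to create a new certificate with the same rights", which tells someone setting up a fresh `/usr/local/lib/ssl_mgmt` nothing about which owner, group and modes to apply; keep at least one sentence stating the required ownership and modes for `newkeys`, `csr`, `serial` and `index.txt`, or state that the script checks them. Smaller points: `serial` holds the next serial number openssl ca will assign, which is only a count of signed certificates if it started at zero, so "indicating the number of signed certificates so far" is misleading; `index.txt.attr` appears in the tree but not in the prerequisite list; and "you need to have accessed to all the file above", "mentionned" and "where the scripts lies" should read "you need access to all the files above", "mentioned" and "where the script lies" (the unchanged "This suppose that" above could become "This supposes that" while you are there).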

ssl_mgmt/ssl_mgmt.conf (+50, -0)

@@ -0,0 +1,50 @@
1
+# Directory containing the files needed to generate new certificates.
2
+# DEFAULT: ../lib/<script_name> relative to the directory containing the script
3
+# itself.
4
+#workdir=../lib/ssl_mgmt
5
+#workDir=/usr/lib/ssl_mgmt
6
+
7
+# Directory where to store new certificates
8
+# DEFAULT: /etc/ssl/certs
9
+#certDestDir=/etc/ssl/certs
10
+
11
+# Directory where to store new keys (private part of certificates)
12
+# DEFAULT: /etc/ssl/private
13
+#keyDestDir=/etc/ssl/private
14
+
15
+# Path to the root certificate file
16
+# DEFAULT: $certDestDir/ca-cert.pem
17
+#CACertPath=$certDestDir/ca-cert.pem
18
+
19
+# Path to the root certificate key file
20
+# DEFAULT: $keyDestDir/ca-key.pem
21
+#CAKeyPath=$keyDestDir/ca-key.pem
22
+
23
+# Path to the file containing the password of the root certificate key
24
+# DEFAULT: <none>
25
+#rootCAPwdPath=
26
+
27
+# List of certificate handled by ssl_mgmt. This list is used by the command
28
+# renew all to determine the certificates that need to be renewed.
29
+# DEFAULT: <none>
30
+#managedCerts=
31
+
32
+# List of users to be notified when a certificate is created or renewed.
33
+# DEFAULT: <none>
34
+#notifiedUsers=
35
+
36
+# Subject of the mail sent to the users specified in $notifiedUsers when a
37
+# certificate is created or renewed.
38
+# DEFAULT: 'New fingerprint for service $service'
39
+#notifySubject='New fingerprint for service $service'
40
+
41
+# Template of the body of the mail sent to the users specified in
42
+# $notifiedUsers when a certificate is created or renewed.
43
+# DEFAULT: 'Certificate for $service has changed.
44
+# The fingerprint of the new certificate is:
45
+#
46
+# $fingerprint'
47
+#notifyTemplate='Certificate for $service has changed.
48
+#The fingerprint of the new certificate is:
49
+#
50
+#$fingerprint'
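Review bot: the first setting is given under two different names with two different example values, `#workdir=../lib/ssl_mgmt` and `#workDir=/usr/lib/ssl_mgmt`, and neither matches the README's `/usr/local/lib/ssl_mgmt`; keep one spelling (the rest of the file is camelCase: `certDestDir`, `keyDestDir`, `CACertPath`) and one example, aligned with the README. The defaults written as `$certDestDir/ca-cert.pem` and `$keyDestDir/ca-key.pem` and the single-quoted multi-line `notifyTemplate` suggest the file is sourced as shell; if so, the header should say that the config file is executed with the script's privileges and must be owned by root and not group- or world-writable, and since `$service` and `$fingerprint` in `notifySubject`/`notifyTemplate` are left for the script to expand later, the comment should state how that expansion is done so that a service name from `managedCerts` containing shell metacharacters cannot reach an unquoted `eval`. `rootCAPwdPath` names a file holding the CA key passphrase in clear and nothing here says how it must be protected; document the expected mode (0600, root-owned) and note that setting it lets `renew all` sign without any interactive step, so the file deserves the same protection as the key itself. Finally, the README says `managedCerts` may be set "directly or by setting its value from a file", but this comment does not describe the entry separator or the file format; state it (one name per line, or space-separated) so that the set of certificates `renew all` touches is predictable.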
