From dba3360a3b69ac69314815f6fb6c8995c327cf49 Mon Sep 17 00:00:00 2001
From: Thomas Preud'homme
Date: Mon, 5 May 2014 22:44:35 +0800
Subject: [PATCH] [ssl_mgmt] Update documentation
---
 ssl_mgmt/README | 73 +++++++++++++-----------------------------
 ssl_mgmt/ssl_mgmt.conf | 50 +++++++++++++++++++++++++++++
 2 files changed, 72 insertions(+), 51 deletions(-)
 create mode 100644 ssl_mgmt/ssl_mgmt.conf
diff --git a/ssl_mgmt/README b/ssl_mgmt/README
index 9817483..5feb612 100644
--- a/ssl_mgmt/README
+++ b/ssl_mgmt/README
@@ -12,59 +12,30 @@ If you want to renew certificates of all services, you should do:
 ssl_mgmt renew all
 
 Note: This suppose that
- * all services are listed in /root/homemade_certs;
- * directories have special rights so that newly created certificates
- automatically get proper rights;
+ * all services are listed in managedCerts in the configuration file whether
+ directly or by setting its value from a file;
  * the root CA is already created;
- * openssl.cnf.in is copied in the CA hierarchy's root.
+ * /usr/local/lib/ssl_mgmt contains an openssl configuration file template
+ named openssl.cnf.in, a file serial containing a hex number indicating the
+ number of signed certificates so far, a file index.txt with a list (possibly
+ empty) of all certificates signed so far and the directories newcerts,
+ newkeys and csr.
 
 The file system hierarchy assumed is:
 
-lrwxrwxrwx 1 root root 14 6 janv. 2010 certs -> /etc/ssl/certs
-drws--S---+ 2 root ssl-cert 4096 23 janv. 2011 csr
--rw------- 1 root ssl-cert 1937 20 févr. 16:38 index.txt
--rw------- 1 root ssl-cert 20 20 févr. 16:38 index.txt.attr
-drwSr-Sr--+ 2 root ssl-cert 4096 20 févr. 16:38 newcerts
-drwSr-S---+ 2 root ssl-cert 4096 20 févr. 16:38 newkeys
--rw-r--r-- 1 root ssl-cert 1546 20 févr. 14:24 openssl.cnf.in
-lrwxrwxrwx 1 root root 16 6 janv. 2010 private -> /etc/ssl/private
--rw------- 1 root ssl-cert 3 20 févr. 16:38 serial
+/usr/local/lib/ssl_mgmt
+├── csr
+├── index.txt
+├── index.txt.attr
+├── newcerts
+├── newkeys
+├── openssl.cnf.in
+└── serial
 
-About csr, newcerts and newkeys:
+To use this script, you need to have accessed to all the file above as well as
+the configuration file and the files mentionned in it and the certificate you
+wish to renew. You also need to have the right to create a new certificate
+with the same rights.
-# file: usr/lib/ssl/CA/csr
-# owner: root
-# group: ssl-cert
-# flags: ss-
-user::rwx
-group::---
-other::---
-default:user::rw-
-default:group::r--
-default:other::---
-
-# file: usr/lib/ssl/CA/newcerts
-# owner: root
-# group: ssl-cert
-# flags: ss-
-user::rw-
-group::r--
-other::r--
-default:user::rw-
-default:group::r--
-default:other::r--
-
-# file: usr/lib/ssl/CA/newkeys
-# owner: root
-# group: ssl-cert
-# flags: ss-
-user::rw-
-group::r--
-other::---
-default:user::rw-
-default:group::r--
-default:other::---
-
-To use this script, you have to be root, or to be able to execute
-commands with root privileges through sudo.
-You should install it in a directory within the PATH of the root user,
-such as /usr/local/sbin.
+You should install it in a directory within the PATH of the root user, such
+as /usr/local/sbin and its working directory in ../lib relative to where the
+scripts lies, such as /usr/local/lib/sbin.
diff --git a/ssl_mgmt/ssl_mgmt.conf b/ssl_mgmt/ssl_mgmt.conf
new file mode 100644
index 0000000..d9a27ce
--- /dev/null
+++ b/ssl_mgmt/ssl_mgmt.conf
@@ -0,0 +1,50 @@
+# Directory containing the files needed to generate new certificates.
+# DEFAULT: ../lib/ relative to the directory containing the script
+# itself.
+#workdir=../lib/ssl_mgmt
+#workDir=/usr/lib/ssl_mgmt
+
+# Directory where to store new certificates
+# DEFAULT: /etc/ssl/certs
+#certDestDir=/etc/ssl/certs
+
+# Directory where to store new keys (private part of certificates)
+# DEFAULT: /etc/ssl/private
+#keyDestDir=/etc/ssl/private
+
+# Path to the root certificate file
+# DEFAULT: $certDestDir/ca-cert.pem
+#CACertPath=$certDestDir/ca-cert.pem
+
+# Path to the root certificate key file
+# DEFAULT: $keyDestDir/ca-key.pem
+#CAKeyPath=$keyDestDir/ca-key.pem
+
+# Path to the file containing the password of the root certificate key
+# DEFAULT:
+#rootCAPwdPath=
+
+# List of certificate handled by ssl_mgmt. This list is used by the command
+# renew all to determine the certificates that need to be renewed.
+# DEFAULT:
+#managedCerts=
+
+# List of users to be notified when a certificate is created or renewed.
+# DEFAULT:
+#notifiedUsers=
+
+# Subject of the mail sent to the users specified in $notifiedUsers when a
+# certificate is created or renewed.
+# DEFAULT: 'New fingerprint for service $service'
+#notifySubject='New fingerprint for service $service'
+
+# Template of the body of the mail sent to the users specified in
+# $notifiedUsers when a certificate is created or renewed.
+# DEFAULT: 'Certificate for $service has changed.
+# The fingerprint of the new certificate is:
+#
+# $fingerprint'
+#notifyTemplate='Certificate for $service has changed.
+#The fingerprint of the new certificate is:
+#
+#$fingerprint'
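Review bot: The two commented examples for the working directory, `#workdir=../lib/ssl_mgmt` and `#workDir=/usr/lib/ssl_mgmt`, spell the key differently while every other key in the file is camelCase, so a user who uncomments the first line will presumably have it silently ignored unless the script accepts both spellings; keep one spelling, e.g. `#workDir=../lib/ssl_mgmt`. The second example also points at /usr/lib/ssl_mgmt while the README hunk above documents the hierarchy under /usr/local/lib/ssl_mgmt, and the two should agree. The `rootCAPwdPath` entry names a file holding the CA key password but says nothing about how that file must be protected; I would add `# This file must be readable only by the user running ssl_mgmt.` above it. The `managedCerts` comment does not say how the list is delimited or how the README's "setting its value from a file" form is written, so a user cannot fill it in from this file alone.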