
[ssl_mgmt] Update documentation

This commit is contained in:
Thomas Preud'homme 2014-05-05 22:44:35 +08:00
Parent 7510335e26
Commit dba3360a3b
2 changed files with 72 additions and 51 deletions


@ -12,59 +12,30 @@ If you want to renew certificates of all services, you should do:
ssl_mgmt renew all
Note: This suppose that
* all services are listed in /root/homemade_certs;
* directories have special rights so that newly created certificates
automatically get proper rights;
* all services are listed in managedCerts in the configuration file whether
directly or by setting its value from a file;
* the root CA is already created;
* openssl.cnf.in is copied in the CA hierarchy's root.
* /usr/local/lib/ssl_mgmt contains an openssl configuration file template
named openssl.cnf.in, a file serial containing a hex number indicating the
number of signed certificates so far, a file index.txt with a list (possibly
empty) of all certificates signed so far and the directories newcerts,
newkeys and csr.
The file system hierarchy assumed is:
lrwxrwxrwx 1 root root 14 6 janv. 2010 certs -> /etc/ssl/certs
drws--S---+ 2 root ssl-cert 4096 23 janv. 2011 csr
-rw------- 1 root ssl-cert 1937 20 févr. 16:38 index.txt
-rw------- 1 root ssl-cert 20 20 févr. 16:38 index.txt.attr
drwSr-Sr--+ 2 root ssl-cert 4096 20 févr. 16:38 newcerts
drwSr-S---+ 2 root ssl-cert 4096 20 févr. 16:38 newkeys
-rw-r--r-- 1 root ssl-cert 1546 20 févr. 14:24 openssl.cnf.in
lrwxrwxrwx 1 root root 16 6 janv. 2010 private -> /etc/ssl/private
-rw------- 1 root ssl-cert 3 20 févr. 16:38 serial
/usr/local/lib/ssl_mgmt
├── csr
├── index.txt
├── index.txt.attr
├── newcerts
├── newkeys
├── openssl.cnf.in
└── serial
About csr, newcerts and newkeys:
To use this script, you need to have accessed to all the file above as well as
the configuration file and the files mentionned in it and the certificate you
wish to renew. You also need to have the right to create a new certificate
with the same rights.
# file: usr/lib/ssl/CA/csr
# owner: root
# group: ssl-cert
# flags: ss-
user::rwx
group::---
other::---
default:user::rw-
default:group::r--
default:other::---
# file: usr/lib/ssl/CA/newcerts
# owner: root
# group: ssl-cert
# flags: ss-
user::rw-
group::r--
other::r--
default:user::rw-
default:group::r--
default:other::r--
# file: usr/lib/ssl/CA/newkeys
# owner: root
# group: ssl-cert
# flags: ss-
user::rw-
group::r--
other::---
default:user::rw-
default:group::r--
default:other::---
To use this script, you have to be root, or to be able to execute
commands with root privileges through sudo.
You should install it in a directory within the PATH of the root user,
such as /usr/local/sbin.
You should install it in a directory within the PATH of the root user, such
as /usr/local/sbin and its working directory in ../lib relative to where the
scripts lies, such as /usr/local/lib/sbin.
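Review bot: the working-directory paths in this hunk contradict each other: the `Note` list and the tree place the CA files under `/usr/local/lib/ssl_mgmt`, the getfacl output lists `usr/lib/ssl/CA/csr`, `usr/lib/ssl/CA/newcerts` and `usr/lib/ssl/CA/newkeys`, and the last paragraph says the working directory is `../lib` relative to the script "such as /usr/local/lib/sbin", which matches neither. Pick one hierarchy (for a script in `/usr/local/sbin`, `../lib/ssl_mgmt` resolves to `/usr/local/lib/ssl_mgmt`) and regenerate the `ls` and `getfacl` listings from it. The permissions shown also need a sentence of explanation: `newkeys` carries `default:group::r--`, so every private key created there is readable by the whole `ssl-cert` group, and the `S` in `drwSr-Sr--+` / `drwSr-S---+` means setuid and setgid are set while the owner and group execute bits are not, so nobody but root (which bypasses these checks) can traverse the directories and the setuid bit has no effect on a Linux directory anyway; either state that this is intended or fix the modes. Minor: "This suppose that" should read "This supposes that", "have accessed to" should be "have access to", "mentionned" should be "mentioned", and the two "You should install it ..." paragraphs overlap; the rendering has lost the +/- markers, so make sure only one of them survives in the new version.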

50
ssl_mgmt/ssl_mgmt.conf Normal file

@ -0,0 +1,50 @@
# Directory containing the files needed to generate new certificates.
# DEFAULT: ../lib/<script_name> relative to the directory containing the script
# itself.
#workdir=../lib/ssl_mgmt
#workDir=/usr/lib/ssl_mgmt
# Directory where to store new certificates
# DEFAULT: /etc/ssl/certs
#certDestDir=/etc/ssl/certs
# Directory where to store new keys (private part of certificates)
# DEFAULT: /etc/ssl/private
#keyDestDir=/etc/ssl/private
# Path to the root certificate file
# DEFAULT: $certDestDir/ca-cert.pem
#CACertPath=$certDestDir/ca-cert.pem
# Path to the root certificate key file
# DEFAULT: $keyDestDir/ca-key.pem
#CAKeyPath=$keyDestDir/ca-key.pem
# Path to the file containing the password of the root certificate key
# DEFAULT: <none>
#rootCAPwdPath=
# List of certificate handled by ssl_mgmt. This list is used by the command
# renew all to determine the certificates that need to be renewed.
# DEFAULT: <none>
#managedCerts=
# List of users to be notified when a certificate is created or renewed.
# DEFAULT: <none>
#notifiedUsers=
# Subject of the mail sent to the users specified in $notifiedUsers when a
# certificate is created or renewed.
# DEFAULT: 'New fingerprint for service $service'
#notifySubject='New fingerprint for service $service'
# Template of the body of the mail sent to the users specified in
# $notifiedUsers when a certificate is created or renewed.
# DEFAULT: 'Certificate for $service has changed.
# The fingerprint of the new certificate is:
#
# $fingerprint'
#notifyTemplate='Certificate for $service has changed.
#The fingerprint of the new certificate is:
#
#$fingerprint'
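Review bot: `workdir` and `workDir` at the top of this hunk name the same setting with different casing and different example values (`../lib/ssl_mgmt` vs `/usr/lib/ssl_mgmt`), so a user who uncomments the wrong spelling gets a key the script silently ignores; keep the one spelling the script actually reads and make its example agree with the stated default and with the README. `rootCAPwdPath` points at a file holding the CA key password but says nothing about how that file must be protected; add a line stating that it must be owned by root with mode 0600 and that the script should refuse a file with broader permissions. Since values such as `$certDestDir/ca-cert.pem` and `$keyDestDir/ca-key.pem` are shell expansions, this file is apparently sourced by the script, so the same ownership and write-protection requirement applies to ssl_mgmt.conf itself (a group- or world-writable config would be executed as root); document that here or in the README.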