[ssl_mgmt] Update documentation
parent 7510335e26
commit dba3360a3b
@ -12,59 +12,30 @@ If you want to renew certificates of all services, you should do:
ssl_mgmt renew all

Note: This suppose that
* all services are listed in /root/homemade_certs;
* directories have special rights so that newly created certificates
automatically get proper rights;
* all services are listed in managedCerts in the configuration file whether
directly or by setting its value from a file;
* the root CA is already created;
* openssl.cnf.in is copied in the CA hierarchy's root.
* /usr/local/lib/ssl_mgmt contains an openssl configuration file template
named openssl.cnf.in, a file serial containing a hex number indicating the
number of signed certificates so far, a file index.txt with a list (possibly
empty) of all certificates signed so far and the directories newcerts,
newkeys and csr.

The file system hierarchy assumed is:
lrwxrwxrwx 1 root root 14 6 janv. 2010 certs -> /etc/ssl/certs
drws--S---+ 2 root ssl-cert 4096 23 janv. 2011 csr
-rw------- 1 root ssl-cert 1937 20 févr. 16:38 index.txt
-rw------- 1 root ssl-cert 20 20 févr. 16:38 index.txt.attr
drwSr-Sr--+ 2 root ssl-cert 4096 20 févr. 16:38 newcerts
drwSr-S---+ 2 root ssl-cert 4096 20 févr. 16:38 newkeys
-rw-r--r-- 1 root ssl-cert 1546 20 févr. 14:24 openssl.cnf.in
lrwxrwxrwx 1 root root 16 6 janv. 2010 private -> /etc/ssl/private
-rw------- 1 root ssl-cert 3 20 févr. 16:38 serial
/usr/local/lib/ssl_mgmt
├── csr
├── index.txt
├── index.txt.attr
├── newcerts
├── newkeys
├── openssl.cnf.in
└── serial

About csr, newcerts and newkeys:
To use this script, you need to have accessed to all the file above as well as
the configuration file and the files mentionned in it and the certificate you
wish to renew. You also need to have the right to create a new certificate
with the same rights.

# file: usr/lib/ssl/CA/csr
# owner: root
# group: ssl-cert
# flags: ss-
user::rwx
group::---
other::---
default:user::rw-
default:group::r--
default:other::---

# file: usr/lib/ssl/CA/newcerts
# owner: root
# group: ssl-cert
# flags: ss-
user::rw-
group::r--
other::r--
default:user::rw-
default:group::r--
default:other::r--

# file: usr/lib/ssl/CA/newkeys
# owner: root
# group: ssl-cert
# flags: ss-
user::rw-
group::r--
other::---
default:user::rw-
default:group::r--
default:other::---

To use this script, you have to be root, or to be able to execute
commands with root privileges through sudo.
You should install it in a directory within the PATH of the root user,
such as /usr/local/sbin.
You should install it in a directory within the PATH of the root user, such
as /usr/local/sbin and its working directory in ../lib relative to where the
scripts lies, such as /usr/local/lib/sbin.
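Review bot: the paths in this hunk contradict each other. The assumptions list and the tree put the working directory at /usr/local/lib/ssl_mgmt, the three getfacl listings that follow are for usr/lib/ssl/CA/csr, usr/lib/ssl/CA/newcerts and usr/lib/ssl/CA/newkeys, and the closing paragraph names the working directory as /usr/local/lib/sbin, which is not "../lib relative to where the script lies" when the script is in /usr/local/sbin (that gives /usr/local/lib, with the script's own subdirectory under it). Pick one location and use it in all three places; "such as /usr/local/lib/sbin" looks like a typo for /usr/local/lib/ssl_mgmt. Two points on the ACL section: the line "About csr, newcerts and newkeys:" is followed by the generic "To use this script, you need to have accessed..." paragraph instead of the ACL listings it introduces, so move the three getfacl blocks directly under it; and the newkeys ACL (group::r-- plus default:group::r--) means every member of ssl-cert can read every newly generated private key, which the text should state explicitly rather than summarise as "automatically get proper rights". Note also that "flags: ss-" is setuid+setgid on a directory: setgid is what makes new files inherit the ssl-cert group, setuid on a directory does nothing on Linux, and the listings for newcerts and newkeys (drwSr-Sr--+, drwSr-S---+) carry no x bit at all, so only root, which bypasses DAC, can actually traverse them; the group read bit on newkeys is therefore inert until someone adds x, which is a fragile way to guard private keys.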
@ -0,0 +1,50 @@
# Directory containing the files needed to generate new certificates.
# DEFAULT: ../lib/<script_name> relative to the directory containing the script
# itself.
#workdir=../lib/ssl_mgmt
#workDir=/usr/lib/ssl_mgmt

# Directory where to store new certificates
# DEFAULT: /etc/ssl/certs
#certDestDir=/etc/ssl/certs

# Directory where to store new keys (private part of certificates)
# DEFAULT: /etc/ssl/private
#keyDestDir=/etc/ssl/private

# Path to the root certificate file
# DEFAULT: $certDestDir/ca-cert.pem
#CACertPath=$certDestDir/ca-cert.pem

# Path to the root certificate key file
# DEFAULT: $keyDestDir/ca-key.pem
#CAKeyPath=$keyDestDir/ca-key.pem

# Path to the file containing the password of the root certificate key
# DEFAULT: <none>
#rootCAPwdPath=

# List of certificate handled by ssl_mgmt. This list is used by the command
# renew all to determine the certificates that need to be renewed.
# DEFAULT: <none>
#managedCerts=

# List of users to be notified when a certificate is created or renewed.
# DEFAULT: <none>
#notifiedUsers=

# Subject of the mail sent to the users specified in $notifiedUsers when a
# certificate is created or renewed.
# DEFAULT: 'New fingerprint for service $service'
#notifySubject='New fingerprint for service $service'

# Template of the body of the mail sent to the users specified in
# $notifiedUsers when a certificate is created or renewed.
# DEFAULT: 'Certificate for $service has changed.
# The fingerprint of the new certificate is:
#
# $fingerprint'
#notifyTemplate='Certificate for $service has changed.
#The fingerprint of the new certificate is:
#
#$fingerprint'
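Review bot: the working-directory key is spelled two ways in the first block, `#workdir=../lib/ssl_mgmt` and `#workDir=/usr/lib/ssl_mgmt`; the other keys (certDestDir, keyDestDir, CACertPath, CAKeyPath) are camelCase, so whichever spelling the script does not read will be silently ignored by anyone who uncomments it. Keep one name, and make the example path agree with the DEFAULT comment just above it (`../lib/<script_name>` relative to the script, which is /usr/local/lib/ssl_mgmt for a script installed in /usr/local/sbin, not /usr/lib/ssl_mgmt). The `rootCAPwdPath` entry documents a file holding the CA key passphrase but says nothing about its required ownership or mode; add a line that it must be root-owned and mode 0600, and that the configuration file itself must not be writable by anyone but root, since values such as `$certDestDir/ca-cert.pem` and the `$service` / `$fingerprint` placeholders in notifySubject and notifyTemplate are evidently expanded by the script when it runs as root. Minor: "List of certificate handled" should be "List of certificates handled", and the managedCerts and notifiedUsers comments should say which separator the lists use.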