[ssl_mgmt] Update documentation
This commit is contained in:
parent
7510335e26
commit
dba3360a3b
|
@ -12,59 +12,30 @@ If you want to renew certificates of all services, you should do:
|
||||||
ssl_mgmt renew all
|
ssl_mgmt renew all
|
||||||
|
|
||||||
Note: This suppose that
|
Note: This suppose that
|
||||||
* all services are listed in /root/homemade_certs;
|
* all services are listed in managedCerts in the configuration file whether
|
||||||
* directories have special rights so that newly created certificates
|
directly or by setting its value from a file;
|
||||||
automatically get proper rights;
|
|
||||||
* the root CA is already created;
|
* the root CA is already created;
|
||||||
* openssl.cnf.in is copied in the CA hierarchy's root.
|
* /usr/local/lib/ssl_mgmt contains an openssl configuration file template
|
||||||
|
named openssl.cnf.in, a file serial containing a hex number indicating the
|
||||||
|
number of signed certificates so far, a file index.txt with a list (possibly
|
||||||
|
empty) of all certificates signed so far and the directories newcerts,
|
||||||
|
newkeys and csr.
|
||||||
|
|
||||||
The file system hierarchy assumed is:
|
The file system hierarchy assumed is:
|
||||||
lrwxrwxrwx 1 root root 14 6 janv. 2010 certs -> /etc/ssl/certs
|
/usr/local/lib/ssl_mgmt
|
||||||
drws--S---+ 2 root ssl-cert 4096 23 janv. 2011 csr
|
├── csr
|
||||||
-rw------- 1 root ssl-cert 1937 20 févr. 16:38 index.txt
|
├── index.txt
|
||||||
-rw------- 1 root ssl-cert 20 20 févr. 16:38 index.txt.attr
|
├── index.txt.attr
|
||||||
drwSr-Sr--+ 2 root ssl-cert 4096 20 févr. 16:38 newcerts
|
├── newcerts
|
||||||
drwSr-S---+ 2 root ssl-cert 4096 20 févr. 16:38 newkeys
|
├── newkeys
|
||||||
-rw-r--r-- 1 root ssl-cert 1546 20 févr. 14:24 openssl.cnf.in
|
├── openssl.cnf.in
|
||||||
lrwxrwxrwx 1 root root 16 6 janv. 2010 private -> /etc/ssl/private
|
└── serial
|
||||||
-rw------- 1 root ssl-cert 3 20 févr. 16:38 serial
|
|
||||||
|
|
||||||
About csr, newcerts and newkeys:
|
To use this script, you need to have accessed to all the file above as well as
|
||||||
|
the configuration file and the files mentionned in it and the certificate you
|
||||||
|
wish to renew. You also need to have the right to create a new certificate
|
||||||
|
with the same rights.
|
||||||
|
|
||||||
# file: usr/lib/ssl/CA/csr
|
You should install it in a directory within the PATH of the root user, such
|
||||||
# owner: root
|
as /usr/local/sbin and its working directory in ../lib relative to where the
|
||||||
# group: ssl-cert
|
scripts lies, such as /usr/local/lib/sbin.
|
||||||
# flags: ss-
|
|
||||||
user::rwx
|
|
||||||
group::---
|
|
||||||
other::---
|
|
||||||
default:user::rw-
|
|
||||||
default:group::r--
|
|
||||||
default:other::---
|
|
||||||
|
|
||||||
# file: usr/lib/ssl/CA/newcerts
|
|
||||||
# owner: root
|
|
||||||
# group: ssl-cert
|
|
||||||
# flags: ss-
|
|
||||||
user::rw-
|
|
||||||
group::r--
|
|
||||||
other::r--
|
|
||||||
default:user::rw-
|
|
||||||
default:group::r--
|
|
||||||
default:other::r--
|
|
||||||
|
|
||||||
# file: usr/lib/ssl/CA/newkeys
|
|
||||||
# owner: root
|
|
||||||
# group: ssl-cert
|
|
||||||
# flags: ss-
|
|
||||||
user::rw-
|
|
||||||
group::r--
|
|
||||||
other::---
|
|
||||||
default:user::rw-
|
|
||||||
default:group::r--
|
|
||||||
default:other::---
|
|
||||||
|
|
||||||
To use this script, you have to be root, or to be able to execute
|
|
||||||
commands with root privileges through sudo.
|
|
||||||
You should install it in a directory within the PATH of the root user,
|
|
||||||
such as /usr/local/sbin.
|
|
||||||
|
|
|
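Review bot: the rewritten "Note" paragraph drops the directory permission model that the removed text spelled out (csr, newcerts and newkeys owned by root:ssl-cert with the setgid bit, default ACLs giving the group read access, and newkeys with `other::---`) and replaces it only with "You also need to have the right to create a new certificate with the same rights", which never says what those rights are; since newkeys holds private keys, keep at least one sentence stating that newkeys, serial and index.txt must be owned by root:ssl-cert and not readable by others, or point to where the expected modes are documented. The `certs -> /etc/ssl/certs` and `private -> /etc/ssl/private` symlinks were also removed from the tree without the text saying where new certificates and keys are written; a pointer to `certDestDir` and `keyDestDir` in the configuration file would close that gap. In the last paragraph, `such as /usr/local/lib/sbin` contradicts both the `/usr/local/lib/ssl_mgmt` tree shown above and the "../lib relative to where the script lies" rule in the same sentence (`/usr/local/sbin/ssl_mgmt` gives `/usr/local/lib/ssl_mgmt`); it should read `/usr/local/lib/ssl_mgmt`. Minor wording: "This suppose that" should be "This supposes that", "have accessed to all the file above" should be "have access to all the files above", "mentionned" should be "mentioned", and "where the scripts lies" should be "where the script lies".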
@ -0,0 +1,50 @@
|
||||||
|
# Directory containing the files needed to generate new certificates.
|
||||||
|
# DEFAULT: ../lib/<script_name> relative to the directory containing the script
|
||||||
|
# itself.
|
||||||
|
#workdir=../lib/ssl_mgmt
|
||||||
|
#workDir=/usr/lib/ssl_mgmt
|
||||||
|
|
||||||
|
# Directory where to store new certificates
|
||||||
|
# DEFAULT: /etc/ssl/certs
|
||||||
|
#certDestDir=/etc/ssl/certs
|
||||||
|
|
||||||
|
# Directory where to store new keys (private part of certificates)
|
||||||
|
# DEFAULT: /etc/ssl/private
|
||||||
|
#keyDestDir=/etc/ssl/private
|
||||||
|
|
||||||
|
# Path to the root certificate file
|
||||||
|
# DEFAULT: $certDestDir/ca-cert.pem
|
||||||
|
#CACertPath=$certDestDir/ca-cert.pem
|
||||||
|
|
||||||
|
# Path to the root certificate key file
|
||||||
|
# DEFAULT: $keyDestDir/ca-key.pem
|
||||||
|
#CAKeyPath=$keyDestDir/ca-key.pem
|
||||||
|
|
||||||
|
# Path to the file containing the password of the root certificate key
|
||||||
|
# DEFAULT: <none>
|
||||||
|
#rootCAPwdPath=
|
||||||
|
|
||||||
|
# List of certificate handled by ssl_mgmt. This list is used by the command
|
||||||
|
# renew all to determine the certificates that need to be renewed.
|
||||||
|
# DEFAULT: <none>
|
||||||
|
#managedCerts=
|
||||||
|
|
||||||
|
# List of users to be notified when a certificate is created or renewed.
|
||||||
|
# DEFAULT: <none>
|
||||||
|
#notifiedUsers=
|
||||||
|
|
||||||
|
# Subject of the mail sent to the users specified in $notifiedUsers when a
|
||||||
|
# certificate is created or renewed.
|
||||||
|
# DEFAULT: 'New fingerprint for service $service'
|
||||||
|
#notifySubject='New fingerprint for service $service'
|
||||||
|
|
||||||
|
# Template of the body of the mail sent to the users specified in
|
||||||
|
# $notifiedUsers when a certificate is created or renewed.
|
||||||
|
# DEFAULT: 'Certificate for $service has changed.
|
||||||
|
# The fingerprint of the new certificate is:
|
||||||
|
#
|
||||||
|
# $fingerprint'
|
||||||
|
#notifyTemplate='Certificate for $service has changed.
|
||||||
|
#The fingerprint of the new certificate is:
|
||||||
|
#
|
||||||
|
#$fingerprint'
|
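Review bot: the two commented working-directory lines use different key names, `#workdir=../lib/ssl_mgmt` and `#workDir=/usr/lib/ssl_mgmt`, so whichever spelling the script actually reads, one of the two examples is dead if a user uncomments it; keep a single spelling, and make the absolute example `/usr/local/lib/ssl_mgmt` so it matches the README rather than `/usr/lib/ssl_mgmt`. `managedCerts` and `notifiedUsers` are described as lists but the file never says how entries are separated (spaces, commas, one per line) or what a `managedCerts` entry is (a service name or a certificate path); the README in this commit also says `managedCerts` can be set "from a file", yet no option here takes a file, so either document that form or drop the claim. `rootCAPwdPath` points at the cleartext password of the CA key, so its comment should state that the file must be owned by root and unreadable by anyone else, and the name would sit better beside `CACertPath` and `CAKeyPath` as `CAKeyPwdPath`. Finally, `notifySubject` and `notifyTemplate` carry `$service` and `$fingerprint` inside single quotes; say which variables are substituted and how (plain variable substitution versus shell evaluation of the string), since that determines what else in an edited body gets expanded.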