SystemSh0cker/gocsaf
1
0
Fork 0
mirror of https://github.com/gocsaf/csaf.git synced 2025-12-22 11:55:40 +01:00
Code Issues Releases Activity Actions

Improve tls client cert handling

Browse source 
* Improve nginx setup to transfer auth information to the fcgiwrap
 backend.
 * Add instructions for creating client certs for testing.
 * Add debug output to see if and which client cert has been used when
   calling the csaf_provider.go .
This commit is contained in:
Bernhard Reiter 2022-02-15 18:20:24 +01:00
parent a71f490999
commit 2905a30cc0
No known key found for this signature in database
GPG key ID: 2B7BA3BF9BC3A554
4 changed files with 98 additions and 16 deletions
Download patch file Download diff file Expand all files Collapse all files

58
docs/development-client-certs.md Normal file
View file

@ -0,0 +1,58 @@
# Create TLS client certificates (for testing)
For testing and development purposes we reuse
the bare bones certificate authority from the
[development-ca.md](development-ca.md).
(In production setups, it is very likely that two different CAs
would used for server and for client certificates.)
The following lines directly create the client certificate.
(As opposed to first creating a certificate signing request and
then signing it.)
```bash
# being in devca1/
certtool --generate-privkey --outfile testclient1-key.pem
echo '
organization = "CSAF Tools Development (internal)"
country = DE
cn = "TLS Test Client 1"
tls_www_client
signing_key
encryption_key
serial = 020
expiration_days = 50
' > gnutls-certtool.testclient1.template
certtool --generate-certificate --load-privkey testclient1-key.pem --outfile testclient1.crt --load-ca-certificate rootca-cert.pem --load-ca-privkey rootca-key.pem --template gnutls-certtool.testclient1.template
certtool --load-ca-certificate rootca-cert.pem --load-certificate testclient1.crt --load-privkey testclient1-key.pem --to-p12 --p12-name "Test Client 1" --null-password --outder --outfile testclient1.p12
```
and we do a second one with shorter expiration day:
```bash
certtool --generate-privkey --outfile testclient2-key.pem
echo '
organization = "CSAF Tools Development (internal)"
country = DE
cn = "TLS Test Client 2"
tls_www_client
signing_key
encryption_key
serial = 021
expiration_days = 1
' > gnutls-certtool.testclient2.template
certtool --generate-certificate --load-privkey testclient2-key.pem --outfile testclient2.crt --load-ca-certificate rootca-cert.pem --load-ca-privkey rootca-key.pem --template gnutls-certtool.testclient2.template
certtool --load-ca-certificate rootca-cert.pem --load-certificate testclient2.crt --load-privkey testclient2-key.pem --to-p12 --p12-name "Test Client 2" --null-password --outder --outfile testclient2.p12
```