mirror of https://github.com/gocsaf/csaf.git synced 2025-12-22 05:40:11 +01:00

Add docs to run a development ca with gnutls

Bernhard Reiter 2022-02-14 13:04:10 +01:00
parent 122cfb4757
commit ed82234305
No known key found for this signature in database
GPG key ID: 2B7BA3BF9BC3A554
2 changed files with 71 additions and 2 deletions

docs/development-ca.md Normal file

@ -0,0 +1,67 @@
# Certificate Authority for development purposes
A bare bones development certificate authority (CA) can be set up
to create certs for serving TLS connections.
Install GnuTLS, E.g. with `apt install gnutls-bin` (3.7.1-5) on Debian Bullseye.
All the private keys will be created without password protection,
which is suitable for testing in development setups.
## create root CA
```bash
mkdir devca1
cd devca1
certtool --generate-privkey --outfile rootca-key.pem
echo '
organization = "CSAF Tools Development (internal)"
country = DE
cn = "Tester"
ca
cert_signing_key
crl_signing_key
serial = 001
expiration_days = 100
' >gnutls-certtool.rootca.template
certtool --generate-self-signed --load-privkey rootca-key.pem --outfile rootca-cert.pem --template gnutls-certtool.rootca.template
```
## create webserver cert
```bash
#being in devca1/
certtool --generate-privkey --outfile testserver-key.pem
echo '
organization = "CSAF Tools Development (internal)"
country = DE
cn = "Service Testing"
tls_www_server
signing_key
encryption_key
non_repudiation
dns_name = "*.local"
dns_name = "localhost"
serial = 010
expiration_days = 50
' > gnutls-certtool.testserver.template
certtool --generate-certificate --load-privkey testserver-key.pem --outfile testserver.crt --load-ca-certificate rootca-cert.pem --load-ca-privkey rootca-key.pem --template gnutls-certtool.testserver.template
cat testserver.crt rootca-cert.pem >bundle.crt
echo Full path config options for nginx:
echo " ssl_certificate \"$PWD/bundle.crt\";"
echo " ssl_certificate_key \"$PWD/testserver-key.pem\";"
```
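Review bot: the walkthrough never checks that the issued server certificate actually chains to the new root, so a template slip (a missing `ca` line in the root template, the wrong file passed to `--load-ca-certificate` or `--load-ca-privkey`) only shows up later as a browser error; after the `certtool --generate-certificate` line, add `certtool --verify --load-ca-certificate rootca-cert.pem --infile testserver.crt` and state that it must report the chain as verified before the bundle is built. Two smaller points: `non_repudiation` is not a usage a TLS server key needs (`tls_www_server`, `signing_key` and `encryption_key` already cover it), so consider dropping it, and the comment `#being in devca1/` wants a space after `#` and a capital, matching the prose that says these commands run inside `devca1`.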


@ -14,8 +14,10 @@ There are three ways to get a TLS certificate for your HTTPS server:
[Let's encrypt](https://letsencrypt.org/) without a fee.
See their instruction, e.g.
[certbot for nignx on Ubuntu](https://certbot.eff.org/instructions?ws=nginx&os=ubuntufocal).
3. Run your own little CA. Which has the major drawback that someone
will have to import the root certificate in the webbrowsers manually.
3. [Run your own little CA](development-ca.md).
Which has the major drawback that someone
will have to import the root certificate in the webbrowsers manually or
override warning on each connect.
Suitable for development purposes.
To decide between 1. and 2. you will need to weight the extra