b1b0efb0b4dbdb9c7b2562cdc043c6497e23985a
services/Automatic-CA.md
| ... | ... | @@ -1,7 +1,7 @@ |
| 1 | 1 | DN42 ACME CA |
| 2 | 2 | ================== |
| 3 | 3 | |
| 4 | -Certificates can be automatically generated with the [ACME-CA](http://acme.dn42). More information can be found on [acme.dn42](http://acme.dn42/) |
|
| 4 | +Certificates can be automatically generated with the [ACME-CA](http://acme.dn42) using [acme.sh](https://github.com/acmesh-official/acme.sh) or [lego](https://github.com/go-acme/lego). More information can be found on [acme.dn42](http://acme.dn42/) |
|
| 5 | 5 | |
| 6 | 6 | DN42 Self-Serve CA |
| 7 | 7 | ================== |
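Review bot: the rewritten line 4 names acme.sh and lego as clients but still does not say which ACME directory URL to point them at or which challenge types the DN42 ACME CA accepts, so a reader picking one of the two linked clients has nothing to configure from this page; either add the directory URL next to the client links or state plainly that acme.dn42 is where it is documented. Minor: the sentence is getting long with two nested links, splitting it at "More information" would read better.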
| ... | ... | @@ -9,8 +9,7 @@ DN42 Self-Serve CA |
| 9 | 9 | This client is used for automating the process of requesting TLS certificates. (Available via: [dn42](https://ca.dn42/ca-client), [iana](https://ca.dn42.us/ca-client), [git]([email protected]:dn42/ca-client)) |
| 10 | 10 | |
| 11 | 11 | |
| 12 | -VALIDATION PROCESS |
|
| 13 | -================== |
|
| 12 | +## VALIDATION PROCESS |
|
| 14 | 13 | |
| 15 | 14 | The process validates ownership by verifying control of both a users MNT object in the registry and the authoritative DNS server. |
| 16 | 15 | The following steps take place in creating a signed certificate. |
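Review bot: the unchanged context line directly below the new `## VALIDATION PROCESS` heading reads "a users MNT object", which should be "a user's MNT object"; since this section is being edited anyway, fix the possessive in the same commit. The heading conversion itself is consistent: leaving "DN42 Self-Serve CA" as the lone setext `===` title makes it the single H1 and the `##` sections nest under it.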
| ... | ... | @@ -52,8 +51,7 @@ Server certificates are signed for 45 days. To renew follow the steps above star |
| 52 | 51 | 3. CA checks that owner in certificate matches. |
| 53 | 52 | 4. CA revokes certificate and updates revocation list. |
| 54 | 53 | |
| 55 | -INSTALL |
|
| 56 | -======= |
|
| 54 | +## INSTALL |
|
| 57 | 55 | |
| 58 | 56 | get the script here: |
| 59 | 57 | |
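Review bot: `## INSTALL` keeps all-caps wording while the headings converted later in this same commit (`## How to Run`, `## Example`) are title case; every heading in the file is being rewritten here, so pick one convention now (e.g. `## Install`, `## Known Issues`, `## Validation Process`) rather than carrying the mix forward.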
| ... | ... | @@ -62,10 +60,9 @@ curl https://ca.dn42/ca.dn42 > ca.dn42; chmod +x ca.dn42 |
| 62 | 60 | available via git: [email protected]:dn42/ca-client |
| 63 | 61 | |
| 64 | 62 | |
| 65 | -KNOWN ISSUES |
|
| 66 | -============ |
|
| 63 | +## KNOWN ISSUES |
|
| 67 | 64 | |
| 68 | -## openssl prior to 1.0.2 returns "SSL certificate problem: permitted subtree violation" |
|
| 65 | +### openssl prior to 1.0.2 returns "SSL certificate problem: permitted subtree violation" |
|
| 69 | 66 | |
| 70 | 67 | The way openssl validated name constraints prevented it from accepting dns names that started with a dot. |
| 71 | 68 | Because the name constraint is "DNS:.dn42" it fails to validate. |
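Review bot: the hunk header context `curl https://ca.dn42/ca.dn42 > ca.dn42; chmod +x ca.dn42` installs the client from a plain download and marks it executable without any integrity check; since the INSTALL section is being reorganised, document how to verify the script first (compare it against the git checkout that the very next context line already offers, or publish a checksum next to the download), so that the file used to request a user's MNT-bound certificate is not run on trust alone. Demoting "openssl prior to 1.0.2 ..." to `###` is the right nesting under `## KNOWN ISSUES`.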
| ... | ... | @@ -76,7 +73,7 @@ Because the name constraint is "DNS:.dn42" it fails to validate. |
| 76 | 73 | [libssl-1]: https://groups.google.com/forum/#!topic/mailing.openssl.dev/drG3U-S4iaE |
| 77 | 74 | |
| 78 | 75 | |
| 79 | -## X.509 nameConstraints on certificates not supported on OS X |
|
| 76 | +### X.509 nameConstraints on certificates not supported on OS X |
|
| 80 | 77 | |
| 81 | 78 | Browsers and clients that rely on Apple's [Secure Transport][osx-1] library does not support X.509's nameConstraints. |
| 82 | 79 | |
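Review bot: the context line under the new `### X.509 nameConstraints on certificates not supported on OS X` heading has a subject-verb mismatch: "Browsers and clients that rely on Apple's Secure Transport library does not support" should read "do not support". Since the heading states the limitation in the present tense, it would also help to record which OS X version the observation was made on so readers can tell whether it still applies.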
| ... | ... | @@ -87,8 +84,7 @@ Read more on this [stack exchange post][osx-2] |
| 87 | 84 | [osx-2]: http://security.stackexchange.com/a/97133 |
| 88 | 85 | |
| 89 | 86 | |
| 90 | -How to Run |
|
| 91 | -========== |
|
| 87 | +## How to Run |
|
| 92 | 88 | |
| 93 | 89 | ``` |
| 94 | 90 | Usage: # OWNER is your MNT handle. |
| ... | ... | @@ -106,8 +102,7 @@ Environtment Options: |
| 106 | 102 | DN42CA_PKCS12 = 1 # Generate pkcs12 file for certificate. |
| 107 | 103 | ``` |
| 108 | 104 | |
| 109 | -Example |
|
| 110 | -======= |
|
| 105 | +## Example |
|
| 111 | 106 | |
| 112 | 107 | Generate the user key |
| 113 | 108 | |
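Review bot: the hunk header context shows `Environtment Options:` in the usage block just above the new `## Example` heading; "Environment" is misspelled there, and because that block appears to be copied from the script's own usage output, the typo likely needs fixing in the script that prints it as well as in this document.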
| ... | ... | @@ -124,7 +119,7 @@ writing new private key to 'XUU-MNT.key' |
| 124 | 119 | |MNT Key Pin| remarks: pin-sha256:HdqCid0sedWXX3Q0uG98rYjJyTNOzaT13WfWpr1GvIw= |
| 125 | 120 | ``` |
| 126 | 121 | |
| 127 | -## Sign the user key |
|
| 122 | +### Sign the user key |
|
| 128 | 123 | |
| 129 | 124 | ``` |
| 130 | 125 | $ ./ca.dn42 user-sign XUU-MNT [email protected] |
| ... | ... | @@ -141,7 +136,7 @@ Enter Export Password: |
| 141 | 136 | Verifying - Enter Export Password: |
| 142 | 137 | ``` |
| 143 | 138 | |
| 144 | -## Generate the server key |
|
| 139 | +### Generate the server key |
|
| 145 | 140 | |
| 146 | 141 | ``` |
| 147 | 142 | $ ./ca.dn42 tls-gen ca.dn42 XUU-MNT [email protected] DNS:ca.dn42 |
| ... | ... | @@ -165,7 +160,7 @@ $ dig +short TXT _dn42_tlsverify.ca.dn42. |
| 165 | 160 | "XUU-MNT:pin-sha256:Qu/X5GNqOo05TdL7oexkamE34OUuDE60T+f0xc60UPQ=" |
| 166 | 161 | ``` |
| 167 | 162 | |
| 168 | -## Sign the server key |
|
| 163 | +### Sign the server key |
|
| 169 | 164 | |
| 170 | 165 | ``` |
| 171 | 166 | $ ./ca.dn42 tls-sign ca.dn42 XUU-MNT |
| ... | ... | @@ -222,7 +217,7 @@ ExecStart=/etc/ssl/dn42/ca.dn42 tls-sign wiki.dn42 MIC92-MNT |
| 222 | 217 | ExecStart=/usr/bin/nginx -s reload |
| 223 | 218 | ``` |
| 224 | 219 | |
| 225 | -## Revoke a certificate. |
|
| 220 | +### Revoke a certificate. |
|
| 226 | 221 | |
| 227 | 222 | ``` |
| 228 | 223 | $ ./ca.dn42 revoke XUU-MNT XUU-MNT.crt |
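Review bot: `### Revoke a certificate.` keeps a trailing full stop that no other heading in this file has; drop it for consistency. Separately, the hunk header context shows the renewal unit ending in two commands, `ExecStart=/etc/ssl/dn42/ca.dn42 tls-sign wiki.dn42 MIC92-MNT` followed by `ExecStart=/usr/bin/nginx -s reload`; systemd only accepts multiple `ExecStart=` lines with `Type=oneshot`, and in that mode a failed `tls-sign` stops the unit before the reload runs, which is the behaviour wanted here, so the example should state `Type=oneshot` explicitly if the omitted part of the unit does not already.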
| ... | ... | @@ -238,5 +233,5 @@ $ ./ca.dn42 revoke XUU-MNT XUU-MNT.crt |
| 238 | 233 | OK |
| 239 | 234 | ``` |
| 240 | 235 | |
| 241 | -## Certificate transparency |
|
| 236 | +### Certificate transparency |
|
| 242 | 237 | All issued certificates will be logged to [xuu's mattermost instance](https://teams.dn42/dn42/channels/tls-certificates). |
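Review bot: `### Certificate transparency` now sits as a subsection of `## Example`, but its single body line describes a logging policy (every issued certificate is posted to a mattermost channel), not an example step; it belongs as its own `##` section. The name also invites confusion with RFC 6962 Certificate Transparency: a short clause saying this is a chat-channel record rather than a signed, auditable CT log would set the right expectations for anyone relying on it to detect unexpected issuance.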