b1b0efb0b4dbdb9c7b2562cdc043c6497e23985a
services/Automatic-CA.md
... | ... | @@ -1,7 +1,7 @@ |
1 | 1 | DN42 ACME CA |
2 | 2 | ================== |
3 | 3 | |
4 | -Certificates can be automatically generated with the [ACME-CA](http://acme.dn42). More information can be found on [acme.dn42](http://acme.dn42/) |
|
4 | +Certificates can be automatically generated with the [ACME-CA](http://acme.dn42) using [acme.sh](https://github.com/acmesh-official/acme.sh) or [lego](https://github.com/go-acme/lego). More information can be found on [acme.dn42](http://acme.dn42/) |
|
5 | 5 | |
6 | 6 | DN42 Self-Serve CA |
7 | 7 | ================== |
... | ... | @@ -9,8 +9,7 @@ DN42 Self-Serve CA |
9 | 9 | This client is used for automating the process of requesting TLS certificates. (Available via: [dn42](https://ca.dn42/ca-client), [iana](https://ca.dn42.us/ca-client), [git]([email protected]:dn42/ca-client)) |
10 | 10 | |
11 | 11 | |
12 | -VALIDATION PROCESS |
|
13 | -================== |
|
12 | +## VALIDATION PROCESS |
|
14 | 13 | |
15 | 14 | The process validates ownership by verifying control of both a users MNT object in the registry and the authoritative DNS server. |
16 | 15 | The following steps take place in creating a signed certificate. |
... | ... | @@ -52,8 +51,7 @@ Server certificates are signed for 45 days. To renew follow the steps above star |
52 | 51 | 3. CA checks that owner in certificate matches. |
53 | 52 | 4. CA revokes certificate and updates revocation list. |
54 | 53 | |
55 | -INSTALL |
|
56 | -======= |
|
54 | +## INSTALL |
|
57 | 55 | |
58 | 56 | get the script here: |
59 | 57 | |
... | ... | @@ -62,10 +60,9 @@ curl https://ca.dn42/ca.dn42 > ca.dn42; chmod +x ca.dn42 |
62 | 60 | available via git: [email protected]:dn42/ca-client |
63 | 61 | |
64 | 62 | |
65 | -KNOWN ISSUES |
|
66 | -============ |
|
63 | +## KNOWN ISSUES |
|
67 | 64 | |
68 | -## openssl prior to 1.0.2 returns "SSL certificate problem: permitted subtree violation" |
|
65 | +### openssl prior to 1.0.2 returns "SSL certificate problem: permitted subtree violation" |
|
69 | 66 | |
70 | 67 | The way openssl validated name constraints prevented it from accepting dns names that started with a dot. |
71 | 68 | Because the name constraint is "DNS:.dn42" it fails to validate. |
... | ... | @@ -76,7 +73,7 @@ Because the name constraint is "DNS:.dn42" it fails to validate. |
76 | 73 | [libssl-1]: https://groups.google.com/forum/#!topic/mailing.openssl.dev/drG3U-S4iaE |
77 | 74 | |
78 | 75 | |
79 | -## X.509 nameConstraints on certificates not supported on OS X |
|
76 | +### X.509 nameConstraints on certificates not supported on OS X |
|
80 | 77 | |
81 | 78 | Browsers and clients that rely on Apple's [Secure Transport][osx-1] library does not support X.509's nameConstraints. |
82 | 79 | |
... | ... | @@ -87,8 +84,7 @@ Read more on this [stack exchange post][osx-2] |
87 | 84 | [osx-2]: http://security.stackexchange.com/a/97133 |
88 | 85 | |
89 | 86 | |
90 | -How to Run |
|
91 | -========== |
|
87 | +## How to Run |
|
92 | 88 | |
93 | 89 | ``` |
94 | 90 | Usage: # OWNER is your MNT handle. |
... | ... | @@ -106,8 +102,7 @@ Environtment Options: |
106 | 102 | DN42CA_PKCS12 = 1 # Generate pkcs12 file for certificate. |
107 | 103 | ``` |
108 | 104 | |
109 | -Example |
|
110 | -======= |
|
105 | +## Example |
|
111 | 106 | |
112 | 107 | Generate the user key |
113 | 108 | |
... | ... | @@ -124,7 +119,7 @@ writing new private key to 'XUU-MNT.key' |
124 | 119 | |MNT Key Pin| remarks: pin-sha256:HdqCid0sedWXX3Q0uG98rYjJyTNOzaT13WfWpr1GvIw= |
125 | 120 | ``` |
126 | 121 | |
127 | -## Sign the user key |
|
122 | +### Sign the user key |
|
128 | 123 | |
129 | 124 | ``` |
130 | 125 | $ ./ca.dn42 user-sign XUU-MNT [email protected] |
... | ... | @@ -141,7 +136,7 @@ Enter Export Password: |
141 | 136 | Verifying - Enter Export Password: |
142 | 137 | ``` |
143 | 138 | |
144 | -## Generate the server key |
|
139 | +### Generate the server key |
|
145 | 140 | |
146 | 141 | ``` |
147 | 142 | $ ./ca.dn42 tls-gen ca.dn42 XUU-MNT [email protected] DNS:ca.dn42 |
... | ... | @@ -165,7 +160,7 @@ $ dig +short TXT _dn42_tlsverify.ca.dn42. |
165 | 160 | "XUU-MNT:pin-sha256:Qu/X5GNqOo05TdL7oexkamE34OUuDE60T+f0xc60UPQ=" |
166 | 161 | ``` |
167 | 162 | |
168 | -## Sign the server key |
|
163 | +### Sign the server key |
|
169 | 164 | |
170 | 165 | ``` |
171 | 166 | $ ./ca.dn42 tls-sign ca.dn42 XUU-MNT |
... | ... | @@ -222,7 +217,7 @@ ExecStart=/etc/ssl/dn42/ca.dn42 tls-sign wiki.dn42 MIC92-MNT |
222 | 217 | ExecStart=/usr/bin/nginx -s reload |
223 | 218 | ``` |
224 | 219 | |
225 | -## Revoke a certificate. |
|
220 | +### Revoke a certificate. |
|
226 | 221 | |
227 | 222 | ``` |
228 | 223 | $ ./ca.dn42 revoke XUU-MNT XUU-MNT.crt |
... | ... | @@ -238,5 +233,5 @@ $ ./ca.dn42 revoke XUU-MNT XUU-MNT.crt |
238 | 233 | OK |
239 | 234 | ``` |
240 | 235 | |
241 | -## Certificate transparency |
|
236 | +### Certificate transparency |
|
242 | 237 | All issued certificates will be logged to [xuu's mattermost instance](https://teams.dn42/dn42/channels/tls-certificates). |