-
Notifications
You must be signed in to change notification settings - Fork 3
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
[Docs] Fix instructions to configure server certificates.
- Loading branch information
Showing
1 changed file
with
7 additions
and
108 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -16,114 +16,13 @@ curl --request GET --url https://localhost:8000 --insecure | |
| ``` | ||
|
|
||
| ### Certificates | ||
| Create a Certificate Authority (CA) on KeyChain, following [this guide](https://support.apple.com/en-gb/guide/keychain-access/kyca2686/mac): | ||
| * Common Name: GMARCIANI Root CA | ||
| * Identity Type: Self-Signed Root CA | ||
| * User Certificate: SSL Server | ||
| * Email from: [email protected] | ||
| * Let me override defaults: true | ||
| * Serial Number: 1 | ||
| * Validity Period (days): 3650 | ||
| * Sign your invitation: true | ||
| * Common Name: GMARCIANI Root CA | ||
| * Organization Name: GMARCIANI CORP | ||
| * Organizational Unit: GMARCIANI Certification Authority | ||
| * Country: IT | ||
| * Key Size (CA): 4098 | ||
| * Algorithm (CA): RSA | ||
| * Key Size (Users): 4098 | ||
| * Algorithm (Users): RSA | ||
| * Key Usage Extension (CA): Signature, Certificate Signing | ||
| * Key Usage Extension (Users): Signature, Key Encipherment | ||
| * Extended Key Usage Extension (CA): Any | ||
| * Extended Key Usage Extension (Users): SSL Server Authentication | ||
| * Basic Constraints Extensions (CA): Use this certificate as certificate authority | ||
| * Basic Constraints Extensions (Users): none | ||
| * SAN (CA): true | ||
| * SAN (Users): true | ||
| * Keychain: login | ||
| * Trust certificates signed by this CA: true | ||
|
|
||
| Create a Certificate Signing Request (CSR), following [this guide](https://support.apple.com/en-gb/guide/keychain-access/kyca2793/mac): | ||
| * User Email: [email protected] | ||
| * CA Email: [email protected] | ||
| * Save to disk: true | ||
|
|
||
| Create the server certificate, by KeyChain > Certificate Assistant > Create a Certificate For Someone Else > Select the above CA and CSR. | ||
|
|
||
| * Let me override defaults: true | ||
| * Serial Number: 1 | ||
| * Validity Period (days): 3650 | ||
| * Common Name: YAWA | ||
| * Organization: YAWA Corp | ||
| * Organizational Unit: Security | ||
| * City: Cagliari | ||
| * State/Province: CA | ||
| * Country: IT | ||
| * Extension: All | ||
| * Capabilities: All | ||
| * Subject Alternative Names | ||
| * rfc822Name: [email protected] | ||
| * dnsName: localhost | ||
|
|
||
| Export the CA certificate and the server certificate as separated PEM files from Keychain: `GMARCIANI-Root-CA.pem` and `YAWA.pem`. | ||
| Export the server certificate and the private key as a single P12 keystore from Keychain `YAWA.p12`, | ||
| providing the password that will be in `server.key-store-password`. | ||
|
|
||
| ``` | ||
| # rbaServerCertReq.config | ||
| [req] | ||
| req_extensions = v3_req | ||
| distinguished_name = dn | ||
| prompt = no | ||
| [dn] | ||
| CN = yawa.com | ||
| C = IT | ||
| L = Cagliari | ||
| O = YAWA CORP | ||
| OU = Security | ||
| [v3_req] | ||
| subjectAltName = DNS:localhost | ||
| ``` | ||
|
|
||
|
|
||
| ``` | ||
| # v3.ext | ||
| subjectAltName = DNS:localhost | ||
| ``` | ||
|
|
||
| ``` | ||
| openssl genrsa -out rootCAKey.pem 2048 | ||
| openssl req -x509 -sha256 -new -nodes -key rootCAKey.pem -days 3650 -out rootCACert.pem | ||
| openssl genrsa -out rbaServerKey.pem 2048 | ||
| openssl req -new -key rbaServerKey.pem -sha256 -out rbaServerCert.csr -config rbaServerCertReq.config | ||
| openssl x509 -req -sha256 -in rbaServerCert.csr -CA rootCACert.pem -CAkey rootCAKey.pem -CAcreateserial -out rbaServerCert.pem -days 3650 -extfile v3.ext | ||
| openssl pkcs12 -export -out rbaServer.p12 -inkey rbaServerKey.pem -in rbaServerCert.pem -name "YAWA" | ||
| ``` | ||
|
|
||
|
|
||
| Inspect the certificates and keystore: | ||
| ``` | ||
| ROOT_CA_PEM="server/src/main/resources/secrets/certificates/GMARCIANI-Root-CA.pem" | ||
| SERVER_CERT_PEM="server/src/main/resources/secrets/certificates/YAWA.pem" | ||
| SERVER_CERT_P12="server/src/main/resources/secrets/certificates/YAWA.p12" | ||
| openssl x509 -in $ROOT_CA_PEM -text | ||
| openssl x509 -in $SERVER_CERT_PEM -text | ||
| openssl pkcs12 -in $SERVER_CERT_P12 -info -nodes -legacy | ||
| ``` | ||
|
|
||
| Verify the server certificate: | ||
| ``` | ||
| openssl verify -verbose -CAfile $ROOT_CA_PEM $SERVER_CERT_PEM | ||
| ``` | ||
|
|
||
| Copy the CA certificate to the Ops module to make it trust the root CA. | ||
| ``` | ||
| cp $ROOT_CA_PEM ops/resources/certificates/ | ||
| ``` | ||
| Generate the certificates using the project [gmarciani-ca](https://github.com/gmarciani/gmarciani-ca). | ||
| 1. Generate a private key for yawa.com | ||
| 2. Generate a CSR for yawa.com | ||
| 3. Request a server certificate for yawa.com to the intermediate CA | ||
| 4. Generate a P12 archive | ||
| 5. Put the P12 file in `server/src/main/resources/secrets/certificates/yawa.p12` | ||
| 6. Put the CA chain of the intermediate CA in `ops/resources/certificates/gmarciani-ca-chain.cert.pem` | ||
|
|
||
| Check the returned certificate from the server: | ||
| ``` | ||
|
|
||