From 3711a93726468be67b1bcb32bbf3fdebe4770022 Mon Sep 17 00:00:00 2001 From: Giacomo Marciani Date: Thu, 30 May 2024 00:47:41 +0200 Subject: [PATCH] [Docs] Fix instructions to configure server certificates. --- server/README.md | 115 +++-------------------------------------------- 1 file changed, 7 insertions(+), 108 deletions(-) diff --git a/server/README.md b/server/README.md index e453fe0..474614f 100644 --- a/server/README.md +++ b/server/README.md 
@@ -16,114 +16,13 @@ curl --request GET --url https://localhost:8000 --insecure ``` ### Certificates -Create a Certificate Authority (CA) on KeyChain, following [this guide](https://support.apple.com/en-gb/guide/keychain-access/kyca2686/mac): -* Common Name: GMARCIANI Root CA -* Identity Type: Self-Signed Root CA -* User Certificate: SSL Server -* Email from: giacomo.marciani+gmarciani-root-ca@gmail.com -* Let me override defaults: true -* Serial Number: 1 -* Validity Period (days): 3650 -* Sign your invitation: true -* Common Name: GMARCIANI Root CA -* Organization Name: GMARCIANI CORP -* Organizational Unit: GMARCIANI Certification Authority -* Country: IT -* Key Size (CA): 4098 -* Algorithm (CA): RSA -* Key Size (Users): 4098 -* Algorithm (Users): RSA -* Key Usage Extension (CA): Signature, Certificate Signing -* Key Usage Extension (Users): Signature, Key Encipherment -* Extended Key Usage Extension (CA): Any -* Extended Key Usage Extension (Users): SSL Server Authentication -* Basic Constraints Extensions (CA): Use this certificate as certificate authority -* Basic Constraints Extensions (Users): none -* SAN (CA): true -* SAN (Users): true -* Keychain: login -* Trust certificates signed by this CA: true - -Create a Certificate Signing Request (CSR), following [this guide](https://support.apple.com/en-gb/guide/keychain-access/kyca2793/mac): -* User Email: firstname.lastname+yawa@gmail.com -* CA Email: firstname.lastname+gmarciani-root-ca@gmail.com -* Save to disk: true - -Create the server certificate, by KeyChain > Certificate Assistant > Create a Certificate For Someone Else > Select the above CA and CSR. 
- -* Let me override defaults: true -* Serial Number: 1 -* Validity Period (days): 3650 -* Common Name: YAWA -* Organization: YAWA Corp -* Organizational Unit: Security -* City: Cagliari -* State/Province: CA -* Country: IT -* Extension: All -* Capabilities: All -* Subject Alternative Names - * rfc822Name: giacomo.marciani+yawa@gmail.com - * dnsName: localhost - -Export the CA certificate and the server certificate as separated PEM files from Keychain: `GMARCIANI-Root-CA.pem` and `YAWA.pem`. -Export the server certificate and the private key as a single P12 keystore from Keychain `YAWA.p12`, -providing the password that will be in `server.key-store-password`. - -``` -# rbaServerCertReq.config -[req] -req_extensions = v3_req -distinguished_name = dn -prompt = no - -[dn] -CN = yawa.com -C = IT -L = Cagliari -O = YAWA CORP -OU = Security - -[v3_req] -subjectAltName = DNS:localhost -``` - - -``` -# v3.ext -subjectAltName = DNS:localhost -``` - -``` -openssl genrsa -out rootCAKey.pem 2048 -openssl req -x509 -sha256 -new -nodes -key rootCAKey.pem -days 3650 -out rootCACert.pem -openssl genrsa -out rbaServerKey.pem 2048 -openssl req -new -key rbaServerKey.pem -sha256 -out rbaServerCert.csr -config rbaServerCertReq.config -openssl x509 -req -sha256 -in rbaServerCert.csr -CA rootCACert.pem -CAkey rootCAKey.pem -CAcreateserial -out rbaServerCert.pem -days 3650 -extfile v3.ext -openssl pkcs12 -export -out rbaServer.p12 -inkey rbaServerKey.pem -in rbaServerCert.pem -name "YAWA" -``` - - -Inspect the certificates and keystore: -``` -ROOT_CA_PEM="server/src/main/resources/secrets/certificates/GMARCIANI-Root-CA.pem" -SERVER_CERT_PEM="server/src/main/resources/secrets/certificates/YAWA.pem" -SERVER_CERT_P12="server/src/main/resources/secrets/certificates/YAWA.p12" - -openssl x509 -in $ROOT_CA_PEM -text -openssl x509 -in $SERVER_CERT_PEM -text -openssl pkcs12 -in $SERVER_CERT_P12 -info -nodes -legacy -``` - -Verify the server certificate: -``` -openssl verify -verbose -CAfile 
$ROOT_CA_PEM $SERVER_CERT_PEM -``` - -Copy the CA certificate to the Ops module to make it trust the root CA. -``` -cp $ROOT_CA_PEM ops/resources/certificates/ -``` +Generate the certificates using the project [gmarciani-ca](https://github.com/gmarciani/gmarciani-ca). +1. Generate a private key for yawa.com +2. Generate a CSR for yawa.com +3. Request a server certificate for yawa.com to the intermediate CA +4. Generate a P12 archive +5. Put the P12 file in `server/src/main/resources/secrets/certificates/yawa.p12` +6. Put the CA chain of the intermediate CA in `ops/resources/certificates/gmarciani-ca-chain.cert.pem` Check the returned certificate from the server: ```
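Review bot: the six replacement steps drop two details the removed text carried and that a reader following the new list will need. First, the old CSR config set `subjectAltName = DNS:localhost`, which is what lets the `curl --request GET --url https://localhost:8000` check in the surrounding context validate the certificate; steps 2 and 3 only say "for yawa.com", so state that the CSR or the issued certificate must include `localhost` (and any other hostname the server is reached on) as a SAN. Second, the removed paragraph tied the P12 export password to `server.key-store-password`; step 4 "Generate a P12 archive" should keep that sentence, otherwise the link between the keystore password and the server configuration is lost. Consider also keeping a short "verify" step such as `openssl verify -verbose -CAfile ops/resources/certificates/gmarciani-ca-chain.cert.pem <server cert>` so the chain placed in step 6 can be checked before deployment. Minor grammar in step 3: "Request a server certificate for yawa.com from the intermediate CA".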