From: Jakub Czajka Date: Fri, 5 May 2023 22:42:12 +0000 (+0200) Subject: [ca] Document instructions. X-Git-Url: https://git.ekhem.eu.org/?a=commitdiff_plain;h=78082920cf6068bc80dd2bdb74a9e9cef18f9dcc;p=server.git [ca] Document instructions. --- diff --git a/ca/README b/ca/README new file mode 100644 index 0000000..6b2e567 --- /dev/null +++ b/ca/README @@ -0,0 +1,53 @@ +ca +== + +A private certificate authority (CA) for signing own certificates. + +Install +------- + +``` +$ mkdir certs +$ mkdir --mode=700 private certs/private +``` + +Answer "." to each option except for `commonName`. Enter a password. `.pem` is an +instance of `.crt` [1]. + +``` +$ sudo --preserve-env openssl req -x509 -config ca.cnf -new -days 3650 -sha256 \ + -newkey rsa:4096 -keyout private/ca.key -out ca.pem +``` + +Certificate +----------- + +Answer "." to each option except for `commonName`. Leave challenge password +empty [2]. Subject alternative names can also be added [3]. + +``` +$ sudo --preserve-env openssl genrsa -out certs/private/.key 4096 +$ sudo --preserve-env openssl req -config ca.cnf -new \ + -key certs/private/.key -out certs/.csr +$ sudo --preserve-env openssl x509 -req -days 365 -sha256 -CA ca.pem \ + -CAkey private/ca.key -next_serial -in certs/.csr -out certs/.crt +``` + +Other output formats are also possible [4]. + +Import +------ + +Transform the certificate and the private key [5]. Upload the result to the +browser [6]. + +``` +$ openssl pkcs12 -export -inkey .key -in .crt -out .p12 +``` + +[1] https://stackoverflow.com/a/71024854 +[2] https://stackoverflow.com/a/41366949 +[3] https://gist.github.com/croxton/ebfb5f3ac143cd86542788f972434c96 +[4] https://gist.github.com/alexishida/607cca2e51ec356b1fe1909047ec70fd +[5] https://superuser.com/a/1628622 +[6] https://superuser.com/a/1577753
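Review bot: In the Certificate section, the `openssl x509 -req ... -CA ca.pem -CAkey private/ca.key -next_serial` step relies on `-next_serial` to pick a serial number, but that flag is an output option of `openssl x509` that prints a serial, not one that assigns the serial of the certificate being issued. Use `-CAcreateserial` on first use (or `-CAserial` with a tracked serial file) so each issued certificate gets a unique, recorded serial. The same command also does not carry request extensions into the certificate, so the sentence "Subject alternative names can also be added [3]" needs the matching signing flags documented here (`-extfile`/`-extensions`, or `-copy_extensions` on OpenSSL 3.0 and later). Otherwise a SAN placed in the CSR is silently dropped and clients that require one will reject the certificate. Separately, the Import example reads `.key` and `.crt` from the current directory while the Certificate section writes them under `certs/private/` and `certs/`. Spell out the paths so the private key is not copied out of the mode-700 directory just to run the export.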