add hint about encrypted backups for SSL private keys

2022-12-22 16:36:29 +01:00
parent 68321d8469
commit a855d4c031
2 changed files with 64 additions and 62 deletions


@@ -0,0 +1,64 @@
# Managing SSL certificates
We use DigiCert certificates.
## Requesting certificates
First create a certificate signing request (CSR) like this, replacing `$FQDN`
and `$ALIASES`
```
cat >$FQDN.cnf <<EOF
FQDN = $FQDN
ORGNAME = Paul Scherrer Institut (PSI)
# subjectAltName entries: to add DNS aliases to the CSR, delete
# the '#' character in the ALTNAMES line, and change the subsequent
# 'DNS:' entries accordingly. Please note: all DNS names must
# resolve to the same IP address as the FQDN.
ALTNAMES = DNS:\$FQDN $ALIASES
# --- no modifications required below ---
[ req ]
default_bits = 2048
default_md = sha256
prompt = no
encrypt_key = no
distinguished_name = dn
req_extensions = req_ext
[ dn ]
C = CH
O = \$ORGNAME
CN = \$FQDN
OU = AWI
[ req_ext ]
subjectAltName = \$ALTNAMES
EOF
/usr/bin/openssl req -new -config $FQDN.cnf -keyout $FQDN.key -out $FQDN.csr
```
Finally, [submit the CSR](https://www.digicert.com/secure/requests/products?guest_key=11dqrl7540p3t4jm4qhnvsnzjkvk).
Please note that the URL will work when accessed from PSI network (e.g. VPN).
DigiCert will send an email including instructions on how to download the certificate.
Our teams practice is to always create a new private key and to back it up encrypted in Gitlab, either
- in Hiera as [EYAML](https://linux.psi.ch/admin-guide/puppet/hiera.html#secret-values)
- for central infrastructure hosts in their [bootstrap repository](https://git.psi.ch/linux-infra/bootstrap)
- for the rest in our [team secret store](https://git.psi.ch/linux-infra/core-linux-secrets)
## Renewing certificates
Using the same configuration file as above, generate a new private key and CSR,
and submit the CSR as before.
## Revoke certificates
If you would like to revoke a DigiCert certificate, please send an e-mail to pki@psi.ch
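Review bot: the `$ALIASES` placeholder on the `ALTNAMES = DNS:\$FQDN $ALIASES` line has no documented format; OpenSSL expects subjectAltName entries to be comma-separated, so the value must either be empty or begin with a comma (for example `, DNS:alias1.example, DNS:alias2.example`), and the sentence "replacing `$FQDN` and `$ALIASES`" should say so (it is also missing its closing period). The in-file comment that tells the reader to "delete the '#' character in the ALTNAMES line" is stale, because that line is not commented out; either drop the comment or restore the opt-in it describes. Because `encrypt_key = no` makes `openssl req` write `$FQDN.key` unencrypted, the new backup hint should also say what to do with the plaintext key left on disk once it has been stored encrypted in Gitlab (restrict permissions, remove it from the working directory). Minor: "Our teams practice" should read "Our team's practice", "either" does not fit a three-item list, the code fence should carry a language tag, and the Renewing section, which also generates a new private key, should point at the same backup rule.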


@@ -1,62 +0,0 @@
Managing SSL certificates
=========================
We use DigiCert certificates.
Requesting certificates
-----------------------
First create a certificate signing request (CSR) like this, replacing ``$FQDN``
and ``$ALIASES``::
cat >$FQDN.cnf <<EOF
FQDN = $FQDN
ORGNAME = Paul Scherrer Institut (PSI)
# subjectAltName entries: to add DNS aliases to the CSR, delete
# the '#' character in the ALTNAMES line, and change the subsequent
# 'DNS:' entries accordingly. Please note: all DNS names must
# resolve to the same IP address as the FQDN.
ALTNAMES = DNS:\$FQDN $ALIASES
# --- no modifications required below ---
[ req ]
default_bits = 2048
default_md = sha256
prompt = no
encrypt_key = no
distinguished_name = dn
req_extensions = req_ext
[ dn ]
C = CH
O = \$ORGNAME
CN = \$FQDN
OU = AWI
[ req_ext ]
subjectAltName = \$ALTNAMES
EOF
/usr/bin/openssl req -new -config $FQDN.cnf -keyout $FQDN.key -out $FQDN.csr
Finally, `submit the CSR <https://www.digicert.com/secure/requests/products?guest_key=11dqrl7540p3t4jm4qhnvsnzjkvk>`_. Please note
that the URL will work when accessed from PSI network (e.g. VPN).
DigiCert will send an email including instructions on how to download the
certificate.
Renewing certificates
---------------------
Using the same configuration file as above, generate a new private key and CSR,
and submit the CSR as before.
Revoke certificates
-------------------
If you would like to revoke a DigiCert certificate, please send an e-mail to pki@psi.ch
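Review bot: the reStructuredText page is deleted outright rather than renamed, so the commit summary reads "64 additions and 62 deletions" and `git log --follow` will not connect the new Markdown file to this history; consider splitting the rename from the content change. Also check that no Sphinx toctree or index still references the removed `.rst` path, since nothing in this hunk updates such a reference. Apart from the added backup hint, the removed content matches the new file line for line, so no instructions are lost.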