63 lines
1.6 KiB
ReStructuredText
63 lines
1.6 KiB
ReStructuredText
Managing SSL certificates
|
|
=========================
|
|
|
|
We use DigiCert certificates.
|
|
|
|
|
|
Requesting certificates
|
|
-----------------------
|
|
|
|
First create a certificate signing request (CSR) like this, replacing ``$FQDN``
|
|
and ``$ALIASES``::
|
|
|
|
cat >$FQDN.cnf <<EOF
|
|
FQDN = $FQDN
|
|
ORGNAME = Paul Scherrer Institut (PSI)
|
|
|
|
# subjectAltName entries: to add DNS aliases to the CSR, delete
|
|
# the '#' character in the ALTNAMES line, and change the subsequent
|
|
# 'DNS:' entries accordingly. Please note: all DNS names must
|
|
# resolve to the same IP address as the FQDN.
|
|
ALTNAMES = DNS:\$FQDN $ALIASES
|
|
|
|
# --- no modifications required below ---
|
|
[ req ]
|
|
default_bits = 2048
|
|
default_md = sha256
|
|
prompt = no
|
|
encrypt_key = no
|
|
distinguished_name = dn
|
|
req_extensions = req_ext
|
|
|
|
[ dn ]
|
|
C = CH
|
|
O = \$ORGNAME
|
|
CN = \$FQDN
|
|
OU = AWI
|
|
|
|
[ req_ext ]
|
|
subjectAltName = \$ALTNAMES
|
|
|
|
EOF
|
|
|
|
/usr/bin/openssl req -new -config $FQDN.cnf -keyout $FQDN.key -out $FQDN.csr
|
|
|
|
|
|
Finally, `submit the CSR <https://www.digicert.com/secure/requests/products?guest_key=11dqrl7540p3t4jm4qhnvsnzjkvk>`_. Please note
|
|
that the URL will work when accessed from PSI network (e.g. VPN).
|
|
|
|
DigiCert will send an email including instructions on how to download the
|
|
certificate.
|
|
|
|
|
|
Renewing certificates
|
|
---------------------
|
|
|
|
Using the same configuration file as above, generate a new private key and CSR,
|
|
and submit the CSR as before.
|
|
|
|
|
|
Revoke certificates
|
|
-------------------
|
|
If you would like to revoke a DigiCert certificate, please send an e-mail to pki@psi.ch
|