gitea-pages/admin-guide/operations/certificates.rst
2021-05-05 14:24:27 +02:00

Managing SSL certificates

We use QuoVadis certificates issued through SWITCH.

Requesting certificates

First create a certificate signing request (CSR) like this, replacing $FQDN with the host's fully qualified name and $ALIASES with any additional DNS names. $ALIASES is either empty or a comma-separated list that itself starts with a comma, e.g. ,DNS:alias1.example.org,DNS:alias2.example.org. It is expanded by the shell when the heredoc is written, whereas the backslash-escaped variables (\$FQDN, \$ORGNAME, \$ALTNAMES) are left for openssl's own config-file variable expansion:

cat >$FQDN.cnf <<EOF
FQDN = $FQDN
ORGNAME = Paul-Scherrer-Institut (PSI)

# subjectAltName entries: the ALTNAMES line lists the FQDN itself,
# followed by the DNS aliases substituted from the shell variable
# ALIASES (a comma-separated list of further 'DNS:' entries).
# Please note: all DNS names must resolve to the same IP address
# as the FQDN.
ALTNAMES = DNS:\$FQDN$ALIASES

# --- no modifications required below ---
[ req ]
default_bits = 2048
default_md = sha256
prompt = no
encrypt_key = no
distinguished_name = dn
req_extensions = req_ext

[ dn ]
C = CH
O = \$ORGNAME
CN = \$FQDN
OU = AIT

[ req_ext ]
subjectAltName = \$ALTNAMES

EOF

/usr/bin/openssl req -new -config $FQDN.cnf -keyout $FQDN.key -out $FQDN.csr

Finally, submit the CSR ($FQDN.csr). The private key ($FQDN.key) is written unencrypted because of encrypt_key = no; keep it on the host with restrictive permissions and never send it along with the request.

This procedure is described in more detail at the SWITCH website.

SWITCH will send an email including instructions on how to download the certificate.
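The following script is an added example and not part of the original page or of the SWITCH template. It wraps the configuration above in a function and checks the resulting CSR before it is submitted: that the CSR's self-signature verifies, that the key has at least the intended size, that the CSR actually belongs to the key file on disk, and that every expected DNS name appears in the subjectAltName. It assumes openssl is on the PATH; the host names are constructed placeholders and $ALIASES is passed as a comma-prefixed list as described above.

```shell
#!/bin/sh
# Added example, not part of the original page: wrap the CSR template
# above in a function and check the result before submitting it.
# Assumes openssl is on the PATH; host names used are constructed.
set -eu

# make_csr FQDN [ALIASES]
#   ALIASES is empty or a comma-prefixed list such as ",DNS:a.example.org".
#   Writes FQDN.cnf, FQDN.key (unencrypted, keep it on the host) and FQDN.csr.
make_csr() {
  fqdn=$1
  aliases=${2:-}
  # \$FQDN, \$ORGNAME and \$ALTNAMES are left for openssl's own config
  # variable expansion; $fqdn and $aliases are expanded by the shell now.
  cat >"$fqdn.cnf" <<EOF
FQDN = $fqdn
ORGNAME = Paul-Scherrer-Institut (PSI)
ALTNAMES = DNS:\$FQDN$aliases

[ req ]
default_bits = 2048
default_md = sha256
prompt = no
encrypt_key = no
distinguished_name = dn
req_extensions = req_ext

[ dn ]
C = CH
O = \$ORGNAME
CN = \$FQDN
OU = AIT

[ req_ext ]
subjectAltName = \$ALTNAMES
EOF
  openssl req -new -config "$fqdn.cnf" -keyout "$fqdn.key" -out "$fqdn.csr"
}

# csr_sans CSR: print the DNS names in the CSR's subjectAltName, one per line.
csr_sans() {
  openssl req -in "$1" -noout -text \
    | awk 'found { print; exit } /Subject Alternative Name/ { found = 1 }' \
    | tr ',' '\n' \
    | sed -n 's/^[[:space:]]*DNS:[[:space:]]*//p'
}

# csr_key_bits CSR: print the RSA key size recorded in the CSR.
csr_key_bits() {
  openssl req -in "$1" -noout -text \
    | sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p'
}

# csr_matches_key CSR KEY: succeed only if the CSR carries the public half
# of KEY (guards against submitting a request for a key you no longer have).
csr_matches_key() {
  [ "$(openssl req -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# check_csr CSR KEY EXPECTED_NAME...: run all checks, reporting the first failure.
check_csr() {
  csr=$1; key=$2; shift 2
  openssl req -in "$csr" -noout -verify >/dev/null 2>&1 \
    || { echo "self-signature check failed" >&2; return 1; }
  [ "$(csr_key_bits "$csr")" -ge 2048 ] \
    || { echo "key shorter than 2048 bits" >&2; return 1; }
  csr_matches_key "$csr" "$key" \
    || { echo "CSR does not match $key" >&2; return 1; }
  sans=$(csr_sans "$csr")
  for name in "$@"; do
    echo "$sans" | grep -qx "$name" \
      || { echo "missing SAN: $name" >&2; return 1; }
  done
}

# Demo run with constructed names:  sh check_csr.sh --demo
if [ "${1:-}" = "--demo" ]; then
  cd "$(mktemp -d)"
  make_csr www.example.org ",DNS:alias.example.org"
  check_csr www.example.org.csr www.example.org.key www.example.org alias.example.org \
    && echo "CSR OK"
fi
```

Run check_csr with every name the certificate must cover; a name that is missing here will also be missing from the issued certificate, and catching it before submission avoids a second request. Whether the aliases resolve to the same address as the FQDN, as the template requires, is not checked offline by this script.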

Renewing certificates

Using the same configuration file as above, generate a new private key and CSR, and submit the CSR as before.

Revoking certificates

When you receive the first mail from SWITCH (see Requesting certificates), you have to create an account in order to download the certificate. With this account, certificates can also be revoked at the QuoVadis website.