forked from Controls/gitea-pages
add hint about encrypted backups for SSL private keys
This commit is contained in:
@@ -0,0 +1,64 @@
|
|||||||
|
# Managing SSL certificates
|
||||||
|
|
||||||
|
We use DigiCert certificates.
|
||||||
|
|
||||||
|
|
||||||
|
## Requesting certificates
|
||||||
|
|
||||||
|
First create a certificate signing request (CSR) like this, replacing `$FQDN`
|
||||||
|
and `$ALIASES`
|
||||||
|
|
||||||
|
```
|
||||||
|
cat >$FQDN.cnf <<EOF
|
||||||
|
FQDN = $FQDN
|
||||||
|
ORGNAME = Paul Scherrer Institut (PSI)
|
||||||
|
|
||||||
|
# subjectAltName entries: to add DNS aliases to the CSR, delete
|
||||||
|
# the '#' character in the ALTNAMES line, and change the subsequent
|
||||||
|
# 'DNS:' entries accordingly. Please note: all DNS names must
|
||||||
|
# resolve to the same IP address as the FQDN.
|
||||||
|
ALTNAMES = DNS:\$FQDN $ALIASES
|
||||||
|
|
||||||
|
# --- no modifications required below ---
|
||||||
|
[ req ]
|
||||||
|
default_bits = 2048
|
||||||
|
default_md = sha256
|
||||||
|
prompt = no
|
||||||
|
encrypt_key = no
|
||||||
|
distinguished_name = dn
|
||||||
|
req_extensions = req_ext
|
||||||
|
|
||||||
|
[ dn ]
|
||||||
|
C = CH
|
||||||
|
O = \$ORGNAME
|
||||||
|
CN = \$FQDN
|
||||||
|
OU = AWI
|
||||||
|
|
||||||
|
[ req_ext ]
|
||||||
|
subjectAltName = \$ALTNAMES
|
||||||
|
|
||||||
|
EOF
|
||||||
|
|
||||||
|
/usr/bin/openssl req -new -config $FQDN.cnf -keyout $FQDN.key -out $FQDN.csr
|
||||||
|
```
|
||||||
|
|
||||||
|
Finally, [submit the CSR](https://www.digicert.com/secure/requests/products?guest_key=11dqrl7540p3t4jm4qhnvsnzjkvk).
|
||||||
|
Please note that the URL will work when accessed from PSI network (e.g. VPN).
|
||||||
|
|
||||||
|
DigiCert will send an email including instructions on how to download the certificate.
|
||||||
|
|
||||||
|
Our teams practice is to always create a new private key and to back it up encrypted in Gitlab, either
|
||||||
|
- in Hiera as [EYAML](https://linux.psi.ch/admin-guide/puppet/hiera.html#secret-values)
|
||||||
|
- for central infrastructure hosts in their [bootstrap repository](https://git.psi.ch/linux-infra/bootstrap)
|
||||||
|
- for the rest in our [team secret store](https://git.psi.ch/linux-infra/core-linux-secrets)
|
||||||
|
|
||||||
|
|
||||||
|
## Renewing certificates
|
||||||
|
|
||||||
|
Using the same configuration file as above, generate a new private key and CSR,
|
||||||
|
and submit the CSR as before.
|
||||||
|
|
||||||
|
|
||||||
|
## Revoke certificates
|
||||||
|
|
||||||
|
If you would like to revoke a DigiCert certificate, please send an e-mail to pki@psi.ch
|
||||||
@@ -1,62 +0,0 @@
|
|||||||
Managing SSL certificates
|
|
||||||
=========================
|
|
||||||
|
|
||||||
We use DigiCert certificates.
|
|
||||||
|
|
||||||
|
|
||||||
Requesting certificates
|
|
||||||
-----------------------
|
|
||||||
|
|
||||||
First create a certificate signing request (CSR) like this, replacing ``$FQDN``
|
|
||||||
and ``$ALIASES``::
|
|
||||||
|
|
||||||
cat >$FQDN.cnf <<EOF
|
|
||||||
FQDN = $FQDN
|
|
||||||
ORGNAME = Paul Scherrer Institut (PSI)
|
|
||||||
|
|
||||||
# subjectAltName entries: to add DNS aliases to the CSR, delete
|
|
||||||
# the '#' character in the ALTNAMES line, and change the subsequent
|
|
||||||
# 'DNS:' entries accordingly. Please note: all DNS names must
|
|
||||||
# resolve to the same IP address as the FQDN.
|
|
||||||
ALTNAMES = DNS:\$FQDN $ALIASES
|
|
||||||
|
|
||||||
# --- no modifications required below ---
|
|
||||||
[ req ]
|
|
||||||
default_bits = 2048
|
|
||||||
default_md = sha256
|
|
||||||
prompt = no
|
|
||||||
encrypt_key = no
|
|
||||||
distinguished_name = dn
|
|
||||||
req_extensions = req_ext
|
|
||||||
|
|
||||||
[ dn ]
|
|
||||||
C = CH
|
|
||||||
O = \$ORGNAME
|
|
||||||
CN = \$FQDN
|
|
||||||
OU = AWI
|
|
||||||
|
|
||||||
[ req_ext ]
|
|
||||||
subjectAltName = \$ALTNAMES
|
|
||||||
|
|
||||||
EOF
|
|
||||||
|
|
||||||
/usr/bin/openssl req -new -config $FQDN.cnf -keyout $FQDN.key -out $FQDN.csr
|
|
||||||
|
|
||||||
|
|
||||||
Finally, `submit the CSR <https://www.digicert.com/secure/requests/products?guest_key=11dqrl7540p3t4jm4qhnvsnzjkvk>`_. Please note
|
|
||||||
that the URL will work when accessed from PSI network (e.g. VPN).
|
|
||||||
|
|
||||||
DigiCert will send an email including instructions on how to download the
|
|
||||||
certificate.
|
|
||||||
|
|
||||||
|
|
||||||
Renewing certificates
|
|
||||||
---------------------
|
|
||||||
|
|
||||||
Using the same configuration file as above, generate a new private key and CSR,
|
|
||||||
and submit the CSR as before.
|
|
||||||
|
|
||||||
|
|
||||||
Revoke certificates
|
|
||||||
-------------------
|
|
||||||
If you would like to revoke a DigiCert certificate, please send an e-mail to pki@psi.ch
|
|
||||||
Reference in New Issue
Block a user