diff --git a/examples/secure-terminals.txt b/examples/secure-terminals.txt
index 5c27012..a24af67 100644
--- a/examples/secure-terminals.txt
+++ b/examples/secure-terminals.txt
@@ -17,15 +17,77 @@ D. SSL (do not settle for anything less) -Under Debian: -A. openssl req -new -x509 -nodes -out ssl-cert-snakeoil.pem -days 36500 -keyout ssl-cert-snakeoil.key (100 year certificate) -B. cp ssl-cert-snakeoil.key /etc/ssl/private/ - cp ssl-cert-snakeoil.pem /etc/ssl/certs/ -C. a2enmod ssl; - a2ensite default-ssl.conf; (standard on debian-based distributions .. add stanza above) - a2dissite 000-default.conf; +- SELF-SIGNED +Under Debian (updated for Chrome 58 or greater): + +I. +openssl genrsa -out rootCA.key 2048 +openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 36500 -out rootCA.pem + +create this file - v3.ext: +authorityKeyIdentifier=keyid,issuer +basicConstraints=CA:FALSE +keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment +subjectAltName = @alt_names + +[alt_names] +DNS.1 = %%DOMAIN%% + +Run this script in same directory as v3.ext file: +if [ -z "$1" ] +then + echo "Please supply a domain to create a certificate for"; + echo "e.g. mysite.com" + exit; +fi + +# Create a new private key if one doesnt exist, or use the existing one if it does +if [ -f device.key ]; then + KEY_OPT="-key" +else + KEY_OPT="-keyout" +fi + +DOMAIN=$1 +COMMON_NAME=${2:-*.$1} +SUBJECT="/C=CA/ST=None/L=NB/O=None/CN=$COMMON_NAME" +NUM_OF_DAYS=36500 +openssl req -new -newkey rsa:2048 -sha256 -nodes $KEY_OPT device.key -subj "$SUBJECT" -out device.csr +cat v3.ext | sed s/%%DOMAIN%%/$COMMON_NAME/g > /tmp/__v3.ext +openssl x509 -req -in device.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out device.crt -days $NUM_OF_DAYS -sha256 -extfile /tmp/__v3.ext + +# move output files to final filenames +mv device.csr $DOMAIN.csr +cp device.crt $DOMAIN.crt + +# remove temp file +rm -f device.crt; + +echo +echo "###########################################################################" +echo Done! 
+echo "###########################################################################" +echo "To use these files on your server, simply copy both $DOMAIN.csr and" +echo "device.key to your webserver, and use like so (if Apache, for example)" +echo +echo " SSLCertificateFile /path_to_your_files/$DOMAIN.crt" +echo " SSLCertificateKeyFile /path_to_your_files/device.key" + + +II. cp device.key /etc/ssl/private/ssl-cert-snakeoil.key + cp mysite.com.csr /etc/ssl/certs/ssl-cert-snakeoil.pem + +III. a2enmod ssl; + a2ensite default-ssl.conf; (standard on debian-based distributions .. add stanza above) + a2dissite 000-default.conf; + +In the Chromium broswer: chrome://settings/certificates + Choose IMPORT in AUTHORITIES + Upload the public certificate you created, e.g. rootCA.key + check "Trust this certificate for identifying websites" - An alternative would be to use letsencrypt. If you are using a reverse proxy, usually nginx-proxy, +- LETSENCRYPT + A preferable alternative would be to use letsencrypt. If you are using a reverse proxy, usually nginx-proxy, make certain that HTTP_X_FORWARDED_FOR is used for identifying the originating IP address, because YBDB shops keep track of their unique ip.
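Review bot: Step II installs the certificate *request* instead of the signed certificate: `cp mysite.com.csr /etc/ssl/certs/ssl-cert-snakeoil.pem` (and the script's own hint "simply copy both $DOMAIN.csr and") point at the .csr, while the script writes the signed cert to `$DOMAIN.crt`, so Apache's SSLCertificateFile would be handed a CSR; the line should read `cp mysite.com.crt /etc/ssl/certs/ssl-cert-snakeoil.pem` and the echo should name `$DOMAIN.crt`. The Chromium import step has the same artifact mix-up in the other direction: "e.g. rootCA.key" is the CA *private* key, and what gets imported under AUTHORITIES is the public certificate, so it should say `Upload the public certificate you created, e.g. rootCA.pem` — the CA key generated with `-nodes` in step I signs everything the browser will then trust and should never leave the signing machine unencrypted. Within the script, the expanded extension file is written to the fixed path `/tmp/__v3.ext` and `$COMMON_NAME` is interpolated unquoted into the sed expression; `ext=$(mktemp)` plus `sed "s/%%DOMAIN%%/$COMMON_NAME/g" v3.ext > "$ext"` closes the predictable-tmpfile and word-splitting issues. Also note that with `COMMON_NAME=*.$1` the only SAN emitted is `*.mysite.com`, which does not match the bare `mysite.com`, so a `DNS.2` for the apex is presumably wanted — worth confirming against how the host is addressed.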