bike/Yellow-Bike-Database-Mirror
1
0
Fork 0
mirror of https://github.com/fspc/Yellow-Bike-Database.git synced 2025-10-31 08:55:36 -04:00
Code Issues Projects Releases Wiki Activity

Updates self-signed certificates for more recent browsers.

Browse Source
This commit is contained in:
Jonathan Rosenbaum 2018-01-04 06:30:55 +00:00
parent b961002595
commit 38d66155c8
1 changed files with 70 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

78
examples/secure-terminals.txt
View File

@ -17,15 +17,77 @@ D. <Directory /var/www/html>
SSL (do not settle for anything less) SSL (do not settle for anything less)
Under Debian: - SELF-SIGNED
A. openssl req -new -x509 -nodes -out ssl-cert-snakeoil.pem -days 36500 -keyout ssl-cert-snakeoil.key (100 year certificate) Under Debian (updated for Chrome 58 or greater):
B. cp ssl-cert-snakeoil.key /etc/ssl/private/
cp ssl-cert-snakeoil.pem /etc/ssl/certs/
C. a2enmod ssl;
a2ensite default-ssl.conf; (standard on debian-based distributions .. add <Directory> stanza above)
a2dissite 000-default.conf;
An alternative would be to use letsencrypt. If you are using a reverse proxy, usually nginx-proxy, I.
openssl genrsa -out rootCA.key 2048
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 36500 -out rootCA.pem
create this file - v3.ext:
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = %%DOMAIN%%
Run this script in same directory as v3.ext file:
if [ -z "$1" ]
then
echo "Please supply a domain to create a certificate for";
echo "e.g. mysite.com"
exit;
fi
# Create a new private key if one doesnt exist, or use the existing one if it does
if [ -f device.key ]; then
KEY_OPT="-key"
else
KEY_OPT="-keyout"
fi
DOMAIN=$1
COMMON_NAME=${2:-*.$1}
SUBJECT="/C=CA/ST=None/L=NB/O=None/CN=$COMMON_NAME"
NUM_OF_DAYS=36500
openssl req -new -newkey rsa:2048 -sha256 -nodes $KEY_OPT device.key -subj "$SUBJECT" -out device.csr
cat v3.ext | sed s/%%DOMAIN%%/$COMMON_NAME/g > /tmp/__v3.ext
openssl x509 -req -in device.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out device.crt -days $NUM_OF_DAYS -sha256 -extfile /tmp/__v3.ext
# move output files to final filenames
mv device.csr $DOMAIN.csr
cp device.crt $DOMAIN.crt
# remove temp file
rm -f device.crt;
echo
echo "###########################################################################"
echo Done!
echo "###########################################################################"
echo "To use these files on your server, simply copy both $DOMAIN.csr and"
echo "device.key to your webserver, and use like so (if Apache, for example)"
echo
echo " SSLCertificateFile /path_to_your_files/$DOMAIN.crt"
echo " SSLCertificateKeyFile /path_to_your_files/device.key"
II. cp device.key /etc/ssl/private/ssl-cert-snakeoil.key
cp mysite.com.csr /etc/ssl/certs/ssl-cert-snakeoil.pem
III. a2enmod ssl;
a2ensite default-ssl.conf; (standard on debian-based distributions .. add <Directory> stanza above)
a2dissite 000-default.conf;
In the Chromium broswer: chrome://settings/certificates
Choose IMPORT in AUTHORITIES
Upload the public certificate you created, e.g. rootCA.key
check "Trust this certificate for identifying websites"
- LETSENCRYPT
A preferable alternative would be to use letsencrypt. If you are using a reverse proxy, usually nginx-proxy,
make certain that HTTP_X_FORWARDED_FOR is used for identifying the originating IP address, make certain that HTTP_X_FORWARDED_FOR is used for identifying the originating IP address,
because YBDB shops keep track of their unique ip. because YBDB shops keep track of their unique ip.