move keys and certs to ./certs and update paths

2014-07-15 22:54:02 -06:00 · 2014-07-15 22:54:02 -06:00 · d4db9c7d12
parent d636691954
commit d4db9c7d12
6 changed files with 42 additions and 32 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,6 +1,4 @@
-all/
-server/
-client/
+certs

 # Logs
 logs
--- a/README.md
+++ b/README.md
@ -46,13 +46,20 @@ bash make-root-ca-and-certificates.sh 'local.ldsconnect.org'
 ```

 ```
-example
+certs/
+├── ca
+│   ├── my-root-ca.crt.pem
+│   ├── my-root-ca.key.pem
+│   └── my-root-ca.srl
+├── client
+│   ├── my-root-ca.crt.pem
+│   └── my-server.pub
 ├── server
-|   ├── my-private-root-ca.crt.pem
-|   ├── my-server.crt.pem
-|   └── my-server.key.pem
-└── client
-    └── my-private-root-ca.crt.pem
+│   ├── my-root-ca.crt.pem
+│   ├── my-server.crt.pem
+│   └── my-server.key.pem
+└── tmp
+    └── my-server.csr.pem
 ```

 ### Run the server
@ -75,7 +82,7 @@ Test (warning free) with cURL

 ```bash
 curl -v https://local.ldsconnect.org \
-  --cacert client/my-private-root-ca.crt.pem
+  --cacert client/my-root-ca.crt.pem
 ```

 Visit in a web browser
@ -84,7 +91,7 @@ Visit in a web browser

 To get rid of the warnings, simply add the certificate in the `client` folder
 to your list of certificates by alt-clicking "Open With => Keychain Access"
-on `my-private-root-ca.crt.pem`
+on `my-root-ca.crt.pem`

 You do have to set `Always Trust` a few times
 [as explained](http://www.robpeck.com/2010/10/google-chrome-mac-os-x-and-self-signed-ssl-certificates/#.U8RqrI1dVd8) by Rob Peck.
--- a/make-root-ca-and-certificates.sh
+++ b/make-root-ca-and-certificates.sh
@ -2,11 +2,11 @@
 FQDN=$1

 # make directories to work from
-mkdir -p server/ client/ all/
+mkdir -p certs/{server,client,ca,tmp}

 # Create your very own Root Certificate Authority
 openssl genrsa \
-  -out all/my-private-root-ca.key.pem \
+  -out certs/ca/my-root-ca.key.pem \
  2048

 # Self-sign your Root Certificate Authority
@ -15,34 +15,39 @@ openssl req \
  -x509 \
  -new \
  -nodes \
-  -key all/my-private-root-ca.key.pem \
+  -key certs/ca/my-root-ca.key.pem \
  -days 1024 \
-  -out all/my-private-root-ca.crt.pem \
+  -out certs/ca/my-root-ca.crt.pem \
  -subj "/C=US/ST=Utah/L=Provo/O=ACME Signing Authority Inc/CN=example.com"

 # Create a Device Certificate for each domain,
 # such as example.com, *.example.com, awesome.example.com
 # NOTE: You MUST match CN to the domain name or ip address you want to use
 openssl genrsa \
-  -out all/my-server.key.pem \
+  -out certs/server/my-server.key.pem \
  2048

 # Create a request from your Device, which your Root CA will sign
 openssl req -new \
-  -key all/my-server.key.pem \
-  -out all/my-server.csr.pem \
+  -key certs/server/my-server.key.pem \
+  -out certs/tmp/my-server.csr.pem \
  -subj "/C=US/ST=Utah/L=Provo/O=ACME Tech Inc/CN=${FQDN}"

 # Sign the request from Device with your Root CA
+# -CAserial certs/ca/my-root-ca.srl
 openssl x509 \
-  -req -in all/my-server.csr.pem \
-  -CA all/my-private-root-ca.crt.pem \
-  -CAkey all/my-private-root-ca.key.pem \
+  -req -in certs/tmp/my-server.csr.pem \
+  -CA certs/ca/my-root-ca.crt.pem \
+  -CAkey certs/ca/my-root-ca.key.pem \
  -CAcreateserial \
-  -out all/my-server.crt.pem \
+  -out certs/server/my-server.crt.pem \
  -days 500

+# Create a public key, for funzies
+openssl rsa \
+  -in certs/server/my-server.key.pem \
+  -pubout -out certs/client/my-server.pub
+
 # Put things in their proper place
-rsync -a all/my-server.{key,crt}.pem server/
-rsync -a all/my-private-root-ca.crt.pem server/
-rsync -a all/my-private-root-ca.crt.pem client/
+rsync -a certs/ca/my-root-ca.crt.pem certs/server/
+rsync -a certs/ca/my-root-ca.crt.pem certs/client/
--- a/request-without-warnings.js
+++ b/request-without-warnings.js
@ -4,7 +4,7 @@
 var https = require('https')
  , fs = require('fs')
  , path = require('path')
-  , ca = fs.readFileSync(path.join(__dirname, 'client', 'my-private-root-ca.crt.pem'))
+  , ca = fs.readFileSync(path.join(__dirname, 'certs', 'client', 'my-root-ca.crt.pem'))
  , port = process.argv[2] || 8043
  , hostname = process.argv[3] || 'local.ldsconnect.org'
  ;
--- a/serve.js
+++ b/serve.js
@ -11,14 +11,14 @@ var https = require('https')

 require('ssl-root-cas')
  .inject()
-  .addFile(path.join(__dirname, 'server', 'my-private-root-ca.crt.pem'))
+  .addFile(path.join(__dirname, 'certs', 'server', 'my-root-ca.crt.pem'))
  ;

 options = {
-  key: fs.readFileSync(path.join(__dirname, 'server', 'my-server.key.pem'))
+  key: fs.readFileSync(path.join(__dirname, 'certs', 'server', 'my-server.key.pem'))
 // You don't need to specify `ca`, it's done by `ssl-root-cas`
-//, ca: [ fs.readFileSync(path.join(__dirname, 'server', 'my-private-root-ca.crt.pem'))]
-, cert: fs.readFileSync(path.join(__dirname, 'server', 'my-server.crt.pem'))
+//, ca: [ fs.readFileSync(path.join(__dirname, 'certs', 'server', 'my-root-ca.crt.pem'))]
+, cert: fs.readFileSync(path.join(__dirname, 'certs', 'server', 'my-server.crt.pem'))
 };


--- a/test.sh
+++ b/test.sh
@ -17,14 +17,14 @@ sleep 1

 echo ""
 curl https://local.ldsconnect.org:8043 \
-  --cacert client/my-private-root-ca.crt.pem
+  --cacert certs/client/my-root-ca.crt.pem
 echo -n " - without warnings, love cURL"
 echo ""
 sleep 1

 # For lots of output about the ssl connection try -v
 #curl -v https://local.ldsconnect.org:8043 \
-#  --cacert client/my-private-root-ca.crt.pem
+#  --cacert certs/client/my-root-ca.crt.pem

 kill ${NODE_PID}
 echo ""