Browse Source

move keys and certs to ./certs and update paths

master
AJ ONeal 8 years ago
parent
commit
d4db9c7d12
  1. 4
      .gitignore
  2. 23
      README.md
  3. 33
      make-root-ca-and-certificates.sh
  4. 2
      request-without-warnings.js
  5. 8
      serve.js
  6. 4
      test.sh

4
.gitignore

@ -1,6 +1,4 @@
all/
server/
client/
certs
# Logs
logs

23
README.md

@ -46,13 +46,20 @@ bash make-root-ca-and-certificates.sh 'local.ldsconnect.org'
```
```
example
certs/
├── ca
│   ├── my-root-ca.crt.pem
│   ├── my-root-ca.key.pem
│   └── my-root-ca.srl
├── client
│   ├── my-root-ca.crt.pem
│   └── my-server.pub
├── server
|   ├── my-private-root-ca.crt.pem
|   ├── my-server.crt.pem
|   └── my-server.key.pem
└── client
   └── my-private-root-ca.crt.pem
│   ├── my-root-ca.crt.pem
   ├── my-server.crt.pem
│   └── my-server.key.pem
└── tmp
└── my-server.csr.pem
```
### Run the server
@ -75,7 +82,7 @@ Test (warning free) with cURL
```bash
curl -v https://local.ldsconnect.org \
--cacert client/my-private-root-ca.crt.pem
--cacert client/my-root-ca.crt.pem
```
Visit in a web browser
@ -84,7 +91,7 @@ Visit in a web browser
To get rid of the warnings, simply add the certificate in the `client` folder
to your list of certificates by alt-clicking "Open With => Keychain Access"
on `my-private-root-ca.crt.pem`
on `my-root-ca.crt.pem`
You do have to set `Always Trust` a few times
[as explained](http://www.robpeck.com/2010/10/google-chrome-mac-os-x-and-self-signed-ssl-certificates/#.U8RqrI1dVd8) by Rob Peck.

33
make-root-ca-and-certificates.sh

@ -2,11 +2,11 @@
FQDN=$1
# make directories to work from
mkdir -p server/ client/ all/
mkdir -p certs/{server,client,ca,tmp}
# Create your very own Root Certificate Authority
openssl genrsa \
-out all/my-private-root-ca.key.pem \
-out certs/ca/my-root-ca.key.pem \
2048
# Self-sign your Root Certificate Authority
@ -15,34 +15,39 @@ openssl req \
-x509 \
-new \
-nodes \
-key all/my-private-root-ca.key.pem \
-key certs/ca/my-root-ca.key.pem \
-days 1024 \
-out all/my-private-root-ca.crt.pem \
-out certs/ca/my-root-ca.crt.pem \
-subj "/C=US/ST=Utah/L=Provo/O=ACME Signing Authority Inc/CN=example.com"
# Create a Device Certificate for each domain,
# such as example.com, *.example.com, awesome.example.com
# NOTE: You MUST match CN to the domain name or ip address you want to use
openssl genrsa \
-out all/my-server.key.pem \
-out certs/server/my-server.key.pem \
2048
# Create a request from your Device, which your Root CA will sign
openssl req -new \
-key all/my-server.key.pem \
-out all/my-server.csr.pem \
-key certs/server/my-server.key.pem \
-out certs/tmp/my-server.csr.pem \
-subj "/C=US/ST=Utah/L=Provo/O=ACME Tech Inc/CN=${FQDN}"
# Sign the request from Device with your Root CA
# -CAserial certs/ca/my-root-ca.srl
openssl x509 \
-req -in all/my-server.csr.pem \
-CA all/my-private-root-ca.crt.pem \
-CAkey all/my-private-root-ca.key.pem \
-req -in certs/tmp/my-server.csr.pem \
-CA certs/ca/my-root-ca.crt.pem \
-CAkey certs/ca/my-root-ca.key.pem \
-CAcreateserial \
-out all/my-server.crt.pem \
-out certs/server/my-server.crt.pem \
-days 500
# Create a public key, for funzies
openssl rsa \
-in certs/server/my-server.key.pem \
-pubout -out certs/client/my-server.pub
# Put things in their proper place
rsync -a all/my-server.{key,crt}.pem server/
rsync -a all/my-private-root-ca.crt.pem server/
rsync -a all/my-private-root-ca.crt.pem client/
rsync -a certs/ca/my-root-ca.crt.pem certs/server/
rsync -a certs/ca/my-root-ca.crt.pem certs/client/

2
request-without-warnings.js

@ -4,7 +4,7 @@
var https = require('https')
, fs = require('fs')
, path = require('path')
, ca = fs.readFileSync(path.join(__dirname, 'client', 'my-private-root-ca.crt.pem'))
, ca = fs.readFileSync(path.join(__dirname, 'certs', 'client', 'my-root-ca.crt.pem'))
, port = process.argv[2] || 8043
, hostname = process.argv[3] || 'local.ldsconnect.org'
;

8
serve.js

@ -11,14 +11,14 @@ var https = require('https')
require('ssl-root-cas')
.inject()
.addFile(path.join(__dirname, 'server', 'my-private-root-ca.crt.pem'))
.addFile(path.join(__dirname, 'certs', 'server', 'my-root-ca.crt.pem'))
;
options = {
key: fs.readFileSync(path.join(__dirname, 'server', 'my-server.key.pem'))
key: fs.readFileSync(path.join(__dirname, 'certs', 'server', 'my-server.key.pem'))
// You don't need to specify `ca`, it's done by `ssl-root-cas`
//, ca: [ fs.readFileSync(path.join(__dirname, 'server', 'my-private-root-ca.crt.pem'))]
, cert: fs.readFileSync(path.join(__dirname, 'server', 'my-server.crt.pem'))
//, ca: [ fs.readFileSync(path.join(__dirname, 'certs', 'server', 'my-root-ca.crt.pem'))]
, cert: fs.readFileSync(path.join(__dirname, 'certs', 'server', 'my-server.crt.pem'))
};

4
test.sh

@ -17,14 +17,14 @@ sleep 1
echo ""
curl https://local.ldsconnect.org:8043 \
--cacert client/my-private-root-ca.crt.pem
--cacert certs/client/my-root-ca.crt.pem
echo -n " - without warnings, love cURL"
echo ""
sleep 1
# For lots of output about the ssl connection try -v
#curl -v https://local.ldsconnect.org:8043 \
# --cacert client/my-private-root-ca.crt.pem
# --cacert certs/client/my-root-ca.crt.pem
kill ${NODE_PID}
echo ""

Loading…
Cancel
Save