path: root/system/services/taskserver/certs/README.md
author: Soispha <soispha@vhack.eu> 2023-10-04 20:11:42 +0200
committer: Soispha <soispha@vhack.eu> 2023-10-16 17:20:00 +0200
commit: 1dd6f8d3b4d7dc93095e662aaca190d3fe1be264 (patch)
tree: a6b06ec7b3a400f22f41627f8497258fb6b8d6f1 /system/services/taskserver/certs/README.md
parent: fix(system/services/taskserver): declare certs/keys in pki.manual (diff)
feat(system/services/taskserver): Integrate Let's Encrypt certificates
The current setup now runs the `taskserver.vhack.eu` domain with a
Let's Encrypt certificate and additionally uses a self-signed CA
certificate to validate clients.

The shell scripts used to generate the CA certificate and the derived
client certificate (and keys) are taken nearly unmodified from the
upstream repository [1].

[1]: https://github.com/GothenburgBitFactory/taskserver/tree/9794cff61e56bdfb193c6aa4cebb57970ac68aef/pki
Diffstat
-rw-r--r-- system/services/taskserver/certs/README.md | 39 +
1 file changed, 39 insertions, 0 deletions
diff --git a/system/services/taskserver/certs/README.md b/system/services/taskserver/certs/README.md
new file mode 100644
index 0000000..846379c
--- /dev/null
+++ b/system/services/taskserver/certs/README.md
@@ -0,0 +1,39 @@
+> This is taken from: https://github.com/GothenburgBitFactory/taskserver/blob/9794cff61e56bdfb193c6aa4cebb57970ac68aef/pki/README
+
+PKI is a complex subject. These scripts and this description are not intended
+to be a complete and accurate example of PKI.
+
+Ideally you would purchase a server cert signed by a known CA, such as one of
+the following:
+
+- Symantec
+- Comodo
+- GoDaddy
+- GlobalSign
+- (Let's Encrypt)
+
+That cert would need the 'encryption_key' and 'signing_key' attributes.
+Using that server cert, you would then issue a server CRL and client keys.
+
+If you are developing, testing, or running your own private server, you may
+choose instead to generate the above yourself.  In this case you would generate
+a CA key and cert, then use that to generate a server key, cert, and CRL.  Then
+you would use the server key and cert to create a client key and cert.  But as
+there is no trusted CA in this example, just yourself, the resultant client key
+and cert will not be trusted by anyone, for good reasons.
+
+Note, you can inspect any cert with the command:
+
+    $ gnutls-certtool -i --infile $CERT
+
+There is a 'generate' script here that will perform the above steps.  Take a
+look at it to see the individual steps it takes to generate the proper set of
+keys and certs.
+
+Note that you need to modify the 'vars' file to provide your own identity and
+chosen parameters.
+
+Validate a certificate with:
+
+    $ gnutls-certtool --verify --infile client.cert.pem --load-ca-certificate ca.cert.pem
+
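Review bot: the paragraph "That cert would need the 'encryption_key' and 'signing_key' attributes. Using that server cert, you would then issue a server CRL and client keys." describes a chain that cannot be built from a publicly issued server certificate and that this commit does not build: an end-entity certificate from a CA such as Let's Encrypt carries no CA capability (basicConstraints CA is false and it has no keyCertSign or cRLSign key usage), so it can sign neither client certificates nor a CRL, and the commit message itself states that clients are validated against a separate self-signed CA. Since the file is committed as this deployment's README rather than as an upstream mirror, suggest replacing that paragraph with what is actually in place: the Let's Encrypt certificate serves `taskserver.vhack.eu`, while the CA, the client certificates and the CRL are produced by the `generate` script in this directory and the resulting files are the ones declared in `pki.manual` (see the parent commit). Two smaller points in the same hunk: the CA list still names Symantec, whose CA business was sold to DigiCert and whose roots were distrusted by browsers in 2018, so it should be dropped, and the sentence "you need to modify the 'vars' file to provide your own identity and chosen parameters" should state what was changed for this deployment, given that the commit message says the scripts were taken "nearly unmodified" from upstream.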