summary refs log tree commit diff stats
path: root/system/services/taskserver/certs/README.md
blob: 8ff0e448db850c21856c4b63245cce24e0cb1fa9 (plain) (blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
> This is taken from: https://github.com/GothenburgBitFactory/taskserver/blob/9794cff61e56bdfb193c6aa4cebb57970ac68aef/pki/README

PKI is a complex subject. These scripts and this description are not intended
to be a complete and accurate example of PKI.

Ideally you would purchase a server cert signed by a known CA, such as one of
the following:

- Symantec
- Comodo
- GoDaddy
- GlobalSign
- (Let's Encrypt)

That cert would need the 'encryption_key' and 'signing_key' attributes.
Using that server cert, you would then issue a server CRL and client keys.

If you are developing, testing, or running your own private server, you may
choose instead to generate the above yourself.  In this case you would generate
a CA key and cert, then use that to generate a server key, cert, and CRL.  Then
you would use the server key and cert to create a client key and cert.  But as
there is no trusted CA in this example, just yourself, the resultant client key
and cert will not be trusted by anyone, for good reasons.

Note, you can inspect any cert with the command:

```
$ gnutls-certtool -i --infile $CERT
```

There is a 'generate' script here that will perform the above steps.  Take a
look at it to see the individual steps it takes to generate the proper set of
keys and certs.

Note that you need to modify the 'vars' file to provide your own identity and
chosen parameters.

Validate a certificate with:

```
$ gnutls-certtool --verify --infile client.cert.pem --load-ca-certificate ca.cert.pem
```