Commit b09fce50 authored by Mitchell Monahan's avatar Mitchell Monahan
Browse files

CA docs

parent eeb598b8
Pipeline #113 passed with stages
in 1 minute and 12 seconds
# Certificate Authority
## Installing the 9net Root Certificate Authority
1. Download the 9net Root CA
- Can be done two ways - the Good Way™ or the Convenient Way™
- Good Way - **Needed to follow instructions for getting a signed certificate via ACME**
- Install Step-CLI
- [Documentation here](https://smallstep.com/cli/)
- Bootstrap CA cert locally
```sh
sudo -H step ca bootstrap --install \
--ca-url=https://ca.9net \
--fingerprint=17444b93edcf24609a95074b68b640cbb408884199e60424e3b39ddc03c23b1f
```
- Convenient Way - Note that this does not verify the root CA once downloaded.
- Install `curl` and `jq`
```sh
sudo apt install -y curl jq
```
- Fetch+Install Root CA
```sh
curl -k https://ca.9net/root/17444b93edcf24609a95074b68b640cbb408884199e60424e3b39ddc03c23b1f | \
jq -r .ca | \
sudo tee /usr/local/share/ca-certificates/9net.crt
```
2. Run `sudo update-ca-certificates`
## Requesting a certificate via ACME
Note: These instructions use the `step` CLI. Make sure you have the root CA installed as above. Also, to make renewals easier, I'd recommend having one certificate for all domains on a single machine (fairly easy with multiple `--san` parameteres)
1. Configure your webserver however you need to for webroot cert verification
2. Generate certificate/key (replace BASE_DOMAIN, YOUR_WEBROOT, and DOMAIN2-DOMAIN _n_ as needed)
```sh
sudo -H step ca certificate \
BASE_DOMAIN.9net \
/etc/ssl/certs/cert-9net.pem \
/etc/ssl/private/key-9net.pem \
--provisioner acme \
--webroot /var/www/YOUR_WEBROOT \
--san BASE_DOMAIN.9net \ # the only required --san parameter
--san DOMAIN2.9net \
--san DOMAIN3.9net \
--san DOMAIN4.9net # repeat as needed
```
3. Certificate renewal:
- Method A: Cron job - Put the following in a cron job
```sh
step ca renew /etc/ssl/certs/cert-9net.pem /etc/ssl/private/key-9net.pem \
--exec "systemctl reload nginx"
```
- Method B: Run `step` in daemon mode for automatic renewals under `systemd`
```ini
[Unit]
Description=Automatically renew SSL certificates for 9net
After=network.target
StartLimitIntervalSec=0
[Service]
Type=simple
Restart=always
RestartSec=1
ExecStart=/usr/bin/step ca renew --daemon --exec=systemctl\x20reload\x20nginx --ca-url=https://ca.9net /etc/ssl/certs/cert-9net.pem /etc/ssl/private/key-9net.pem
[Install]
WantedBy=multi-user.target
```
\ No newline at end of file
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment