What is it?
===========
MiniPKI is a set of small shell scripts to tame OpenSSL and hide its niggling
behaviour in order to create a state of the art certificate authority.
For each certificate, you will get:
* the private key
* the certificate
* the certificate chain up to the root CA
Hierarchy
=========
MiniPKI imposes the following hierarchy:
* Root CA:
C=Country, O=Organisation
* Sub CA:
C=Country, O=Organisation, OU=Organization Unit
* Sub-sub CA:
C=Country, O=Organisation, OU=Organization Unit, OU=Type
where Type is one of
* Server
* Client
* UserAuth
* UserMail
* Leaf cert:
C=Country, O=Organisation, OU=Organization Unit, OU=Type, CN=Subject
For leaf certificates, a subject alternative name is required as well (the
FQDN for Server/Client certificates, the mail address for UserAuth or
UserMail certificates).
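The hierarchy above doubles as a naming policy that a defender can audit: every subject issued by the PKI must sit at exactly one level, the second OU must be one of the four types, and a leaf must carry the kind of alternative name its type demands. The following Python is an added example and not part of MiniPKI; it builds the DN MiniPKI would impose from the script arguments and checks an OpenSSL-style subject string (plus SAN) against the rules stated in this README. The hostname and mailbox regexes are this example's own assumptions, not MiniPKI's.

```python
import re

# The four leaf types the MiniPKI hierarchy allows (taken from the README).
LEAF_TYPES = {"Server", "Client", "UserAuth", "UserMail"}

# Assumed syntax checks for the SAN: a dotted RFC 1123 hostname and a plain
# mailbox "local@host". These are this example's choices, not MiniPKI's.
_HOST = r"(?=.{1,253}$)(?!-)([A-Za-z0-9-]{1,63}(?<!-)\.)+[A-Za-z]{2,63}$"
_FQDN_RE = re.compile("^" + _HOST)
_MAIL_RE = re.compile(r"^[^@\s]+@" + _HOST)


def build_subject(country, org, unit=None, cert_type=None, cn=None):
    """Return the DN MiniPKI imposes for the given script arguments.

    root CA     -> C, O
    sub CA      -> C, O, OU=<realm>
    sub-sub CA  -> C, O, OU=<realm>, OU=<type>
    leaf        -> C, O, OU=<realm>, OU=<type>, CN=<subject>
    """
    rdns = [("C", country), ("O", org)]
    if unit is not None:
        rdns.append(("OU", unit))
    if cert_type is not None:
        if cert_type not in LEAF_TYPES:
            raise ValueError(f"unknown type {cert_type!r}")
        rdns.append(("OU", cert_type))
    if cn is not None:
        rdns.append(("CN", cn))
    return rdns


def format_dn(rdns):
    """Render (attr, value) pairs the way OpenSSL prints them: /C=FR/O=.../CN=..."""
    return "/" + "/".join(f"{k}={v}" for k, v in rdns)


def parse_dn(text):
    """Parse an OpenSSL-style '/C=FR/O=...' subject into (attr, value) pairs."""
    rdns = []
    for part in text.split("/"):
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed RDN {part!r}")
        key, value = part.split("=", 1)
        rdns.append((key, value))
    return rdns


def check_subject(dn_text, san=None):
    """Classify a subject against the MiniPKI hierarchy.

    Returns (level, None) where level is 'root', 'subca', 'subsubca' or
    'leaf', or (None, reason) describing the first policy violation found.
    """
    rdns = parse_dn(dn_text)
    keys = [k for k, _ in rdns]
    if keys[:2] != ["C", "O"]:
        return None, "subject must start with C= and O="
    if keys == ["C", "O"]:
        return "root", None
    if keys == ["C", "O", "OU"]:
        return "subca", None
    if keys[:4] != ["C", "O", "OU", "OU"]:
        return None, f"{dn_text!r} does not fit the hierarchy"
    cert_type = rdns[3][1]
    if cert_type not in LEAF_TYPES:
        return None, f"second OU {cert_type!r} is not one of {sorted(LEAF_TYPES)}"
    if keys == ["C", "O", "OU", "OU"]:
        return "subsubca", None
    if keys != ["C", "O", "OU", "OU", "CN"]:
        return None, f"{dn_text!r} does not fit the hierarchy"
    # Leaf certificate: the SAN is mandatory and its kind depends on the type.
    if not san:
        return None, "leaf certificates require a subject alternative name"
    if cert_type in ("Server", "Client") and not _FQDN_RE.match(san):
        return None, f"{cert_type} leaf needs an FQDN as SAN, got {san!r}"
    if cert_type in ("UserAuth", "UserMail") and not _MAIL_RE.match(san):
        return None, f"{cert_type} leaf needs a mail address as SAN, got {san!r}"
    return "leaf", None


if __name__ == "__main__":
    # Constructed sample: the "Home" web server from the README example.
    subj = format_dn(build_subject("FR", "MyDomain", "Web", "Server", "Home"))
    print(subj, check_subject(subj, san="home.mydomain.fr"))
```

Run over the subjects of the certificates a CA has actually issued (for example the output of `openssl x509 -noout -subject`), `check_subject` flags anything that slipped past the naming scheme, such as a Server certificate carrying a mail address or a leaf signed directly under a realm CA.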
Usage
=====
The usage is modeled after the hierarchy.
1. Create the root certificate (this will happen only once)
2. Create the sub CA for the realm, such as "web", "mail", ... (once for
each realm)
3. Create the sub-sub CA for the type, such as "server",
"client", ... (once for each type of certificate in a given realm)
4. Create your leaf certificates.
Example
=======
1. Create a root CA to rule 'em all, valid for 10 years:

     $ ./mk_root_CA.sh -f $((365*10)) FR MyDomain

2. Create certificates for your web servers

   + First the mandatory intermediate certificates (the "web" realm and the
     "server" category):

       $ ./mk_subCA.sh -f $((365*10)) FR MyDomain Web
       $ ./mk_subsubCA.sh -f $((365*5)) FR MyDomain Web Server

   + Then create your web server certificate:

       $ ./mk_leaf_cert.sh -f $((365*2)) FR MyDomain Web Server Home home.mydomain.fr

   + Need another one for your media player web server?

       $ ./mk_leaf_cert.sh -f $((365*2)) FR MyDomain Web Server MediaPlayer media.mydomain.fr

3. Create certificates for your mail infrastructure

   + First the mandatory intermediate certificates (the "mail" realm and the
     "server" and "usermail" categories):

       $ ./mk_subCA.sh -f $((365*10)) FR MyDomain Mail
       $ ./mk_subsubCA.sh -f $((365*5)) FR MyDomain Mail Server
       $ ./mk_subsubCA.sh -f $((365*5)) FR MyDomain Mail UserMail

   + Then create certificates for your two MX (under the same organisation as
     the intermediate CAs created above):

       $ ./mk_leaf_cert.sh -f $((365*2)) FR MyDomain Mail Server MX1 mx1.mydomain.fr
       $ ./mk_leaf_cert.sh -f $((365*2)) FR MyDomain Mail Server MX2 mx2.mydomain.fr

   + And now certificates for your users to sign/encrypt mails:

       $ ./mk_leaf_cert.sh -f $((365*2)) FR MyDomain Mail UserMail jeremie [email protected]
       $ ./mk_leaf_cert.sh -f $((365*2)) FR MyDomain Mail UserMail jeremie [email protected]