diff --git a/.gitignore b/.gitignore
index ee918ba..0de2018 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,6 +1,4 @@
-all/
-server/
-client/
+certs
 
 # Logs
 logs
diff --git a/README.md b/README.md
index 83947ed..e7cede1 100644
--- a/README.md
+++ b/README.md
@@ -46,13 +46,20 @@ bash make-root-ca-and-certificates.sh 'local.ldsconnect.org'
 ```
 
 ```
-example
+certs/
+├── ca
+│   ├── my-root-ca.crt.pem
+│   ├── my-root-ca.key.pem
+│   └── my-root-ca.srl
+├── client
+│   ├── my-root-ca.crt.pem
+│   └── my-server.pub
 ├── server
-|   ├── my-private-root-ca.crt.pem
-|   ├── my-server.crt.pem
-|   └── my-server.key.pem
-└── client
-    └── my-private-root-ca.crt.pem
+│   ├── my-root-ca.crt.pem
+│   ├── my-server.crt.pem
+│   └── my-server.key.pem
+└── tmp
+ └── my-server.csr.pem
 ```
 
 ### Run the server
@@ -75,7 +82,7 @@ Test (warning free) with cURL
 
 ```bash
 curl -v https://local.ldsconnect.org \
- --cacert client/my-private-root-ca.crt.pem
+ --cacert client/my-root-ca.crt.pem
 ```
 
 Visit in a web browser
@@ -84,7 +91,7 @@ Visit in a web browser
 To get rid of the warnings, simply add the certificate in the `client` folder to your list of certificates by alt-clicking "Open With => Keychain Access"
-on `my-private-root-ca.crt.pem`
+on `my-root-ca.crt.pem`
 You do have to set `Always Trust` a few times [as explained](http://www.robpeck.com/2010/10/google-chrome-mac-os-x-and-self-signed-ssl-certificates/#.U8RqrI1dVd8) by Rob Peck.
diff --git a/make-root-ca-and-certificates.sh b/make-root-ca-and-certificates.sh
index 13d2a19..78100f8 100755
--- a/make-root-ca-and-certificates.sh
+++ b/make-root-ca-and-certificates.sh
@@ -2,11 +2,11 @@
 FQDN=$1
 # make directories to work from
-mkdir -p server/ client/ all/
+mkdir -p certs/{server,client,ca,tmp}
 
 # Create your very own Root Certificate Authority
 openssl genrsa \
- -out all/my-private-root-ca.key.pem \
+ -out certs/ca/my-root-ca.key.pem \
 2048
 
 # Self-sign your Root Certificate Authority
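Review bot: The new `mkdir -p certs/{server,client,ca,tmp}` creates the directories that will receive the CA and server private keys with whatever umask the caller happens to have, and nothing later in the script tightens permissions on `certs/ca/my-root-ca.key.pem` or `certs/server/my-server.key.pem`; putting `umask 077` on the line before the mkdir makes the directories and every file openssl writes into them owner-only, rather than relying on the local openssl build to restrict key files. The brace expansion on that line is a bashism, which is fine while the README runs the script with bash, but under a `#!/bin/sh` shebang (line 1 is outside the hunk) it would create a single literal directory named `certs/{server,client,ca,tmp}` and the later `-out` paths would fail. `FQDN=$1` in the same hunk also accepts a missing argument, which ends up as an empty CN in the leaf certificate further down; `FQDN=${1:?usage: $0 <fqdn>}` fails early with a message instead.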
@@ -15,34 +15,39 @@ openssl req \
 -x509 \
 -new \
 -nodes \
- -key all/my-private-root-ca.key.pem \
+ -key certs/ca/my-root-ca.key.pem \
 -days 1024 \
- -out all/my-private-root-ca.crt.pem \
+ -out certs/ca/my-root-ca.crt.pem \
 -subj "/C=US/ST=Utah/L=Provo/O=ACME Signing Authority Inc/CN=example.com"
 
 # Create a Device Certificate for each domain,
 # such as example.com, *.example.com, awesome.example.com
 # NOTE: You MUST match CN to the domain name or ip address you want to use
 openssl genrsa \
- -out all/my-server.key.pem \
+ -out certs/server/my-server.key.pem \
 2048
 
 # Create a request from your Device, which your Root CA will sign
 openssl req -new \
- -key all/my-server.key.pem \
- -out all/my-server.csr.pem \
+ -key certs/server/my-server.key.pem \
+ -out certs/tmp/my-server.csr.pem \
 -subj "/C=US/ST=Utah/L=Provo/O=ACME Tech Inc/CN=${FQDN}"
 
 # Sign the request from Device with your Root CA
+# -CAserial certs/ca/my-root-ca.srl
 openssl x509 \
- -req -in all/my-server.csr.pem \
- -CA all/my-private-root-ca.crt.pem \
- -CAkey all/my-private-root-ca.key.pem \
+ -req -in certs/tmp/my-server.csr.pem \
+ -CA certs/ca/my-root-ca.crt.pem \
+ -CAkey certs/ca/my-root-ca.key.pem \
 -CAcreateserial \
- -out all/my-server.crt.pem \
+ -out certs/server/my-server.crt.pem \
 -days 500
 
+# Create a public key, for funzies
+openssl rsa \
+ -in certs/server/my-server.key.pem \
+ -pubout -out certs/client/my-server.pub
+
 # Put things in their proper place
-rsync -a all/my-server.{key,crt}.pem server/
-rsync -a all/my-private-root-ca.crt.pem server/
-rsync -a all/my-private-root-ca.crt.pem client/
+rsync -a certs/ca/my-root-ca.crt.pem certs/server/
+rsync -a certs/ca/my-root-ca.crt.pem certs/client/
diff --git a/request-without-warnings.js b/request-without-warnings.js
index 8d177ac..c266886 100755
--- a/request-without-warnings.js
+++ b/request-without-warnings.js
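Review bot: The leaf certificate produced by the `openssl x509 -req` call still carries the hostname only in the CN, with no subjectAltName, so clients that match names per RFC 6125 (current browsers among them) will reject it for `${FQDN}` even once the root is trusted; the NOTE comment above the genrsa step promises that matching the CN is enough, which is no longer true for those clients. The tmp directory this hunk introduces is a natural place for the extension file: `printf 'subjectAltName=DNS:%s\n' "${FQDN}" > certs/tmp/my-server.ext` before the signing step, and `-extfile certs/tmp/my-server.ext \` added to the x509 arguments (the file name is a suggestion). The added `# -CAserial certs/ca/my-root-ca.srl` reads as a dangling command fragment; `# -CAcreateserial writes the serial to certs/ca/my-root-ca.srl beside the CA cert` says what it documents. The `openssl rsa -pubout` step commented "for funzies" reads the server private key and emits only its public half into the client directory, which is harmless, but nothing else in this commit reads `my-server.pub`, so a comment saying it is informational would save readers a search for a consumer.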
@@ -4,7 +4,7 @@
 var https = require('https')
 , fs = require('fs')
 , path = require('path')
- , ca = fs.readFileSync(path.join(__dirname, 'client', 'my-private-root-ca.crt.pem'))
+ , ca = fs.readFileSync(path.join(__dirname, 'certs', 'client', 'my-root-ca.crt.pem'))
 , port = process.argv[2] || 8043
 , hostname = process.argv[3] || 'local.ldsconnect.org'
 ;
diff --git a/serve.js b/serve.js
index 11784d8..c7f2a85 100755
--- a/serve.js
+++ b/serve.js
@@ -11,14 +11,14 @@ var https = require('https')
 require('ssl-root-cas')
 .inject()
- .addFile(path.join(__dirname, 'server', 'my-private-root-ca.crt.pem'))
+ .addFile(path.join(__dirname, 'certs', 'server', 'my-root-ca.crt.pem'))
 ;
 options = {
- key: fs.readFileSync(path.join(__dirname, 'server', 'my-server.key.pem'))
+ key: fs.readFileSync(path.join(__dirname, 'certs', 'server', 'my-server.key.pem'))
 // You don't need to specify `ca`, it's done by `ssl-root-cas`
-//, ca: [ fs.readFileSync(path.join(__dirname, 'server', 'my-private-root-ca.crt.pem'))]
-, cert: fs.readFileSync(path.join(__dirname, 'server', 'my-server.crt.pem'))
+//, ca: [ fs.readFileSync(path.join(__dirname, 'certs', 'server', 'my-root-ca.crt.pem'))]
+, cert: fs.readFileSync(path.join(__dirname, 'certs', 'server', 'my-server.crt.pem'))
 };
diff --git a/test.sh b/test.sh
index 7d5560d..5a881c4 100755
--- a/test.sh
+++ b/test.sh
@@ -17,14 +17,14 @@ sleep 1
 echo ""
 curl https://local.ldsconnect.org:8043 \
- --cacert client/my-private-root-ca.crt.pem
+ --cacert certs/client/my-root-ca.crt.pem
 echo -n " - without warnings, love cURL"
 echo ""
 sleep 1
 # For lots of output about the ssl connection try -v
 #curl -v https://local.ldsconnect.org:8043 \
-# --cacert client/my-private-root-ca.crt.pem
+# --cacert certs/client/my-root-ca.crt.pem
 kill ${NODE_PID}
 echo ""
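Review bot: In the serve.js hunk the comment kept above the re-pathed `//, ca:` line, `// You don't need to specify \`ca\`, it's done by \`ssl-root-cas\``, conflates two different trust stores: in server options the `ca` array is consulted only when the server verifies client certificates (with `requestCert`), while the `require('ssl-root-cas').inject().addFile(...)` chain a few lines up, as far as that package documents, extends the CA list the process uses for its own outbound HTTPS requests. Assuming `options` feeds `https.createServer` (the call is outside the hunk), what browsers and `request-without-warnings.js` verify is determined by `cert` and the root they trust locally, and the injected CA has no effect on that. A more accurate comment would be `// \`ca\` only matters for client-certificate verification; ssl-root-cas inject() above affects this process's outbound requests, not what clients see`. The request-without-warnings.js and test.sh hunks are path-only and need nothing further.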