From aaac70b0587facfac140a568b347b618c9bc790e Mon Sep 17 00:00:00 2001 From: Michael Klishin Date: Mon, 21 Mar 2022 21:34:50 +0400 Subject: [PATCH] Docs: update to generate passwordless keys by default but explain how to generate a password-protected private key if needed. Most QA environments do not need protected private keys --- README.md | 29 +++++++++++++----------- basic/README.md | 12 +++++----- separate_intermediates/README.md | 35 ++++++++++++++++++++--------- two_shared_intermediates/README.md | 36 +++++++++++++++++++++--------- 4 files changed, 71 insertions(+), 41 deletions(-) diff --git a/README.md b/README.md index 2bbc4f0..90333d0 100644 --- a/README.md +++ b/README.md @@ -46,8 +46,8 @@ providing the passphrase: ``` shell cd [path to tls-gen repository]/basic -# pass a password using the PASSWORD variable -make PASSWORD=bunnies +# pass a private key password using the PASSWORD variable if needed +make ## copy or move files to use hostname-neutral filenames, ## this step is optional @@ -67,8 +67,8 @@ It possible to use [ECC][ecc-intro] for leaf keys: ``` shell cd [path to tls-gen repository]/basic -# pass a password using the PASSWORD variable -make PASSWORD=bunnies USE_ECC=true ECC_CURVE="prime256v1" +# pass a private key password using the PASSWORD variable if needed +make USE_ECC=true ECC_CURVE="prime256v1" # results will be under the ./result directory ls -lha ./result ``` @@ -85,7 +85,8 @@ To generate a root CA, 2 shared intermediate CAs, client and server key/certific the [two_shared_intermediates](./two_shared_intermediates) directory: ``` shell -make PASSWORD=bunnies +# pass a private key password using the PASSWORD variable if needed +make # results will be under the ./result directory ls -lha ./result ``` 
@@ -93,7 +94,7 @@ ls -lha ./result It possible to use [ECC][ecc-intro] for intermediate and leaf keys: ``` shell -make PASSWORD=bunnies USE_ECC=true ECC_CURVE="prime256v1" +make USE_ECC=true ECC_CURVE="prime256v1" # results will be under the ./result directory ls -lha ./result ``` @@ -110,7 +111,8 @@ To generate a root CA, 2 intermediate CAs (one for server, one for client), clie the [separate_intermediates](./separate_intermediates) directory: ``` shell -make PASSWORD=bunnies +# pass a private key password using the PASSWORD variable if needed +make # results will be under the ./result directory ls -lha ./result ``` @@ -118,7 +120,7 @@ ls -lha ./result It possible to use [ECC][ecc-intro] for intermediate and leaf keys: ``` shell -make PASSWORD=bunnies USE_ECC=true ECC_CURVE="prime256v1" +make USE_ECC=true ECC_CURVE="prime256v1" # results will be under the ./result directory ls -lha ./result ``` @@ -134,7 +136,8 @@ openssl ecparam -list_curves To generate a new set of keys and certificates, use ``` shell -make regen PASSWORD=bunnies +# pass a private key password using the PASSWORD variable if needed +make regen ``` The `regen` target accepts the same variables as `gen` (default target) above. @@ -154,7 +157,7 @@ By default, certificate's CN ([Common Name](http://tldp.org/HOWTO/Apache-WebDAV- It is possible to override CN with a `make` variable: ``` shell -make PASSWORD=bunnies CN=secure.mydomain.local +make CN=secure.mydomain.local ``` ### Overriding Certificate Validity Period @@ -163,7 +166,7 @@ By default certificates will be valid for 3650 days (about 10 years). The period can be changed by overriding the `DAYS_OF_VALIDITY` variable ``` shell -make PASSWORD=bunnies DAYS_OF_VALIDITY=365 +make DAYS_OF_VALIDITY=365 ``` ### Generating Expired Certificates 
@@ -173,7 +176,7 @@ and peer verification failures. To do so, set the certificate validity in days to a negative value: ``` shell -make PASSWORD=bunnies DAYS_OF_VALIDITY=-7 +make DAYS_OF_VALIDITY=-7 ``` ### Overriding Number of Private Key Bits @@ -182,7 +185,7 @@ It is possible to override the number of private key bits with a `make` variable: ``` shell -make PASSWORD=bunnies NUMBER_OF_PRIVATE_KEY_BITS=4096 +make NUMBER_OF_PRIVATE_KEY_BITS=4096 ``` ### Certificate Information diff --git a/basic/README.md b/basic/README.md index 23ebe0e..46f0a1c 100644 --- a/basic/README.md +++ b/basic/README.md @@ -9,8 +9,8 @@ and two certificate/key pairs signed by it: ## Generating ```shell -# pass a password using the PASSWORD env variable -make PASSWORD=bunnies +# pass a private key password using the PASSWORD variable if needed +make # results will be under the ./result directory ls -lha ./result ``` @@ -23,7 +23,7 @@ It possible to use [ECC](https://blog.cloudflare.com/a-relatively-easy-to-unders ```shell cd [path to tls-gen repository]/basic # pass a password using the PASSWORD variable -make PASSWORD=bunnies USE_ECC=true ECC_CURVE="prime256v1" +make USE_ECC=true ECC_CURVE="prime256v1" # results will be under the ./result directory ls -lha ./result ``` @@ -39,7 +39,7 @@ openssl ecparam -list_curves If you want to generate additional server certificates using the same Root CA, use: ```shell -make CN=newname PASSWORD=bunnies gen-server +make CN=newname gen-server ``` ### Generate additional client certificate @@ -47,7 +47,7 @@ make CN=newname PASSWORD=bunnies gen-server If you want to generate additional client certificates using the same Root CA, use: ```shell -make CN=newname PASSWORD=bunnies gen-client +make CN=newname gen-client ``` ### Regeneration @@ -55,7 +55,7 @@ make CN=newname PASSWORD=bunnies gen-client To regenerate, use ```shell -make PASSWORD=bunnies regen +make regen ``` The `regen` target accepts the same variables as `gen` (default target) above. 
diff --git a/separate_intermediates/README.md b/separate_intermediates/README.md index bccbbba..b8b4d31 100644 --- a/separate_intermediates/README.md +++ b/separate_intermediates/README.md @@ -9,29 +9,38 @@ their respective intermediate CAs: ## Generating - # pass a password using the PASSWORD env variable - make PASSWORD=bunnies - # results will be under the ./result directory - ls -lha ./result +``` shell +# pass a password using the PASSWORD env variable +make +# results will be under the ./result directory +ls -lha ./result +``` Generated CA certificate as well as client and server certificate and private keys will be under the `result` directory. It possible to use [ECC](https://blog.cloudflare.com/a-relatively-easy-to-understand-primer-on-elliptic-curve-cryptography/) for intermediate and leaf keys: - make PASSWORD=bunnies USE_ECC=true ECC_CURVE="prime256v1" - # results will be under the ./result directory - ls -lha ./result +``` shell +# pass a private key password using the PASSWORD variable if needed +make USE_ECC=true ECC_CURVE="prime256v1" +# results will be under the ./result directory +ls -lha ./result +``` The list of available curves can be obtained with - openssl ecparam -list_curves +``` shell +openssl ecparam -list_curves +``` ### Regeneration To regenerate, use - make regen PASSWORD=bunnies +``` shell +make regen +``` The `regen` target accepts the same variables as `gen` (default target) above. @@ -39,12 +48,16 @@ The `regen` target accepts the same variables as `gen` (default target) above. You can verify the generated client and server certificates against the generated CA one with - make verify +``` shell +make verify +``` ## Certificate Information To display client and server certificate information, use - make info +``` shell +make info +``` This assumes the certificates were previously generated. diff --git a/two_shared_intermediates/README.md b/two_shared_intermediates/README.md index b11186f..87e1298 100644 
--- a/two_shared_intermediates/README.md +++ b/two_shared_intermediates/README.md @@ -9,29 +9,39 @@ the 2nd intermediate CA: ## Generating - # pass a password using the PASSWORD env variable - make PASSWORD=bunnies - # results will be under the ./result directory - ls -lha ./result +``` shell +# pass a password using the PASSWORD env variable +make +# results will be under the ./result directory +ls -lha ./result +``` Generated CA certificate as well as client and server certificate and private keys will be under the `result` directory. It possible to use [ECC][ecc-intro] for intermediate and leaf keys: - make PASSWORD=bunnies USE_ECC=true ECC_CURVE="prime256v1" - # results will be under the ./result directory - ls -lha ./result +``` +# pass a private key password using the PASSWORD variable if needed +make USE_ECC=true ECC_CURVE="prime256v1" +# results will be under the ./result directory +ls -lha ./result +``` The list of available curves can be obtained with - openssl ecparam -list_curves +``` shell +openssl ecparam -list_curves +``` ### Regeneration To regenerate, use - make regen PASSWORD=bunnies +``` shell +# pass a private key password using the PASSWORD variable if needed +make regen +``` The `regen` target accepts the same variables as `gen` (default target) above. @@ -39,12 +49,16 @@ The `regen` target accepts the same variables as `gen` (default target) above. You can verify the generated client and server certificates against the generated CA one with - make verify +``` shell +make verify +``` ## Certificate Information To display client and server certificate information, use - make info +``` shell +make info +``` This assumes the certificates were previously generated.
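Review bot: in the README.md hunk at `@@ -46,8 +46,8 @@` the changed example is the only place the top-level README showed the syntax for a protected key, and after this change no example on the page passes a passphrase at all; the commit message says the docs now "explain how to generate a password-protected private key if needed", but the hunks only leave the comment "# pass a private key password using the PASSWORD variable if needed". Keep one explicit invocation in this section, e.g. `make PASSWORD=<your passphrase>`, so readers who do want an encrypted key can see the exact form, and since the default now writes unencrypted private keys under `./result`, add a sentence that the directory must not be committed or shared.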
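Review bot: in the basic/README.md hunk at `@@ -23,7 +23,7 @@` the context line `# pass a password using the PASSWORD variable` is left as is while the command below it drops `PASSWORD=bunnies`, so the comment now implies a password is being passed when the command passes none. Every other hunk in this patch rewrites that comment to `# pass a private key password using the PASSWORD variable if needed`; this one should match.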
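Review bot: in the separate_intermediates/README.md hunk at `@@ -9,29 +9,38 @@` the new "Generating" block keeps the old wording `# pass a password using the PASSWORD env variable` above a bare `make`, while the ECC block added a few lines later uses `# pass a private key password using the PASSWORD variable if needed`. Use the "if needed" wording in both blocks; "env variable" is also misleading given that the rest of the docs pass `PASSWORD` as a `make` variable on the command line.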
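Review bot: in the two_shared_intermediates/README.md hunk at `@@ -9,29 +9,39 @@` the ECC example opens its fence with a bare ``` while every other block added in this patch uses ``` shell, so it will render without shell highlighting; and, as in the sibling file, the first block's comment `# pass a password using the PASSWORD env variable` should read `# pass a private key password using the PASSWORD variable if needed` now that the command is a bare `make`.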