From d735b1eb71377a4e0fbc0eeb93221045259ce273 Mon Sep 17 00:00:00 2001
From: bigeagle
Date: Sat, 2 Apr 2016 16:36:40 +0800
Subject: [PATCH] docs: add doc to generate self-signed certs
---
 README.md | 57 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 57 insertions(+)
diff --git a/README.md b/README.md
index 8dba249..8998a4b 100644
--- a/README.md
+++ b/README.md
@@ -43,3 +43,60 @@ tunasync
 - [ ] config file structure
 - [ ] support multi-file configuration (`/etc/tunasync.d/mirror-enabled/*.conf`)
 
+## Generate Self-Signed Certificate
+
+Fisrt, create root CA
+
+```
+openssl genrsa -out rootCA.key 2048
+openssl req -x509 -new -nodes -key rootCA.key -days 365 -out rootCA.crt
+```
+
+Create host key
+
+```
+openssl genrsa -out host.key 2048
+```
+
+Now create CSR, before that, write a `req.cnf`
+
+```
+[req]
+distinguished_name = req_distinguished_name
+req_extensions = v3_req
+
+[req_distinguished_name]
+countryName = Country Name (2 letter code)
+countryName_default = CN
+stateOrProvinceName = State or Province Name (full name)
+stateOrProvinceName_default = BJ
+localityName = Locality Name (eg, city)
+localityName_default = Beijing
+organizationalUnitName = Organizational Unit Name (eg, section)
+organizationalUnitName_default = TUNA
+commonName = Common Name (server FQDN or domain name)
+commonName_default =
+commonName_max = 64
+
+[v3_req]
+# Extensions to add to a certificate request
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+subjectAltName = @alt_names
+
+[alt_names]
+DNS.1 =
+DNS.2 =
+```
+
+Substitute `` with your server's FQDN, then run
+
+```
+openssl req -new -key host.key -out host.csr -config req.cnf
+```
+
+Finally generate and sign host cert with root CA
+
+```
+openssl x509 -req -in host.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out host.crt -days 365 -extensions v3_req -extfile req.cnf
+```