Project author: cilogon

Project description:
install Let's Encrypt CA certificates in /etc/grid-security/certificates
Language: Makefile
Repository: git://github.com/cilogon/letsencrypt-certificates.git
Created: 2017-08-25T21:44:17Z
Project community: https://github.com/cilogon/letsencrypt-certificates

License: Apache License 2.0


letsencrypt-certificates

You get user certificates from CILogon but you also need host certificates.
You looked over the list of IGTF CAs but they don’t meet your needs.
Why not use the Let’s Encrypt CA?
How do you set up /etc/grid-security?

Getting your host certificate

Follow the Let's Encrypt Getting Started guide. The letsencrypt-auto wrapper shown below is the 2017 name of the client; the same client is now distributed as Certbot (the certbot command), with the same certonly and renew subcommands and the same options.

For example:

```sh
git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt/
./letsencrypt-auto --debug certonly --standalone --email human@example.org -d example.org
# cert in /etc/letsencrypt
# then before it expires...
./letsencrypt-auto renew
```

The --standalone authenticator starts its own temporary web server to answer the ACME challenge, so the port it listens on (80 for the http-01 challenge) must be free on the host; if a web server is already bound there, use --webroot instead.

Setting up /etc/grid-security/host*.pem

```sh
ln -s /etc/letsencrypt/live/*/cert.pem /etc/grid-security/hostcert.pem
ln -s /etc/letsencrypt/live/*/privkey.pem /etc/grid-security/hostkey.pem
chmod 0600 /etc/letsencrypt/archive/*/privkey*.pem # ugh!
```

The globs assume a single certificate lineage under /etc/letsencrypt/live; with more than one, name the lineage directory explicitly. cert.pem holds the end-entity certificate only, which is what GSI expects in hostcert.pem; the Let's Encrypt intermediates that complete the chain come from /etc/grid-security/certificates (next step), not from the host certificate file. The chmod targets the archive directory because live/privkey.pem is a symlink to the current archive/privkeyN.pem, and GSI refuses to use a host key that is readable by group or others. Every renewal writes a new privkeyN.pem, so either rely on a Certbot version that preserves the mode of the previous key file or repeat the chmod from a --deploy-hook.

Setting up /etc/grid-security/certificates

```sh
git clone https://github.com/cilogon/letsencrypt-certificates.git
cd letsencrypt-certificates/
make check
sudo make install
```

Caveats

Like other Internet CAs and unlike IGTF CAs, Let's Encrypt issues end entity certificates whose subject DNs are not confined to a controlled namespace (every subject is simply "/CN=<hostname>"), so the signing_policy file installed here can only say "/CN=*". That policy restricts nothing: a relying party trusts Let's Encrypt to issue for any host name, whereas an IGTF CA's policy limits it to the DN prefix that CA owns.

Let's Encrypt does not issue CRLs for end-entity certificates (see its Certification Practice Statement); revocation status is published through OCSP instead. GSI tools check revocation only through CRL files (<hash>.r0) in /etc/grid-security/certificates, so a revoked Let's Encrypt host certificate is still accepted by them until it expires.

Make sure to have a process in place to renew your certificates (e.g., Certbot's renew timer): Let's Encrypt certificates are valid for 90 days.

Troubleshooting

Run these as root on the host after the steps above; each command is followed by the output you should see.

```text
# hostname
example.org
# grid-proxy-init -debug -verify -cert /etc/grid-security/hostcert.pem -key /etc/grid-security/hostkey.pem -hours 1 -out /tmp/hostcerttest
User Cert File: /etc/grid-security/hostcert.pem
User Key File: /etc/grid-security/hostkey.pem
Trusted CA Cert Dir: /etc/grid-security/certificates
Output File: /tmp/hostcerttest
Your identity: /CN=example.org
Creating proxy ......++++++
.....++++++
Done
Proxy Verify OK
# openssl verify -CApath /etc/grid-security/certificates /etc/grid-security/hostcert.pem
/etc/grid-security/hostcert.pem: OK
# if [ "`openssl x509 -in /etc/grid-security/hostcert.pem -noout -modulus`" = "`openssl rsa -in /etc/grid-security/hostkey.pem -noout -modulus`" ]; then echo "Match"; else echo "Different"; fi
Match
# openssl x509 -subject -noout -in /etc/grid-security/hostcert.pem
subject= /CN=example.org
```

The -modulus comparison applies to RSA keys only; for an ECDSA key (which newer Certbot versions issue by default) openssl rsa fails instead of printing "Different". Compare the public keys instead: openssl x509 -pubkey -noout on the certificate against openssl pkey -pubout on the key.
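The session above checks the host credential by hand. The script below is an added example, not part of the project or of the session, that packages the same checks as functions so they can run from cron or a renewal hook: it compares the public key in the certificate with the key file (which works for ECDSA as well as RSA, unlike the -modulus test), checks the key's mode through the symlink into /etc/letsencrypt/archive, prints the subject, and warns when fewer than a chosen number of days remain (30 is the threshold certbot renew uses). The two self-signed certificates it exercises are a constructed fixture, not Let's Encrypt-issued ones.

```shell
#!/bin/sh
# Added example; not part of the project or of the README's session above.
# Health check for /etc/grid-security/hostcert.pem and hostkey.pem that works
# for ECDSA as well as RSA keys, checks the key's mode through any symlink, and
# warns when the certificate is close to expiry. Constructed fixture: two
# throwaway self-signed certificates, not Let's Encrypt-issued ones.
set -eu

# pair_matches CERT KEY: the public key in CERT is the public half of KEY.
# Comparing SubjectPublicKeyInfo works for any algorithm, unlike -modulus.
pair_matches() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$c" = "$k" ]
}

# key_mode_ok KEY: KEY (following symlinks, since hostkey.pem usually points
# into /etc/letsencrypt/archive) is readable by its owner only.
key_mode_ok() {
    mode=$(stat -L -c '%a' "$1" 2>/dev/null || stat -L -f '%OLp' "$1")
    case $mode in
        400|600) return 0 ;;
        *) return 1 ;;
    esac
}

# cert_valid_for_days CERT DAYS: CERT is still valid DAYS days from now.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# cert_subject CERT: subject in the slash form grid tools print.
cert_subject() {
    openssl x509 -in "$1" -noout -subject -nameopt compat | sed 's/^subject= *//'
}

# check_host CERT KEY [DAYS]: run every check, report, fail if any failed.
check_host() {
    cert=$1; key=$2; days=${3:-30}; failed=0
    echo "subject: $(cert_subject "$cert")"
    if pair_matches "$cert" "$key"; then echo "key pair: match"
    else echo "key pair: DIFFERENT"; failed=1; fi
    if key_mode_ok "$key"; then echo "key mode: ok"
    else echo "key mode: too permissive (want 0600)"; failed=1; fi
    if cert_valid_for_days "$cert" "$days"; then echo "expiry: more than $days days left"
    else echo "expiry: less than $days days left, renew now"; failed=1; fi
    return $failed
}

# make_fixture WORK: constructed RSA and ECDSA self-signed host certs, valid 5 days.
make_fixture() {
    w=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 5 -subj '/CN=rsa.example.org' \
        -keyout "$w/rsa.key" -out "$w/rsa.pem" 2>/dev/null
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes -days 5 \
        -subj '/CN=ec.example.org' -keyout "$w/ec.key" -out "$w/ec.pem" 2>/dev/null
    chmod 0600 "$w/rsa.key" "$w/ec.key"
}

# Demo on the ECDSA fixture; the 5-day certificate trips the 30-day warning.
demo() {
    w=$(mktemp -d)
    make_fixture "$w"
    check_host "$w/ec.pem" "$w/ec.key" 30 || echo "(expected: fixture expires in 5 days)"
    rm -rf "$w"
}
demo
```

On a real host call check_host /etc/grid-security/hostcert.pem /etc/grid-security/hostkey.pem; a non-zero exit from a --deploy-hook or a cron job is the signal that a renewal produced a key with the wrong mode or a certificate that no longer matches the key.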