# Généré des certificats via la PKI interne de mini_risotto

## Génération du certificate sur le serveur

### Sous Fedora

```
<file>/etc/pki/ca-trust/source/anchors/ca_<AUTHORITY_NAME>.crt</file>
<file>/etc/pki/tls/certs/<SERVICE>.crt</file>
<file owner="root" group="<SERVICE>" mode="440">/etc/pki/tls/private/<SERVICE>.key</file>
```

### Les templates

Dans le template ca_<AUTHORITY_NAME>.crt :

```
%%get_chain(authority_cn=%%domain_name_eth0, authority_name="<AUTHORITY_NAME>")
```

Dans le template <SERVICE>.crt :

```
%%get_certificate(%%domain_name_eth0, '<AUTHORITY_NAME>')
```

Dans le template <SERVICE>.key :

```
%%get_private_key(%%domain_name_eth0, '<AUTHORITY_NAME>')
```

## Génération du certificat client

### Sous Fedora

```
<services>
  <service name="<SERVICE>client" manage="False">
    <file>/etc/pki/ca-trust/source/anchors/ca_<AUTHORITY_NAME>.crt</file>
    <file>/etc/pki/tls/certs/<SERVICE>.crt</file>
    <file owner_type="variable" owner="<VARIABLE_NAME>" mode="400">/etc/pki/tls/private/<SERVICE>.key</file>
  </service>
</services>
```

### La variable

```
<variable name="<VARIABLE_NAME>" type="unix_user" description="Key owner" mandatory="True">
  <value>DEFAULT_VALUE</value>
</variable>
```

### Les templates

Dans le template ca_<AUTHORITY_NAME>.crt :

```
%%get_chain(authority_cn=<SERVER_DOMAINNAME>, authority_name="<AUTHORITY_NAME>")
```

Dans le template <SERVICE>.crt :

```
%%get_certificate(cn=%%domain_name_eth0, authority_cn=<SERVER_DOMAINNAME>, authority_name='<AUTHORITY_NAME>', type="client")
```

Dans le template <SERVICE>.key :

```
%%get_private_key(cn=%%domain_name_eth0, authority_cn=<SERVER_DOMAINNAME>, authority_name='<AUTHORITY_NAME>', type="client")
```