Generating certificates with the internal PKI of mini_risotto
Generating the certificate on the server
On Fedora
<file>/etc/pki/ca-trust/source/anchors/ca_<AUTHORITY_NAME>.crt</file>
<file>/etc/pki/tls/certs/<SERVICE>.crt</file>
<file owner="root" group="<SERVICE>" mode="440">/etc/pki/tls/private/<SERVICE>.key</file>
The templates
In the ca_<AUTHORITY_NAME>.crt template:
%%get_chain(authority_cn=%%domain_name_eth0, authority_name="<AUTHORITY_NAME>")
In the .crt template:
%%get_certificate(%%domain_name_eth0, '<AUTHORITY_NAME>')
In the .key template:
%%get_private_key(%%domain_name_eth0, '<AUTHORITY_NAME>')
Generating the client certificate
On Fedora
<services>
<service name="<SERVICE>client" manage="False">
<file>/etc/pki/ca-trust/source/anchors/ca_<AUTHORITY_NAME>.crt</file>
<file>/etc/pki/tls/certs/<SERVICE>.crt</file>
<file owner_type="variable" owner="<VARIABLE_NAME>" mode="400">/etc/pki/tls/private/<SERVICE>.key</file>
</service>
</services>
The variable
<variable name="<VARIABLE_NAME>" type="unix_user" description="Key owner" mandatory="True">
<value>DEFAULT_VALUE</value>
</variable>
The templates
In the ca_<AUTHORITY_NAME>.crt template:
%%get_chain(authority_cn=<SERVER_DOMAINNAME>, authority_name="<AUTHORITY_NAME>")
In the .crt template:
%%get_certificate(cn=%%domain_name_eth0, authority_cn=<SERVER_DOMAINNAME>, authority_name='<AUTHORITY_NAME>', type="client")
In the .key template:
%%get_private_key(cn=%%domain_name_eth0, authority_cn=<SERVER_DOMAINNAME>, authority_name='<AUTHORITY_NAME>', type="client")
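As an added example (not code from mini_risotto), a post-deployment audit that parses a <services> declaration like the ones above and checks that each generated file on disk actually carries the declared owner, group and mode, resolving owner_type="variable" through the variable's value. The service name myapp, the authority name internal and the variable myapp_key_owner are constructed placeholders.

```python
import grp, os, pwd, stat, tempfile
import xml.etree.ElementTree as ET
# Constructed sample: the client declaration above, placeholders filled in (hypothetical "myapp").
SAMPLE_SERVICES = """<services><service name="myappclient" manage="False">
<file>/etc/pki/ca-trust/source/anchors/ca_internal.crt</file>
<file>/etc/pki/tls/certs/myapp.crt</file>
<file owner_type="variable" owner="myapp_key_owner" mode="400">/etc/pki/tls/private/myapp.key</file>
</service></services>"""

def _name(lookup, ident):  # uid/gid -> name; the bare number if absent from passwd/group
    try:
        return lookup(ident)[0]
    except KeyError:
        return str(ident)

def declared_files(services_xml, variables):
    """Yield (path, owner, group, mode) per <file>; owner_type="variable" resolves the owner from variables."""
    for f in ET.fromstring(services_xml).iter("file"):
        owner = f.get("owner")
        if f.get("owner_type") == "variable":
            owner = variables[owner]
        yield f.text.strip(), owner, f.get("group"), int(f.get("mode") or "0", 8) or None

def audit(services_xml, variables, root="/"):
    """Check each declared file against the filesystem under root; returns {path: [problems]}."""
    findings = {}
    for path, owner, group, mode in declared_files(services_xml, variables):
        full, problems = os.path.join(root, path.lstrip("/")), []
        st = os.stat(full)
        actual = stat.S_IMODE(st.st_mode)
        if mode is not None and actual != mode:
            problems.append(f"mode {actual:04o} != declared {mode:04o}")
        if mode is not None and actual & stat.S_IRWXO:  # a declared mode marks the file as sensitive
            problems.append("world-accessible")
        if owner and _name(pwd.getpwuid, st.st_uid) != owner:
            problems.append(f"owner != {owner}")
        if group and _name(grp.getgrgid, st.st_gid) != group:
            problems.append(f"group != {group}")
        findings[path] = problems
    return findings

def demo():
    """Lay the sample files out in a temp dir, all 0644, so the private key gets flagged."""
    root, me = tempfile.mkdtemp(), _name(pwd.getpwuid, os.getuid())
    for path, *_ in declared_files(SAMPLE_SERVICES, {"myapp_key_owner": me}):
        full = os.path.join(root, path.lstrip("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        open(full, "w").close()
        os.chmod(full, 0o644)
    return audit(SAMPLE_SERVICES, {"myapp_key_owner": me}, root)
```

Run audit() with root="/" on a deployed host, passing the real variable values; the demo only shows the key with mode 400 declared being reported as 0644 and world-readable.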