Blame view: commits f5d78688 and 2b4a568d (JH).

The three directories each contain a complete CA with server signing
certificate, OCSP signing certificate and a selection of server
certificates under each domain.

For each directory there are a number of subdirectories.

CA - The main certificate signing directory.

Within this directory the primary files of interest
will be the two CRL files, crl.empty and crl.v2.
These are valid CRLs; the "v2" one contains the two
revoked certs.

BLANK - a template usable for client-only machines
for clients of this private CA.

*.example.* - individual server certificates.

The six certificate subdirs each contain a cert for a machine
by that name; those in the "expired" ones are out-of-date (the
rest expire in 2038). The "1" and "2" systems/certs have
equivalent properties.

In each certificate subdir: the ".db" files are the NSS version of the cert;
the ".pem", ".key" and ".unlocked.key" are usable by OpenSSL (the
ca_chain.pem being a copy of the CA public information and signer
public information).

The ".p12" file rolls up the CA, Signer and cert info. Both the ".p12"
and NSS info are passworded using the "pwdfile".
The ocsp request file is one a client would send to an OCSP responder.
The ocsp response files are those obtained that way, in .der format:
"good" meaning all is well, "dated" meaning the response (not the cert)
is out-of-date, and "revoked" meaning the cert has been revoked.


The files were created using the "genall" script which utilises a
combination of tools,

    openssl
    nss-tools
    clica

of these the only unfamiliar one is likely to be clica, a command
line CA tool which can be found at

    http://people.redhat.com/mpoole/clica/

NOTE:
During running of "genall" you need to manipulate the system
date/time. Shut down the ntpd service before doing this, and restart it
after.
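The layout described above (a CRL with and without revoked certs, expired versus long-lived certs, and OCSP request/response files that come back good or revoked) can be reproduced in miniature with openssl alone. The script below is an added example, not the "genall" script or any code from this repository; it assumes only an openssl binary and writes everything under a scratch directory $DEMO (a name chosen here, as is the DEMO_NO_MAIN switch). It issues the root and the expired certificate with explicit -startdate/-enddate values on openssl ca and checks the expired one "as of" an old date with openssl verify -attime, which for the openssl-issued part avoids the clock manipulation the NOTE describes; clica and the NSS databases are not covered.

```shell
#!/bin/sh
# Added example, not code from the original README: build a throwaway CA with
# openssl, issue a valid, a revoked and an already-expired server cert, emit an
# empty and a populated CRL, answer an OCSP request offline, and verify each
# cert the way the README's crl.* and ocsp response fixtures exercise.
# Everything lives under $DEMO (hypothetical scratch dir, no spaces in path).
set -e
DEMO=${DEMO:-$(mktemp -d)}

build_demo_ca() {
    [ -f "$DEMO/crl.v2" ] && return 0          # already built
    mkdir -p "$DEMO/newcerts"
    : > "$DEMO/index.txt"; echo 01 > "$DEMO/serial"; echo 01 > "$DEMO/crlnumber"
    cat > "$DEMO/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = $DEMO
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
certificate = \$dir/ca.pem
private_key = \$dir/ca.key
serial = \$dir/serial
crlnumber = \$dir/crlnumber
default_md = sha256
default_days = 365
default_crl_days = 30
policy = demo_policy
[ demo_policy ]
commonName = supplied
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    for n in demo-ca server1 server2 expired1; do      # unencrypted keys + CSRs
        openssl req -newkey rsa:2048 -nodes -keyout "$DEMO/$n.key" \
            -out "$DEMO/$n.csr" -subj "/CN=$n" >/dev/null 2>&1
    done
    mv "$DEMO/demo-ca.key" "$DEMO/ca.key"
    ca="openssl ca -batch -notext -config $DEMO/ca.cnf"
    # Root: self-signed with an explicit validity window (2020 .. 2038) instead
    # of moving the system clock, so old "as of" dates can still be verified.
    $ca -selfsign -keyfile "$DEMO/ca.key" -extensions v3_ca -in "$DEMO/demo-ca.csr" \
        -out "$DEMO/ca.pem" -startdate 20200101000000Z -enddate 20380101000000Z >/dev/null 2>&1
    $ca -in "$DEMO/server1.csr" -out "$DEMO/server1.pem" >/dev/null 2>&1
    $ca -in "$DEMO/server2.csr" -out "$DEMO/server2.pem" >/dev/null 2>&1
    $ca -in "$DEMO/expired1.csr" -out "$DEMO/expired1.pem" \
        -startdate 20200101000000Z -enddate 20210101000000Z >/dev/null 2>&1
    # CRL before any revocation (cf. crl.empty), then after revoking server2 (cf. crl.v2)
    $ca -gencrl -out "$DEMO/crl.empty" >/dev/null 2>&1
    $ca -revoke "$DEMO/server2.pem" >/dev/null 2>&1
    $ca -gencrl -out "$DEMO/crl.v2" >/dev/null 2>&1
}

# Verify $1 against the CA and the CRL named in $2 (default crl.v2); print
# good, revoked, expired, or the raw openssl error text.
verify_with_crl() {
    out=$(openssl verify -CAfile "$DEMO/ca.pem" -CRLfile "$DEMO/${2:-crl.v2}" \
          -crl_check "$DEMO/$1.pem" 2>&1) && { echo good; return 0; }
    case $out in
        *"certificate revoked"*)     echo revoked ;;
        *"certificate has expired"*) echo expired ;;
        *)                           echo "$out" ;;
    esac
}

# Verify $1 "as of" epoch second $2 (openssl verify -attime): an expired
# fixture can be checked this way without touching the system clock.
verify_at() {
    if openssl verify -CAfile "$DEMO/ca.pem" -attime "$2" "$DEMO/$1.pem" >/dev/null 2>&1
    then echo good; else echo expired; fi
}

# Write an OCSP request for $1, answer it from the CA's own index without a
# network responder, then verify the DER response and print good / revoked.
ocsp_status() {
    openssl ocsp -no_nonce -issuer "$DEMO/ca.pem" -cert "$DEMO/$1.pem" \
        -reqout "$DEMO/$1.ocsp.req" >/dev/null 2>&1
    openssl ocsp -no_nonce -index "$DEMO/index.txt" -CA "$DEMO/ca.pem" -rsigner "$DEMO/ca.pem" \
        -rkey "$DEMO/ca.key" -reqin "$DEMO/$1.ocsp.req" -respout "$DEMO/$1.ocsp.resp" \
        -noverify >/dev/null 2>&1
    out=$(openssl ocsp -no_nonce -issuer "$DEMO/ca.pem" -cert "$DEMO/$1.pem" -CAfile "$DEMO/ca.pem" \
          -respin "$DEMO/$1.ocsp.resp" 2>&1) || true
    case $out in
        *": good"*)    echo good ;;
        *": revoked"*) echo revoked ;;
        *)             echo "$out" ;;
    esac
}

# Stand-alone run: build the fixtures and report every check.
if [ "${DEMO_NO_MAIN:-0}" = 0 ]; then    # hypothetical switch so the file can be sourced
    build_demo_ca
    for c in server1 server2 expired1; do
        echo "$c: crl.empty=$(verify_with_crl "$c" crl.empty) crl.v2=$(verify_with_crl "$c") ocsp=$(ocsp_status "$c")"
    done
    echo "expired1 as of 2020-06-01: $(verify_at expired1 1590969600)"
fi
```

Running the file prints one line per certificate: crl.empty reports all three as good, crl.v2 reports server2 as revoked and expired1 as expired, and the expired cert verifies cleanly at an epoch inside its window. Note that the index-based OCSP responder reports expired1 as good, because it only knows the V/R status recorded in index.txt; expiry is the verifier's job, which is exactly why the README keeps separate "dated" and "revoked" response fixtures.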