The three directories each contain a complete CA with server signing
certificate, OCSP signing certificate and a selection of server
certificates under each domain. The "server1" certificates have
a CRL distribution point extension; the "server2" ones instead have
an Authority Key extension.

For each directory there are a number of subdirectories.

CA - The main certificate signing directory.

Within this directory the primary files of interest
will be the two CRL files, crl.empty and crl.v2.
These are valid CRLs; the "v2" one contains the two
revoked certs.

BLANK - a template usable for client-only machines
for clients of this private CA.

*.example.* - individual server certificates.

The six certificate subdirs each contain a cert for a machine
by that name; those in the "expired" ones are out-of-date (the
rest expire in 2038). The "1" and "2" systems/certs have
equivalent properties.

In each certificate subdir: the ".db" files are the NSS version of the cert;
the ".pem", ".key" and ".unlocked.key" files are usable by OpenSSL (the
ca_chain.pem being a copy of the CA public information and signer
public information).

The ".p12" file rolls up the CA, Signer and cert info. Both the ".p12"
and NSS info are passworded using the "pwdfile".
The ocsp request file is one a client would send to an OCSP responder.
The ocsp response files are those gotten that way, in .der format;
"good" being all well, "dated" meaning the response (not the cert)
is out-of-date, and "revoked" meaning the cert has been revoked.


The files were created using the "genall" script which utilises a
combination of tools,

 openssl
 nss-tools
 clica

of these the only unfamiliar one is likely to be clica, a command
line CA tool which can be found at

 http://people.redhat.com/mpoole/clica/

NOTE:
While running "genall" you need to manipulate the system
date/time. Shut down the ntpd service before doing this, and restart
it after.
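To see what the two CRL files described above mean to a verifier, here is an added example (not part of this README or the genall script) that builds a throwaway CA with openssl, issues one server cert carrying a CRL distribution point like the "server1" certs, and checks it against an empty CRL and against a CRL that lists it. All names, paths and the distribution point URL are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the original README or its genall script:
# build a throwaway CA, issue one server cert carrying a CRL distribution
# point (as the "server1" certs do), then show how OpenSSL's verifier
# treats an empty CRL versus one that lists the cert. Names are constructed.
set -e
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"
touch index.txt; echo 01 > serial; echo 01 > crlnumber
cat > ca.cnf <<EOF
[ req ]
distinguished_name = dn
[ dn ]
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ server_ext ]
crlDistributionPoints = URI:http://crl.example.test/crl.der
[ ca ]
default_ca = testca
[ testca ]
database = index.txt
serial = serial
crlnumber = crlnumber
certificate = ca.pem
private_key = ca.key
default_md = sha256
default_crl_days = 30
EOF
# Self-signed CA, then a server cert signed by it (throwaway keys).
openssl req -x509 -config ca.cnf -extensions ca_ext -newkey rsa:2048 -nodes \
    -keyout ca.key -out ca.pem -subj "/CN=Throwaway Test CA" -days 30 >/dev/null 2>&1
openssl req -config ca.cnf -newkey rsa:2048 -nodes -keyout server1.key \
    -out server1.csr -subj "/CN=server1.example.test" >/dev/null 2>&1
openssl x509 -req -in server1.csr -CA ca.pem -CAkey ca.key -CAcreateserial -days 30 \
    -extfile ca.cnf -extensions server_ext -out server1.pem >/dev/null 2>&1

# crl.empty: issued before any revocation. crl.v2: issued after revoking server1.
openssl ca -config ca.cnf -gencrl -out crl.empty.pem >/dev/null 2>&1
openssl ca -config ca.cnf -revoke server1.pem >/dev/null 2>&1
openssl ca -config ca.cnf -gencrl -out crl.v2.pem >/dev/null 2>&1
# verify_with_crl CRLFILE: prints "good", "revoked" or "error". With -crl_check
# the verifier will not pass a cert unless a CRL for its issuer is available.
verify_with_crl() {
    cat ca.pem "$1" > trust_and_crl.pem
    out=$(openssl verify -crl_check -CAfile trust_and_crl.pem server1.pem 2>&1) \
        && { echo good; return 0; }
    case "$out" in *revoked*) echo revoked ;; *) echo error ;; esac
}
echo "crl.empty: $(verify_with_crl crl.empty.pem)"   # good
echo "crl.v2:    $(verify_with_crl crl.v2.pem)"      # revoked
```

The same two outcomes are what a client consulting crl.empty versus crl.v2 for the "server1" certs should observe; an "error" result usually means the CRL was not found for the issuer or is outside its validity window.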