The three directories each contain a complete CA with server signing
certificate, OCSP signing certificate and a selection of server
certificates under each domain. The "server1" certificates have
a CRL distribution point extension; the "server2" ones instead have
an Authority Key extension.

For each directory there are a number of subdirectories.

CA - The main certificate signing directory.

Within this directory the primary files of interest
will be the two CRL files, crl.empty and crl.v2.
These are valid CRLs; the "v2" one contains the two
revoked certs.

BLANK - a template usable for client-only machines
for clients of this private CA.

*.example.* - individual server certificates.

The six certificate subdirs each contain a cert for a machine
by that name; those in the "expired" ones are out-of-date (the
rest expire in 2038). The "1" and "2" systems/certs have
equivalent properties.

In each certificate subdir: the ".db" files are the NSS version of the cert;
the ".pem", ".key" and ".unlocked.key" are usable by OpenSSL (the
ca_chain.pem being a copy of the CA public information and signer
public information).

The ".p12" file rolls up the CA, Signer and cert info. Both the ".p12"
and NSS info are passworded using the "pwdfile".
The ocsp request file is one a client would send to an OCSP responder.
The ocsp response files are those obtained that way, in .der format:
"good" meaning all is well, "dated" meaning the response (not the cert)
is out-of-date, and "revoked" meaning the cert has been revoked.
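To see the difference the two CRL files make, here is an added example (not the fixture set's own genall script) that builds a throwaway CA, issues one server cert, and checks that cert with OpenSSL against an empty CRL and then against a CRL that lists it; every file name and the ca.cnf content below are constructed for this example.

```shell
#!/bin/sh
# Throwaway CA in a temp dir; nothing here touches the fixture directories.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Minimal config for `openssl ca` (constructed for this example).
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo
[ demo ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir
serial = $dir/serial
private_key = $dir/ca.key
certificate = $dir/ca.pem
default_md = sha256
default_days = 365
default_crl_days = 30
policy = any_cn
[ any_cn ]
commonName = supplied
EOF
touch index.txt
echo 01 > serial

# Self-signed CA and one server certificate signed by it.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Demo CA" \
    -keyout ca.key -out ca.pem >/dev/null 2>&1
openssl req -newkey rsa:2048 -nodes -subj "/CN=server1.example.com" \
    -keyout server1.key -out server1.csr >/dev/null 2>&1
openssl ca -batch -config ca.cnf -in server1.csr -out server1.pem >/dev/null 2>&1

# CRL before any revocation, then revoke server1 and issue a second CRL,
# mirroring the crl.empty / crl.v2 pair in the fixtures.
openssl ca -config ca.cnf -gencrl -out crl.empty 2>/dev/null
openssl ca -config ca.cnf -revoke server1.pem >/dev/null 2>&1
openssl ca -config ca.cnf -gencrl -out crl.v2 2>/dev/null

# Chain-verify server1 with CRL checking against the named CRL file;
# prints "good", "revoked", or the verifier's error text.
crl_status() {
    out=$(openssl verify -crl_check -CAfile ca.pem -CRLfile "$1" server1.pem 2>&1) \
        && { echo good; return 0; }
    case "$out" in
        *"certificate revoked"*) echo revoked ;;
        *) echo "error: $out" ;;
    esac
}

crl_status crl.empty   # good
crl_status crl.v2      # revoked
```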

The files were created using the "genall" script, which uses a
combination of tools:

openssl
nss-tools
clica

Of these the only unfamiliar one is likely to be clica, a command
line CA tool which can be found at

http://people.redhat.com/mpoole/clica/

NOTE:
While running "genall" you need to manipulate the system
date/time. Shut down the ntpd service before doing this, and restart it
afterwards.