Skip to content

Instantly share code, notes, and snippets.

@epcim

epcim/action_gnutls_scripted.md

Last active February 3, 2024 18:50
Show Gist options
  • Save epcim/832cec2482a255e3f392 to your computer and use it in GitHub Desktop.
Save epcim/832cec2482a255e3f392 to your computer and use it in GitHub Desktop.
Download ZIP
gnutls certtool ssl tls openssl
Raw
action_gnutls_scripted.md

CA - based on gnutls-bin

this directory holds CA key + wildcard certificates created for new infrastructure the CA key/cert is "ca-cert.pem/key"

TODO:

  • create scripts to re-generate client certificates based on NEW CA
  • develop procedure to generate client/server certs from template (partialy done)
  • develop procedure to generate clr files + revocate certificate + distribute them on public places
  • document structure in client/server CERTS - so it can be used to filter HTTPS logins (per project, etc..)
  • completely replace OLD CA in whole infrastructure

GENERAL RULES:

For new server certificate add [a-z] or [0-9][0-9] ID before the suffix.

Install gnu-tls

sudo apt-get install gnutls-bin

Generate CA

certtool --generate-privkey --outfile ca-key.pem
certtool --generate-self-signed --load-privkey ca-key.pem --outfile ca-cert.pem \
  --template gnutls-certtool.CA.template

This asks questions about the usage of the certificate. To get a ten year one I used the following options:

Common name: ca.lab.xxx The certificate will expire in (days): 3650 Does the certificate belong to an authority? (y/N): y Path length constraint (decimal, -1 for no constraint): -1 Will the certificate be used to sign other certificates? (y/N): y

Create the server key and certificate:

SRVFQDN=wildcard

certtool --generate-privkey --outfile $SRVFQDN.key
certtool --generate-certificate --load-privkey $SRVFQDN.key \
 --outfile $SRVFQDN.crt --load-ca-certificate ca-cert.pem \
 --load-ca-privkey ca-key.pem \
 --template gnutls-certtool.SERVICE.template

The common name needs to be ldap.edu.example.org for the slapd certificate:

Common name: ldap.lab.xxx The certificate will expire in (days): 3650 Will the certificate be used for signing (required for TLS)? (y/N): y Will the certificate be used for encryption (not required for TLS)? (y/N): y

Example:

certtool --generate-self-signed --load-privkey ca-key.pem --outfile ca-cert.pem
Generating a self signed certificate...
Please enter the details of the certificate's distinguished name. Just press enter to ignore a field.
Country name (2 chars): CZ
Organization name: lab
Organizational unit name: devops
Locality name: Prague
State or province name: Prague
Common name: ca.lab.xxx
UID: 
This field should not be used in new certificates.
E-mail: 
Enter the certificate's serial number in decimal (default: 1452442724): 


Activation/Expiration time.
The certificate will expire in (days): 3650


Extensions.
Does the certificate belong to an authority? (y/N): y
Path length constraint (decimal, -1 for no constraint): 
Is this a TLS web client certificate? (y/N): 
Will the certificate be used for IPsec IKE operations? (y/N): 
Is this also a TLS web server certificate? (y/N): 
Enter the e-mail of the subject of the certificate: 
Will the certificate be used to sign other certificates? (y/N): y
Will the certificate be used to sign CRLs? (y/N): y
Will the certificate be used to sign code? (y/N): y
Will the certificate be used to sign OCSP requests? (y/N): y
Will the certificate be used for time stamping? (y/N): y
Enter the URI of the CRL distribution point: http://pki.blueit.cz/lab.crl        
X.509 Certificate Information:
	Version: 3
	Serial Number (hex): 56928464
	Validity:
		Not Before: Sun Jan 10 16:18:47 UTC 2016
		Not After: Wed Jan 07 16:18:54 UTC 2026
	Subject: C=CZ,O=lab,OU=devops,L=Prague,ST=Prague,CN=ca.lab.xxx
	Subject Public Key Algorithm: RSA
	Certificate Security Level: Normal
		Modulus (bits 2432):
			00:be:d5:f0:6b:69:4f:10:53:cc:51:7e:b7:e6:69:40
			e5:c1:1d:25:3f:59:e3:8a:e9:fa:f2:94:2b:f8:3b:f1
			65:65:21:37:2a:40:e7:98:2a:64:d4:e2:c0:f6:66:3f
			30:de:64:33:70:bf:67:b1:b7:34:c6:a0:ad:bf:fd:9c
			9b:be:a2:b4:a0:a6:3f:30:e3:20:6e:42:51:d7:21:d4
			8e:36:33:72:6f:5a:11:f7:62:90:3d:d6:0b:40:71:fe
			29:27:ad:58:48:4e:81:b2:c1:f4:cd:c5:c4:98:28:5b
			0f:b7:8e:6a:61:d2:8d:e7:cf:79:a6:f7:ab:b9:bc:02
			22:03:84:cb:82:c7:05:87:7a:10:3d:72:1d:f8:9b:20
			4d:71:20:4b:26:95:85:bc:5a:25:c1:2a:8b:82:61:57
			02:fa:3d:70:b3:5b:43:58:a9:d4:63:49:67:a2:80:e0
			95:35:49:7d:a8:2a:0b:49:16:93:00:e1:ad:75:22:8c
			d5:ad:74:ba:c3:90:2c:3b:3d:96:e3:55:f9:14:98:cf
			98:9b:15:ab:26:b9:0d:4f:bb:30:55:91:05:df:18:97
			5d:8d:6f:9e:04:1e:f3:f3:5d:b0:f5:27:e7:40:a0:04
			82:2e:f2:fd:c5:34:30:a6:2f:64:96:cc:2f:cc:32:1e
			fc:ba:d1:3c:8b:85:37:bc:36:f2:dd:48:a3:53:9c:7b
			77:d7:2a:dc:2e:91:96:b9:23:57:98:4e:8c:81:3b:ae
			d5:19:0f:af:09:93:81:db:03:a8:34:7a:cf:ac:17:f3
			99
		Exponent (bits 24):
			01:00:01
	Extensions:
		Basic Constraints (critical):
			Certificate Authority (CA): TRUE
		Key Purpose (not critical):
			Code signing.
			OCSP signing.
			Time stamping.
		Key Usage (critical):
			Certificate signing.
			CRL signing.
		Subject Key Identifier (not critical):
			06cc727df353de1b8b63b637eb0fb092de71f06f
		CRL Distribution points (not critical):
			URI: http://pki.blueit.cz/lab.crl
Other Information:
	Public Key Id:
		06cc727df353de1b8b63b637eb0fb092de71f06f

Is the above information ok? (y/N): y
Raw
gnutls-certtool.CA.template
#Certificate Authority Certificates
# X.509 Certificate options
#
# DN options
# The organization of the subject.
organization = "mirantis"
# The organizational unit of the subject.
#unit = "sleeping dept."
# The state of the certificate owner.
state = "Prague"
# The country of the subject. Two letter code.
country = CZ
# The common name of the certificate owner.
cn = "cloud devops"
# The serial number of the certificate. Should be incremented each time a new certificate is generated.
#serial = 007
# In how many days, counting from today, this certificate will expire.
expiration_days = 3650
# Whether this is a CA certificate or not
ca
# Whether this key will be used to sign other certificates.
cert_signing_key
# Whether this key will be used to sign CRLs.
crl_signing_key
Raw
gnutls-certtool.howto.md

Install gnu-tls

sudo apt-get install gnutls-bin

Generate CA

certtool --generate-privkey --outfile ca-key.pem
certtool --generate-self-signed --load-privkey ca-key.pem --outfile ca-cert.pem

This asks questions about the usage of the certificate. To get a ten year one I used the following options:

Common name: ca.myorg.xxx The certificate will expire in (days): 3650 Does the certificate belong to an authority? (y/N): y Path length constraint (decimal, -1 for no constraint): -1 Will the certificate be used to sign other certificates? (y/N): y

Create the server key and certificate:

SRVFQDN=wildcard

certtool --generate-privkey --outfile $SRVFQDN.key
certtool --generate-certificate --load-privkey $SRVFQDN.key \
 --outfile $SRVFQDN.crt --load-ca-certificate ca-cert.pem \
 --load-ca-privkey ca-key.pem

The common name needs to be ldap.edu.example.org for the slapd certificate:

Common name: ldap.myorg.xxx The certificate will expire in (days): 3650 Will the certificate be used for signing (required for TLS)? (y/N): y Will the certificate be used for encryption (not required for TLS)? (y/N): y

EXAMPLES

    ➜  pki git:(master) ✗ certtool --certificate-info --infile  ca-cert.pem
    X.509 Certificate Information:
        Version: 3
        Serial Number (hex): 532a3490
        Issuer: C=CZ,O=xxx,OU=PROJECTyy.L=Prague,ST=Prague,CN=ca.projectyy.xxx
        Validity:
            Not Before: Thu Mar 20 00:21:38 UTC 2014
            Not After: Sun Mar 17 00:21:47 UTC 2024
        Subject: C=CZ,O=xxx,OU=PROJECTyy.L=Prague,ST=Prague,CN=ca.projectyy.xxx
        Subject Public Key Algorithm: RSA
        Certificate Security Level: Normal
            Modulus (bits 2432):
                00:cd:5f:08:82:e4:b4:1b:e9:ee:ba:a8:ad:cb:dd:62
                22:51:fa:11:f2:70:bb:f2:41:78:ad:6d:b9:c8:cd:69
                cc:c1:43:28:62:bd:7d:a9:8d:41:19:9d:03:7e:c0:ec
                5e:34:c4:eb:63:c9:47:7f:b7:97:f5:85:a8:24:5c:18
                60:2d:03:52:0f:62:97:05:20:6e:fc:a3:54:03:36:97
                bd:80:1a:e2:8e:d5:55:53:e6:60:c5:d2:c7:0c:d2:13
                e1:f8:03:b0:fc:3a:bd:19:b5:a8:d6:93:31:7c:8e:df
                f1:09:47:b4:87:c5:31:1c:9b:93:be:9c:82:f4:7f:49
                b8:2b:4b:5c:de:3a:f6:ba:15:40:7f:57:af:1b:39:90
                91:d4:e3:43:1a:7b:a9:40:bc:81:70:80:6a:5d:ee:fb
                6d:b1:4a:72:92:f5:f9:e0:da:ff:45:4c:2a:a1:0e:89
                ae:db:59:e0:65:0e:08:b1:a9:66:85:a4:22:af:8c:ea
                5a:01:9e:65:c8:7f:41:24:bc:d5:01:d6:9d:20:9d:a1
                69:50:6b:1c:9e:65:e9:8e:7d:37:f7:ac:17:19:de:6d
                15:e7:be:5e:d5:c7:c8:67:9d:d9:af:94:74:55:e5:e3
                61:b7:61:6d:40:b1:79:54:3d:4f:4c:e6:f0:bd:b0:43
                c9:d6:33:f4:53:f8:e1:ff:43:f0:ef:58:df:8a:7a:b1
                17:36:54:04:36:a1:e8:44:9f:e1:ab:63:46:51:08:34
                a9
            Exponent (bits 24):
                01:00:01
        Extensions:
            Basic Constraints (critical):
                Certificate Authority (CA): TRUE
            Subject Alternative Name (not critical):
                RFC822name: n
            Key Usage (critical):
                Certificate signing.
                CRL signing.
            Subject Key Identifier (not critical):
                93aa99b6e30ea4a37539c0a0bd946883ddeaa134
            CRL Distribution points (not critical):
                URI: https://ca.projectyy.xxx/crl
        Signature Algorithm: RSA-SHA256
        Signature:
            47:89:3f:68:a9:d5:4d:72:de:c1:de:2a:4b:bb:7c:38
            15:a3:ef:cf:ed:52:ae:7b:36:17:51:fe:85:31:62:b2
            f4:35:17:f6:e9:cd:d3:57:d9:c1:6c:e4:ba:90:8e:67
            f6:9b:90:41:82:3f:8e:24:88:3f:cb:15:16:15:80:09
            7a:ce:08:e7:7b:c6:c1:60:99:03:cc:e9:02:1f:b3:61
            7f:f1:61:0e:7c:8c:dc:e3:00:34:62:1d:e1:54:85:84
            29:98:ee:e0:d9:cf:fe:71:f0:03:50:a9:7f:ad:08:14
            4e:40:9e:9e:54:50:5a:ea:22:d2:e7:ba:fa:90:bc:35
            24:54:11:1f:db:6e:cd:64:bd:41:90:71:0f:76:a2:c5
            d7:79:32:cd:d8:2b:ed:b8:6e:4c:3d:bb:2f:e7:66:c6
            49:17:9b:52:56:18:42:87:f4:ae:32:59:55:3b:dc:02
            f2:01:d0:dc:c6:d8:39:e3:71:14:0a:ca:10:01:f1:ea
            2f:a6:9e:4b:6c:ff:62:5a:15:fd:22:97:df:4b:3a:c9
            c5:cb:0c:35:7d:48:fb:64:40:32:4a:8a:39:8c:f5:e9
            cd:bd:d2:57:fa:83:1f:1d:a9:9b:e6:dc:76:c2:75:3f
            f5:ef:68:89:db:b1:fe:81:c0:21:ed:ca:61:3b:85:de
            47:ef:cf:b6:02:d3:66:3a:ef:54:20:a0:e8:fa:30:75
            22:1e:94:89:3a:00:a8:18:47:c0:ef:d5:2a:81:3c:3b
    Other Information:
        MD5 fingerprint:
            26cb3f541cad6c1d52680d2f27654be0
        SHA-1 fingerprint:
            974fca7924a02adc7b2b91442ecd698eb39ae497
        Public Key Id:
            93aa99b6e30ea4a37539c0a0bd946883ddeaa134

    -----BEGIN CERTIFICATE-----
    MIIENzCCAu+gAwIBAgIEUyo0kDANBgkqhkiG9w0BAQsFADBsMQswCQYDVQQGEwJD
    WjEMMAoGA1UEChMDSUJNMRIwEAYDVQQLEwlQUk9KRUNUS0IxDzANBgNVBAcTBlBy
    YWd1ZTEPMA0GA1UECBMGUHJhZ3VlMRkwFwYDVQQDExBjYS5wcm9qZWN0a2IuaWJt
    MB4XDTE0MDMyMDAwMjEzOFoXDTI0MDMxNzAwMjE0N1owbDELMAkGA1UEBhMCQ1ox
    DDAyy.NVBAoTA0lCTTESMBAGA1UECxMJUFJPSkVDVEtCMQ8wDQYDVQQHEwZQcmFn
    dWUxDzANBgNVBAgTBlByYWd1ZTEZMBcGA1UEAxMQY2EucHJvamVjdGtiLmlibTCC
    AVIwDQYJKoZIhvcNAQEBBQADggE/ADCCAToCggExAM1fCILktBvp7rqorcvdYiJR
    +hHycLvyQXitbbnIzWnMwUMoYr19qY1BGZ0DfsDsXjTE62PJR3+3l/WFqCRcGGAt
    A1IPYpcFIG78o1QDNpe9gBrijtVVU+ZgxdLHDNIT4fgDsPw6vRm1qNaTMXyO3/EJ
    R7SHxTEcm5O+nIL0f0m4K0tc3jr2uhVAf1evGzmQkdTjQxp7qUC8gXCAal3u+22x
    AwEAAaOBgDB+MA8GA1UdEwEB/wQFMAMBAf8wDAYDVR0RBAUwA4EBbjAPBgNVHQ8B
    Af8EBQMDBwYAMB0GA1UdDgQWBBSTqpm24w6ko3U5wKC9lGiD3eqhNDAtBgNVHR8E
    JjAkMCKgIKAehhxodHRwczovL2NhLnByb2plY3RrYi5pYm0vY3JsMA0GCSqGSIb3
    DQEBCwUAA4xxxQBHiT9oqdVNct7B3ipLu3w4FaPvz+1Srns2F1H+hTFisvQ1F/bp
    zdNX2cFs5LqQjmf2m5BBgj+OJIg/yxUWFYAJes4I53vGwWCZA8zpAh+zYX/xYQ58
    jNzjADRiHeFUhYQpmO7g2c/+cfADUKl/rQgUyhUvbLLz85YS8yMm48yUIk5Anp5U
    UFrqItLnuvqQvDUkVBEf227NZL1BkHEPdqLF13kyzdgr7bhuTD27L+dmxkkXm1JW
    GEKH9K4yWVU73ALyAdDcxtg543EUCsoQAfHqL6aeS2z/YloV/SKX30s6ycXLDDV9
    SPtkQDJKijmM9enNvdJX+oMfHamb5tx2wnU/9e9oidux/oHAIe3KYTuF3kfvz7YC
    02Y671QgoOj6MHUiHpSJOgCoGEfA79UqgTw7
    -----END CERTIFICATE-----


    ➜  pki git:(master) ✗ ls
    ca-cert.pem  ca-key.pem  create_databag.sh  README.md  wildcard.crt  wildcard.key

    ➜  pki git:(master) ✗ certtool --certificate-info --infile wildcard.crt
    X.509 Certificate Information:
        Version: 3
        Serial Number (hex): 532a97e5
        Issuer: C=CZ,O=xxx,OU=PROJECTyy.L=Prague,ST=Prague,CN=ca.projectyy.xxx
        Validity:
            Not Before: Thu Mar 20 07:25:27 UTC 2014
            Not After: Sun Mar 17 07:25:33 UTC 2024
        Subject: C=CZ,O=xxx,OU=yy.DEV,L=Prague,ST=Prague,CN=wildcard
        Subject Public Key Algorithm: RSA
        Certificate Security Level: Normal
            Modulus (bits 2432):
                00:b2:f5:eb:10:a5:6d:ec:ad:e2:a7:21:a2:6a:16:60
                af:a2:18:4d:f3:8c:53:5d:ae:82:b8:52:76:f5:a4:a7
                1f:2f:1e:a9:46:ed:16:fc:34:4b:17:57:f3:d2:10:45
                56:a5:44:0c:fe:5a:bb:2f:3f:ae:ec:a5:da:fb:74:c5
                19:82:51:5f:74:a8:4b:1e:45:9b:09:ae:c8:e1:10:51
                ea:ab:17:cf:22:09:d6:ab:1d:2e:bc:e6:44:99:50:41
                1a:38:f4:4f:d4:6d:e3:b7:3a:96:c3:c8:af:57:c3:1c
                de:d1:96:53:65:72:31:21:4c:fd:f0:05:f5:b8:4e:b6
                6f:17:ec:68:67:1f:99:da:b6:64:29:d3:45:fd:b4:70
                6e:65:bf:a6:98:7b:bf:2b:88:80:f9:4c:13:75:94:34
                42:4b:6b:b7:46:f1:9c:75:68:2f:e4:e0:ac:0a:2f:30
                7e:e8:21:80:47:63:d9:91:ce:c9:4f:56:0e:0f:0f:95
                85:41:c5:6b:6b:c3:6e:e8:ec:08:f9:5c:86:3f:59:08
                88:42:8a:cd:fe:57:12:47:95:7f:53:3f:28:88:fd:cb
                f0:19:bd:71:41:c9:7e:80:c3:44:9e:7d:bf:49:d5:94
                11:52:d6:70:f3:06:1c:5d:63:7c:9b:16:ae:19:af:9f
                d7
            Exponent (bits 24):
                01:00:01
        Extensions:
            Basic Constraints (critical):
                Certificate Authority (CA): FALSE
            Key Purpose (not critical):
                TLS WWW Client.
                TLS WWW Server.
            Subject Alternative Name (not critical):
                DNSname: *.projectyy.xxx
                DNSname: *.yy.dev
                DNSname: *.yy.test
                DNSname: *.yy.prod
                DNSname: *.yy.ci
            Subject Key Identifier (not critical):
                689e022ec5e70d01bd2b7c278374fec80c5a3653
            Authority Key Identifier (not critical):
                93aa99b6e30ea4a37539c0a0bd946883ddeaa134
            CRL Distribution points (not critical):
                URI: https://ca.projectyy.xxx/crl
        Signature Algorithm: RSA-SHA256
        Signature:
            bb:1d:e4:42:db:03:46:77:eb:12:ec:aa:89:2c:7e:38
            d5:d6:9a:18:b8:4e:77:54:cb:7e:8c:aa:a1:c4:22:71
            38:83:cb:d3:cf:92:fa:a1:2e:4d:97:79:02:56:4c:ce
            81:ab:29:53:c0:b2:cb:16:47:35:8a:f4:87:3f:2d:a0
            b8:b8:90:54:b3:dc:aa:18:21:ca:c8:2c:e5:14:d2:83
            a9:7c:ef:09:dc:16:5f:03:35:b8:1b:fc:0f:05:90:ed
            2e:d7:87:0a:ee:2c:33:13:2b:9e:85:08:89:c5:a9:64
            ec:f0:da:81:5e:9b:5c:b5:bb:9d:e6:49:c8:34:7b:c4
            89:5f:56:8a:1d:dd:b2:ee:37:4e:e8:d4:f0:32:05:88
            a2:10:4a:26:c8:c0:ac:1b:74:a7:79:3b:e8:ae:4b:17
            c3:56:a7:01:f3:42:05:05:7b:3e:2f:dc:4a:e1:79:48
            dd:07:af:91:35:aa:9e:93:3c:4d:45:01:f0:14:3f:83
            53:85:32:8e:8d:2d:f4:4f:46:a0:eb:4f:de:e0:55:5b
            aa:fc:fd:e8:42:a3:85:8f:ff:87:fc:ff:e8:d2:f0:84
    Other Information:
        MD5 fingerprint:
            5a896a52c5e8032c5b35e1549000dd99
        SHA-1 fingerprint:
            f4399c39c4b2ad1a5ef159510d4a2cc152c69e84
        Public Key Id:
            689e022ec5e70d01bd2b7c278374fec80c5a3653

    -----BEGIN CERTIFICATE-----
    MIIEkDCCA0igAwIBAgIEUyqX5TANBgkqhkiG9w0BAQsFADBsMQswCQYDVQQGEwJD
    WjEMMAoGA1UEChMDSUJNMRIwEAYDVQQLEwlQUk9KRUNUS0IxDzANBgNVBAcTBlBy
    YWd1ZTEPMA0GA1UECBMGUHJhZ3VlMRkwFwYDVQQDExBjYS5wcm9qZWN0a2IuaWJt
    MB4XDTE0MDMyMDA3MjUyN1oXDTI0MDMxNzA3MjUzM1owYTELMAkGA1UEBhMCQ1ox
    DDAyy.NVBAoTA0lCTTEPMA0GA1UECxMGS0ItREVWMQ8wDQYDVQQHEwZQcmFndWUx
    DzANBgNVBAgTBlByYWd1ZTERMA8GA1UEAxMId2lsZGNhcmQwggFSMA0GCSqGSIb3
    iP3L8Bm9cUHJfoDDRJ59v0nVlBFS1nDzBhxdY3ybFq4Zr5/XAgMBAAGjgeQwgeEw
    DAYDVR0TAQH/BAIwADAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwQwYD
    VR0RBDwwOoIPKi5wcm9qZWN0a2IuaWJtgggqLmtiLmRldoIJKi5rYi50ZXN0ggkq
    LmtiLnByb2SCByoua2IuY2kwHQYDVR0OBBYEFGieAi7F5w0BvSt8J4N0/sgMWjZT
    MB8GA1UdIwQYMBaAFJOqmbbjDqSjdTnAoL2UaIPd6qE0MC0GA1UdHwQmMCQwIqAg
    oB6GHGh0dHBzOi8vY2EucHJvamVjdGtiLmlibS9jcmwwDQYJKoZIhvcNAQELBQAD
    ggExALsd5ELbA0Z36xLsqoksfjjV1poYuE53VMt+jKqhxCJxA2jXuaXzFdMAzFnT
    AlZMzoGrKVPAsssWRzWK9Ic/LaC4uJBUs9yqGCHKyCzlFNKD6wrxejMkY8jpMvv7
    b8MHncS847YsRKsTquyAeVscgMCpfO8J3BZfAzW4G/wPBZDtLteHCu4sMxMrnoUI
    icWpZOzw2oFem1y1u53mScg0e8SJX1aKHd2y7jdO6NTwMgWIohBKJsjArBt0p3k7
    6K5LF8NWpwHzQgUFez4v3ErheUjdB6+RNaqekzxNRQHwFD+DU4Uyjo0t9E9GoOtP
    3uBVW6r8/ehCo4WP/4f8/+jS8IQ=
    -----END CERTIFICATE-----
Raw
gnutls-certtool.SERVICE.template
#Service Certificates
# X.509 Certificate options
#
# DN options
# The organization of the subject.
organization = "mirantis"
# The organizational unit of the subject.
unit = "devops"
# The state of the certificate owner.
state = "Prague"
# The country of the subject. Two letter code.
country = CZ
# The common name of the certificate owner.
cn = "wildcard"
# A user id of the certificate owner.
#uid = "scertowner"
# The serial number of the certificate. Should be incremented each time a new certificate is generated.
#serial = 007
# In how many days, counting from today, this certificate will expire.
expiration_days = 3650
# X.509 v3 extensions
# DNS name(s) of the server
dns_name = "*.local"
dns_name = "*.ci.local"
dns_name = "*.ci.dev"
dns_name = "*.ci.test"
dns_name = "*.ci.staging"
# (Optional) Server IP address
#ip_address = "192.168.1.1"
# Whether this certificate will be used for a TLS server
tls_www_server
# Whether this certificate will be used to encrypt data (needed
# in TLS RSA ciphersuites). Note that it is preferred to use different
# keys for encryption and signing.
encryption_key
@bernhardreiter
Copy link

To get a webserver certificate which Chromium (seen with v98) accepted with TLSv1.3 I had to add the following options to gnutls-certtool.SERVICE.template (I haven't tested if both of them are necessary).

# Whether this certificate will be used to sign data (needed
# in TLS DHE ciphersuites). This is the digitalSignature flag
# in RFC5280 terminology.
signing_key
# The nonRepudiation flag of RFC5280. Its purpose is loosely
# defined. Not use it unless required by a protocol.
non_repudiation

Otherwise chromium stopped connecting with ERR_SSL_KEY_USAGE_INCOMPATIBLE (with protocol TLSv1.3 allowed in nginx.)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment