docs: add doc to generate self-signed certs

not-seven · Apr 30, 2016 · d735b1e · d735b1e
1 parent 33611ce
commit d735b1e
Showing 1 changed file with 57 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -43,3 +43,60 @@ tunasync
 - [ ] config file structure
 	- [ ] support multi-file configuration (`/etc/tunasync.d/mirror-enabled/*.conf`)
 
+## Generate Self-Signed Certificate
+
+Fisrt, create root CA
+
+```
+openssl genrsa -out rootCA.key 2048
+openssl req -x509 -new -nodes -key rootCA.key -days 365 -out rootCA.crt
+```
+
+Create host key
+
+```
+openssl genrsa -out host.key 2048
+```
+
+Now create CSR, before that, write a `req.cnf`
+
+```
+[req]
+distinguished_name = req_distinguished_name
+req_extensions = v3_req
+
+[req_distinguished_name]
+countryName = Country Name (2 letter code)
+countryName_default = CN
+stateOrProvinceName = State or Province Name (full name)
+stateOrProvinceName_default = BJ
+localityName = Locality Name (eg, city)
+localityName_default = Beijing
+organizationalUnitName  = Organizational Unit Name (eg, section)
+organizationalUnitName_default  = TUNA
+commonName = Common Name (server FQDN or domain name)
+commonName_default = <server_FQDN>
+commonName_max  = 64
+
+[v3_req]
+# Extensions to add to a certificate request
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+subjectAltName = @alt_names
+
+[alt_names]
+DNS.1 = <server_FQDN_1>
+DNS.2 = <server_FQDN_2>
+```
+
+Substitute `<server_FQDN>` with your server's FQDN, then run
+
+```
+openssl req -new -key host.key -out host.csr -config req.cnf
+```
+
+Finally generate and sign host cert with root CA
+
+```
+openssl x509 -req -in host.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out host.crt -days 365 -extensions v3_req -extfile req.cnf
+```