Skip to content

Latest commit

 

History

History
 
 

certs

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
c_api_examples
c_api_examples
 
 
chain_example
chain_example
 
 
crl_example
crl_example
 
 
m2
m2
 
 
README
README
 
 
README.example
README.example
 
 
base.py
base.py
 
 
ca_openssl.cnf
ca_openssl.cnf
 
 
check_modulus.py
check_modulus.py
 
 
config_pulp_certs.cfg
config_pulp_certs.cfg
 
 
config_test_repos.cfg
config_test_repos.cfg
 
 
create_ca.py
create_ca.py
 
 
create_client_cert.py
create_client_cert.py
 
 
create_crl_sym_link.sh
create_crl_sym_link.sh
 
 
create_server_cert.py
create_server_cert.py
 
 
create_test_repos.py
create_test_repos.py
 
 
display_cert.sh
display_cert.sh
 
 
display_crl.sh
display_crl.sh
 
 
example_crl_from_candlepin.crl
example_crl_from_candlepin.crl
 
 
extensions.txt
extensions.txt
 
 
hash_crl.sh
hash_crl.sh
 
 
install.py
install.py
 
 
revoke_cert.py
revoke_cert.py
 
 
setup.sh
setup.sh
 
 
template_crl_openssl.cnf
template_crl_openssl.cnf
 
 
test_fetch.py
test_fetch.py
 
 
verify_ca_and_cert.sh
verify_ca_and_cert.sh
 
 
verify_crl.sh
verify_crl.sh
 
 
verify_revoked_cert.sh
verify_revoked_cert.sh
 
 

README

Overview:
Helper scripts to:
 1) generate a CA for apache with a CN of your server hostname
 2) generate a custom x509 entitlement cert to be used with Repo Authentication

These scripts some notes Jason Dobies posted at:
http://blog.pulpproject.org/2011/05/18/pulp-protected-repositories/

Further reference, see RepoAuth wiki:
https://fedorahosted.org/pulp/wiki/RepoAuth


Usage:
[Generate a CA with your hostname]
    ./create_ca.py

This will determine your hostname and set the CN to that.
If you want to override anything see './create_ca.py --help'

[Create a custom x509 entitlement cert]
    ./create_content_cert.py

This will use 'extensions.txt' and will add the info there into a x509 cert.
It relies on the CA previously generated.
If you want to override anything see './create_content_cert.py --help'


[Create a test pulp repo with these certs]
    ./create_test_repos.py

This will create pulp repos from 'config_test_repos.cfg' with the previously generated certs

Config:
    config_pulp_certs.cfg - This has configuration options for the script, change cert names/locations here
    config_test_repos.cfg - Config options for creating pulp repos
    template_openssl.cnf - Openssl configuration template, we'll update 'REPLACE_COMMON_NAME' with the hostname
    extensions.txt - These are the x509 extensions we'll add to the entitlement cert


Example using defaults:

./create_ca.py
Running: openssl genrsa -out ./certs/Pulp_CA.key 2048
Running: openssl req -new -x509 -days 365 -key ./certs/Pulp_CA.key -out ./certs/Pulp_CA.cert -config ./certs/openssl.cnf
CA Key: ./certs/Pulp_CA.key
CA Cert: ./certs/Pulp_CA.cert

./create_content_cert.py
Running: openssl genrsa -out ./certs/ent.key 2048
Running: openssl req -new -key ./certs/ent.key -out ./certs/ent.csr -config ./certs/openssl.cnf
Running: openssl x509 -req -days 365 -CA ./certs/Pulp_CA.cert -CAkey ./certs/Pulp_CA.key -extfile ./extensions.txt -extensions pulp-repos -in ./certs/ent.csr -out ./certs/ent.cert -CAserial ./certs/Pulp_CA.srl -CAcreateserial
Entitlement Cert: ./certs/ent.cert
Entitlement Key: ./certs/ent.key


./create_test_repos.py
Running: sudo pulp-admin repo create --id pulp_f15_i386 --feed http://repos.fedorapeople.org/repos/pulp/pulp/fedora-15/i386/ --consumer_ca ./certs/Pulp_CA.cert --consumer_cert ./certs/ent.cert --consumer_key ./certs/ent.key
Running: sudo pulp-admin repo create --id pulp_f15_x86_64 --feed http://repos.fedorapeople.org/repos/pulp/pulp/fedora-15/x86_64/ --consumer_ca ./certs/Pulp_CA.cert --consumer_cert ./certs/ent.cert --consumer_key ./certs/ent.key

The output files we care about:
CA Certificate:     certs/Pulp_CA.cert
CA Key:             certs/Pulp_CA.key
Ent Certificate:    certs/ent.cert
Ent Key:            certs/ent.key