/openssl_ca_config

Configuration and script to manage a CA with openssl

OpenSSL Config

This project is a basic OpenSSL configuration for managing your domains through CA certificates.

This configuration allows you to create a root CA certificate, which can then sign sub CA certificates that can be trusted because they are restricted to specific domains. It still allows you to sign any domain thanks to the root CA, which isn't restricted.

/!\ As the root CA isn't restricted to a domain, it should not be distributed to people for them to trust it. It's better to distribute sub CAs, which are restricted. /!\
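
The difference between the unrestricted root and a restricted sub CA can be checked on a throwaway PKI. The script below is an added example, not one of this project's scripts: it assumes the domain restriction is expressed with the X.509 nameConstraints extension, and example.test, other.test, demo.cnf and the function names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example; example.test, other.test and all file names are constructed.
# Assumption: the sub CA's domain restriction is an X.509 nameConstraints extension.
# Build a throwaway root CA, a sub CA limited to example.test, and three leaves.
build_demo_pki() (
  cd "$1" || exit 1
  cat > demo.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[root_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[sub_ca]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
nameConstraints = critical, permitted;DNS:example.test
[in_domain]
subjectAltName = DNS:www.example.test
[out_of_domain]
subjectAltName = DNS:www.other.test
EOF
  newreq() { openssl req -new -newkey rsa:2048 -nodes -config demo.cnf \
    -subj "/CN=$1" -keyout "$1.key" -out "$1.csr" 2>/dev/null; }
  # sign <csr> <issuing CA> <extension section> <output name>
  sign() { openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" \
    -CAcreateserial -days 1 -extfile demo.cnf -extensions "$3" \
    -out "$4.crt" 2>/dev/null; }
  openssl req -x509 -newkey rsa:2048 -nodes -config demo.cnf -subj "/CN=root" \
    -extensions root_ca -days 1 -keyout root.key -out root.crt 2>/dev/null &&
  newreq sub && sign sub root sub_ca sub &&
  newreq leaf &&
  sign leaf sub in_domain ok &&           # sub CA, name inside its constraint
  sign leaf sub out_of_domain bad &&      # sub CA, name outside its constraint
  sign leaf root out_of_domain viaroot    # same name, issued by the root itself
)

# Exit status 0 only if <dir>/<name>.crt chains to the root (sub CA untrusted).
verify_leaf() { openssl verify -CAfile "$1/root.crt" -untrusted "$1/sub.crt" \
  "$1/$2.crt" >/dev/null 2>&1; }

dir=$(mktemp -d)
build_demo_pki "$dir"
for c in ok bad viaroot; do
  verify_leaf "$dir" "$c" && echo "$c: accepted" || echo "$c: rejected"
done
rm -rf "$dir"
```

The out-of-domain certificate is rejected when it comes from the sub CA but accepted when the root signs it directly, which is why the sub CA is the safer certificate to hand out.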

Root CA Certificate

Root CA certificate management needs to be done in the rootCA/ folder.

To learn how to manage it, please refer to the dedicated README. You can also find this information in the wiki.

Sub CA Certificate

An example of sub CA certificate management is given in the folder webCA/.

To learn how to manage it, please refer to the dedicated README. You can also find this information in the wiki.

Note: This sub CA certificate was first issued using the Root CA certificate. See Root CA Certificate to learn how to do this.

OCSP server

In order to distribute information about valid certificates, you may want to use an OCSP server.

An example is given for both the root CA and the sub CA showing how to issue the OCSP certificate needed for the server.

Then you need to install the script that keeps the OCSP servers running, and the init script that launches it.

sudo cp install/ocsp.sh /root/
sudo cp install/ocsp /etc/init.d/
sudo insserv ocsp

You can now start the server:

sudo service ocsp start