|
|
@@ -43,3 +43,60 @@ tunasync
|
|
|
- [ ] config file structure
|
|
|
- [ ] support multi-file configuration (`/etc/tunasync.d/mirror-enabled/*.conf`)
|
|
|
|
|
|
+## Generate Self-Signed Certificate
|
|
|
+
|
|
|
+Fisrt, create root CA
|
|
|
+
|
|
|
+```
|
|
|
+openssl genrsa -out rootCA.key 2048
|
|
|
+openssl req -x509 -new -nodes -key rootCA.key -days 365 -out rootCA.crt
|
|
|
+```
|
|
|
+
|
|
|
+Create host key
|
|
|
+
|
|
|
+```
|
|
|
+openssl genrsa -out host.key 2048
|
|
|
+```
|
|
|
+
|
|
|
+Now create CSR, before that, write a `req.cnf`
|
|
|
+
|
|
|
+```
|
|
|
+[req]
|
|
|
+distinguished_name = req_distinguished_name
|
|
|
+req_extensions = v3_req
|
|
|
+
|
|
|
+[req_distinguished_name]
|
|
|
+countryName = Country Name (2 letter code)
|
|
|
+countryName_default = CN
|
|
|
+stateOrProvinceName = State or Province Name (full name)
|
|
|
+stateOrProvinceName_default = BJ
|
|
|
+localityName = Locality Name (eg, city)
|
|
|
+localityName_default = Beijing
|
|
|
+organizationalUnitName = Organizational Unit Name (eg, section)
|
|
|
+organizationalUnitName_default = TUNA
|
|
|
+commonName = Common Name (server FQDN or domain name)
|
|
|
+commonName_default = <server_FQDN>
|
|
|
+commonName_max = 64
|
|
|
+
|
|
|
+[v3_req]
|
|
|
+# Extensions to add to a certificate request
|
|
|
+basicConstraints = CA:FALSE
|
|
|
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
|
|
|
+subjectAltName = @alt_names
|
|
|
+
|
|
|
+[alt_names]
|
|
|
+DNS.1 = <server_FQDN_1>
|
|
|
+DNS.2 = <server_FQDN_2>
|
|
|
+```
|
|
|
+
|
|
|
+Substitute `<server_FQDN>` with your server's FQDN, then run
|
|
|
+
|
|
|
+```
|
|
|
+openssl req -new -key host.key -out host.csr -config req.cnf
|
|
|
+```
|
|
|
+
|
|
|
+Finally generate and sign host cert with root CA
|
|
|
+
|
|
|
+```
|
|
|
+openssl x509 -req -in host.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out host.crt -days 365 -extensions v3_req -extfile req.cnf
|
|
|
+```
|
bigeagle