author: Graham Hagger <g.hagger@gmail.com> 2010-10-22 14:31:09 -0400
committer: Graham Hagger <g.hagger@gmail.com> 2010-10-22 14:31:09 -0400
commit: 416162c37c0b30cf42db1b7bd86bf5e15ff61284 (patch)
tree: f72db3e35fb460eb91cbafd1ea8dda19dfc83cb0
parent: a845a6d856f60876967258dfd5c39f8f97e8afd2 (diff)
added some docs for sslca
-rw-r--r-- doc/server/plugins/generators/sslca.txt | 53
1 files changed, 53 insertions, 0 deletions
diff --git a/doc/server/plugins/generators/sslca.txt b/doc/server/plugins/generators/sslca.txt
new file mode 100644
index 000000000..17f936ffc
--- /dev/null
+++ b/doc/server/plugins/generators/sslca.txt
@@ -0,0 +1,53 @@
+=====
+SSLCA
+=====
+
+SSLCA is a simple generator plugin designed to handle creation of
+SSL private keys and certificates on request.
+
+At present, only the following file locations are supported, and thus
+only a single key and certifcate will be generated:
+
+* /etc/pki/tls/private/localhost.key
+* /etc/pki/tls/certs/localhost.crt
+
+While this could be seen as very limiting, SSLCA does support any aliases
+specified in clients.xml. Any aliases will be added to the cert under the
+subjectAltName extension.
+
+
+Interacting with SSLCA
+======================
+
+* Pre-seeding with existing keys/certs -- Currently existing keys/certs
+ will be overwritten by new, sslca-managed ones by default. Pre-existing
+ files can be added to the repository by putting them in
+ <repo>/SSLCA/<filename>.H_<hostname>
+
+* Revoking existing keys -- deleting <repo>/SSLCA/\*.H_<hostname>
+ will remove files for an existing client.
+
+
+Getting started
+===============
+
+#. Add SSLCA to the **plugins** line in ``/etc/bcfg2.conf`` and
+ restart the server -- This enables the SSLCA plugin on the Bcfg2
+ server.
+
+#. Add Path entries for ``/etc/pki/tls/private/localhost.key``, and
+ ``/etc/pky/tls/certs/localhost.crt``, etc to a bundle or base.
+
+#. Add a [sslca] section to ``/etc/bcfg2.conf`` contaning the following
+ information:
+
+ ca_cert - location of the CA certificate
+ ca_key - CA private key
+ ca_key_passphrase - Passphrase (if any) needed to use the CA private key
+ cert_subject - Additional subject info for the resulting certificates, CN
+ will always be the bcfg2 clients hostname.
+ cert_days - number of days from generation that cert should be valid.
+ pkey_bits - number of bits for the private key.
+
+#. Enjoy.
+
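Review bot: the "Revoking existing keys" bullet (the second item under "Interacting with SSLCA") only describes deleting `<repo>/SSLCA/\*.H_<hostname>` and says this "will remove files for an existing client"; it does not state whether the previously issued certificate is actually revoked by the CA (for example through a CRL) or merely regenerated on the client's next run. Please either document the revocation mechanism or retitle the bullet to "Regenerating existing keys/certs", since a reader may otherwise assume a compromised key is invalidated by this step. Related, the preceding bullet says existing keys/certs "will be overwritten by new, sslca-managed ones by default"; it would help to spell out that this applies to keys present on the client that are not pre-seeded in the repository, so operators know to pre-seed before enabling the Path entries. In the "Getting started" section, the `[sslca]` option list (`ca_cert` through `pkey_bits`) is not marked up as a literal block, so under reStructuredText it will render as one run-on paragraph; introduce it with `::` and indent it, and consider noting that `ca_key_passphrase` is stored in clear text in `/etc/bcfg2.conf`, so that file's permissions protect the CA key. Typos to fix: "certifcate" (intro), "/etc/pky/tls/certs/localhost.crt" should be "/etc/pki/tls/certs/localhost.crt" to match the path given earlier, "contaning", and "the bcfg2 clients hostname" should read "the bcfg2 client's hostname".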