Página inicial Explorar Ajuda
Entrar
cloudflare
/
cfssl
mirror de https://github.com/cloudflare/cfssl
Observar 1
Favorito 0
Fork 0
Arquivos Issues
Tree: f6cb3e8a12
Branches Tags
cfssl
/
doc
/
cmd
/
multiroot.txt

multiroot.txt 2.4 KB
Histórico Raw

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162 
  1. THE MULTIROOTCA PROGRAM
    2. 

  2. 

  3. The multirootca program is an authenticated-signer-only server that is
    4. 

  4. intended to be used as a remote server for cfssl instances. The
    5. 

  5. scenario it was originally intended for is
    6. 

  6. 

  7.     + running cfssl as a service on servers to generate keys
    8. 

  8.     + using multirootca as a remote signer to manage the CA keys for
    9. 

  9.       issuing certificates.
    10. 

  10. 

  11. The multirootca configuration file is an ini-style configuration file;
    12. 

  12. various examples can be found in `multirootca/config/testdata`.
    13. 

  13. 

  14.     [ primary ]
    15. 

  15.     private = file://testdata/server.key
    16. 

  16.     certificate = testdata/server.crt
    17. 

  17.     config = testdata/config.json
    18. 

  18.     nets = 10.0.2.1/24,172.16.3.1/24, 192.168.3.15/32
    19. 

  19.      
    20. 

  20.     [ backup ]
    21. 

  21.     private = file://testdata/server.key
    22. 

  22.     certificate = testdata/server.crt
    23. 

  23.     config = testdata/config.json
    24. 

  24.     dbconfig = testdata/db-config.json
    25. 

  25. 

  26. This defines two signers, labelled "primary" and "backup". These are
    27. 

  27. both using the same key, but in practice these keys will be
    28. 

  28. different. The private key format is described below. The certificate
    29. 

  29. entry points the certificate PEM file on disk, and the config entry
    30. 

  30. points to a cfssl configuration file to use for each signer; the
    31. 

  31. format of this file is described in "cfssl.txt". Optionally, a nets
    32. 

  32. entry points to a comma-separated list of networks that should be
    33. 

  33. permitted access to the signer. This list forms a whitelist; if it's
    34. 

  34. not present, all networks are whitelisted for that signer. A dbconfig
    35. 

  35. entry points to a certdb configuration file containing database 
    36. 

  36. connection details, see `certdb/README.md`.
    37. 

  37. 

  38. SPECIFYING A PRIVATE KEY
    39. 

  39. 

  40. Key specification take the form of a URL. There are currently two
    41. 

  41. supported types of keys:
    42. 

  42. 

  43.     + private key files: these are specified with the "file://"
    44. 

  44.       protocol. The rest of the URL should specify a path on disk
    45. 

  45.       where the key may be found.
    46. 

  46. 

  47.     + rofile: these are specified with the "rofile://" protocol. The
    48. 

  48.       path should point to a file that is encrypted using Red October[1].
    49. 

  49.       If this private key type is specified, the following entries must
    50. 

  50.       also be provided:
    51. 

  51. 

  52.       + ro_server: the hostname:port of the Red October server
    53. 

  53.       + ro_user: the username for the Red October server
    54. 

  54.       + ro_pass: the password for the Red October server
    55. 

  55. 

  56.       Optionally:
    57. 

  57. 

  58.       + ro_ca: this can be used to specify a CA roots file to override
    59. 

  59.         the system roots.
    60. 

  60.       
    61. 

  61. [1] https://github.com/cloudflare/redoctober
    62. 

  62.