Commit 3e8090d1 authored by Botond Botyanszki's avatar Botond Botyanszki

Some polish.

parent d80acf04
......@@ -3,8 +3,17 @@ These scripts are to help with certificate generation using the openssl tool.
The `gencert.cnf` configuration file contains the needed X509 extensions so that the certificates will be generated properly.
* `genca.sh` - generate the CA certificate and private key.
* `gencert-client.sh` - generate the client certificate signed by the CA cert to be imported into the Windows' certificate store. This generates a `client.pfx` that can can be used for the import.
* gencert-server.sh - generate the server certificate and private key to be used by the im_wseventing module.
* `gencert-client.sh` - generate the client certificate signed by the CA cert to be imported into the Windows' certificate store. This generates a `client.pfx` that can can be used for the import. It will ask for a password for the pfx file.
* `gencert-server.sh` - generate the server certificate and private key to be used by the im_wseventing module. Use the FQDN of the host as the first argument, e.g. `./gencert-server.sh nxlogserver.domain.corp`
You may want to edit these files to suit your needs.
Make sure to check what was generated with
```
$ openssl x509 -text -in server-cert.pem
$ openssl x509 -text -in client-cert.pem
```
For more details on the actual WEF setup see the [im_wseventing documentation](https://nxlog.co/documentation/nxlog-user-guide/#im_wseventing).
......
#!/bin/sh
CLIENTSUBJ="/CN=client.example.com/O=nxlog.org/C=HU/ST=state/L=location"
if test x$1 != x; then
CLIENTNAME = $1;
else
CLIENTNAME="winclient.domain.corp"
fi
CLIENTSUBJ="/CN=$CLIENTNAME/O=nxlog.org/C=HU/ST=state/L=location"
CERTDIR=.
openssl req -new -newkey rsa:2048 -nodes -keyout client-key.pem -out req.pem -batch -subj "$CLIENTSUBJ" -config gencert.cnf
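Review bot: `CLIENTNAME = $1;` in the argument branch is not an assignment in sh. With spaces around `=` the shell tries to run a command named `CLIENTNAME`, so the variable stays unset and the subject is built with an empty CN whenever a name is passed on the command line. It should read `CLIENTNAME="$1"`, and the guard is safer as `if [ -n "$1" ]; then` so that an argument containing spaces or glob characters cannot break the test. The same pattern appears as `SERVERNAME = $1;` in what looks like the server script's section, where the empty value would also reach the printed Subscription Manager string. The script continues beyond the lines shown here.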
......
......@@ -3,14 +3,21 @@
if test x$1 != x; then
SERVERNAME = $1;
else
SERVERNAME="server.example.com"
SERVERNAME="nxlogserver.domain.corp"
fi
SERVERSUBJ="/CN=/O=nxlog.org/C=HU/ST=state/L=location"
ISSUERCA=`openssl x509 -in ca-cert.pem -noout -sha1 -fingerprint |sed s/^SHA1\ Fingerprint=//|sed s/://g`
SERVERSUBJ="/CN=$SERVERNAME/O=nxlog.org/C=HU/ST=state/L=location"
CERTDIR=.
openssl req -new -newkey rsa:2048 -nodes -keyout server-key.pem -out req.pem -batch -subj "$SERVERSUBJ" -config gencert.cnf
openssl x509 -req -days 1024 -in req.pem -CA ca-cert.pem -CAkey ca-key.pem -out server-cert.pem -set_serial 01 -extensions server_cert -extfile gencert.cnf
rm -f req.pem
openssl x509 -outform der -in server-cert.pem -out server-cert.crt
\ No newline at end of file
openssl x509 -outform der -in server-cert.pem -out server-cert.crt
echo
echo
echo "Use the following for the Subscription Manager string:"
echo "Server=HTTPS://$SERVERNAME:5985/wsman/,Refresh=14400,IssuerCA=$ISSUERCA"
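Review bot: The `ISSUERCA=` line depends on the exact `SHA1 Fingerprint=` label, and nothing checks that a value was actually produced. The case of that label differs between OpenSSL releases. If `ca-cert.pem` is missing or unreadable, the script still prints a Subscription Manager string with an empty or unstripped `IssuerCA=`, which an operator may paste into policy unchanged. Stripping everything up to the `=` is more tolerant: `ISSUERCA=$(openssl x509 -in ca-cert.pem -noout -sha1 -fingerprint | sed 's/^.*=//; s/://g')`, followed by `[ -n "$ISSUERCA" ] || exit 1`. The hunk starts at line 3 of the file, so the top of the script is not visible here.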