diff options
| author | rsiddharth <s@ricketyspace.net> | 2020-02-03 17:34:01 -0500 |
|---|---|---|
| committer | rsiddharth <s@ricketyspace.net> | 2020-02-03 17:34:01 -0500 |
| commit | 9a4fe03c186bb403debc7022885d5201cf0b69c5 (patch) | |
| tree | 6b85df4a951604524607ec9ab865d16485d89cdc | |
| parent | e084c0e36a70e3d38ef888926bb75fbd37e85d4c (diff) | |
README.md: Update 'How to use the signing script' section.
Update this section to reflect the ACME v2 version of the
`sign_csr.py` script.
| -rw-r--r-- | README.md | 37 |
1 files changed, 16 insertions, 21 deletions
@@ -56,7 +56,7 @@ already have user account key with Let's Encrypt, you can skip this step. ```sh -openssl genrsa 4096 > user.key +openssl genrsa -aes256 4096 > user.key openssl rsa -in user.key -pubout > user.pub ``` @@ -67,39 +67,34 @@ and CSR for your domain, you can skip this step. ```sh #Create a CSR for example.com -openssl genrsa 4096 > domain.key +openssl genrsa -aes256 4096 > domain.key openssl req -new -sha256 -key domain.key -subj "/CN=example.com" > domain.csr #Alternatively, if you want both example.com and www.example.com -openssl genrsa 4096 > domain.key +openssl genrsa -aes256 4096 > domain.key openssl req -new -sha256 -key domain.key -subj "/" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:example.com,DNS:www.example.com")) > domain.csr ``` Third, you run the script using python and passing in the path to your user -account public key and the domain CSR. The paths can be relative or absolute. -By default the script will ask you to start a webserver on port 80. If you -already have one, use the `--file-based` option instead. +account private key, email address, and the domain CSR. The paths can be +relative or absolute. ```sh -python3 sign_csr.py --public-key user.pub domain.csr > signed.crt +python3 sign_csr.py --account-key user.key --email mail@example.com domain.csr > signed.crt ``` -When you run the script, it will ask you do do some manual commands. It has to -ask you to do these because it doesn't know your private key or have access to -your server. You can edit the manual commands to fit your situation (e.g. if -your sudo user is different or private key is in a different location). +When you run the script, it will: -NOTE: When the script asks you to run these manual commands, you need to run -them in a separate terminal window. You need to keep the script open while you -run them. They sign temporary test files that the script created, so if you exit -or continue the script before you run the commands, those test files will be -destroyed before they can be used correctly (and you'll have to run the script -again). + - Register you with Let's Encrypt using the email address. -The `*.json` and `*.sig` files are temporary files automatically generated by -the script and will be destroyed when the script stops. They only contain the -protocol requests and signatures. They do NOT contain your private keys -because this script does not have access to your private keys. + - If the `user.key` is encrypted, openssl will ask for the passphrase every time + the private key is used for signing requests or data. + + - Ask you to provision a HTTP resource on your web server for the domain for + the ACME HTTP challenge. + + - Will write the certificate to `signed.crt` if ACME HTTP challenge is + successful. ### Help text ``` |