From 9a4fe03c186bb403debc7022885d5201cf0b69c5 Mon Sep 17 00:00:00 2001 From: rsiddharth Date: Mon, 3 Feb 2020 17:34:01 -0500 Subject: README.md: Update 'How to use the signing script' section. Update this section to reflect the ACME v2 version of the `sign_csr.py` script. --- README.md | 37 ++++++++++++++++--------------------- 1 file changed, 16 insertions(+), 21 deletions(-) diff --git a/README.md b/README.md index 4b8d939..57d4f28 100644 --- a/README.md +++ b/README.md @@ -56,7 +56,7 @@ already have user account key with Let's Encrypt, you can skip this step. ```sh -openssl genrsa 4096 > user.key +openssl genrsa -aes256 4096 > user.key openssl rsa -in user.key -pubout > user.pub ``` 
@@ -67,39 +67,34 @@ and CSR for your domain, you can skip this step. ```sh #Create a CSR for example.com -openssl genrsa 4096 > domain.key +openssl genrsa -aes256 4096 > domain.key openssl req -new -sha256 -key domain.key -subj "/CN=example.com" > domain.csr #Alternatively, if you want both example.com and www.example.com -openssl genrsa 4096 > domain.key +openssl genrsa -aes256 4096 > domain.key openssl req -new -sha256 -key domain.key -subj "/" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:example.com,DNS:www.example.com")) > domain.csr ``` Third, you run the script using python and passing in the path to your user -account public key and the domain CSR. The paths can be relative or absolute. -By default the script will ask you to start a webserver on port 80. If you -already have one, use the `--file-based` option instead. +account private key, email address, and the domain CSR. The paths can be +relative or absolute. ```sh -python3 sign_csr.py --public-key user.pub domain.csr > signed.crt +python3 sign_csr.py --account-key user.key --email mail@example.com domain.csr > signed.crt ``` -When you run the script, it will ask you do do some manual commands. It has to -ask you to do these because it doesn't know your private key or have access to -your server. You can edit the manual commands to fit your situation (e.g. if -your sudo user is different or private key is in a different location). +When you run the script, it will: -NOTE: When the script asks you to run these manual commands, you need to run -them in a separate terminal window. You need to keep the script open while you -run them. They sign temporary test files that the script created, so if you exit -or continue the script before you run the commands, those test files will be -destroyed before they can be used correctly (and you'll have to run the script -again). + - Register you with Let's Encrypt using the email address. 
-The `*.json` and `*.sig` files are temporary files automatically generated by -the script and will be destroyed when the script stops. They only contain the -protocol requests and signatures. They do NOT contain your private keys -because this script does not have access to your private keys. + - If the `user.key` is encrypted, openssl will ask for the passphrase every time + the private key is used for signing requests or data. + + - Ask you to provision a HTTP resource on your web server for the domain for + the ACME HTTP challenge. + + - Will write the certificate to `signed.crt` if ACME HTTP challenge is + successful. ### Help text ``` -- cgit v1.2.3
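Review bot: the switch to `openssl genrsa -aes256 4096 > user.key` in the first hunk makes the account key passphrase-protected, and `genrsa -aes256` prompts for (and confirms) that passphrase interactively at generation time; nothing in the hunk says so, and the only mention of a prompt is the later bullet about signing-time use. Suggest a one-line note right after the fence, e.g. "You will be asked to choose a passphrase; the script asks for it again whenever it signs a request with `user.key`."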
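Review bot: in the second hunk, `openssl genrsa -aes256 4096 > domain.key` encrypts the domain private key as well, but unlike `user.key` that key is loaded by the web server, not by `sign_csr.py`, so an encrypted `domain.key` will prompt for its passphrase every time the server starts or reloads; either document that trade-off next to the CSR commands or leave the domain key unencrypted as it was. Two smaller points in the same hunk: the bullet `- Will write the certificate to \`signed.crt\` if ACME HTTP challenge is` repeats "will" after the lead-in "When you run the script, it will:", so drop the leading "Will" and write "an HTTP resource" and "the ACME HTTP challenge"; and the bullet about openssl asking for the passphrase is a side note rather than a step the script performs, so it reads better as a sentence after the list. Also, the deleted sentence about `--file-based` was the only guidance for users who already have a web server on port 80; if the ACME v2 script still supports that mode, keep a pointer to it.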