gen_server_cert.sh is used once for generating the server certificate.
gen_client_cert.sh is used repeatedly for creating client certificates.
Their usage is described below.
WARNING: Self-signed certificates are of course not considered trustworthy
by web browsers and operating systems, so they are only suitable for testing.
The generated server and client certificates have to be signed by a Certificate Authority (CA). For production use, a trusted CA should always be used. For testing purposes, though, a self-signed CA-like certificate will do. The easiest, but least secure, way is to use the pre-generated CA-like certificate and private key from the files ca.pem and ca.key available in the JetConf repository (subdirectory utils/cert_gen). Alternatively, the CA-like certificate and key can be generated using the procedure below.
Some parameters of the certificate have to be filled in. They are not terribly important for testing purposes. For example:
Country Name (2 letter code) [AU]:CZ
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) :
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Example CA
Organizational Unit Name (eg, section) :exca.cz
Common Name (e.g. server FQDN or YOUR name) :firstname.lastname@example.org
Email Address :email@example.com
To generate a new server certificate for JetConf that will be accepted even by
the more pedantic web browsers like Chrome, just run the provided gen_server_cert.sh script.
The script can be used in one of the two following ways:
In this case, the name of the private key file to be used is passed to the script as the <server_key> argument.
The script autodetects whether the certificate is being issued for a domain
name or an IP address (<domain/ip>) and sets the appropriate SAN (Subject Alternative Name) value.
For example, this command will create a certificate named server_example.crt
for the example.com domain with a new private key server_example.key:
$ ./gen_server_cert.sh example example.com
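The following is an added example, not JetConf's own gen_server_cert.sh, showing how a script of this kind can decide between a DNS and an IP Subject Alternative Name and sign the certificate with the CA-like certificate and key (ca.pem and ca.key, as named above). The function names, the IPv4-only detection rule, the extension settings and the 365-day validity are this example's assumptions, not JetConf's.

```shell
#!/bin/sh
# Added example (not the JetConf script): SAN type detection plus a CA-signed
# server certificate. Assumes ca.pem/ca.key in the current directory.

# Print "IP" if $1 is a dotted-quad IPv4 address with octets 0..255,
# "DNS" otherwise. IPv6 literals are not handled ("::1" is reported as DNS).
san_type() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*) echo DNS; return ;;
    esac
    # only digits and dots remain: require exactly four fields, each 0..255
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ "$#" -eq 4 ] || { echo DNS; return; }
    for o in "$@"; do
        [ "${#o}" -le 3 ] && [ "$o" -le 255 ] || { echo DNS; return; }
    done
    echo IP
}

# Write an OpenSSL x509 v3 extension file for host $1 to file $2.
# Browsers such as Chrome require the name to appear in subjectAltName.
write_san_ext() {
    name=$1; out=$2
    {
        echo "basicConstraints = CA:FALSE"
        echo "keyUsage = digitalSignature, keyEncipherment"
        echo "extendedKeyUsage = serverAuth"
        echo "subjectAltName = $(san_type "$name"):$name"
    } > "$out"
}

# issue_server_cert <name> <domain/ip> [<server_key>]
# Generates server_<name>.key unless an existing key file is given as the
# third argument, then issues server_<name>.crt signed by ca.pem/ca.key.
issue_server_cert() {
    name=$1; host=$2; key=${3:-"server_$name.key"}
    [ -f "$key" ] || openssl genrsa -out "$key" 2048
    openssl req -new -key "$key" -subj "/CN=$host" -out "server_$name.csr"
    write_san_ext "$host" "server_$name.ext"
    openssl x509 -req -in "server_$name.csr" -CA ca.pem -CAkey ca.key \
        -CAcreateserial -days 365 -extfile "server_$name.ext" \
        -out "server_$name.crt"
    # Check that the SAN really ended up in the issued certificate.
    openssl x509 -in "server_$name.crt" -noout -ext subjectAltName
}

# Usage: sh this_script.sh <name> <domain/ip> [<server_key>]
if [ "$#" -ge 2 ]; then
    issue_server_cert "$@"
fi
```

Running it as `sh this_script.sh example 192.168.1.10` yields `subjectAltName = IP:192.168.1.10` in the extension file, while `example.com` yields `DNS:example.com`; the final openssl call prints the SAN of the issued certificate so a mismatch is visible immediately.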
If you want this certificate to be accepted by your web browser,
the issuing CA's certificate needs to be imported to your browser.
WARNING: It is strongly recommended not to import the provided CA's
certificate (ca.pem) into your production browser, as its private key is
publicly known. If you do so, someone could perform a MITM attack on
any connection to an SSL-protected website.
The gen_client_cert.sh script is intended for generating client certificates signed by the previously created CA-like certificate.
The script is used simply as follows:
$ ./gen_client_cert.sh <email_address>
The email address passed as the argument is used as both the emailAddress and commonName DN attributes of the client certificate. The email address also identifies the client to the JetConf server.
For example, the command
$ ./gen_client_cert.sh firstname.lastname@example.org
will generate the following files:
email@example.com - the client certificate
firstname.lastname@example.org - the client private key
email@example.com_curl.pfx - the previous two files combined and protected by a password. Some utilities, such as curl, expect the client certificate in this so-called PKCS#12 format. In case you are wondering, the password is again the email address, i.e. firstname.lastname@example.org in this case.
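Because the JetConf server identifies the client by the email address in the certificate, a practitioner will want to confirm that an issued client certificate really carries that identity and chains to the CA-like certificate. The following added example (not JetConf's gen_client_cert.sh) does that; the function names and the use of ca.pem in the current directory are this example's assumptions.

```shell
#!/bin/sh
# Added example (not the JetConf script): verify the identity in a client
# certificate and its chain to ca.pem. Requires the openssl command.

# Extract attribute $2 (e.g. CN or emailAddress) from an OpenSSL RFC 2253
# subject line $1 such as
#   subject=emailAddress=joe@example.com,CN=joe@example.com
# Values containing escaped commas are not handled by this simple parser.
dn_attr() {
    printf '%s\n' "${1#subject=}" | tr ',' '\n' | sed -n "s/^ *$2=//p" | head -n 1
}

# check_client_cert <cert.pem> <email>
# Succeeds only if both CN and emailAddress equal <email> and the certificate
# validates against ca.pem; prints the reason on failure.
check_client_cert() {
    cert=$1; email=$2
    subj=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253) || return 1
    [ "$(dn_attr "$subj" CN)" = "$email" ] \
        || { echo "CN mismatch: $subj" >&2; return 1; }
    [ "$(dn_attr "$subj" emailAddress)" = "$email" ] \
        || { echo "emailAddress mismatch: $subj" >&2; return 1; }
    openssl verify -CAfile ca.pem "$cert" >/dev/null \
        || { echo "certificate does not chain to ca.pem" >&2; return 1; }
}

# Usage: sh this_script.sh <cert.pem> <email>
if [ "$#" -eq 2 ]; then
    check_client_cert "$@" && echo "OK: $1 is issued to $2 by ca.pem"
fi
```

A non-zero exit from check_client_cert means the certificate should not be handed to a JetConf client: either the identity in it differs from the one you intended to issue, or it was not signed by the CA the server trusts.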