Commit ed2d79f0 authored by Łukasz Nowak

squash! WIP README: Narrative documentation

Follow Vincent's initial review.
parent d49fb6cd
......@@ -120,7 +120,7 @@ caucase, the CRL is re-generated whenever it is requested and:
Narrative introduction
======================
caucase is powerful tool which simplifies SSL key & certificate management.
caucase is tool which simplifies SSL key & certificate management.
But as SSL is based on cryptography, and cryptography is hard topic, even
with caucase is quite hard to start. There are a lot of options, use cases
and usage scenarios.
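Review bot: the rewritten sentence in this hunk is still ungrammatical: `caucase is tool which simplifies SSL key & certificate management.` drops the article, and the next sentence needs `cryptography is a hard topic, even with caucase it is quite hard to start`. Consider `caucase is a tool which simplifies TLS key and certificate management` while touching the line, since what is managed are X.509 keys and certificates used for TLS and `SSL` is the obsolete protocol name.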
......@@ -134,26 +134,28 @@ are going to cover `caucase`_ and `caucased`_ commands.
Create virtualenv ``caucase`` and there install the tool::
mkdir caucase
virtualenv caucase
cd caucase
bin/pip install caucase
You'll see a bit of ``caucase*`` binaries in ``bin`` directory. That's good.
Create there server, user and service directories::
Create there caucased, user and service directories::
mkdir server user service
mkdir caucased user service
Before we begin, lets create two environment variables, which will ease the understanding of which side is used::
CAU=bin/caucase --ca-url http://127.0.10.1:8890 --ca-crt user/ca-crt.pem --user-ca-crt user/user-ca-crt.pem --crl user/crl --user-crl user/user-crl
CASE=
CAS=
``CAU`` is going to be used to execute Certificate Authority for Users, and ``CASE`` for Certificate Authority for SErvices. As server is going to be just running, there is no need for special environment variable.
``CAU`` is going to be used to execute Certificate Authority for Users, and ``CAS`` for Certificate Authority for SErvices. As server is going to be just running, there is no need for special environment variable.
Let's start a server, which will approve automatically one user certificate -- if you're lucky, it will be yours::
Let's start a server in separate terminal, which will approve automatically one user certificate -- if you're lucky, it will be yours::
bin/caucased --db server/caucase.sqlite --server-key server/server.key.pem --netloc 127.0.10.1:8890 --lock-auto-approve-count
bin/caucased --db caucased/caucase.sqlite --server-key caucased/server.key.pem --netloc 127.0.10.1:8890
You'll need key for yourself so lets create it::
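Review bot: the `CAU=bin/caucase --ca-url http://127.0.10.1:8890 ...` assignment in this hunk does not work as typed in a POSIX shell: without quotes, `CAU=bin/caucase` becomes an environment prefix for a command named `--ca-url`, so it should read `CAU="bin/caucase --ca-url http://127.0.10.1:8890 --ca-crt user/ca-crt.pem ..."`, and the same applies to `CAS`. `CAS=` is also still left empty although later hunks run `$CAS --send-csr service/csr.pem`, so a reader cannot follow the walkthrough; it presumably needs the analogue of the `CAU` line with paths under `service/`. Finally, the `caucased` command line drops `--lock-auto-approve-count` while the sentence above still says the server `will approve automatically one user certificate -- if you're lucky, it will be yours`; say where that count comes from now, and state plainly that whoever submits the first user CSR becomes the approver for this CA, so the operator should submit their own CSR right after starting the server and before anyone else can reach the netloc.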
......@@ -167,7 +169,7 @@ It will return its id and path, so fetch it with the id::
$CAU --mode user --send-csr user/client.csr.pem --get-crt <user-cert-id> user/client.key.pem
Voila, you have your key signed by caucase you started, and you became master of the caucase.
Voila, you have your key signed by caucase you started, and you became user of this caucase, so you now have the power to decide which service certificate requests will be granted and which will be rejected.
Let's create key for the service::
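Review bot: the fetch command `$CAU --mode user --send-csr user/client.csr.pem --get-crt <user-cert-id> user/client.key.pem` repeats `--send-csr` even though the context line says `fetch it with the id`; either drop the resend or explain why both are given in one call. The rewritten sentence also needs grammar work, for example `Voila, your key is now signed by the caucase you started, and you are a user of this caucase, with the power to decide which service certificate requests are granted and which are rejected.` Since this is where the reader learns that `user/client.key.pem` is the approval credential, add a line that it must be kept private, because anyone holding it can approve service certificates for this CA.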
......@@ -175,16 +177,20 @@ Let's create key for the service::
And now as a service, let's ask caucase for signing::
$CASE --send-csr service/csr.pem
$CAS --send-csr service/csr.pem
Again store the id. Let's ask for the certificate immediately::
Again remember the id. Let's ask for the certificate immediately::
$CASE --get-crt <service-cert-id> service/crt.pem
$CAS --get-crt <service-cert-id> service/crt.pem
The reply is::
<service_id> CSR still pending
You might end up in situation with bad network, so there is nothing wrong with asking the server again to sign the certificate, it will return the same id::
$CAS --send-csr service/csr.pem
Now using user certificate, but in ``--mode service``, which is default, let's see what is to sign::
$CAU --user-key user/client.key.pem --list-csr
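Review bot: the placeholders are inconsistent within this hunk: `$CAS --get-crt <service-cert-id> service/crt.pem` uses `<service-cert-id>` while the reply `<service_id> CSR still pending` and the later `--get-csr <service_id>` use `<service_id>`; pick one form so readers can tell it is the same value. The new paragraph reads better as `If the network is unreliable, it is safe to submit the same CSR again; the server returns the same id`, and the reason this matters should be stated: a retry does not create a second pending request for the user to review. `let's see what is to sign` should be `let's see what is waiting to be signed`, and `which is default` needs `the`.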
......@@ -200,7 +206,7 @@ As they say, you shall fetch the CSR and check the full content::
$CAU --user-key user/client.key.pem --get-csr <service_id> <service_id>.csr
**Exercise**: Use ``openssl`` to inspect downloaded CSR.
**Exercise**: Use ``openssl`` to inspect downloaded CSR, you can start with `openssl req -text -noout <service_id>.csr`.
Now you can sign the CSR::
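Review bot: `openssl req -text -noout <service_id>.csr` needs `-in` before the file name (`openssl req -text -noout -in <service_id>.csr`), otherwise openssl rejects the stray argument; and in reStructuredText single backticks are interpreted text rather than a literal, so use double backticks as ``openssl`` does on the same line. Since the context line tells the user to check the full content before signing, the exercise should also name what to look at: that the subject and subject alternative names match the service the requester claims to run, and that the key type and size are acceptable.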
......@@ -208,13 +214,13 @@ Now you can sign the CSR::
Now do the service part -- fetch the certificate::
$CASE --get-crt <service-cert-id> service/crt.pem
$CAS --get-crt <service-cert-id> service/crt.pem
It will download it to ``service/crt.pem`` and inform about the process::
<service_id> was (originally) manually approved
Take some time and inspect ``server``, ``client`` and ``user`` directories.
Take some time and inspect ``caucased``, ``client`` and ``user`` directories.
This is good place to start playing with below commands.
Commands
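Review bot: `Take some time and inspect ``caucased``, ``client`` and ``user`` directories.` refers to a ``client`` directory the walkthrough never creates; the earlier hunk runs `mkdir caucased user service`, so this should read ``caucased``, ``service`` and ``user``. The message `<service_id> was (originally) manually approved` uses the `<service_id>` placeholder while the command above it uses `<service-cert-id>`; align them. `This is good place to start playing with below commands.` should be `This is a good place to start playing with the commands below.`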