author: Andrew Cady <d@jerkface.net>, 2016-01-24 20:58:25 -0500
committer: Andrew Cady <d@jerkface.net>, 2016-01-24 20:58:25 -0500
commit: be7a90d29c8a6da269d54f355cee11ce6e5eabc2 (patch)
tree: ee589a906c93f0a069823f744ffc181ad69a6e0f /README.md
parent: df216a65fcb97bb42f66fd50fb37166b3045bd39 (diff)
update documentation
Diffstat (limited to 'README.md')
-rw-r--r-- | README.md | 53 |
1 files changed, 30 insertions, 23 deletions
@@ -24,52 +24,59 @@ Available options: | |||
24 | (generated certificates will not be trusted!) | 24 | (generated certificates will not be trusted!) |
25 | ``` | 25 | ``` |
26 | 26 | ||
27 | This is a simple Haskell script to obtain a certificate from [Let's | 27 | This program can be used to obtain a certificate from |
28 | Encrypt](https://letsencrypt.org/) using their ACME protocol. | 28 | [Let's Encrypt](https://letsencrypt.org/) using their ACME protocol. |
29 | 29 | ||
30 | ## Rate Limits | ||
30 | 31 | ||
31 | - The main source of information to write this was | 32 | This tool supports multiple domain names per certificate. Note that `Let's |
32 | https://github.com/diafygi/letsencrypt-nosudo | 33 | Encrypt` will not sign a certificate with more than 100 names; nor will it allow |
34 | more than 100 names to be signed for a single domain (no matter how many | ||
35 | certificates the names are spread across). Furthermore, you can only issue 5 | ||
36 | certificates per domain per week. | ||
33 | 37 | ||
34 | - The ACME spec: https://letsencrypt.github.io/acme-spec/ | 38 | The `Let's Encrypt` community documentation contains more |
39 | [information about rate limits](https://community.letsencrypt.org/t/rate-limits-for-lets-encrypt/6769). | ||
35 | 40 | ||
36 | ## Generate user account keys | 41 | ## User account keys |
37 | 42 | ||
38 | The needed keys will be automatically generated with HsOpenSSL. You can also | 43 | Under ACME, each certificate request is associated with a private key used to |
39 | pre-generate them manually, in which case they won't be overwritten: | 44 | sign communications with the ACME server. The key is furthermore associated with |
45 | an email address. | ||
40 | 46 | ||
47 | Note: `Let's Encrypt` requires that this key be different from the key used for | ||
48 | the certificate. | ||
41 | 49 | ||
42 | ``` | 50 | Use the `--email` command line argument to specify an email address to associate |
43 | openssl genrsa 4096 > user.key | 51 | with a private key. If there is no private key, one will be generated; |
44 | mkdir -p ${DOMAIN_NAME} | 52 | otherwise, the existing one will be used. This only needs to be done once per |
45 | openssl genrsa 4096 > ${DOMAIN_NAME}/rsa.key | 53 | private key. |
46 | ``` | ||
47 | 54 | ||
48 | ## Send CSR | 55 | Currently, only RSA keys are supported by this tool. You can generate compatible |
49 | 56 | keys like this: | |
50 | The CSR will be automatically created. You can also create it yourself with: | ||
51 | 57 | ||
52 | ``` | 58 | ``` |
53 | > openssl req -new -sha256 -key ${DOMAIN}/rsa.key \ | 59 | openssl genrsa 4096 > user.key |
54 | -subj "/CN=aaa.reesd.com" -outform DER > ${DOMAIN}/csr.der | 60 | mkdir -p ${DOMAIN} |
61 | openssl genrsa 4096 > ${DOMAIN}/rsa.key | ||
55 | ``` | 62 | ``` |
56 | 63 | ||
57 | ## Receive certificate | 64 | ## Receive certificate |
58 | 65 | ||
59 | The signed certificate will be saved by this program in | 66 | The signed certificate will be saved by this program in |
60 | ``./${DOMAIN}/cert.der``. You can copy that file to the place your TLS server is | 67 | ``./${DOMAIN}/cert.der``. You can copy that file to the place your TLS |
61 | configured to read it. | 68 | server is configured to read it. |
62 | 69 | ||
63 | You can also view the certificate like so: | 70 | You can also view the certificate like so: |
64 | 71 | ||
65 | ``` | 72 | ``` |
66 | > openssl x509 -inform der -in ${DOMAIN}/cert.der -noout -text | less | 73 | openssl x509 -inform der -in ${DOMAIN}/cert.der -noout -text | less |
67 | ``` | 74 | ``` |
68 | 75 | ||
69 | ## Create a certificate for HAProxy | 76 | ## Create a certificate for HAProxy |
70 | 77 | ||
71 | Including explicit DH key exchange parameters to prevent Logjam attack | 78 | Vo Minh Thu, the original author of this program, suggests to include explicit |
72 | (https://weakdh.org/). | 79 | DH key exchange parameters to prevent the [Logjam attack](https://weakdh.org/). |
73 | 80 | ||
74 | ``` | 81 | ``` |
75 | > openssl x509 -inform der -in ${DOMAIN}/cert.der \ | 82 | > openssl x509 -inform der -in ${DOMAIN}/cert.der \ |
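Review bot: the new "User account keys" text states that the account key must differ from the certificate key, but the key-generation block at new lines 59-61 (`openssl genrsa 4096 > user.key`, `mkdir -p ${DOMAIN}`, `openssl genrsa 4096 > ${DOMAIN}/rsa.key`) never says which file plays which role, nor from which path the tool loads an existing account key when `--email` is given; add one sentence mapping `user.key` to the ACME account key and `${DOMAIN}/rsa.key` to the certificate key, and name the lookup path so a reader can confirm a pre-generated key was picked up rather than a fresh one silently generated. The same block writes both private keys through shell redirection under the caller's default umask, so suggest a `umask 077` line before it (or `-out` followed by `chmod 600`) to keep the key files owner-readable only. Separately, dropping the old "Send CSR" section removes the only statement that the CSR is created automatically; the new text should say so explicitly, otherwise a reader may assume `${DOMAIN}/csr.der` must be supplied by hand.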