x

.gitignore

@@ -1,2 +1 @@
-nginx/certs/*
-!nginx/certs/.keep
+

bin/create-ca.sh

@@ -0,0 +1,7 @@
+#!/bin/bash
+
+openssl req -new \
+        -x509 \
+        -days 365 \
+        -out ca.crt \
+        -keyout private/ca.key

bin/create-server-cert-signing-req.sh

@@ -0,0 +1,7 @@
+#!/bin/bash
+
+openssl req -new \
+        -nodes \
+        -out server.csr \
+        -keyout private/server.key \
+        -config ./openssl.cnf

bin/sign-server-cert-signing-req.sh

@@ -0,0 +1,5 @@
+#!/bin/bash
+
+openssl ca -out server.crt \
+        -config ./openssl.cnf \
+        -infiles server.csr

docker-compose.yaml

@@ -10,9 +10,9 @@ services:
     image: integralist-nginx
     volumes:
       - ./html:/usr/share/nginx/html
-      - ./nginx/certs/server.crt:/etc/nginx/certs/server.crt
-      - ./nginx/certs/server.key:/etc/nginx/certs/server.key
-      - ./nginx/certs/ca.crt:/etc/nginx/certs/ca.crt
+      - ./nginx/cert-mng/server.crt:/etc/nginx/certs/server.crt
+      - ./nginx/cert-mng/server.key:/etc/nginx/certs/server.key
+      - ./nginx/cert-mng/ca.crt:/etc/nginx/certs/ca.crt
       - ./nginx/nginx.conf:/etc/nginx/nginx.conf
     ports:
       - 80:80

nginx/cert-mng/.gitignore

@@ -0,0 +1,13 @@
+certs/*
+!certs/.keep
+
+private/*
+!private/.keep
+
+revoked/*
+!revoked/.keep
+
+*.crt
+*.csr
+certindex.*
+serial

nginx/cert-mng/openssl.cnf

@@ -0,0 +1,78 @@
+
+dir = .
+
+[ ca ]
+default_ca = CA_default
+
+[ CA_default ]
+serial           = $dir/serial
+database         = $dir/certindex.txt
+new_certs_dir    = $dir/certs
+certificate      = $dir/ca.crt
+private_key      = $dir/private/ca.key
+default_days     = 365
+default_md       = md5
+default_crl_days = 30
+preserve         = no
+email_in_dn      = yes
+nameopt          = default_ca
+certopt          = default_ca
+policy           = policy_match
+crl_dir          = $dir/revoked
+crlnumber        = $crl_dir/crlnumber
+crl_extensions   = crl_ext
+x509_extensions  = usr_cert
+copy_extensions  = copy
+rand_serial      = no
+
+[ policy_match ]
+countryName            = optional
+stateOrProvinceName    = optional
+organizationName       = optional
+organizationalUnitName = optional
+commonName             = supplied
+emailAddress           = supplied
+
+[ crl_ext ]
+authorityKeyIdentifier = keyid:always,issues:always
+
+[ usr_cert ]
+basicConstraints       = CA:FALSE
+subjectKeyIdentifier   = hash
+authorityKeyIdentifier = keyid, issuer
+crlDistributionPoints  = URI:http://localhost/ca/crl.pem
+
+[ req ]
+default_bits = 2048
+default_keyfile = key.pem
+default_md = md5
+string_mask = utf8only
+distinguished_name = req_distinguished_name
+req_extensions = v3_req
+
+[ req_distinguished_name ]
+0.organizationName = .
+organizationalUnitName = .
+emailAddress = luka.licina@geneza.com
+emailAddress_max = 40
+localityName = .
+stateOrProvinceName = .
+countryName = SI
+countryName_max = .
+countryName_max = .
+commonName = TheServer
+commonName_max = 64
+
+0.organizationName_default = .
+localityName_default = .
+stateOrProvinceName_default = .
+countryName_default = SI
+
+[ v3_ca ]
+basicConstraints = CA:TRUE
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer:always
+
+[ v3_req ]
+basicConstraints = CA:FALSE
+subjectKeyIdentifier = hash

nginx/nginx.conf

@@ -22,6 +22,7 @@ http {
     #          some connections are allowed to public
     #          endpooints
     ssl_verify_client      on;
+    ssl_crl                /etc/nginx/certs/crl.pem;
 
     root /usr/share/nginx/html;