From 793f1d732e4b82429f0bc8ba32dcd726d455a408 Mon Sep 17 00:00:00 2001 From: Andrey Arapov Date: Sat, 30 Jun 2018 21:41:38 +0200 Subject: [PATCH] updates --- README.md | 49 +++++++++++++++++++++++++------------------------ 1 file changed, 25 insertions(+), 24 deletions(-) diff --git a/README.md b/README.md index 47700bf..2956a75 100644 --- a/README.md +++ b/README.md @@ -29,7 +29,31 @@ the IP. Usually, the IP address is not static, hence this script comes handy. -## Example usage +## Script logic + +- generate CA certificate if does not find any +- always generate server certificate on startup to ensure all IP addresses + are in x509 SAN +- warn if the CA certificate is about to expire (<30 days till expiration) +- regenerate the CA certificate if it finds it has expired + +## Notes + +- The CA certificate will be valid for 3650 days (10 years) +- The server certifcate will be valid for 365 days (1 year) +- The x509 certs are ECDSA with prime256v1 curve and SHA256 signatures + +## Testing + +I have added a simplistic script [testme.sh](testme.sh) that helps to test this +script in the following Linux distributions: + +- Alpine 3.7 +- Ubuntu Bionic +- Debian Stretch +- CentOS 7 + +## Usage example ### Minio server with Traefik example 
@@ -55,26 +79,3 @@ Usually, the IP address is not static, hence this script comes handy. > ``/usr/local/share/ca-certificates/``, otherwise one of these > https://golang.org/src/crypto/x509/root_linux.go -## Script logic - -- generate CA certificate if does not find any -- always generate server certificate on startup to ensure all IP addresses - are in x509 SAN -- warn if the CA certificate is about to expire (<30 days till expiration) -- regenerate the CA certificate if it finds it has expired - -## Notes - -- The CA certificate will be valid for 3650 days (10 years) -- The server certifcate will be valid for 365 days (1 year) -- The x509 certs are ECDSA with prime256v1 curve and SHA256 signatures - -## Testing - -I have added a simplistic script [testme.sh](testme.sh) that helps to test this -script in the following Linux distributions: - -- Alpine 3.7 -- Ubuntu Bionic -- Debian Stretch -- CentOS 7
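Review bot: In the first hunk, the `## Script logic` bullet "regenerate the CA certificate if it finds it has expired" documents an automatic CA replacement without saying what it means for clients. Anything that imported the old CA (the README's own example points at `/usr/local/share/ca-certificates/`) will not trust certificates issued under the regenerated CA until the new one is distributed again. Suggest adding a sentence to that effect, and stating what the operator is expected to do when the "<30 days till expiration" warning appears, since the list describes a warning but no renewal before expiry. While the block is being moved, also fix "certifcate" in the `## Notes` bullet about the server certificate and "if does not find any" in the first `## Script logic` bullet.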
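Review bot: The subject line "updates" does not describe the change: the lines removed at the end of the README in the second hunk are the same `## Script logic`, `## Notes` and `## Testing` text that the first hunk adds, so this is a section move plus a heading rename. Suggest a subject such as "README: move script logic, notes and testing above the usage example". The rename from `## Example usage` to `## Usage example` in the first hunk also changes the heading anchor on renderers that derive anchors from heading text, so check for links that still point at the old one.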